Policies (CIT 380: Securing Computer Systems)
Policies
CIT 380: Securing Computer Systems Slide #1
http://it.nku.edu/itsecurity/docs/acceptableusepolicy.pdf
Confidentiality
Integrity
Availability
Keeping information secret
  Bank records
  Medical records
  Student records
  Personally identifiable information
Accuracy and reliability of information
  You are charged correctly for a purchase
  Your bank balance is correct
  You register for the correct class
Reliable and timely access
  Email is accessible
  Can access airline reservation system
National Defense
  Confidentiality
Banking
  Integrity
1. Planning to address security needs.
2. Risk assessment.
3. Crafting policies to reflect risks and needs.
4. Implementing security.
5. Audit and incident response.
Security professionals generally don’t refer to a computer system as being “secure” or “unsecure.”
Trust – level of confidence that a computer system will behave as expected.
1. Identify assets and their value
2. Identify risk to assets
3. Calculate risk
1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How well does each potential security solution mitigate those risks?
4. What other risks do the security solutions impose on me?
5. What costs and trade-offs do the security solutions create?
Home computer system
Laptop
E-commerce web server
NKU computer systems
Tangibles
  Computers
  Data
  Backups
  Printouts
  Software media
  HR records
Intangibles
  Privacy
  Passwords
  Reputation
  Goodwill
  Performance
Home computer system
Laptop
E-commerce web server
NKU computer systems
Loss of key personnel
Loss of key vendor or service provider
Loss of power
Loss of phone / network
Theft of laptops, USB keys, backups
Introduction of malware
Hardware failure
Software bugs
Network attacks
Cost-Benefit Analysis
  Cost of Loss
  Probability of Loss
  Cost of Prevention
Levels of importance
  High, Medium, Low
Best Practices
Cost of a Loss
  Direct cost of lost hardware.
  Cost of idle labor during outage.
  Cost of time to recover.
  Cost to reputation.
Probability of a Loss
  Insurance/power companies have some stats.
  Records of past experience.
Cost of Prevention
  Remember that most risks cannot be eliminated.
Update your risks regularly
  Business, technology changes alter risks.
Too many risks to defend against.
  Rank risks to decide which ones to mitigate.
  Insure against some risks.
  Accept other risks.
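The cost-benefit steps from the preceding slides, worked through as an added example (not part of the original slides). All figures are constructed; the rule "mitigate when the expected loss avoided exceeds the cost of prevention" and the residual-probability field are assumptions used here to reflect that most risks cannot be eliminated.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    loss: float          # cost of one loss event
    p_year: float        # probability of loss per year with no control
    control_cost: float  # yearly cost of prevention
    p_residual: float    # probability per year that remains with the control

# Constructed figures for illustration only; risk names come from the slides.
RISKS = [
    Risk("Theft of laptops", 4_000, 0.30, 300, 0.05),
    Risk("Loss of power", 20_000, 0.10, 5_000, 0.01),
    Risk("Introduction of malware", 50_000, 0.20, 2_000, 0.04),
    Risk("Loss of key vendor", 80_000, 0.02, 10_000, 0.01),
]

def expected_loss(r):
    """Cost of loss times probability of loss, per year."""
    return r.loss * r.p_year

def net_benefit(r):
    """Expected loss avoided by the control, minus what the control costs."""
    return r.loss * (r.p_year - r.p_residual) - r.control_cost

def plan(risks):
    """Rank risks by expected loss and decide which are worth mitigating."""
    ranked = sorted(risks, key=expected_loss, reverse=True)
    return [
        (r.name, round(expected_loss(r)), round(net_benefit(r)),
         "mitigate" if net_benefit(r) > 0 else "insure or accept")
        for r in ranked
    ]

if __name__ == "__main__":
    for row in plan(RISKS):
        print(row)
```

With these numbers the vendor risk has the largest single loss but is not worth the prevention cost, while the cheap laptop control pays for itself.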
Risk Analysis is difficult and uncertain.
Follow best practices or due care
  Firewall required as insurance co. due care.
  Update patches, anti-virus.
  Organizations differ in what they need.
Combine best practices + risk analysis.
Security is not free.
MBAs understand cost and benefits
MBAs mistrust technology
Policy helps to define what you consider to be valuable, and it specifies which steps should be taken to safeguard those assets.
1. What is being protected
2. Who is responsible
3. Provides ground on which to interpret and resolve later conflicts.
Should be general and change little over time.
How does the NKU Acceptable Use Policy for Technology Resources meet these roles?
Security policy partitions system states into:
  Authorized (secure)
    ▪ These are states the system is allowed to enter.
  Unauthorized (nonsecure)
    ▪ If the system enters any of these states, it’s a security violation.
Secure system
  Starts in authorized state.
  Never enters unauthorized state.
Security Policy
  Statement that divides system into authorized and unauthorized states.
Mechanism
  Entity or procedure that enforces some part of a security policy.
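The state-partition definition and the policy/mechanism split, as an added example that is not part of the original slides. The toy system, its state names and the three mechanisms are constructed for illustration; the check reports the shortest path into an unauthorized state, or `None` when the system starts authorized and can never leave the authorized set.

```python
from collections import deque

# Constructed toy system (all names hypothetical): state = (role, file_mode).
TRANSITIONS = {
    ("guest", "closed"): [("guest", "read"), ("guest", "write"), ("admin", "closed")],
    ("guest", "read"): [("guest", "closed"), ("guest", "write")],
    ("guest", "write"): [("guest", "closed")],
    ("admin", "closed"): [("admin", "read"), ("admin", "write"), ("guest", "closed")],
    ("admin", "read"): [("admin", "closed"), ("admin", "write")],
    ("admin", "write"): [("admin", "closed")],
}
START = ("guest", "closed")

def policy(state):
    """Policy: True for authorized states. Here a guest must never hold write access."""
    return state != ("guest", "write")

def allow_all(src, dst):
    """No mechanism: every transition the system offers is permitted."""
    return True

def weak_mechanism(src, dst):
    """Checks write access only when a closed file is opened; misses read -> write."""
    return not (src == ("guest", "closed") and dst == ("guest", "write"))

def full_mechanism(src, dst):
    """Checks every transition that would give a guest write access."""
    return dst != ("guest", "write")

def find_violation(start, transitions, policy, mechanism):
    """Return the shortest path into an unauthorized state, or None if secure."""
    if not policy(start):
        return [start]          # a secure system must start in an authorized state
    parent = {start: None}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst in transitions.get(src, []):
            if dst in parent or not mechanism(src, dst):
                continue        # already explored, or blocked by the mechanism
            parent[dst] = src
            if not policy(dst):
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(dst)
    return None
```

Calling `find_violation(START, TRANSITIONS, policy, weak_mechanism)` returns the closed, read, write path: the written policy is unchanged, but the enforced policy differs from it, which is the gap a compliance audit looks for.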
Assign an owner
Be positive
  People respond better to do than don’t.
Remember that employees are people too
  They will make mistakes
  They value privacy
Concentrate on education
Standards for training and retraining
Privacy
Change control
Employment agreement, ethics
Internet acceptable use
Remote access
Outsourcing
Access control
Data classification
Codify successful security practices
Standards for backups
Standard anti-virus product throughout the organization
Encryption algorithm
Platform independent
Metric to determine if met
Interpret standards for a particular environment.
Recommendations
Follow tested procedures or best practices
Windows Server backups
HIPAA
  Medical Privacy - National Standards to Protect the Privacy of Personal Health Information
Sarbanes Oxley
  Protection of financial and accounting information
Federal Information Security Management Act (FISMA)
  IT controls and auditing
Have authority commensurate with responsibility
Spaf’s first principle of security administration:
  If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.
Be sure to know your security perimeter
  Laptops and PDAs
  Wireless networks
  Computer used at home
  Portable media
    ▪ Flash drives, CDs, DVDs
Perimeter defines what is within your control.
Historically
  Within walls of building or fences of campus.
  Within router that connects to ISP.
Modern perimeters are more complex
  Laptops, PDAs.
  USB keys, CDs, DVDs, portable HDs.
  Wireless networks.
  Home PCs that connect to your network.
1. Decide how important security is for your site.
2. Involve and educate your user community.
3. Devise a plan for making and storing backups of your system data.
4. Stay inquisitive and suspicious.
Formulating policy is not enough by itself. It is important to determine regularly if the policy is being applied correctly, and if the policy is correct and sufficient.
Audit your systems and personnel regularly.
Audit failures may result from
  Personnel shortcomings
    ▪ Insufficient education or overwork
  Material shortcomings
    ▪ Insufficient resources or maintenance
  Organizational shortcomings
    ▪ Lack of authority, conflicting responsibilities
  Policy shortcomings
    ▪ Unforeseen risks, missing or conflicting policies
In-house staff
Full-time or part-time consultants
Choosing a vendor
  ▪ “Reformed hacker”
Policy divides system into
  Authorized (secure) states.
  Unauthorized (insecure) states.
Policy vs Mechanism
  Policy: describes what security is.
  Mechanism: how security policy is enforced.
Written policy and enforced policy will differ.
  Compliance audits look for those differences.
Security Perimeter
  Describes what is within your control.
  Defense in depth: defend perimeter and inside.
1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
2. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e, O’Reilly, 2003.
3. NKU, Acceptable Use Policy, http://it.nku.edu/itsecurity/docs/acceptableusepolicy.pdf, 2009.
4. SANS, SANS Security Policy Project, http://www.sans.org/resources/policies/