Administering Security: Vulnerabilities, Risk Analysis, and Security Policy
K. Salah

Page 1: Administering Security: Vulnerabilities, Risk Analysis, and Security Policy

Page 2: Vulnerabilities

Page 3: Vulnerabilities
• Security objectives: prevent attacks, detect attacks, recover from attacks
• Attacks: against weaknesses in the information systems
• Need: find weaknesses

Page 4: Identifying and Eliminating Weaknesses
I. Vulnerability monitoring
II. Secure system development
III. User training and awareness
IV. Avoiding single point of failure

Page 5: I. Vulnerability Monitoring
• Identify potential weaknesses in existing information systems
• Reveal a wide range of vulnerabilities

Page 6: I. Security Flaws
• Secure software installation: correct installation of software; change default settings; validate upgrades/changes; patch new security flaws

Page 7: I. Vulnerability Detection Tools
• Computer Oracle and Password System (COPS), free: checks vulnerabilities of UNIX systems
• Secure Analysis Tool for Auditing Networks (SATAN), free
• SAFEsuite (Internet Security Systems, Inc.): family of network security assessment tools (web security scanner, firewall scanner, intranet scanner, system security scanner); keyed to the IP address of the customer

Page 8: I. Keeping up with Security Publications
• Legal publications: how to remove vulnerabilities (CERT advisories, SANS Security Digest)
• Hacker publications: "how to" exploit known vulnerabilities
• Security mailing lists

Page 9: II. Building Secure Systems
• 1960s: US Department of Defense (DoD) recognizes the risk of unsecured information systems
• 1981: National Computer Security Center (NCSC) at the NSA; DoD Trusted Computer System Evaluation Criteria (TCSEC) == Orange Book

Page 10: II. National Information Assurance Partnership (NIAP)
• 1997: National Institute of Standards and Technology (NIST), National Security Agency (NSA), and industry
• Aims to improve the efficiency of evaluation: transfer methodologies and techniques to private sector laboratories
• Functions: developing tests, test methods, and tools for evaluating and improving security products; developing protection profiles and associated tests; establishing a formal and international scheme for the Common Criteria (CC)

Page 11: III. Security Awareness and Training
• Major weakness: user unawareness
• Organizational effort
• Educational effort
• Customer training: Federal Trade Commission program to educate customers about web scams

Page 12: IV. Avoid Single Point of Failure
• Critical information resources: identification, backup, hiding
• Separation of duties: multi-person requirements, limit temptations

Page 13: Risk Analysis

Page 14: Overview
• Definition and purpose of risk analysis
• Elements of risk analysis
• Quantitative vs. qualitative analysis
• Quantitative example
• Qualitative example

Page 15: Risk Management Cycle
[Figure: risk management cycle diagram, from GAO/AIMD-99-139]

Page 16: What is Risk Analysis?
• The process of identifying, assessing, and reducing risks to an acceptable level: defines and controls threats and vulnerabilities; implements risk reduction measures
• An analytic discipline with three parts:
  - Risk assessment: determine what the risks are
  - Risk management: evaluating alternatives for mitigating the risk
  - Risk communication: presenting this material in an understandable way to decision makers and/or the public

Page 17: Benefits of Risk Analysis
• Assurance that the greatest risks have been identified and addressed
• Increased understanding of risks
• Mechanism for reaching consensus
• Support for needed controls
• Means for communicating results

Page 18: Basic Risk Analysis Structure
• Evaluate: value of computing and information assets; vulnerabilities of the system; threats from inside and outside
• Examine: availability of security countermeasures; effectiveness of countermeasures; costs (installation, operation, etc.) of countermeasures

Page 19: Who Should Be Involved?
• Security experts
• Internal domain experts: know best how things really work
• Managers responsible for implementing controls

Page 20: Critical Assets
• People and skills
• Goodwill
• Hardware/software
• Data
• Documentation
• Supplies
• Physical plant
• Money

Page 21: Threats
• Attacks against key security services: confidentiality, integrity, availability
• One threat classification: disclosure, deception, disruption, usurpation

Page 22: Example Threat List
• T01 Access (Unauthorized to System - logical)
• T02 Access (Unauthorized to Area - physical)
• T03 Airborne Particles (Dust)
• T04 Air Conditioning Failure
• T05 Application Program Change (Unauthorized)
• T06 Bomb Threat
• T07 Chemical Spill
• T08 Civil Disturbance
• T09 Communications Failure
• T10 Data Alteration (Error)
• T11 Data Alteration (Deliberate)
• T12 Data Destruction (Error)
• T13 Data Destruction (Deliberate)
• T14 Data Disclosure (Unauthorized)
• T15 Disgruntled Employee
• T16 Earthquakes
• T17 Errors (All Types)
• T18 Electro-Magnetic Interference
• T19 Emanations Detection
• T20 Explosion (Internal)
• T21 Fire, Catastrophic
• T22 Fire, Major
• T23 Fire, Minor
• T24 Floods/Water Damage
• T25 Fraud/Embezzlement
• T26 Hardware Failure/Malfunction
• T27 Hurricanes
• T28 Injury/Illness (Personal)
• T29 Lightning Storm
• T30 Liquid Leaking (Any)
• T31 Loss of Data/Software
• T32 Marking of Data/Media Improperly
• T33 Misuse of Computer/Resource
• T34 Nuclear Mishap
• T35 Operating System Penetration/Alteration
• T36 Operator Error
• T37 Power Fluctuation (Brown/Transients)
• T38 Power Loss
• T39 Programming Error/Bug
• T40 Sabotage
• T41 Static Electricity
• T42 Storms (Snow/Ice/Wind)
• T43 System Software Alteration
• T44 Terrorist Actions
• T45 Theft (Data/Hardware/Software)
• T46 Tornado
• T47 Tsunami (Pacific area only)
• T48 Vandalism
• T49 Virus/Worm (Computer)
• T50 Volcanic Eruption

Page 23: Vulnerabilities
• Flaw or weakness in system: security procedures, design, implementation
• Threats trigger vulnerabilities: accidental, malicious

Page 24: Example Vulnerabilities
Physical
• V01 Susceptible to unauthorized building access
• V02 Computer room susceptible to unauthorized access
• V03 Media library susceptible to unauthorized access
• V04 Inadequate visitor control procedures
• (and 36 more)
Administrative
• V41 Lack of management support for security
• V42 No separation of duties policy
• V43 Inadequate/no computer security plan policy
• V47 Inadequate/no emergency action plan
• (and 7 more)
Personnel
• V56 Inadequate personnel screening
• V57 Personnel not adequately trained in job
• ...
Software
• V62 Inadequate/missing audit trail capability
• V63 Audit trail log not reviewed weekly
• V64 Inadequate control over application/program changes
Communications
• V87 Inadequate communications system
• V88 Lack of encryption
• V89 Potential for disruptions
• ...
Hardware
• V92 Lack of hardware inventory
• V93 Inadequate monitoring of maintenance personnel
• V94 No preventive maintenance program
• …
• V100 Susceptible to electronic emanations

Page 25: Controls
• Mechanisms or procedures for mitigating vulnerabilities: prevent, detect, recover
• Understand cost and coverage of control
• Controls follow vulnerability and threat analysis

Page 26: Example Controls
• C01 Access control devices - physical
• C02 Access control lists - physical
• C03 Access control - software
• C04 Assign ADP security officer and assistant in writing
• C05 Install/review audit trails
• C06 Conduct risk analysis
• C07 Develop backup plan
• C08 Develop emergency action plan
• C09 Develop disaster recovery plan
• ...
• C21 Install walls from true floor to true ceiling
• C22 Develop visitor sign-in/escort procedures
• C23 Investigate backgrounds of new employees
• C24 Restrict numbers of privileged users
• C25 Develop separation of duties policy
• C26 Require use of unique passwords for logon
• C27 Make password changes mandatory
• C28 Encrypt password file
• C29 Encrypt data/files
• C30 Hardware/software training for personnel
• C31 Prohibit outside software on system
• ...
• C47 Develop software life cycle development program
• C48 Conduct hardware/software inventory
• C49 Designate critical programs/files
• C50 Lock PCs/terminals to desks
• C51 Update communications system/hardware
• C52 Monitor maintenance personnel
• C53 Shield equipment from electromagnetic interference/emanations
• C54 Identify terminals

Page 27: Risk Control Trade-Offs
• The only safe asset is a dead asset: an asset that is completely locked away is safe, but useless; there is a trade-off between safety and availability
• Do not waste effort on assets with low loss value: don't spend resources to protect garbage
• A control only has to be good enough, not absolute: make it tough enough to discourage the enemy

Page 28: Types of Risk Analysis
• Quantitative: assigns real numbers to costs of safeguards and damage; annual loss expectancy (ALE); probability of event occurring; can be unreliable/inaccurate
• Qualitative: judges an organization's risk from threats; based on judgment, intuition, and experience; ranks the seriousness of the threats against the sensitivity of the assets; subjective, lacks hard numbers to justify return on investment

Page 29: Qualitative Risk Analysis
• Generally used in information security: hard to make meaningful valuations and meaningful probabilities; relative ordering is faster and more important
• Many approaches to performing qualitative risk analysis
• Same basic steps as quantitative analysis: still identifying assets, threats, vulnerabilities, and controls; just evaluating importance differently
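A worked example of both approaches from the two preceding slides, added here and not part of the original deck: the quantitative part uses the standard SLE × ARO form of annual loss expectancy (the slides only name ALE; the formula, the asset values, probabilities and control costs are all assumptions), and the qualitative part ranks the same kind of threats on a likelihood × impact scale with no currency at all.

```python
"""Quantitative (ALE) and qualitative (ranking) risk analysis on constructed data.
Assumed formulas: SLE = asset value * exposure factor; ALE = SLE * ARO."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair being analysed."""
    asset: str
    threat: str
    asset_value: float      # replacement value, currency units
    exposure_factor: float  # fraction of the value lost per incident, 0..1
    aro: float              # annualised rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and how much of the annual loss it is judged to avoid."""
    name: str
    annual_cost: float
    ale_reduction: float    # fraction of the ALE the control removes, 0..1


def single_loss_expectancy(e: Exposure) -> float:
    return e.asset_value * e.exposure_factor


def annual_loss_expectancy(e: Exposure) -> float:
    return single_loss_expectancy(e) * e.aro


def control_value(e: Exposure, c: Control) -> float:
    """Annual net benefit of a control: loss avoided minus what it costs.
    Negative means it costs more than the loss it prevents ("don't spend
    resources to protect garbage")."""
    ale_before = annual_loss_expectancy(e)
    ale_after = ale_before * (1.0 - c.ale_reduction)
    return (ale_before - ale_after) - c.annual_cost


def pick_controls(e: Exposure, candidates) -> list:
    """Controls worth buying for this exposure, best value first. Nothing here
    demands absolute protection: a control only needs to avoid more loss than
    it costs ("good enough, not absolute")."""
    worthwhile = [c for c in candidates if control_value(e, c) > 0]
    return sorted(worthwhile, key=lambda c: control_value(e, c), reverse=True)


# Qualitative: no currency, just an ordinal likelihood x impact score.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rank_threats(ratings) -> list:
    """ratings: (threat, likelihood, impact) tuples. Returns threat names from
    most to least serious; equal scores keep input order (sorted is stable)."""
    ordered = sorted(ratings, key=lambda r: qualitative_score(r[1], r[2]), reverse=True)
    return [r[0] for r in ordered]


# Constructed sample: a database server facing data theft (T45) and three
# candidate controls, two named after the example control list on page 26.
SERVER = Exposure("customer database server", "T45 Theft (Data)",
                  asset_value=500_000.0, exposure_factor=0.40, aro=0.10)
CANDIDATES = [
    Control("C29 Encrypt data/files", annual_cost=6_000.0, ale_reduction=0.8),
    Control("C50 Lock PCs/terminals to desks", annual_cost=500.0, ale_reduction=0.2),
    Control("24x7 armed guard (constructed)", annual_cost=60_000.0, ale_reduction=0.9),
]
SAMPLE_RATINGS = [
    ("T49 Virus/Worm (Computer)", "high", "medium"),
    ("T50 Volcanic Eruption", "low", "high"),
    ("T15 Disgruntled Employee", "medium", "high"),
    ("T03 Airborne Particles (Dust)", "medium", "low"),
]

if __name__ == "__main__":
    print(f"SLE={single_loss_expectancy(SERVER):,.0f}  ALE={annual_loss_expectancy(SERVER):,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:36s} net value/year = {control_value(SERVER, c):+,.0f}")
    print("buy:", [c.name for c in pick_controls(SERVER, CANDIDATES)])
    print("qualitative order:", rank_threats(SAMPLE_RATINGS))
```

The guard is rejected not because it is ineffective but because its yearly cost exceeds the 20,000 of loss it could ever avoid, which is the trade-off page 27 describes.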

Page 30: Key Points
• Key elements of risk analysis: assets, threats, vulnerabilities, and controls
• Most security risk analysis uses qualitative analysis
• Not a scientific process: companies will develop their own procedure; still a good framework for better understanding of system security

Page 31: Security Policy

Page 32: Overview
• Understanding why policy is important
• Defining various policies
• Creating an appropriate policy
• Deploying policies
• Using policy effectively

Page 33: Understanding Why Policy is Important
• The two primary functions of a policy are:
  - It defines the scope of security within an organization.
  - It clearly states the expectations of everyone in the organization.

Page 34: Understanding Why Policy is Important
• Policy defines how security should be implemented.
  - It includes the system configurations, network configurations, and physical security measures.
  - It defines the mechanisms used to protect information and systems.
  - It defines how organizations should react when security incidents occur.
• Policy provides the framework for employees to work together.
  - It defines the common goals and objectives of the organization's security program.
  - Proper security awareness training helps implement policy initiatives effectively.

Page 35: Defining Various Policies
• Information policy
• Security policy
• Computer use policy
• Internet use policy
• E-mail policy
• User management procedures
• System administration procedures
• Backup policy
• Incident response policy
• Configuration management procedures
• Design methodology
• Disaster recovery plans

Page 36: Information Policy
• Identification of sensitive information
• Classifications
• Marking and storing sensitive information
• Transmission of sensitive information
• Destruction of sensitive information

Page 37: Identification of Sensitive Information
• Sensitive information differs depending on the business of the organization.
• It may include business records, product designs, patent information, and company phone books.
• It may also include payroll, medical insurance, and any other financial information.

Page 38: Classifications
• Only the lowest level of information should be made public.
• All proprietary, company sensitive, or company confidential information is releasable to employees.
• All restricted or protected information must be made available to authorized employees only.

Page 39: Marking and Storing Sensitive Information
• The policy must mark all sensitive information.
• It should address the storage mechanism for information on paper or on computer systems.
• In the case of information stored on computer systems, the policy should specify appropriate levels of protection.
• Use encryption wherever required.

Page 40: Transmission of Sensitive Information
• The policy addresses how sensitive information needs to be transmitted.
• It specifies the encryption method to be used while transmitting information through electronic mail.
• In the case of hard copies of information, request a signed receipt.

Page 41: Destruction of Sensitive Information
• To destroy sensitive information:
  - Shred the information on paper. Use cross-cut shredders, which provide an added level of protection.
  - PGP Desktop and BCWipe can be used to delete documents placed on a desktop.

Page 42: Security Policy
• Identification and authentication
• Access control
• Audit
• Network connectivity
• Malicious code
• Encryption
• Waivers
• Appendices

Page 43: Identification and Authentication
• The security policy defines how users will be identified.
• It defines the primary authentication mechanism for users and administrators.
• It defines a stronger mechanism for remote access such as VPN or dial-in access.

Page 44: Access Control
• The security policy defines the standard requirement for access control of electronic files.
• The requirement includes the required mechanism and the default requirements for new files.
• The mechanism should work with the authentication mechanism to allow only authorized users to access the information.

Page 45: Audit
• The security policy must require frequent auditing of the following events:
  - Logins (successful and failed)
  - Logouts
  - Failed access to files or system objects
  - Remote access (successful and failed)
  - Privileged actions
  - System events (such as shutdowns and reboots)

Page 46: Audit
• Each event should also capture the following information:
  - User ID (if there is one)
  - Date and time
  - Process ID (if there is one)
  - Action performed
  - Success or failure of the event
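An added example, not from the deck, that turns the two audit slides into a check: each record is tested for the fields listed above, and the run as a whole is tested for event classes that never appear (a class that is required but never logged is the usual sign that auditing is not switched on). The key=value record format, the field names and the sample lines are constructed assumptions.

```python
"""Check audit records against the policy's required events and fields.
Constructed example: the key=value record format, the field names and the
sample log lines are assumptions, not something the slides specify."""
import re
from collections import Counter

# Event classes the policy says must be audited (page 45).
REQUIRED_EVENT_CLASSES = {
    "login", "logout", "file_access_failed", "remote_access",
    "privileged_action", "system_event",
}
# Fields every record must carry (page 46); user and pid are "if there is one".
MANDATORY_FIELDS = {"ts", "event", "action", "outcome"}
OPTIONAL_FIELDS = {"user", "pid"}
VALID_OUTCOMES = {"success", "failure"}
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")  # assumed ISO-8601 UTC


def parse_record(line: str) -> dict:
    """Parse 'key=value key="value with spaces"' into a dict."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def record_problems(rec: dict) -> list:
    """Why a single record fails the policy; an empty list means it is acceptable."""
    problems = [f"missing {f}" for f in sorted(MANDATORY_FIELDS - rec.keys())]
    if "ts" in rec and not TS_RE.match(rec["ts"]):
        problems.append("bad timestamp")
    if "outcome" in rec and rec["outcome"] not in VALID_OUTCOMES:
        problems.append("bad outcome")
    if "event" in rec and rec["event"] not in REQUIRED_EVENT_CLASSES:
        problems.append("unknown event class")
    return problems


def audit_coverage(lines):
    """Returns (problems keyed by line number, required classes never seen,
    record count per event class)."""
    problems, seen = {}, Counter()
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        found = record_problems(rec)
        if found:
            problems[n] = found
        seen[rec.get("event", "<none>")] += 1
    missing = sorted(REQUIRED_EVENT_CLASSES - set(seen))
    return problems, missing, seen


def failed_logins_by_user(lines) -> Counter:
    """Failed login / remote-access attempts per user: the first thing a
    reviewer of the audit trail (V63) would want to see."""
    c = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("event") in {"login", "remote_access"} and rec.get("outcome") == "failure":
            c[rec.get("user", "<none>")] += 1
    return c


# Constructed sample log: no logout records at all, and one malformed line.
SAMPLE_LOG = [
    'ts=2024-03-01T08:00:01Z event=login user=alice pid=4120 action="console login" outcome=success',
    'ts=2024-03-01T08:00:09Z event=login user=mallory pid=4133 action="console login" outcome=failure',
    'ts=2024-03-01T08:00:15Z event=login user=mallory pid=4134 action="console login" outcome=failure',
    'ts=2024-03-01T08:01:30Z event=file_access_failed user=bob pid=4150 action="open /etc/shadow" outcome=failure',
    'ts=2024-03-01T08:02:00Z event=privileged_action user=alice pid=4188 action="sudo useradd carol" outcome=success',
    'ts=2024-03-01T08:03:00Z event=system_event action="shutdown -h now" outcome=success',
    'ts=03/01/2024 event=remote_access user=bob action="vpn connect"',
]

if __name__ == "__main__":
    problems, missing, seen = audit_coverage(SAMPLE_LOG)
    print("per-record problems:", problems)
    print("event classes never logged:", missing)
    print("failed logins:", dict(failed_logins_by_user(SAMPLE_LOG)))
```

The shutdown record on line 6 passes without a user or process ID, exactly as the slide allows, while line 7 fails for its timestamp format and missing outcome.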

Page 47: Network Connectivity
• The security policy specifies the rules for network connectivity and the protection mechanisms. It includes:
  - Dial-in connections
  - Permanent connections
  - Remote access of internal systems
  - Wireless networks

Page 48: Malicious Code
• The security policy specifies where security programs that look for malicious code need to be placed.
• Some appropriate locations are file servers, desktop systems, and electronic mail servers.
• It should specify the requirements for security programs.
• It should require updates of signatures for such security programs on a periodic basis.

Page 49: Encryption
• The security policy should define the acceptable encryption algorithms for use.
• It can refer to the information policy to choose the appropriate algorithms to protect sensitive information.
• It should also specify the procedures required for key management.

Page 50: Waivers
• The security policy should provide a mechanism for risk assessment and formulating a contingency plan.
• For each situation, the system designer or project manager should fill in a waiver form.
• The security department reviews the waiver request and provides risk assessment results and recommendations to minimize the risk.
• The waiver should be approved by the organization's officer in charge of the project.

Page 51: Appendices
• The security policy appendices should have details of:
  - Security configurations for various operating systems
  - Network devices
  - Telecommunication equipment

Page 52: Computer Use Policy
• Ownership of computers - States that all computers are owned by the organization.
• Ownership of information - States that all information stored on or used by the organization's computers is proprietary to the organization.
• Acceptable use of computers - States all acceptable and unacceptable use of the organization's computers.
• No expectation of privacy - States that employees have no expectation of privacy for any information stored, sent, or received on the organization's computers.

Page 53: Internet Use Policy
• The Internet use policy is a part of the general computer use policy.
• It can be a separate policy due to the specific nature of Internet use.
• The Internet use policy defines the appropriate uses of the Internet within an organization.
• It may also define inappropriate uses such as visiting non-business-related web sites.

Page 54: E-mail Policy
• Internal mail issues - The electronic mail policy should not be in conflict with other human resource policies.
• External mail issues - Electronic mail leaving an organization may contain sensitive information. Therefore, it may be monitored.

Page 55: User Management Procedures
• New employment procedure - Provides new employees with the proper access to computer resources.
• Transferred employee procedure - Reviews employees' computer access when they are transferred within the organization.
• Employee termination procedure - Ensures removal of users who no longer work for the organization.
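An added example, not part of the original slides, that implements the three procedures as one reconciliation of the HR roster against the accounts that actually exist: new hires without an account, transferred staff still holding their old department's access, leavers whose accounts are still enabled, and accounts nobody on the roster owns. The roster, the accounts and the department-to-group entitlement table are constructed assumptions.

```python
"""Reconcile system accounts against the HR roster to enforce the new-hire,
transfer and termination procedures. Constructed example: roster, accounts and
the department-to-group entitlement table are assumptions, not the slide's."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # set when status == "terminated"


@dataclass(frozen=True)
class Account:
    user_id: str
    groups: frozenset   # resource groups the account currently holds
    enabled: bool


# Assumed entitlement table: the groups each department is allowed to hold.
ENTITLEMENTS = {
    "finance": frozenset({"staff", "payroll"}),
    "engineering": frozenset({"staff", "source-repo"}),
}


def reconcile(roster, accounts, today: date) -> dict:
    """Findings per procedure:
      new         - active employees with no account yet (onboarding not done)
      transferred - accounts holding groups their current department is not
                    entitled to (access never reviewed after the transfer)
      terminated  - still-enabled accounts of people who left, with days overdue
      orphan      - accounts with no roster entry at all (nobody owns them)"""
    by_user = {a.user_id: a for a in accounts}
    findings = {"new": [], "transferred": [], "terminated": [], "orphan": []}
    for emp in roster:
        acct = by_user.get(emp.user_id)
        if emp.status == "active":
            if acct is None:
                findings["new"].append(emp.user_id)
                continue
            extra = acct.groups - ENTITLEMENTS.get(emp.department, frozenset())
            if extra:
                findings["transferred"].append((emp.user_id, sorted(extra)))
        elif acct is not None and acct.enabled:
            overdue = (today - emp.end_date).days if emp.end_date else None
            findings["terminated"].append((emp.user_id, overdue))
    roster_ids = {e.user_id for e in roster}
    findings["orphan"] = sorted(uid for uid in by_user if uid not in roster_ids)
    return findings


# Constructed data: bob moved finance -> engineering but kept payroll access,
# carol was hired but has no account yet, dave left ten days before TODAY.
TODAY = date(2024, 3, 1)
ROSTER = [
    Employee("alice", "finance", "active"),
    Employee("bob", "engineering", "active"),
    Employee("carol", "engineering", "active"),
    Employee("dave", "finance", "terminated", end_date=date(2024, 2, 20)),
]
ACCOUNTS = [
    Account("alice", frozenset({"staff", "payroll"}), enabled=True),
    Account("bob", frozenset({"staff", "source-repo", "payroll"}), enabled=True),
    Account("dave", frozenset({"staff", "payroll"}), enabled=True),
    Account("svc-backup", frozenset({"staff"}), enabled=True),
]

if __name__ == "__main__":
    for procedure, items in reconcile(ROSTER, ACCOUNTS, TODAY).items():
        print(f"{procedure:12s} {items}")
```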

Page 56: System Administration Procedure
• Software upgrades - Defines how often a system administrator will check for new patches or updates.
• Vulnerability scans - Defines how often and when the scans will be conducted by security.
• Policy reviews - Specifies the security requirements for each system.
• Log reviews - Specifies configuration of automated tools that create log entries and how exceptions must be handled.
• Regular monitoring - Documents when network traffic monitoring will occur.


Backup Policy

Frequency of backups - Identifies how often backups actually occur.

Storage of backups - Defines how to store backups in a secure location. It also states the mechanism for requesting and restoring backups.

Information to be backed up - Identifies which data needs to be backed up more frequently.


Incident Response Procedure

Incident handling objectives - Specifies the objectives of the organization when handling an incident.

Event identification - States corrective actions for an intrusion or user mistake.

Escalation - Specifies an escalation procedure such as activating an incident response team.

Information control - Specifies what information is classified and what can be made public.

Response - Defines the type of response when an incident occurs.

Authority - Defines which individual within the organization or the incident response team has the authority to take action.

Documentation - Defines how the incident response team should document its actions.

Testing of the procedure - Tests the IRP once it is written. It also identifies the loopholes in the procedure and suggests corrective actions.


Configuration Management Procedures

Initial system state - Documents the state of a new system when it goes into production. It should include details of the operating system, version, patch level, application details, and configuration details.

Change control procedure - Executes a change control procedure when a change is to be made to an existing system.
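A recorded initial state is only useful if later snapshots are compared against it, so that any drift not covered by an approved change is flagged. The following is an added example, not code from the slides; the operating system, package and configuration values are constructed, and configuration files are recorded as SHA-256 digests rather than verbatim.

```python
# Added example, not part of the slides: record a system's initial state and
# detect deviations that should have gone through change control.
import hashlib
import json

def snapshot(os_name, version, patch_level, packages, config_files):
    """packages: {name: version}; config_files: {path: content bytes}.
    Config contents are stored only as SHA-256 digests, not verbatim."""
    return {
        "os": {"name": os_name, "version": version, "patch_level": patch_level},
        "packages": dict(packages),
        "configs": {path: hashlib.sha256(data).hexdigest()
                    for path, data in config_files.items()},
    }

def to_record(state):
    """Serialise deterministically so the baseline can be versioned or signed."""
    return json.dumps(state, sort_keys=True, indent=2)

def compare(baseline, current):
    """Return human-readable differences; any entry means a change-control review is due."""
    changes = []
    for key in ("name", "version", "patch_level"):
        if baseline["os"][key] != current["os"][key]:
            changes.append(f"os.{key}: {baseline['os'][key]} -> {current['os'][key]}")
    old, new = baseline["packages"], current["packages"]
    for name in sorted(set(old) | set(new)):
        if name not in new:
            changes.append(f"package removed: {name}")
        elif name not in old:
            changes.append(f"package added: {name} {new[name]}")
        elif old[name] != new[name]:
            changes.append(f"package changed: {name} {old[name]} -> {new[name]}")
    old, new = baseline["configs"], current["configs"]
    for path in sorted(set(old) | set(new)):
        if old.get(path) != new.get(path):
            changes.append(f"config changed: {path}")
    return changes

# Constructed sample: the state recorded at go-live and a later snapshot.
BASELINE = snapshot("linux", "22.04", "2024-01", {"openssh-server": "9.3", "nginx": "1.24"},
                    {"/etc/ssh/sshd_config": b"PasswordAuthentication no\n"})
CURRENT = snapshot("linux", "22.04", "2024-02",
                   {"openssh-server": "9.3", "nginx": "1.24", "telnetd": "0.17"},
                   {"/etc/ssh/sshd_config": b"PasswordAuthentication yes\n"})

if __name__ == "__main__":
    print(to_record(BASELINE))
    for change in compare(BASELINE, CURRENT):
        print(change)
```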


Design Methodology

Requirements definition - Specifies the security requirements that need to be included during the requirement definition phase.

Design - Specifies that security should be represented to ensure that the project is secured during the design phase.

Test - Specifies that when the project reaches the testing phase, the security requirements should also be tested.

Implementation - Specifies that the implementation team should use proper configuration management procedures.


Disaster Recovery Plans

Single system or device failures - Includes a network device, disk, motherboard, network interface card, or component failure.

Data center events - Provides procedures for a major event within a data center.

Site events - Identifies the critical capabilities that need to be restored.

Testing the DRP - Identifies key employees and performs walkthroughs of the plan periodically.


Creating an Appropriate Policy

To create an appropriate policy:

Identify which policies are most relevant and important to an organization.

Conduct a risk assessment to identify risk areas.

Define all acceptable and unacceptable employee behavior.

State all restrictions clearly.

Identify individuals and other stakeholders who will be affected by the policy.

State expectations clearly.

Define a set of possible outlines.

Draft the policy based on the outline.

Include stakeholders during discussions and invite suggestions.

Brainstorm before developing the final policy.


Deploying the Policy

Every department of the organization that is affected by the policy must accept the underlying concept.

Conduct security awareness training where employees are informed of the intended change.

Make well-planned transitions rather than radical changes while implementing the policy.


Using Policy Effectively

Identify security requirements early in the process. Security should be a part of the design phase of the project.

Examine existing systems to ensure they are in compliance with new policies.

Conduct periodic audits to ensure compliance with the policy.

Review policies regularly to ensure they are still relevant for the organization.


Summary

Policies define how security is implemented within an organization. Each policy must have a purpose, scope, and responsibility.

An organization must establish information policy, security policy, computer use policy, Internet and e-mail policy, and a backup policy.

An organization must also define user management, system administration, incident response, and configuration management procedures.

The disaster recovery plan details recovery actions for various levels of failures.

While creating a policy, ensure that it will be relevant and important to an organization.

Involve stakeholders in policy discussions. Conduct security awareness training regularly.

Include security issues at each development phase of a project.