K. Salah

Administering Security
Vulnerabilities, Risk Analysis, and Security Policy

Vulnerabilities

Security objectives:
• Prevent attacks
• Detect attacks
• Recover from attacks
Attacks exploit weaknesses in information systems.
Need: find the weaknesses.
Identifying and Eliminating Weaknesses
I. Vulnerability monitoring
II. Secure system development
III. User training and awareness
IV. Avoiding single points of failure
I. Vulnerability Monitoring
• Identify potential weaknesses in existing information systems
• Reveals a wide range of vulnerabilities
I. Security Flaws
• Secure software installation
  • Correct installation of software
  • Change default settings (default accounts, passwords, and enabled services)
  • Validate upgrades/changes before applying them
  • Patch newly discovered security flaws promptly
I. Vulnerability Detection Tools
• Computer Oracle and Password System (COPS), free
  • Checks for vulnerabilities on UNIX systems (file and directory permissions, weak passwords, setuid programs)
• Security Administrator Tool for Analyzing Networks (SATAN), free
  • Network scanner that probes hosts for known remotely exploitable weaknesses
• SAFEsuite (Internet Security Systems, Inc.), commercial
  • Family of network security assessment tools (web security scanner, firewall scanner, intranet scanner, system security scanner)
  • License keyed to the IP addresses of the customer
I. Keeping up with Security Publications
• Legitimate publications: how to remove vulnerabilities
  • CERT advisories
  • SANS Security Digest
• Hacker publications: "how to" exploit known vulnerabilities
• Security mailing lists
II. Building Secure Systems
• 1960s: US Department of Defense (DoD) recognizes the risk of unsecured information systems
• 1981: National Computer Security Center (NCSC) established at the NSA
  • DoD Trusted Computer System Evaluation Criteria (TCSEC), the "Orange Book"
II. National Information Assurance Partnership (NIAP)
• 1997: National Institute of Standards and Technology (NIST), National Security Agency (NSA), and industry
• Aims to improve the efficiency of security evaluation
  • Transfer evaluation methodologies and techniques to private-sector laboratories
• Functions: develop tests, test methods, and tools for evaluating and improving security products; develop protection profiles and associated tests; establish a formal, internationally recognized scheme for Common Criteria (CC) evaluations
III. Security Awareness and Training
• Major weakness: user unawareness
• Organizational effort
• Educational effort
• Customer training
  • Federal Trade Commission: program to educate consumers about web scams
IV. Avoid Single Points of Failure
• Critical information resources
  • Identification
  • Backup
  • Hiding
• Separation of duties
  • Multi-person requirements
  • Limit temptations

Risk Analysis

Overview
• Definition and purpose of risk analysis
• Elements of risk analysis
• Quantitative vs. qualitative analysis
• Quantitative example
• Qualitative example
Risk Management Cycle
[Figure: risk management cycle, from GAO/AIMD-99-139]
What is Risk Analysis?
• The process of identifying, assessing, and reducing risks to an acceptable level
  • Defines and controls threats and vulnerabilities
  • Implements risk reduction measures
• An analytic discipline with three parts:
  • Risk assessment: determine what the risks are
  • Risk management: evaluate alternatives for mitigating the risk
  • Risk communication: present this material in an understandable way to decision makers and/or the public
Benefits of Risk Analysis
• Assurance that the greatest risks have been identified and addressed
• Increased understanding of risks
• Mechanism for reaching consensus
• Support for needed controls
• Means for communicating results
Basic Risk Analysis Structure
• Evaluate
  • Value of computing and information assets
  • Vulnerabilities of the system
  • Threats from inside and outside
• Examine
  • Availability of security countermeasures
  • Effectiveness of countermeasures
  • Costs (installation, operation, etc.) of countermeasures
Who Should be Involved?
• Security experts
• Internal domain experts
  • They know best how things really work
• Managers responsible for implementing controls
Critical Assets
• People and skills
• Goodwill
• Hardware/software
• Data
• Documentation
• Supplies
• Physical plant
• Money
Threats
• Attacks against key security services
  • Confidentiality, integrity, availability
• One threat classification
  • Disclosure, deception, disruption, usurpation
Example Threat List
• T01 Access (Unauthorized to System - logical)
• T02 Access (Unauthorized to Area - physical)
• T03 Airborne Particles (Dust)
• T04 Air Conditioning Failure
• T05 Application Program Change (Unauthorized)
• T06 Bomb Threat
• T07 Chemical Spill
• T08 Civil Disturbance
• T09 Communications Failure
• T10 Data Alteration (Error)
• T11 Data Alteration (Deliberate)
• T12 Data Destruction (Error)
• T13 Data Destruction (Deliberate)
• T14 Data Disclosure (Unauthorized)
• T15 Disgruntled Employee
• T16 Earthquakes
• T17 Errors (All Types)
• T18 Electro-Magnetic Interference
• T19 Emanations Detection
• T20 Explosion (Internal)
• T21 Fire, Catastrophic
• T22 Fire, Major
• T23 Fire, Minor
• T24 Floods/Water Damage
• T25 Fraud/Embezzlement
• T26 Hardware Failure/Malfunction
• T27 Hurricanes
• T28 Injury/Illness (Personal)
• T29 Lightning Storm
• T30 Liquid Leaking (Any)
• T31 Loss of Data/Software
• T32 Marking of Data/Media Improperly
• T33 Misuse of Computer/Resource
• T34 Nuclear Mishap
• T35 Operating System Penetration/Alteration
• T36 Operator Error
• T37 Power Fluctuation (Brown/Transients)
• T38 Power Loss
• T39 Programming Error/Bug
• T40 Sabotage
• T41 Static Electricity
• T42 Storms (Snow/Ice/Wind)
• T43 System Software Alteration
• T44 Terrorist Actions
• T45 Theft (Data/Hardware/Software)
• T46 Tornado
• T47 Tsunami (Pacific area only)
• T48 Vandalism
• T49 Virus/Worm (Computer)
• T50 Volcanic Eruption
Vulnerabilities
• Flaw or weakness in a system
  • Security procedures
  • Design
  • Implementation
• Threats trigger vulnerabilities
  • Accidental
  • Malicious
Example Vulnerabilities
• Physical
  • V01 Susceptible to unauthorized building access
  • V02 Computer room susceptible to unauthorized access
  • V03 Media library susceptible to unauthorized access
  • V04 Inadequate visitor control procedures
  • (and 36 more)
• Administrative
  • V41 Lack of management support for security
  • V42 No separation of duties policy
  • V43 Inadequate/no computer security plan policy
  • V47 Inadequate/no emergency action plan
  • (and 7 more)
• Personnel
  • V56 Inadequate personnel screening
  • V57 Personnel not adequately trained in job
  • ...
• Software
  • V62 Inadequate/missing audit trail capability
  • V63 Audit trail log not reviewed weekly
  • V64 Inadequate control over application/program changes
• Communications
  • V87 Inadequate communications system
  • V88 Lack of encryption
  • V89 Potential for disruptions
  • ...
• Hardware
  • V92 Lack of hardware inventory
  • V93 Inadequate monitoring of maintenance personnel
  • V94 No preventive maintenance program
  • ...
  • V100 Susceptible to electronic emanations
Controls
• Mechanisms or procedures for mitigating vulnerabilities
  • Prevent
  • Detect
  • Recover
• Understand the cost and coverage of each control
• Controls follow vulnerability and threat analysis
Example Controls
• C01 Access control devices - physical
• C02 Access control lists - physical
• C03 Access control - software
• C04 Assign ADP security officer and assistant in writing
• C05 Install/review audit trails
• C06 Conduct risk analysis
• C07 Develop backup plan
• C08 Develop emergency action plan
• C09 Develop disaster recovery plan
• ...
• C21 Install walls from true floor to true ceiling
• C22 Develop visitor sign-in/escort procedures
• C23 Investigate backgrounds of new employees
• C24 Restrict number of privileged users
• C25 Develop separation of duties policy
• C26 Require use of unique passwords for logon
• C27 Make password changes mandatory
• C28 Encrypt password file
• C29 Encrypt data/files
• C30 Hardware/software training for personnel
• C31 Prohibit outside software on system
• ...
• C47 Develop software life cycle development program
• C48 Conduct hardware/software inventory
• C49 Designate critical programs/files
• C50 Lock PCs/terminals to desks
• C51 Update communications system/hardware
• C52 Monitor maintenance personnel
• C53 Shield equipment from electromagnetic interference/emanations
• C54 Identify terminals
Risk Control Trade-Offs
• The only safe asset is a dead asset
  • An asset that is completely locked away is safe, but useless
  • Trade-off between safety and availability
• Do not waste effort on assets with low loss value
  • Don't spend resources to protect garbage
• A control only has to be good enough, not absolute
  • Make it tough enough to discourage the enemy
Types of Risk Analysis
• Quantitative
  • Assigns real numbers to the costs of safeguards and damage
  • Annual loss expectancy (ALE): single loss expectancy (SLE) times the annualized rate of occurrence (ARO)
  • Probability of the event occurring
  • Can be unreliable/inaccurate: the input values and probabilities are often guesses
• Qualitative
  • Judges an organization's risk from threats
  • Based on judgment, intuition, and experience
  • Ranks the seriousness of the threats against the sensitivity of the assets
  • Subjective; lacks hard numbers to justify return on investment
Qualitative Risk Analysis
• Generally used in information security
  • Hard to make meaningful valuations and meaningful probabilities
  • Relative ordering is faster and more important
• Many approaches to performing qualitative risk analysis
• Same basic steps as quantitative analysis
  • Still identifying assets, threats, vulnerabilities, and controls
  • Just evaluating importance differently
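The overview promised a quantitative and a qualitative example; the following is one added here as an illustration, not material from the slides. It computes SLE = asset value × exposure factor and ALE = SLE × ARO, scores candidate controls by ALE reduction minus annual cost, and ranks the same kind of entries qualitatively on a likelihood × impact matrix. Every asset value, rate, cost, control effect and the 5×5 band cut-offs are constructed assumptions; the threat and control labels (T49, C07, C31) just reuse IDs from the example lists above.

```python
"""Risk register in miniature: quantitative ALE plus a qualitative likelihood x impact
ranking. Added example; all asset values, rates, costs, control effects and band
thresholds below are constructed for illustration, not data from the slides."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str             # labels reuse IDs from the slide's example threat list
    asset_value: float      # value at risk, in currency units (constructed)
    exposure_factor: float  # fraction of the asset lost per occurrence, 0..1 (constructed)
    aro: float              # annualized rate of occurrence, events per year (constructed)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str               # labels reuse IDs from the slide's example control list
    annual_cost: float
    aro_reduction: float    # fraction by which the control cuts ARO (prevention)
    ef_reduction: float = 0.0  # fraction by which it cuts the exposure factor (recovery)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    aro = risk.aro * (1.0 - control.aro_reduction)
    ef = risk.exposure_factor * (1.0 - control.ef_reduction)
    return risk.asset_value * ef * aro


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided minus the control's annual cost. Negative means the
    control costs more than it saves: the 'don't protect garbage' rule in numbers."""
    return (risk.ale - residual_ale(risk, control)) - control.annual_cost


def best_control(risk: Risk, candidates: Iterable[Control]) -> Optional[Control]:
    """The control with the highest positive net benefit, or None if none pays off."""
    ranked = sorted(candidates, key=lambda c: net_benefit(risk, c), reverse=True)
    if ranked and net_benefit(risk, ranked[0]) > 0:
        return ranked[0]
    return None


# Qualitative side: ordinal scales instead of currency. The words and cut-offs are
# an assumed 5x5 matrix, not a standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualitative_rank(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, int, str]]:
    """entries: (label, likelihood word, impact word) -> (label, score, band),
    highest relative risk first. Only the ordering and band matter, not the number."""
    out = []
    for label, lik, imp in entries:
        score = LIKELIHOOD[lik] * IMPACT[imp]
        band = "high" if score >= 15 else "medium" if score >= 8 else "low"
        out.append((label, score, band))
    return sorted(out, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    r = Risk("file server data", "T49 Virus/Worm", 200_000, 0.25, 0.5)
    controls = [Control("C31 prohibit outside software", 8_000, 0.8),
                Control("C07 backup plan (expensive variant)", 30_000, 0.0, 0.6)]
    print(f"SLE={r.sle:,.0f}  ALE={r.ale:,.0f}")
    for c in controls:
        print(f"  {c.name}: residual ALE={residual_ale(r, c):,.0f} net={net_benefit(r, c):,.0f}")
    print("choose:", best_control(r, controls))
    for row in qualitative_rank([("T38 Power loss", "likely", "moderate"),
                                 ("T49 Virus/Worm", "almost certain", "major"),
                                 ("T47 Tsunami", "rare", "severe")]):
        print(row)
```

With the constructed numbers the cheap preventive control saves 20,000 a year for 8,000 and is chosen, while the 30,000 backup variant saves only 15,000 and is rejected even though it "works"; the qualitative ranking puts the same worm threat first without needing any of those figures, which is the slide's point about relative ordering.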
Key Points
• Key elements of risk analysis: assets, threats, vulnerabilities, and controls
• Most security risk analysis uses qualitative analysis
• Not a scientific process
  • Companies will develop their own procedure
  • Still a good framework for better understanding of system security

Security Policy

Overview
• Understanding why policy is important
• Defining various policies
• Creating an appropriate policy
• Deploying policies
• Using policy effectively
Understanding Why Policy is Important
• The two primary functions of a policy are:
  • It defines the scope of security within an organization.
  • It clearly states what is expected from everyone in the organization.
• Policy defines how security should be implemented.
  • It includes the system configurations, network configurations, and physical security measures.
  • It defines the mechanisms used to protect information and systems.
  • It defines how the organization should react when security incidents occur.
• Policy provides the framework for employees to work together.
  • It defines the common goals and objectives of the organization's security program.
  • Proper security awareness training helps implement policy initiatives effectively.
Defining Various Policies
• Information policy
• Security policy
• Computer use policy
• Internet use policy
• E-mail policy
• User management procedures
• System administration procedures
• Backup policy
• Incident response policy
• Configuration management procedures
• Design methodology
• Disaster recovery plans
Information Policy
• Identification of sensitive information
• Classifications
• Marking and storing sensitive information
• Transmission of sensitive information
• Destruction of sensitive information

Identification of Sensitive Information
• Sensitive information differs depending on the business of the organization.
• It may include business records, product designs, patent information, and company phone books.
• It may also include payroll, medical insurance, and any other financial information.
Classifications
• Only the lowest level of information should be made public.
• Proprietary, company-sensitive, or company-confidential information is releasable to employees.
• Restricted or protected information must be made available to authorized employees only.
Marking and Storing Sensitive Information
• The policy must require that all sensitive information be marked.
• It should address the storage mechanism for information on paper or on computer systems.
• For information stored on computer systems, the policy should specify the appropriate levels of protection.
• Use encryption wherever required.
Transmission of Sensitive Information
• The policy addresses how sensitive information must be transmitted.
• It specifies the encryption method to be used when transmitting information by electronic mail.
• For hardcopies of information, request a signed receipt.
Destruction of Sensitive Information
• To destroy sensitive information:
  • Shred information on paper; cross-cut shredders provide an added level of protection.
  • Tools such as PGP Desktop and BCWipe can be used to securely delete (overwrite) documents on a desktop system; an ordinary delete leaves the data recoverable.
Security Policy
• Identification and authentication
• Access control
• Audit
• Network connectivity
• Malicious code
• Encryption
• Waivers
• Appendices
Identification and Authentication
• The security policy defines how users will be identified.
• It defines the primary authentication mechanism for users and administrators.
• It defines a stronger mechanism for remote access such as VPN or dial-in access.

Access Control
• The security policy defines the standard requirement for access control of electronic files.
• The requirement includes the required mechanism and the default permissions for new files.
• The mechanism should work with the authentication mechanism to allow only authorized users to access the information.
Audit
• The security policy must require that the following events be audited:
  • Logins (successful and failed)
  • Logouts
  • Failed access to files or system objects
  • Remote access (successful and failed)
  • Privileged actions
  • System events (such as shutdowns and reboots)
• Each event record should also capture the following information:
  • User ID (if there is one)
  • Date and time
  • Process ID (if there is one)
  • Action performed
  • Success or failure of the event
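What a policy like the one above buys you is only visible once something reads the records. The following is an added example, not from the slides or any real audit subsystem: it checks constructed audit records for the required fields (action and result mandatory; user ID and process ID "if there is one"), then runs two of the detections the event list makes possible, a burst of failed logins per user and a listing of privileged actions. The one-line "timestamp k=v k=v" format, the action names and the sample lines are all assumptions made for this illustration.

```python
"""Audit-record checks: verify each event carries the fields the policy requires and
run simple detections (failed-login bursts, privileged actions) over the records.
Added example; the record format and the sample lines are constructed for this
illustration and do not correspond to any real audit subsystem."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
REQUIRED = ("action", "result")     # every event: what happened and whether it succeeded
OPTIONAL = ("uid", "pid")           # "if there is one": system events may carry neither
PRIVILEGED = {"sudo", "su", "shutdown", "reboot", "policy_change"}   # assumed action names
LOGIN_ACTIONS = {"login", "remote_login"}

# Constructed sample: three failed logins by alice inside two minutes, one failure by
# bob, a privileged sudo by carol, a system reboot with no user, and a malformed
# record (line 8) that lacks its result field.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z uid=alice pid=4411 action=login result=fail src=10.0.0.5
2024-03-04T09:12:40Z uid=alice pid=4412 action=login result=fail src=10.0.0.5
2024-03-04T09:13:05Z uid=alice pid=4413 action=login result=fail src=10.0.0.5
2024-03-04T09:13:30Z uid=alice pid=4414 action=login result=ok src=10.0.0.5
2024-03-04T09:15:00Z uid=bob pid=4420 action=remote_login result=fail src=203.0.113.9
2024-03-04T09:16:10Z uid=carol pid=4430 action=sudo result=ok cmd=/usr/sbin/useradd
2024-03-04T09:20:00Z pid=1 action=reboot result=ok
2024-03-04T09:21:00Z uid=dave pid=4440 action=file_access
"""


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """'<timestamp> k=v k=v ...' -> dict, or None for a blank line."""
    parts = line.strip().split()
    if not parts:
        return None
    rec = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def validate(rec: Dict[str, str]) -> List[str]:
    """Policy violations for one record; an empty list means the record is compliant."""
    problems = []
    try:
        datetime.strptime(rec["ts"], TS_FORMAT)
    except ValueError:
        problems.append("bad timestamp")
    for field in REQUIRED:
        if field not in rec:
            problems.append(f"missing {field}")
    if "result" in rec and rec["result"] not in ("ok", "fail"):
        problems.append("result must be ok|fail")
    return problems


def failed_login_bursts(records, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """{uid: most failures seen inside any `window`} for users reaching `threshold`."""
    fails = defaultdict(list)
    for r in records:
        if r.get("action") in LOGIN_ACTIONS and r.get("result") == "fail" and "uid" in r:
            fails[r["uid"]].append(datetime.strptime(r["ts"], TS_FORMAT))
    flagged = {}
    for uid, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over the sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[uid] = max(flagged.get(uid, 0), count)
    return flagged


def audit_report(text: str) -> dict:
    """Validate every line first; detections run over the compliant records only,
    so a malformed record is reported rather than silently skipped."""
    valid, invalid = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_record(line)
        problems = validate(rec) if rec else ["blank line"]
        if problems:
            invalid.append((lineno, problems))
        else:
            valid.append(rec)
    privileged = [(r["ts"], r.get("uid", "-"), r["action"]) for r in valid if r["action"] in PRIVILEGED]
    return {"valid": len(valid), "invalid": invalid,
            "bursts": failed_login_bursts(valid), "privileged": privileged}


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit_report(SAMPLE_LOG))
```

The reboot record has no user ID and still passes, because the policy only requires the ID when one exists; the file_access record without a result is rejected, because success or failure is mandatory for every event and a detection that silently ignored it would be blind exactly where an attacker wants it to be.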
Network Connectivity
• The security policy specifies the rules for network connectivity and the protection mechanisms. It includes:
  • Dial-in connections
  • Permanent connections
  • Remote access to internal systems
  • Wireless networks

Malicious Code
• The security policy specifies where security programs that look for malicious code must be placed.
• Some appropriate locations are file servers, desktop systems, and electronic mail servers.
• It should specify the requirements for such security programs.
• It should require periodic updates of the signatures used by these programs.
Encryption
• The security policy should define the acceptable encryption algorithms for use.
• It can refer to the information policy to choose the appropriate algorithms to protect sensitive information.
• It should also specify the procedures required for key management.

Waivers
• The security policy should provide a mechanism for cases where a system or project cannot comply with the policy: a risk assessment and a contingency plan.
• For each such situation, the system designer or project manager should complete a waiver form.
• The security department reviews the waiver request and provides risk assessment results and recommendations to minimize the risk.
• The waiver should be approved by the organization's officer in charge of the project.
Appendices
• The security policy appendices should have details of security configurations for:
  • Various operating systems
  • Network devices
  • Telecommunication equipment
Computer Use Policy
• Ownership of computers - States that all computers are owned by the organization.
• Ownership of information - States that all information stored on or used by the organization's computers is proprietary to the organization.
• Acceptable use of computers - States all acceptable and unacceptable uses of the organization's computers.
• No expectation of privacy - States that employees have no expectation of privacy for any information stored, sent, or received on the organization's computers.

Internet Use Policy
• The Internet use policy is part of the general computer use policy.
• It can be a separate policy due to the specific nature of Internet use.
• The Internet use policy defines the appropriate uses of the Internet within an organization.
• It may also define inappropriate uses such as visiting non-business-related web sites.

E-mail Policy
• Internal mail issues - The electronic mail policy should not conflict with other human resource policies.
• External mail issues - Electronic mail leaving an organization may contain sensitive information. Therefore, it may be monitored.
User Management Procedures
• New employee procedure - Provides new employees with the proper access to computer resources.
• Transferred employee procedure - Reviews employees' computer access when they are transferred within the organization.
• Employee termination procedure - Ensures removal of users who no longer work for the organization.

System Administration Procedures
• Software upgrades - Defines how often a system administrator will check for new patches or updates.
• Vulnerability scans - Defines how often and when scans will be conducted by security.
• Policy reviews - Specifies the security requirements for each system.
• Log reviews - Specifies the configuration of automated tools that create log entries and how exceptions must be handled.
• Regular monitoring - Documents when network traffic monitoring will occur.

Backup Policy
• Frequency of backups - Identifies how often backups actually occur.
• Storage of backups - Defines how to store backups in a secure location. It also states the mechanism for requesting and restoring backups.
• Information to be backed up - Identifies which data needs to be backed up more frequently.
Incident Response Procedure
• Incident handling objectives - Specifies the objectives of the organization when handling an incident.
• Event identification - States the corrective actions for an intrusion or a user mistake.
• Escalation - Specifies an escalation procedure such as activating an incident response team.
• Information control - Specifies what information is classified and what can be made public.
• Response - Defines the type of response when an incident occurs.
• Authority - Defines which individual within the organization or the incident response team has the authority to take action.
• Documentation - Defines how the incident response team should document its actions.
• Testing of the procedure - Tests the IRP once it is written. This identifies loopholes in the procedure and suggests corrective actions.
Configuration Management Procedures
• Initial system state - Documents the state of a new system when it goes into production. It should include details of the operating system, version, patch level, application details, and configuration details.
• Change control procedure - Executes a change control procedure whenever a change is to be made to an existing system.
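The two procedures above only have teeth if the recorded initial state can be compared against the live system later. The following is an added example, not from the slides: it records the initial system state as a JSON baseline (OS, version and patch-level metadata plus a SHA-256 digest of every configuration file), then diffs a later snapshot against it so that any edit made outside change control shows up as an added, removed or changed file. The demo() function builds a throwaway directory tree with constructed file contents and metadata; the paths, contents and the simulated unauthorized changes are assumptions made for the illustration.

```python
"""Baseline-and-drift check for configuration management: record the initial system
state (file digests plus OS/version/patch-level metadata), then compare a later
snapshot against it. Added example; the paths, file contents and metadata used in
demo() are constructed for illustration and live in a temporary directory."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def file_digest(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Files that appeared, disappeared or changed content since the baseline."""
    both = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(k for k in both if baseline[k] != current[k])}


def save_baseline(snap: Dict[str, str], metadata: Dict[str, str], path) -> None:
    """Persist the initial system state. Store this outside the tree being watched
    (and ideally off-box), otherwise an attacker who edits a file can edit the baseline too."""
    Path(path).write_text(json.dumps({"metadata": metadata, "files": snap}, indent=2, sort_keys=True))


def load_baseline(path) -> Tuple[Dict[str, str], Dict[str, str]]:
    data = json.loads(Path(path).read_text())
    return data["metadata"], data["files"]


def demo() -> Dict[str, list]:
    """Build a constructed system tree, baseline it, apply changes outside change
    control, and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        files = {  # constructed contents, not real configuration
            "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
            "etc/motd": "authorized use only\n",
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
        }
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        baseline_file = Path(tmp) / "baseline.json"   # kept outside the watched tree
        metadata = {"os": "Linux", "version": "6.1", "patch_level": "2024-03"}  # assumed values
        save_baseline(snapshot(root), metadata, baseline_file)

        # Simulated changes made without going through change control.
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/nightly").write_text("* * * * * root /tmp/x\n")
        (root / "etc/motd").unlink()

        _, files_then = load_baseline(baseline_file)
        return diff_snapshots(files_then, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real host the same way: snapshot the configuration directories when the system goes into production, save the baseline together with the metadata the slide lists, and make every approved change re-baseline as its final step; anything the next comparison reports is either an undocumented change or an intrusion, and both belong in the incident response procedure.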
Design Methodology
• Requirements definition - Specifies the security requirements that need to be included during the requirements definition phase.
• Design - Specifies that security should be represented to ensure the project is secured during the design phase.
• Test - Specifies that when the project reaches the testing phase, the security requirements should also be tested.
• Implementation - Specifies that the implementation team should use proper configuration management procedures.

Disaster Recovery Plans
• Single system or device failures - Includes a network device, disk, motherboard, network interface card, or component failure.
• Data center events - Provides procedures for a major event within a data center.
• Site events - Identifies the critical capabilities that need to be restored.
• Testing the DRP - Identifies key employees and performs walkthroughs of the plan periodically.
Creating an Appropriate Policy
• To create an appropriate policy:
  • Identify which policies are most relevant and important to the organization.
  • Conduct a risk assessment to identify risk areas.
  • Define all acceptable and unacceptable employee behavior.
  • State all restrictions clearly.
  • Identify individuals and other stakeholders who will be affected by the policy.
  • State expectations clearly.
  • Define a set of possible outlines.
  • Draft the policy based on the outline.
  • Include stakeholders during discussions and invite suggestions.
  • Brainstorm before developing the final policy.

Deploying the Policy
• Every department of the organization that is affected by the policy must accept the underlying concept.
• Conduct security awareness training in which employees are informed of the intended change.
• Make well-planned transitions rather than radical changes while implementing the policy.

Using Policy Effectively
• Identify security requirements early in the process. Security should be part of the design phase of the project.
• Examine existing systems to ensure they comply with new policies.
• Conduct periodic audits to ensure compliance with the policy.
• Review policies regularly to ensure they are still relevant for the organization.
Summary
• Policies define how security is implemented within an organization.
• Each policy must have a purpose, scope, and responsibility.
• An organization must establish an information policy, security policy, computer use policy, Internet and e-mail policy, and a backup policy.
• An organization must also define user management, system administration, incident response, and configuration management procedures.
• The disaster recovery plan details recovery actions for various levels of failure.
• While creating a policy, ensure that it will be relevant and important to the organization.
• Involve stakeholders in policy discussions. Conduct security awareness training regularly.
• Include security issues at each development phase of a project.