ch14 policies and legislation
DESCRIPTION
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa

Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).

CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm

Many thanks to Sam Bowne for allowing us to publish these presentations.
TRANSCRIPT
![Page 1: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/1.jpg)
Chapter 14: Security Policies and Training
![Page 2: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/2.jpg)
Objectives
- Define organizational security policy
- List the types of security policies
- Describe how education and training can limit the impact of social engineering
![Page 3: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/3.jpg)
![Page 4: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/4.jpg)
Organizational Security Policies
- Plans and policies must be established by the organization to ensure that users correctly implement the hardware and software defenses
- One of the key policies is an organizational security policy
![Page 5: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/5.jpg)
Balancing Trust and Control
Three approaches to trust:
- Trust everyone all of the time
- Trust no one at any time
- Trust some people some of the time
Deciding on the level of control for a specific policy is not always clear. The security needs and the culture of the organization play a major role when deciding what level of control is appropriate.
![Page 6: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/6.jpg)
What Is a Security Policy?
Security policy: a written document; a plan to protect information technology assets
Security policy functions:
- States overall intention and direction
- Details specific risks and how to address them
- Creates a security-aware organizational culture
- Ensures that employee behavior is directed and monitored
![Page 7: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/7.jpg)
UC Berkeley Loyalty Oath
- In 1949, the University of California required all University employees to sign an oath
- In 1950, thirty-one "non-signer" professors were dismissed
- Another teacher was fired for the same reason in 2008 at Cal State
Links Ch 14a, 14b
![Page 8: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/8.jpg)
Attitudes Toward Security
![Page 9: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/9.jpg)
Terms Used to Describe Rules
- Standard: a collection of requirements specific to the system or procedure that must be met by everyone. Example: only fully patched laptops can connect to the network
- Guideline: a collection of suggestions that should be implemented (not required)
- Policy: a document that outlines specific requirements or rules that must be met; it frequently refers to standards and guidelines
![Page 10: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/10.jpg)
What Policies Do
- Communicate a consensus of judgment
- Define appropriate behavior for users
- Identify what tools and procedures are needed
- Provide directives for Human Resource action in response to inappropriate behavior
- Policies may be helpful in the event that it is necessary to prosecute violators
![Page 11: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/11.jpg)
The Security Policy Cycle
- First phase: risk management study
  - Asset identification
  - Threat identification
  - Vulnerability appraisal
  - Risk assessment
  - Risk mitigation
- Second phase: use the information from the risk management study to create the policy
- Final phase: review the policy for compliance
![Page 12: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/12.jpg)
Security Policy Cycle
![Page 13: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/13.jpg)
Principles for Security Policy Development
![Page 14: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/14.jpg)
Development Team
- Designing a security policy should be the work of a team, including Management, Legal, and Users
- The team decides on the scope and goals of the policy
- Statements regarding due care are often included
![Page 15: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/15.jpg)
Due Care
The obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them
Link Ch 14c
![Page 16: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/16.jpg)
Due Care Examples
- Employees will exercise due care in opening email attachments
- Technicians will exercise due care when installing new equipment (don't leave the password on a note taped to the monitor)
- Students will exercise due care when using computers in a lab setting (don't let other students see your password)
![Page 17: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/17.jpg)
Guidelines for Designing a Security Policy
- Notify users in advance that a new security policy is being developed
- Explain why the policy is needed
- Prior to deployment, give all users at least two weeks to review and comment
![Page 18: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/18.jpg)
![Page 19: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/19.jpg)
Types of Security Policies
The term security policy becomes an umbrella term for all of the subpolicies included within it
![Page 20: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/20.jpg)
![Page 21: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/21.jpg)
![Page 22: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/22.jpg)
Types of Security Policies (continued)
Most organizations have security policies that address:
- Acceptable use
- Security-related human resources
- Password management and complexity
- Personally identifiable information
- Disposal and destruction
- Service level agreements
- Classification of information
- Change management
- Ethics
![Page 23: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/23.jpg)
Acceptable Use Policy (AUP)
- Defines the actions users may perform while accessing systems and networking equipment
- May have an overview regarding what is covered by this policy
- The AUP usually provides explicit prohibitions regarding security and proprietary information
- Unacceptable use may also be outlined by the AUP
- Acceptable use policies are generally considered to be the most important information security policies
![Page 24: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/24.jpg)
Security-Related Human Resource Policy
- Information about technology resources, how they are used, acceptable use and security policies, and penalties for violating policies
- Due process: treating all accused persons in an equal fashion, using established rules and principles
- Due diligence: any investigation into suspicious employee conduct will examine all material facts
![Page 25: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/25.jpg)
Password Management and Complexity Policy
- Can clearly address how passwords are created and managed
- The policy should also specify what makes up a strong password
![Page 26: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/26.jpg)
Password Management and Complexity Policy (continued)
![Page 27: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/27.jpg)
Password Management and Complexity Policy (continued)
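A password policy is only as good as the check that enforces it at account creation and password change. The block below is an added example, not code from the textbook or the CNIT 120 slides; the thresholds, the rule messages and the tiny blocklist are assumptions chosen for illustration. Its one design point worth noticing: a value such as "P@ssw0rd1!" satisfies every composition rule (length, mixed case, digit, symbol) and is still a well-known breached password, so the policy has to include a blocklist check, and long passphrases are exempted from composition rules in line with NIST SP 800-63B's preference for length and blocklists over character-class rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed stand-in for a breached-password corpus. A real deployment loads a large
# blocklist (or queries one by hash prefix) rather than this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd1!"}

# lower, upper, digit, symbol
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


@dataclass
class PasswordPolicy:
    """Rules a password policy might state; every default here is an assumed value."""
    min_length: int = 12
    max_length: int = 128          # allows passphrases but bounds hashing cost
    min_classes: int = 3           # of the four CHARACTER_CLASSES
    passphrase_length: int = 20    # at or above this length, composition rules are waived
    max_repeat: int = 3            # longest permitted run of a single repeated character
    blocklist: set[str] = field(default_factory=lambda: set(COMMON_PASSWORDS))

    def check(self, password: str, username: str = "") -> list[str]:
        """Return every rule the password violates; an empty list means it is acceptable."""
        problems: list[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
        if classes < self.min_classes and len(password) < self.passphrase_length:
            problems.append(f"only {classes} of 4 character classes, policy requires {self.min_classes}")
        if password.lower() in self.blocklist:
            problems.append("appears on the common-password blocklist")
        if username and username.lower() in password.lower():
            problems.append("contains the username")
        # (.)\1{3,} matches one character followed by three or more copies of itself
        if re.search(r"(.)\1{%d,}" % self.max_repeat, password):
            problems.append(f"repeats one character more than {self.max_repeat} times in a row")
        return problems

    def is_acceptable(self, password: str, username: str = "") -> bool:
        return not self.check(password, username)


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8)
    for candidate in ("P@ssw0rd1!", "correct horse battery staple", "Alice2024!!!!"):
        print(f"{candidate!r}: {policy.check(candidate, username='alice') or 'OK'}")
```

The checker returns the full list of violations rather than stopping at the first one, so the user is told everything to fix in a single round; the blocklist comparison is case-insensitive because attackers' wordlists are tried that way too.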
![Page 28: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/28.jpg)
Personally Identifiable Information (PII) Policy
![Page 29: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/29.jpg)
Disposal and Destruction Policy
- Addresses the disposal of resources that are considered confidential
- Often covers how long records and data will be retained
- Involves how to dispose of equipment, such as destroying hard drives (link Ch 14d)
![Page 30: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/30.jpg)
Service Level Agreement (SLA) Policy
- Service level agreement (SLA): a service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service
- Service level agreement (SLA) policy: an organizational policy that governs the conditions to be contained in an SLA
- Many SLA policies contain tiers of service
![Page 31: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/31.jpg)
![Page 32: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/32.jpg)
Classification of Information Policy
- Designed to produce a standardized framework for classifying information assets
- Generally, this involves creating classification categories such as high, medium, or low, and then assigning information into these categories
![Page 33: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/33.jpg)
Change Management Policy
- Change management: a methodology for making changes and keeping track of those changes, often manually; it seeks to approach changes systematically and provide documentation of the changes
- Change management policy: outlines how an organization will manage changes in a "rational and predictable" manner so employees and clients can plan accordingly
![Page 34: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/34.jpg)
Ethics Policy
- Values: a person's fundamental beliefs and principles used to define what is good, right, and just
- Morals: values that are attributed to a system of beliefs that help the individual distinguish right from wrong
- Ethics: the study of what a group of people understand to be good and right behavior and how people make those judgments
![Page 35: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/35.jpg)
Ethics Policy (continued)
- Ethics policy: a written code of conduct intended to be a central guide and reference for employees in support of day-to-day decision making
- Intended to clarify an organization's mission, values, and principles, and link them with standards of professional conduct
![Page 36: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/36.jpg)
![Page 37: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/37.jpg)
Organizational Training
Users need training in:
- The importance of securing information
- Roles that they play in security
- Steps to ward off attacks
All users need:
- Continuous training in the new security defenses
- To be reminded of company security policies and procedures
![Page 38: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/38.jpg)
Traits of Learners
![Page 39: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/39.jpg)
Training Styles
- Pedagogical approach: treats students like children
- Andragogical approach: helping adults learn
There are different learning styles:
- Visual learners
- Auditory learners
- Kinesthetic learners
![Page 40: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/40.jpg)
Social Engineering
Tricking and deceiving someone into providing secure information
Phishing
- Sending an e-mail or other message that falsely claims to be from a legitimate enterprise
- An attempt to trick the user into surrendering private information
- Often links to a spoofed Web site
![Page 41: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/41.jpg)
![Page 42: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/42.jpg)
Variations on Phishing Attacks:
- Spear phishing: custom messages targeting specific people
- Pharming: planting false DNS entries (for example by poisoning a DNS cache or a client's hosts file) so that requests for a legitimate domain are deflected to a spoofed site; the data is stolen later when the victim uses that site, so no deceptive message is needed
![Page 43: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/43.jpg)
Ways to Recognize Phishing Messages
- Deceptive Web links (the visible text shows one address, the actual link goes elsewhere)
- E-mails that look like Web sites
- Fake sender's address
- Generic greeting
- Pop-up boxes and attachments
- Insecure Web sites (not HTTPS); note that the converse does not hold, since a spoofed site can obtain a valid HTTPS certificate, so a padlock proves encryption, not legitimacy
- Urgent request
![Page 44: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/44.jpg)
![Page 45: Ch14 Policies and Legislation](https://reader033.vdocuments.mx/reader033/viewer/2022061111/5455b296b1af9fcf338b49e4/html5/thumbnails/45.jpg)
Other Forms of Social Engineering
- Dumpster diving: digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away
- Shoulder surfing: watching an individual enter a security code or password on a keypad
- Computer hoax: an e-mail message containing a false warning to the recipient of a malicious entity circulating through the Internet