Information Security Policies
Professional Practice
Syed Saqib Raza Rizvi
Lecture 12
Topics To Be Covered:
• PART 1: Introduction To Security Policies
Information Security
History
Information Security Policy
Information Security Life Cycle
Laws and Regulation
Sources Of Standards
• PART 2: Security Principles
Basic Information Security Principles
1. Support the business
2. Defend the business
3. Promote responsible security behavior
• PART 3: Security Architecture
Introduction
Defense in Depth
Information Security:
• Information security, sometimes shortened to InfoSec, is the practice
of defending information from unauthorized access, illegal use,
disclosure, disruption, modification, inspection, recording or
destruction.
• Preservation of confidentiality, integrity (accuracy and consistency)
and availability of information.
• Information Security is the process of protecting the intellectual
property of an organization (information may be customer names,
trade secrets etc).
• Information security protects information and minimizes the risk of
exposing it to unauthorized parties.
History:
• Since the early days of communication, diplomats and military
commanders understood that it was necessary to provide some
mechanism to protect the confidentiality of correspondence and to have
some means of detecting tampering.
• Julius Caesar is credited with the invention of the Caesar cipher c. 50 B.C.,
which was created in order to prevent his secret messages from being read
should a message fall into the wrong hands, but for the most part
protection was achieved through the application of procedural handling
controls.
• In the mid-19th century more complex classification systems were
developed to allow governments to manage their information according to
the degree of sensitivity.
History:
• By the time of the First World War, multi-tier classification systems
were used to communicate information to and from various fronts,
which encouraged greater use of code making and breaking sections
in diplomatic and military headquarters.
• By the Second World War, encoding had become more sophisticated, as
machines were employed between the wars to scramble and unscramble
information.
Information Security Policy:
• A set of policies (rules and guidelines) issued by an organization to
ensure that all information technology users within the domain of the
organization comply with rules related to the security of its information.
• The evolution of computer networks has made the sharing of
information ever more prevalent. Information is now exchanged at
the rate of trillions of bytes per millisecond.
Information Security Policy:
• Every organization needs to protect its data and also control how it
should be distributed both within and outside the organizational
boundaries. This may mean that information may have to be
encrypted, authorized through a third party or institution and may
have restrictions placed on its distribution with reference to a
classification system laid out in the information security policy.
Information Security Policy:
• An example of the use of an information security policy might be in a
data storage facility which stores database records on behalf of
medical facilities. These records are sensitive and cannot be shared,
under penalty of law, with any unauthorized recipient whether a real
person or another device.
• An information security policy would be enabled within the software
that the facility uses to manage the data they are responsible for.
• A business might employ an information security policy to protect its
digital assets and intellectual rights in efforts to prevent theft of
industrial secrets and information that could benefit competitors.
Information Security Policy:
• A typical security policy might be hierarchical and apply differently
depending on whom it applies to.
• For example, the secretarial staff who type all the communications of
an organization are usually bound never to share any information
unless explicitly authorized, whereas a more senior manager may be
deemed authoritative enough to decide what information produced
by the secretaries can be shared, and with whom, so they are not bound
by the same rule.
• To cover the whole organization, therefore, information security
policies frequently contain different specifications depending upon
the authoritative status of the persons they apply to.
Information Security Policies:
• Organizations are giving more priority to development of information
security policies, as protecting their assets is one of the prominent things
that needs to be considered.
• Lack of clarity in InfoSec policies can lead to catastrophic damage from
which an organization cannot recover, so organizations adopt different
strategies for implementing a security policy successfully.
• Security policies are intended to define what is expected from employees
within an organization with respect to information systems. The objective
is to guide or control the use of systems to reduce the risk to information
assets. They also give the staff who deal with information systems an
acceptable use policy, explaining what is allowed and what is not.
Information Security Policies Life Cycle:
[Figure: life-cycle diagram; labels recoverable from the slide: Policy, Acceptance]
1. Get Management Support:
• The crucial component for the success of writing an information
security policy is gaining management support. Management will
study the need for information security policies and assign a budget to
implement them. Time, money, and resource mobilization are some
of the factors discussed at this stage. It is the role of the presenter
to make management understand the benefits and gains achieved
through implementing these security policies.
2. Write Policies:
• Now we need to know our information systems and write policies
accordingly. All too often, when information security policies are
developed, a security analyst simply copies the policies of another
organisation with a few changes. Ideally, an analyst should research and
write policies specific to the organisation.
• Security policies need to be properly documented, as a clear,
understandable security policy is much easier to implement. The
documentation should also be available to the individuals responsible
for implementing the policies.
2. Write Policies:
A policy should contain:
• Overview – Background information on the issue the policy addresses.
• Purpose – Why the policy was created.
• Scope – Which areas this policy covers.
• Targeted Audience – To whom the policy applies.
• Policy – A good description of the policy itself.
• Definitions – A brief introduction to the technical jargon used inside the
policy.
• Version – A version number to control the changes made to the document.
3. Implement Policies:
• Once the information security policy is written to cover the rules, all
employees should adhere to it while sending email, using VoIP,
browsing the Internet, and accessing confidential data in a system.
These policies need to be implemented across the organisation;
however, the IT assets that impact the business the most need to be
considered first. By implementing security policies, an organisation
gets greater output at a lower cost. Policies are enforced by
implementing security controls.
4. Monitor:
• Once the security policy is implemented, it becomes part of day-to-day
business activities. Implemented security policies need to be
reviewed whenever there is an organizational change. Compliance with
policies can be monitored using monitoring solutions such as a SIEM, and
violations of security policies can then be dealt with seriously. There
should also be a mechanism for reporting any violations of the policy.
Employees are often afraid to report violations directly, but a proper
mechanism brings problems to stakeholders immediately rather
than when it is too late.
4. Monitor:
Below is a list of some of the security policies that an organization may have:
• Access Control Policy – How information is accessed
• Contingency Planning Policy – How availability of data is maintained online 24/7
• Data Classification Policy – How data are classified
• Change Control Policy – How changes are made to directories or the file server
• Wireless Policy – How wireless infrastructure devices need to be configured
• Incident Response Policy – How incidents are reported and investigated
• Termination of Access Policy – How access is removed when employees are terminated
• Backup Policy – How data are backed up
• Virus Policy – How virus infections need to be dealt with
• Retention Policy – How long data are stored
• Physical Access Policy – How access to the physical area is obtained
• Security Awareness Policy – How security awareness activities are carried out
• Audit Trail Policy – How audit trails are analysed
• Firewall Policy – How firewalls are named, configured, etc.
• Network Security Policy – How network systems are secured
• Encryption Policy – How data are encrypted, the encryption method used, etc.
5. Acceptable usage policy:
• An acceptable usage policy (AUP) is the set of rules one should adhere
to while accessing the network. Some of the assets that these policies
cover are mobile, wireless, desktop, laptop and tablet computers,
email, servers, the Internet, etc. For each asset we need to look at how
we can protect it, how we manage it, who is authorised to use and
administer the asset, what the accepted methods of communication on
these assets are, etc.
Laws and Regulations:
• Below is a partial listing of European, United Kingdom, Canadian and US governmental laws and regulations that have, or will
have, a significant effect on data processing and information security.
• The UK Data Protection Act 1998 makes new provisions for the regulation of the processing of information relating to individuals,
including the obtaining, holding, use or disclosure of such information. The European Union Data Protection Directive (EUDPD)
requires that all EU members adopt national regulations to standardize the protection of data privacy for citizens throughout
the EU.
• The Computer Misuse Act 1990 is an Act of the UK Parliament making computer crime (e.g. hacking) a criminal offence. The Act
has become a model upon which several other countries including Canada and the Republic of Ireland have drawn inspiration
when subsequently drafting their own information security laws.
• EU Data Retention laws require Internet service providers and phone companies to keep data on every electronic message sent
and phone call made for between six months and two years.
• The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232 g; 34 CFR Part 99) is a US Federal law that protects the
privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S.
Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release
any information from a student's education record.
• The Federal Financial Institutions Examination Council's (FFIEC) security guidelines for auditors specify requirements for online
banking security.
• Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the adoption of national standards for electronic
health care transactions and national identifiers for providers, health insurance plans, and employers. And, it requires health care
providers, insurance providers and employers to safeguard the security and privacy of health data.
• Gramm–Leach–Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy
and security of private financial information that financial institutions collect, hold, and process.
Laws and Regulations:
• Sarbanes–Oxley Act of 2002 (SOX). Section 404 of the act requires publicly traded companies to assess the effectiveness of their
internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are
responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also
requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their
assessments.
• Payment Card Industry Data Security Standard (PCI DSS) establishes comprehensive requirements for enhancing payment account
data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American
Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of
consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements
for security management, policies, procedures, network architecture, software design and other critical protective measures.
• State security breach notification laws (California and many others) require businesses, nonprofits, and state institutions to notify
consumers when unencrypted "personal information" may have been compromised, lost, or stolen.
• Personal Information Protection and Electronics Document Act (PIPEDA) – An Act to support and promote electronic commerce
by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of
electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory
Instruments Act and the Statute Revision Act.
• Hellenic Authority for Communication Security and Privacy (ADAE) (Law 165/2011) - The Greek Law establishes and describes the
minimum Information Security controls that should be deployed by every company which provides electronic communication
networks and/or services in Greece in order to protect customers' Confidentiality. These include both managerial and technical
controls (e.g. log records should be stored for two years).
• Hellenic Authority for Communication Security and Privacy (ADAE) (Law 205/2013) - The latest Greek Law published by ADAE
concentrates on the protection of the Integrity and Availability of the services and data offered by the Greek
Telecommunication Companies. The new Law forces Telcos and associated companies to build, deploy and test appropriate
Business Continuity Plans and redundant infrastructures.
Sources of standards:
• The International Organization for Standardization (ISO) is a consortium of
national standards institutes from 157 countries, coordinated through a
secretariat in Geneva, Switzerland. ISO is the world's largest developer of
standards. ISO 15443: "Information technology - Security techniques - A
framework for IT security assurance".
• The US National Institute of Standards and Technology (NIST) is a non-
regulatory federal agency within the U.S. Department of Commerce. The
NIST Computer Security Division develops standards, metrics, tests and
validation programs as well as publishes standards and guidelines to
increase secure IT planning, implementation, management and operation.
NIST is also the custodian of the US Federal Information Processing
Standard publications (FIPS).
Sources of standards:
• The Internet Society is a professional membership society with more than 100
organizational and over 20,000 individual members in over 180 countries. It provides
leadership in addressing issues that confront the future of the Internet, and is the
organizational home for the groups responsible for Internet infrastructure standards,
including the Internet Engineering Task Force (IETF) and the Internet Architecture
Board (IAB).
• The Information Security Forum is a global nonprofit organization of several
hundred leading organizations in financial services, manufacturing,
telecommunications, consumer goods, government, and other areas. It undertakes
research into information security practices and offers advice in its
biannual Standard of Good Practice and more detailed advisories for members.
• The Institute of Information Security Professionals (IISP) is an independent, non-
profit body governed by its members, with the principal objective of advancing the
professionalism of information security practitioners and thereby the
professionalism of the industry as a whole. The Institute developed the IISP Skills
Framework.
Basic Information Security Principles:
• The basic aims of information security are often summarized in three principles:
• Confidentiality means making sure that information is only seen by people who
have the right to see it. For example, this could mean using a strong password on
your computer, shredding sensitive documents, and locking filing cabinets.
• Integrity means ensuring that information remains intact and unaltered. This
means watching out for alterations through malicious action, natural disaster, or
even a simple innocent mistake.
• Availability implies having access to your information when you need it. In other
words, it means making sure no person or event is able to block legitimate or
timely access to information.
1: Support the business
1.1 Focus on the business: To ensure that information security is
integrated into essential business activities.
Individuals within the security community should forge relationships
with business leaders and show how information security can
complement key business and risk management processes. They
should adopt an advisory approach to information security by
supporting business objectives through resource allocation, programs
and projects. High-level enterprise-focused advice should be provided
to protect information and help manage information risk both now and
in the future.
1: Support the business
1.2 Deliver quality and value to stakeholders: To ensure that
information security delivers value and meets business requirements.
Internal and external stakeholders should be engaged through regular
communication so that their changing requirements for information
security can continue to be met. Promoting the value of information
security (both financial and non-financial) helps to gain support for
decision making, which can in turn help the success of the vision for
information security.
1: Support the business
1.3 Provide timely and accurate information on security performance:
To support business requirements and manage information risks.
Requirements for providing information on security performance
should be clearly defined, supported by the most relevant and accurate
security metrics (such as compliance, incidents, control status and
costs) and aligned to business objectives. Information should be
captured in a periodic, consistent and rigorous manner so that
information remains accurate and results can be presented to meet the
objectives of relevant stakeholders.
1: Support the business
1.4 Evaluate current and future information threats:
To analyze and assess emerging information security threats so that
informed, timely action to mitigate risks can be taken.
Major trends and specific information security threats should be
categorized in a comprehensive, standard framework covering a wide
range of topics such as political, legal, economic, sociocultural as well
as technical issues. Individuals should share and build on their
knowledge of upcoming threats to proactively address their causes,
rather than just the symptoms.
1: Support the business
1.5 Promote continuous improvement in information security:
To reduce costs, improve efficiency and effectiveness and promote a
culture of continuous improvement in information security.
Constantly changing organizational business models - coupled with
evolving threats - require information security techniques to be
adapted and their level of effectiveness improved on an ongoing basis.
Knowledge of the latest information security techniques should be
maintained by learning from incidents and liaising with independent
research organizations.
2. Defend the business
2.1 Adopt a risk-based approach:
To ensure that risks are treated in a consistent and effective manner.
Options for addressing information risk should be reviewed so that
informed, documented decisions are made about the treatment of risk. Risk
treatment typically involves choosing one or more of the following options:
• accepting risks (i.e. by a member of management 'signing off' that they have
accepted the risks and that no further action is required);
• avoiding risks (e.g. by deciding not to pursue a particular initiative);
• transferring risks (e.g. by outsourcing or taking out insurance); and
• mitigating risks, typically by applying appropriate security measures (e.g.
access controls, network monitoring and incident management).
2. Defend the business
2.2 Protect classified information:
To prevent classified information (e.g. confidential or sensitive) being
disclosed to unauthorized individuals.
Information should be identified and then classified according to its
level of confidentiality (e.g. secret, restricted, internal and public).
Classified information should be protected accordingly throughout all
stages of the information lifecycle - from creation to destruction - using
appropriate controls, such as encryption and access restrictions.
2. Defend the business
2.3 Develop systems securely:
To build quality, cost-effective systems upon which business people
can rely (e.g. that are consistently robust, accurate and reliable).
Information security should be integral to the scope, design, build and
testing phases of the System Development Life Cycle (SDLC). Good
security practices (e.g. rigorous testing for security weaknesses, peer
review and ability to cope with error, exception and emergency
conditions) should play a key role at all stages of the development
process.
3. Promote responsible security behavior:
3.1 Act in a professional and ethical manner:
To ensure that information security-related activities are performed in
a reliable, responsible and effective manner.
Information security relies heavily on the ability of professionals
within the industry to perform their roles responsibly and with a clear
understanding of how their integrity has a direct impact on the
information they are charged with protecting. Information security
professionals need to be committed to a high standard of quality in
their work while demonstrating consistent and ethical behavior and
respect for business needs, other individuals and confidential (often
personal) information.
3. Promote responsible security behavior:
3.2 Foster a security-positive culture:
To provide a positive security influence on the behavior of end users,
reduce the likelihood of security incidents occurring, and limit their
potential business impact.
Emphasis should be placed on making information security a key part
of ‘business as usual’, raising security awareness amongst users and
ensuring they have the skills required to protect critical or classified
information and systems. Individuals should be made aware of the risks
to information in their care and empowered to take the necessary steps
to protect it.
Information Security Architecture
Components of Info Sec Architecture:
• Information is the lifeblood of every organization.
• If information is compromised, there can be a wide range of consequences,
ranging from damage to a company's reputation through to financial
penalties.
• Organizations often take a merely tactical approach to addressing Information
Security.
• Information Security should instead be a strategic approach, based on a solid,
total framework encompassing all of an organization's Information Security
requirements.
1. Information:
• Within this architectural model, Information is at the heart of the
architecture.
• It is the business sensitive information that an organization needs to
protect.
• For example, UOL databases: academic databases containing students' data, HR
databases containing employee data and finance databases containing
accounting data.
• All of this data falls into the category of structured data, i.e. data held in
a structured form such as a database.
• However, there are large amounts of information within organizations that
contain business value and therefore need protecting but aren't contained
in a structured way.
2. Business Decisions:
• All Information Security decisions must start from the top, which
means they must start with the business.
• It is the responsibility of the business to decide what controls are
required, what is driving this to happen and what the business needs
from Information Security.
• These decisions are governed by a number of different factors and
influences. Some of these will be external whilst others will be driven
from an internal perspective.
3. Policy and Process:
• Taking all of the relevant external and internal factors into account, it is
then the organization's responsibility to specify what Information
Security rules must be applied.
• This is done through a combination of policies and processes (or
procedures). It is these policies and processes that provide the rules
that govern the 'use' of the Information.
• For example, restricting access to Facebook and YouTube for students on the SIS.
4. Applications and Services:
• All access to Information is via an application.
• Information can only provide business value if it can be accessed
when it is needed and by authorized individuals.
• Information Security should not only be seen as a defense
mechanism to protect the data, but, in addition, as a business
enabler, ensuring that the Information is available to the right people
at the right time.
5. Access Control:
• Access Control is at the heart of Information Security.
• All access to that information MUST flow through the Access Control
layer, irrespective of whether the request is internal or external, from
an employee or a customer (Teacher, Student, HOD, or which other role?).
• The implementation of the access control layer can (and will) exist
within multiple places within an organization - in accordance with the
principle of “Defense in Depth"
6. Audit and Monitoring Plan:
• The Auditing and Monitoring layer is responsible for recording all
required security-related operations to maintain a non-repudiable
and tamper-evident trail of evidence. The level of information that
needs auditing is determined by the Policies and Processes.
This may include:
• Information Access:
e.g. Successful and/or Failed Authentication/Authorization attempts
• Policy Administration:
e.g. Changes to access control policies
• User Administration:
e.g. Addition/Removal of users' roles and privileges
• Information Change:
e.g. Changes to sensitive Information
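The following Python is an added example, not part of the lecture: it ties together the Access Control layer every request must flow through, the classification levels of 2.2, and this audit layer recording Information Access and Policy Administration events in a tamper-evident chain, with the kind of summary a monitoring solution (Monitor step) could alert on. The role names (Student, Teacher, HOD), clearance levels, key and sample requests are assumptions made for illustration.

```python
# Added example, not from the lecture: a policy-enforcement choke point whose
# decisions feed a tamper-evident audit trail. Role names (Student, Teacher,
# HOD), clearance levels, key and sample requests are constructed for
# illustration; the classification ladder follows the lecture's section 2.2.
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

# Classification levels ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "restricted": 2, "secret": 3}

# Constructed policy: the highest classification each role may read.
DEFAULT_CLEARANCE = {"Student": "public", "Teacher": "internal", "HOD": "restricted"}

GENESIS = "0" * 64  # anchor tag for the first chain entry


@dataclass
class AuditTrail:
    """Hash-chained, keyed audit log: each entry stores the previous entry's
    tag and an HMAC over (previous tag + canonical JSON of its record), so
    editing, deleting or reordering an entry breaks the chain from that point
    on and verify() reports it. Only the logging service holds the key, so
    someone who can rewrite the file cannot forge valid tags. Non-repudiation
    between independent parties would need a digital signature instead."""
    key: bytes
    entries: list = field(default_factory=list)

    def _tag(self, prev: str, record: dict) -> str:
        payload = prev.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def append(self, category: str, **fields) -> None:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        record = {"category": category, **fields}
        self.entries.append({"record": record, "prev": prev, "tag": self._tag(prev, record)})

    def verify(self) -> Optional[int]:
        """Index of the first entry whose link is broken, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._tag(prev, entry["record"])
            if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
                return i
            prev = entry["tag"]
        return None


class AccessControlLayer:
    """The single layer every information request must flow through."""

    def __init__(self, audit: AuditTrail, clearance: Optional[Dict[str, str]] = None):
        self.audit = audit
        self.clearance = dict(clearance or DEFAULT_CLEARANCE)

    def set_clearance(self, admin: str, role: str, level: str) -> None:
        """Policy Administration event: a change to the access-control policy."""
        if level not in LEVELS:
            raise ValueError(f"unknown classification level: {level}")
        self.clearance[role] = level
        self.audit.append("Policy Administration", actor=admin, role=role, level=level)

    def request(self, user: str, role: str, resource: str, classification: str) -> bool:
        """Information Access event: allowed only if the role's clearance covers
        the data's classification. Unknown roles or levels fail closed (denied)."""
        clearance = LEVELS.get(self.clearance.get(role, ""))
        needed = LEVELS.get(classification)
        allowed = clearance is not None and needed is not None and clearance >= needed
        self.audit.append("Information Access", actor=user, role=role, resource=resource,
                          classification=classification, outcome="allowed" if allowed else "denied")
        return allowed


def denied_access_counts(audit: AuditTrail) -> Dict[str, int]:
    """Summary a monitoring solution (Monitor step) can alert on:
    number of denied Information Access events per actor."""
    counts: Dict[str, int] = {}
    for entry in audit.entries:
        rec = entry["record"]
        if rec["category"] == "Information Access" and rec["outcome"] == "denied":
            counts[rec["actor"]] = counts.get(rec["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    trail = AuditTrail(key=b"constructed-demo-key")
    acl = AccessControlLayer(trail)
    acl.request("s01", "Student", "hr_db", "internal")         # denied
    acl.request("t07", "Teacher", "academics_db", "internal")  # allowed
    acl.set_clearance("admin", "Student", "internal")          # policy change, logged
    acl.request("s01", "Student", "hr_db", "internal")         # now allowed
    print("denied per actor:", denied_access_counts(trail))
    print("chain intact:", trail.verify() is None)
    trail.entries[0]["record"]["outcome"] = "allowed"          # simulate log tampering
    print("first broken entry:", trail.verify())
```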
7. Cryptography:
• At the heart of many IT-related security controls is cryptography, the
process of using complex mathematics and algorithms involving large
numbers to protect information through enciphering and
deciphering messages.
• This can be used for a number of different purposes including,
maintaining the confidentiality of Information through encryption and
the integrity of Information through digital signing.
Security Architecture:
The architecture rests on two principles: 'Defense in Depth' and 'Least Privilege'.
By taking this approach to Information Security, organizations
can ensure that the components of their Information Security
architecture address all business-critical Information and
are driven by the requirements of the business.
Defense in Depth:
• The principle of Defense in Depth describes the concept of
implementing multiple layers of security so that if one layer is breached,
the remaining layers still protect the asset.
• By implementing enough layers of protection, the likelihood of compromise
is drastically reduced.
• One key aspect of this principle is the heterogeneity of each layer,
ensuring that each layer is implemented using distinctly different patterns
from the other layers. In Information Security terms this could mean using
different technologies, encryption standards, protocols, deployment
methods, etc.
Conclusion:
• Security policies can be developed easily depending on how big your
organisation is. But the challenge is how to implement these policies
by saving time and money.
• If a good security policy is derived and implemented, then the
organisation’s management can relax and enter into a world which is
risk-free.
NON CREDITED ASSIGNMENT
Information security: importance of having defined policy & process
 
File000169
File000169File000169
File000169
 
Security and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptxSecurity and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptx
 
Human Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxHuman Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptx
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 
Article - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdfArticle - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdf
 
Legal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptxLegal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptx
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacy
 

Más de Saqib Raza

Más de Saqib Raza (20)

The Design and Analysis of Algorithms.pdf
The Design and Analysis of Algorithms.pdfThe Design and Analysis of Algorithms.pdf
The Design and Analysis of Algorithms.pdf
 
An Introduction to the Analysis of Algorithms (2nd_Edition_Robert_Sedgewick,_...
An Introduction to the Analysis of Algorithms (2nd_Edition_Robert_Sedgewick,_...An Introduction to the Analysis of Algorithms (2nd_Edition_Robert_Sedgewick,_...
An Introduction to the Analysis of Algorithms (2nd_Edition_Robert_Sedgewick,_...
 
Data_Mining: Practical Machine Learning Tools and Techniques 2ndEd.pdf
Data_Mining: Practical Machine Learning Tools and Techniques 2ndEd.pdfData_Mining: Practical Machine Learning Tools and Techniques 2ndEd.pdf
Data_Mining: Practical Machine Learning Tools and Techniques 2ndEd.pdf
 
Social Impacts of Artificial intelligence
Social Impacts of Artificial intelligenceSocial Impacts of Artificial intelligence
Social Impacts of Artificial intelligence
 
Professional Practice Course Outline
Professional Practice Course OutlineProfessional Practice Course Outline
Professional Practice Course Outline
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer Privacy
 
Software Engineering Code Of Ethics And Professional Practice
Software Engineering Code Of Ethics And Professional PracticeSoftware Engineering Code Of Ethics And Professional Practice
Software Engineering Code Of Ethics And Professional Practice
 
7 Engineering Profession
7 Engineering Profession7 Engineering Profession
7 Engineering Profession
 
6 software contracts
6 software contracts6 software contracts
6 software contracts
 
Introduction to Intellectual Property
Introduction to Intellectual PropertyIntroduction to Intellectual Property
Introduction to Intellectual Property
 
Itroduction to Business Ethics
Itroduction to Business EthicsItroduction to Business Ethics
Itroduction to Business Ethics
 
Types of Ethics
Types of EthicsTypes of Ethics
Types of Ethics
 
Introduction to ethics
Introduction to ethicsIntroduction to ethics
Introduction to ethics
 
Project Management Concepts
Project Management ConceptsProject Management Concepts
Project Management Concepts
 
Software Re-Engineering
Software Re-EngineeringSoftware Re-Engineering
Software Re-Engineering
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality Assurance
 
User Interface Analysis and Design
User Interface Analysis and DesignUser Interface Analysis and Design
User Interface Analysis and Design
 
Architecture Design
Architecture DesignArchitecture Design
Architecture Design
 
REQUIREMENT ENGINEERING
REQUIREMENT ENGINEERINGREQUIREMENT ENGINEERING
REQUIREMENT ENGINEERING
 

Último

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 

Último (20)

Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIFood Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptx
 
Asian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptxAsian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural ResourcesEnergy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
 

12 security policies

  • 1. Information Security Policies Professional Practice Syed Saqib Raza Rizvi Lecture 12
  • 2. Topics To Be Covered: • PART 1: Introduction To Security Policies Information Security History Information Security Policy Information Security Life Cycle Laws and Regulation Sources Of Standards • PART 2: Security Principles Basic Information Security Principles 1. Support the business 2. Defend the business 3. Promote responsible security behavior • PART 3: Security Architecture Introduction Defense in Depth
  • 3. Information Security: • Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, illegal use, disclosure, disruption, modification, inspection, recording or destruction. • Preservation of confidentiality, integrity(accuracy and consistency) and availability of information. • Information Security is the process of protecting the intellectual property of an organization (information may be customer names, trade secrets etc). • Information security is the protection of information and minimizes the risk of exposing information to unauthorized parties.
  • 4. History: • Since the early days of communication, diplomats and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of correspondence and to have some means of detecting tampering. • Julius Caesar is credited with the invention of the Caesar cipher c. 50 B.C., which was created in order to prevent his secret messages from being read should a message fall into the wrong hands, but for the most part protection was achieved through the application of procedural handling controls. • In the mid-19th century more complex classification systems were developed to allow governments to manage their information according to the degree of sensitivity.
  • 5. History: • By the time of the First World War, multi-tier classification systems were used to communicate information to and from various fronts, which encouraged greater use of code making and breaking sections in diplomatic and military headquarters. • During Second World War, Encoding became more sophisticated between the wars as machines were employed to scramble and unscramble information.
  • 6. Information Security Policy: • Set of policies (rules and guideline) issued by an organization to ensure that all information technology users within the domain of the organization, related to the security of the information. • The evolution of computer networks has made the sharing of information ever more prevalent. Information is now exchanged at the rate of trillions of bytes per millisecond.
  • 7. Information Security Policy: • Every organization needs to protect its data and also control how it should be distributed both within and outside the organizational boundaries. This may mean that information may have to be encrypted, authorized through a third party or institution and may have restrictions placed on its distribution with reference to a classification system laid out in the information security policy.
  • 8. Information Security Policy: • An example of the use of an information security policy might be in a data storage facility which stores database records on behalf of medical facilities. These records are sensitive and cannot be shared, under penalty of law, with any unauthorized recipient whether a real person or another device. • An information security policy would be enabled within the software that the facility uses to manage the data they are responsible for. • A business might employ an information security policy to protect its digital assets and intellectual rights in efforts to prevent theft of industrial secrets and information that could benefit competitors.
  • 9. Information Security Policy: • A typical security policy might be hierarchical and apply differently depending on whom they apply to. • For example, the secretarial staff who type all the communications of an organization are usually bound never to share any information unless explicitly authorized, whereby a more senior manager may be deemed authoritative enough to decide what information produced by the secretaries can be shared, and to who, so they are not bound by the same. • To cover the whole organization therefore, information security policies frequently contain different specifications depending upon the authoritative status of the persons they apply to
  • 10. Information Security Policies: • Organizations are giving more priority to development of information security policies, as protecting their assets is one of the prominent things that needs to be considered. • Lack of clarity in InfoSec policies can lead to catastrophic damages which cannot be recovered. So an organization makes different strategies in implementing a security policy successfully. • Security policies are intended to define what is expected from employees within an organization with respect to information systems. The objective is to guide or control the use of systems to reduce the risk to information assets. It also gives the staff who are dealing with information systems an acceptable use policy, explaining what is allowed and what not
  • 11. Information Security Policies Life Cycle: Acceptance Policy
  • 12. 1. Get Management Support: • The crucial component for the success of writing an information security policy is gaining management support. Management will study the need of information security policies and assign a budget to implement security policies. Time, money, and resource mobilization are some factors that are discussed in this level. It is the role of the presenter to make the management understand the benefits and gains achieved through implementing these security policies.
  • 13. 2. Write Policies: • Now we need to know our information systems and write policies accordingly. Whenever information security policies are developed, a security analyst will copy the policies from another organisation, with a few differences. Ideally it should be the case that an analyst will research and write policies specific to the organisation. • Security policies need to be properly documented, as a good understandable security policy is very easy to implement. It should also be available to individuals responsible for implementing the policies.
  • 14. 2. Write Policies: A policy should contain: • Overview – Background information of what issue the policy addresses. • Purpose – Why the policy is created. • Scope – To what areas this policy covers. • Targeted Audience – Tells to whom the policy is applicable. • Policy – A good description of the policy. • Definitions – A brief introduction of the technical jargon used inside the policy. • Version – A version number to control the changes made to the document.
  • 15. 3. Implement Policies: • Once the information security policy is written to cover the rules, all employees should adhere to it while sending email, accessing VOIP, browsing the Internet, and accessing confidential data in a system. These policies need to be implemented across the organisation, however IT assets that impact our business the most need to be considered first. By implementing security policies, an organisation will get greater outputs at a lower cost. Policies can be enforced by implementing security controls.
  • 16. 4. Monitor: • Once the security policy is implemented, it will be a part of day-to-day business activities. Security policies that are implemented need to be reviewed whenever there is an organizational change. Policies can be monitored by depending on any monitoring solutions like SIEM and the violation of security policies can be seriously dealt with. There should also be a mechanism to report any violations to the policy. Employees often fear to raise violations directly, but a proper mechanism will bring problems to stakeholders immediately rather than when it is too late.
  • 17. 4. Monitor: Below is a list of some of the security policies that an organization may have: Access Control Policy How information is accessed Contingency Planning Policy How availability of data is made online 24/7 Data Classification Policy How data are classified Change Control Policy How changes are made to directories or the file server Wireless Policy How wireless infrastructure devices need to be configured Incident Response Policy How incidents are reported and investigated Termination of Access Policy How employees are terminated Backup Policy How data are backed up Virus Policy How virus infections need to be dealt with Retention Policy How data can be stored Physical Access Policy How access to the physical area is obtained Security Awareness Policy How security awareness are carried out Audit Trail Policy How audit trails are analysed Firewall Policy How firewalls are named, configured etc Network Security Policy How network systems can be secured Encryption Policy How datas are encryped, the encryption method used, etc.
  • 18. 5. Acceptable usage policy: • Acceptable usage policy (AUP) is the policies that one should adhere to while accessing the network. Some of the assets that these policies cover are mobile, wireless, desktop, laptop and tablet computers, email, servers, Internet, etc. For each asset we need to look at how we can protect it, manage it, who is authorised to use and administer the asset, what are the accepted methods of communication in these assets, etc.
  • 19. Laws and Regulations: • Below is a partial listing of European, United Kingdom, Canadian and US governmental laws and regulations that have, or will have, a significant effect on data processing and information security. • UK Data Protection Act 1998 makes new provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. The European Union Data Protection Directive (EUDPD) requires that all EU member must adopt national regulations to standardize the protection of data privacy for citizens throughout the EU. • The Computer Misuse Act 1990 is an Act of the UK Parliament making computer crime (e.g. hacking) a criminal offence. The Act has become a model upon which several other countries including Canada and the Republic of Ireland have drawn inspiration when subsequently drafting their own information security laws. • EU Data Retention laws requires Internet service providers and phone companies to keep data on every electronic message sent and phone call made for between six months and two years. • The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232 g; 34 CFR Part 99) is a US Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. • Federal Financial Institutions Examination Council’s (FFIEC) security guidelines for auditors specifies requirements for online banking security. • Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. 
And, it requires health care providers, insurance providers and employers to safeguard the security and privacy of health data. • Gramm–Leach–Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy and security of private financial information that financial institutions collect, hold, and process.
  • 20. Laws and Regulations: • Sarbanes–Oxley Act of 2002 (SOX). Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments. • Payment Card Industry Data Security Standard (PCI DSS) establishes comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. • State security breach notification laws (California and many others) require businesses, nonprofits, and state institutions to notify consumers when unencrypted "personal information" may have been compromised, lost, or stolen. • Personal Information Protection and Electronics Document Act (PIPEDA) – An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act. 
• Hellenic Authority for Communication Security and Privacy (ADAE) (Law 165/2011) - The Greek Law establishes and describes the minimum Information Security controls that should be deployed by every company which provides electronic communication networks and/or services in Greece in order to protect customers' Confidentiality. These include both managerial and technical controls (i.e. log records should be stored for two years). • Hellenic Authority for Communication Security and Privacy (ADAE) (Law 205/2013)- The latest Greek Law published by ADAE concentrates around the protection of the Integrity and Availability of the services and data offered by the Greek Telecommunication Companies.The new Law forces Telcos and associated companies to build, deploy and test appropriate Business Continuity Plans and redundant infrastructures.
  • 21. Sources of standards: • International Organization for Standardization (ISO) is a consortium of national standards institutes from 157 countries, coordinated through a secretariat in Geneva, Switzerland. ISO is the world's largest developer of standards. ISO 15443: "Information technology - Security techniques - A framework for IT security assurance“. • The US National Institute of Standards and Technology (NIST) is a non- regulatory federal agency within the U.S. Department of Commerce. The NIST Computer Security Division develops standards, metrics, tests and validation programs as well as publishes standards and guidelines to increase secure IT planning, implementation, management and operation. NIST is also the custodian of the US Federal Information Processing Standard publications (FIPS).
  • 22. Sources of standards: • The Internet Society is a professional membership society with more than 100 organization and over 20,000 individual members in over 180 countries. It provides leadership in addressing issues that confront the future of the Internet, and is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). • The Information Security Forum is a global nonprofit organization of several hundred leading organizations in financial services, manufacturing, telecommunications, consumer goods, government, and other areas. It undertakes research into information security practices and offers advice in its biannual Standard of Good Practice and more detailed advisories for members. • The Institute of Information Security Professionals (IISP) is an independent, non- profit body governed by its members, with the principal objective of advancing the professionalism of information security practitioners and thereby the professionalism of the industry as a whole. The Institute developed the IISP Skills Framework.
  • 23. Basic Information Security Principles: • The basic aims of information security are often summarized in three principles: Confidentiality means making sure that information is only seen by people who have the right to see it. For example, this could mean using a strong password on your computer, shredding sensitive documents, and locking filing cabinets. • Integrity means ensuring that information remains intact and unaltered. This means watching out for alterations through malicious action, natural disaster, or even a simple innocent mistake. • Availability implies having access to your information when you need it. In other words, it means making sure no person or event is able to block legitimate or timely access to information.
  • 24. 1: Support the business 1.1 Focus on the business: To ensure that information security is integrated into essential business activities. Individuals within the security community should forge relationships with business leaders and show how information security can complement key business and risk management processes. They should adopt an advisory approach to information security by supporting business objectives through resource allocation, programs and projects. High-level enterprise-focused advice should be provided to protect information and help manage information risk both now and in the future
  • 25. 1: Support the business 1.2 Deliver quality and value to stakeholders: To ensure that information security delivers value and meets business requirements. Internal and external stakeholders should be engaged through regular communication so that their changing requirements for information security can continue to be met. Promoting the value of information security (both financial and non-financial) helps to gain support for decision making, which can in turn help the success of the vision for information security.
  • 26. 1: Support the business 1.3 Provide timely and accurate information on security performance: To support business requirements and manage information risks. Requirements for providing information on security performance should be clearly defined, supported by the most relevant and accurate security metrics (such as compliance, incidents, control status and costs) and aligned to business objectives. Information should be captured in a periodic, consistent and rigorous manner so that information remains accurate and results can be presented to meet the objectives of relevant stakeholders.
  • 27. 1: Support the business 1.4 Evaluate current and future information threats: To analyze and assess emerging information security threats so that informed, timely action to mitigate risks can be taken. Major trends and specific information security threats should be categorized in a comprehensive, standard framework covering a wide range of topics such as political, legal, economic, sociocultural as well as technical issues. Individuals should share and build on their knowledge of upcoming threats to proactively address their causes, rather than just the symptoms
  • 28. 1: Support the business 1.5 Promote continuous improvement in information security: To reduce costs, improve efficiency and effectiveness and promote a culture of continuous improvement in information security Constantly changing organizational business models - coupled with evolving threats - require information security techniques to be adapted and their level of effectiveness improved on an ongoing basis. Knowledge of the latest information security techniques should be maintained by learning from incidents and liaising with independent research organizations.
  • 29. 2. Defend the business 2.1 Adopt a risk-based approach: To ensure that risks are treated in a consistent and effective manner. Options for addressing information risk should be reviewed so that informed, documented decisions are made about the treatment of risk. Risk treatment typically involves choosing one or more options, which typically include: accepting risks (i.e. by a member of management ‘signing-off’ that they have accepted the risks and that no further action is required); avoiding risks (e.g. by deciding not to pursue a particular initiative); transferring risks (e.g. by outsourcing or taking out insurance); and mitigating risk, typically by applying appropriate security measures (e.g. access controls, network monitoring and incident management).
  • 30. 2. Defend the business 2.2 Protect classified information: To prevent classified information (e.g. confidential or sensitive) being disclosed to unauthorized individuals. Information should be identified and then classified according to its level of confidentiality (e.g. secret, restricted, internal and public). Classified information should be protected accordingly throughout all stages of the information lifecycle, from creation to destruction, using appropriate controls such as encryption and access restrictions.
  • 31. 2. Defend the business 2.3 Develop systems securely: To build quality, cost-effective systems upon which business people can rely (e.g. that are consistently robust, accurate and reliable). Information security should be integral to the scope, design, build and testing phases of the System Development Life Cycle (SDLC). Good security practices (e.g. rigorous testing for security weaknesses, peer review and the ability to cope with error, exception and emergency conditions) should play a key role at all stages of the development process.
  • 32. 3. Promote responsible security behavior: 3.1 Act in a professional and ethical manner: To ensure that information security-related activities are performed in a reliable, responsible and effective manner. Information security relies heavily on the ability of professionals within the industry to perform their roles responsibly and with a clear understanding of how their integrity has a direct impact on the information they are charged with protecting. Information security professionals need to be committed to a high standard of quality in their work while demonstrating consistent and ethical behavior and respect for business needs, other individuals and confidential (often personal) information.
  • 33. 3. Promote responsible security behavior: 3.2 Foster a security-positive culture: To provide a positive security influence on the behavior of end users, reduce the likelihood of security incidents occurring, and limit their potential business impact. Emphasis should be placed on making information security a key part of ‘business as usual’, raising security awareness amongst users and ensuring they have the skills required to protect critical or classified information and systems. Individuals should be made aware of the risks to information in their care and empowered to take the necessary steps to protect it.
  • 35. Components of Info Sec Architecture:
    • Information is the lifeblood of every organization.
    • If information is compromised there can be a wide range of consequences, ranging from damage to a company's reputation through to financial penalties.
    • Therefore, organizations take a tactical approach to addressing Information Security.
    • Information Security, however, is a strategic approach that should be based on a solid, total framework encompassing all of an organization's Information Security requirements.
  • 36. 1. Information:
    • Within this architectural model, Information is at the heart of the architecture.
    • It is the business-sensitive information that an organization needs to protect.
    • For example, UOL databases: academic databases containing student data, HR databases containing employee data and finance databases containing accounting data.
    • All of this data falls into the category of structured data, that is, data held in a structured form such as a database.
    • However, there are large amounts of information within organizations that carry business value, and therefore need protecting, but are not held in a structured way.
  • 37. 2. Business Decisions:
    • All Information Security decisions must start from the top, which means they must start with the business.
    • It is the responsibility of the business to decide what controls are required, what is driving this to happen and what the business needs from Information Security.
    • These decisions are governed by a number of different factors and influences. Some of these will be external, whilst others will be driven from an internal perspective.
  • 38. 3. Policy and Process:
    • Taking all of the relevant external and internal factors into account, it is then the organization's responsibility to specify what Information Security rules must be applied.
    • This is done through a combination of policies and processes (or procedures). It is these policies and processes that provide the rules that govern the 'use' of the Information.
    • For example: the restriction of Facebook and YouTube for students on SIS.
  • 39. 4. Applications and Services:
    • All access to Information is via an application.
    • Information can only provide business value if it can be accessed when it is needed and by authorized individuals.
    • Information Security should not only be seen as a defense mechanism to protect the data but, in addition, as a business enabler, ensuring that the Information is available to the right people at the right time.
  • 40. 5. Access Control:
    • Access Control is at the heart of Information Security.
    • All access to that information MUST flow through the Access Control layer, irrespective of whether the request is internal or external, from an employee or a customer (Teacher, Student, HOD, or whoever else).
    • The implementation of the access control layer can (and will) exist in multiple places within an organization, in accordance with the principle of "Defense in Depth".
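As an added example (not part of the lecture), a single access-control layer in Python through which every request for information must pass, combining the classification levels from slide 30 (public, internal, restricted, secret) with the roles this slide names. The role policy, the asset labels and the clearance mapping are constructed samples, not UOL's actual rules.

```python
"""Access-control layer example (added here, not from the lecture): every
request for information passes through one authorize() check, using the
classification levels of slide 30 and the roles named on slide 40.
The role policy and the sample assets below are constructed, not real."""
from dataclasses import dataclass

# Classification levels from slide 30, least to most sensitive.
LEVELS = ["public", "internal", "restricted", "secret"]

# Constructed sample policy: the highest level each role may touch and the
# operations it is allowed. Anything not listed is denied (least privilege).
ROLE_POLICY = {
    "Student": {"clearance": "internal", "actions": {"read"}},
    "Teacher": {"clearance": "restricted", "actions": {"read", "write"}},
    "HOD": {"clearance": "secret", "actions": {"read", "write", "delete"}},
}

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # expected to be one of LEVELS

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorize(role: str, action: str, asset: Asset) -> Decision:
    """Single choke point for internal and external requests alike."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        return Decision(False, f"unknown role {role!r}")
    if asset.classification not in LEVELS:
        # Unlabelled data is denied rather than silently treated as public.
        return Decision(False, f"{asset.name!r} has no valid classification")
    if action not in policy["actions"]:
        return Decision(False, f"{role} is not permitted to {action}")
    if LEVELS.index(asset.classification) > LEVELS.index(policy["clearance"]):
        return Decision(False, f"{role} clearance ({policy['clearance']}) "
                               f"is below {asset.classification}")
    return Decision(True, "permitted")

# Constructed sample assets mirroring the database examples on slide 36.
TIMETABLE = Asset("timetable", "public")
STUDENT_RECORDS = Asset("student_records", "restricted")
PAYROLL = Asset("finance_payroll", "secret")
```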
  • 42. 6. Audit and Monitoring Plan:
    • The Auditing and Monitoring layer is responsible for recording all of the required security-related operations to maintain a non-repudiable and tamper-evident trail of evidence. The level of information that needs auditing will be determined within the Policy and Processes. This may include:
    • Information Access: e.g. successful and/or failed authentication/authorization attempts
    • Policy Administration: e.g. changes to access control policies
    • User Administration: e.g. addition/removal of users' roles and privileges
    • Information Change: e.g. changes to sensitive Information
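As an added example (not the lecture's code), a tamper-evident audit trail of the kind this slide describes: each record carries an HMAC over its content and the previous record's tag, so editing, reordering or deleting an entry breaks the chain and verify() reports where. The four event categories are the ones listed on the slide; the key, actors and event details are constructed for illustration.

```python
"""Tamper-evident audit trail (added example, not from the lecture).
Each record is tagged with an HMAC over its content plus the previous
record's tag, so the trail is a chain: changing, reordering or deleting a
record invalidates every check from that point on. Key and sample events
are constructed; the categories come from slide 42."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# The four kinds of security-relevant operation listed on slide 42.
CATEGORIES = {"information_access", "policy_administration",
              "user_administration", "information_change"}

class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key  # held by the audit system, not by the audited apps
        self.records: List[Dict] = []

    def _tag(self, body: Dict, prev_tag: str) -> str:
        # Canonical JSON so an unchanged record always yields the same tag.
        msg = json.dumps(body, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, category: str, actor: str, detail: str) -> Dict:
        if category not in CATEGORIES:
            raise ValueError(f"unknown audit category {category!r}")
        prev_tag = self.records[-1]["tag"] if self.records else "genesis"
        body = {"seq": len(self.records), "category": category,
                "actor": actor, "detail": detail, "prev": prev_tag}
        record = dict(body, tag=self._tag(body, prev_tag))
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the index of the first bad record.
        Caveat: removal of the newest records is only detectable if the latest
        tag is also anchored elsewhere (e.g. copied to a separate store)."""
        prev_tag = "genesis"
        for i, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "tag"}
            if record["seq"] != i or record["prev"] != prev_tag:
                return i  # reordered, inserted or deleted entry
            if not hmac.compare_digest(record["tag"], self._tag(body, prev_tag)):
                return i  # content edited after the fact
            prev_tag = record["tag"]
        return None
```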
  • 43. 7. Cryptography:
    • At the heart of many IT-related security controls is cryptography, the process of using complex mathematics and algorithms involving large numbers to protect information through enciphering and deciphering messages.
    • This can be used for a number of different purposes, including maintaining the confidentiality of Information through encryption and the integrity of Information through digital signing.
  • 44. Security Architecture: 'Defense in Depth' and 'Least Privilege'. By taking this approach to Information Security, organizations can ensure that the components of their Information Security architecture address all business-critical Information and are driven by the requirements of the business.
  • 45. Defense in Depth:
    • The principle of Defense in Depth describes the concept of implementing multiple layers of security so that if one layer is breached, the asset being protected is still covered by the remaining layers.
    • By implementing enough layers of protection, the likelihood of compromise is drastically reduced.
    • One of the key aspects of this principle is the heterogeneity of each layer, ensuring that each layer is implemented using distinctly different patterns from the other layers. In Information Security terms this could be through using different technologies, encryption standards, protocols, deployment methods, etc.
  • 49. Conclusion:
    • Security policies can be developed easily, depending on how big your organisation is. But the challenge is how to implement these policies while saving time and money.
    • If a good security policy is derived and implemented, then the organisation's management can relax and enter into a world which is risk-free.