Introduction to Developing Security Policies and Implementing Them
Kamyar Niroumand
Equipment Team Specialist
APA Specialized Center
Isfahan University of Technology
Autumn 1388 (Iranian calendar)

Objectives

- Describe the concepts of security policies.
- Examine the standards of security policy design.
- Describe the individual policies in a security policy.
- Examine a detailed, complete policy template.
- Describe the policy procedures for incident handling and escalation.

Concepts of Security Policies

- A security policy is nothing more than a well-written strategy for protecting and maintaining the availability of your network and its resources.
- Most organizations do not have a security policy.
  - Excuses are rampant!

Policy Benefits

- Categories
  - They lower the legal liability to employees and third-party users of resources.
  - They prevent waste of resources.
  - They protect proprietary and confidential information from theft, unauthorized access or modification, or internal misuse of resources.

How to Start

- Policy design
  - The policy committee works together to develop an overall strategy for the policy.
- Enforcement
  - Mechanisms to ensure the policy is enforced.
- Monitoring
  - Tracking the performance of the policy and its effectiveness, or lack thereof.

[Figure: a graphical representation of the components of the security policy.]

A Question of Trust

- The level of trust varies by organization.
  - Balancing is the key:
    - too little trust impacts functionality
    - too much trust affects security

Trust Options

- Trust all the people all the time
- Trust none of the people none of the time
- Trust some of the people some of the time

Policy Committee

- Security Policy Committee
  - Upper and middle management
  - Local and remote users
  - Human resources
  - Legal professionals
  - Security professionals
  - IT users

Security Policy Scenario

- Organization overview
- Physical building overview
- Network and computer overview
- Extranet overview

Are Policies Political?

- Resistance
  - A person who doesn't like change
  - A person who is convinced the policy will hinder their work performance
  - A person who believes the organization is akin to "Big Brother"

The Policy Design

- Choosing a leader
  - strong project management skills
  - excellent communicator
- Goals
- Formulating the policy

Policy Standards

- BS7799
  - www.securityauditor.net
- ISO17799
  - www.iso.ch
  - .ch = Switzerland (Switzerland is also known as "Confoederatio Helvetica", hence "ch")

BS7799

- Business continuity planning
- System access control
- System development and maintenance
- Physical and environmental security
- Compliance

BS7799 (continued)

- Personnel security
- Security organization
- Computer and network management
- Asset classification and control
- Security policy

ISO17799

- Sections
  - Business continuity planning
  - System access control
  - System development and maintenance
  - Physical and environmental security
  - Compliance
  - Personnel security
  - Security organization

ISO17799 (continued)

  - Computer and network management
  - Asset classification and control
  - Security policy

Important RFCs

- RFC 2196: The Site Security Handbook
- RFC 2504: The Users' Security Handbook

The Policies

- The Acceptable Use Policy
- The User Account Policy
- The Remote Access Policy
- The Information Protection Policy
- The Network Connection Policy
- The Strategic Partner Policy
- The Privileged Access Policy

The Policies (continued)

- The Password Policy
- The Internet Policy
- Individual policies per technology
  - e.g. a firewall policy or an IDS policy

The Acceptable Use Policy

- Considerations
  - Are users allowed to share user accounts?
  - Are users allowed to install software without approval?
  - Are users allowed to copy software for archive or other purposes?
  - Are users allowed to read and/or copy files that they do not own, but have access to?

The Acceptable Use Policy (continued)

  - Are users allowed to make copies of any OS files?
  - Are users allowed to modify files they do not own, but have write access to?
  - Are users required to use password-protected screensavers?

The User Account Policy

- Considerations
  - Are users allowed to share their user accounts with coworkers?
  - Are users allowed to share their user accounts with family members or friends?
  - Are users allowed to have multiple accounts on a computer?
  - Are users allowed to have multiple accounts in the network?

The User Account Policy (continued)

  - Who in the organization has the right to approve requests for new user accounts?
  - How long are accounts to remain inactive before they are disabled?

The Remote Access Policy

- Considerations
  - Which users in the organization are authorized for remote access?
  - What is the process for becoming authorized for remote access?
  - What methods of remote access are allowed?
  - Is the entire network accessible remotely?

The Remote Access Policy (continued)

  - Can remote users use remote management to reach their computers in the office?
  - Are users' family members allowed to access the organization's network remotely?
  - Are users allowed to install modems to dial out of the network?
  - Will the organization place requirements on the software of computers performing remote access?

The Information Protection Policy

- Considerations
  - How are the different levels of data classification labeled?
  - Which users have access to the different levels of data classification?
  - How are users informed of their levels of access?
  - What is the default level of access that is to be applied to all information?

The Information Protection Policy (continued)

  - Is information that is classified at the top level allowed to be printed on common printers?
  - Are all computers in the network able to store information that has the top level of classification?
  - Will computers that do store top-level information require special security controls?
  - How is information to be disposed of?

The Network Connection Policy

- Considerations
  - Are users allowed to install networking hardware into their computers?
  - Which users are authorized to install networking devices into their computers?
  - Who in the organization has the authority to approve networking component installation?

The Network Connection Policy (continued)

  - What is the process of documentation for new networking components?
  - What is the procedure in the event that the network is disabled?
  - What is the process in the event an unauthorized network component is found on the network or in a computer?

The Strategic Partner Policy

- Considerations
  - Are strategic partners required to have written security policies?
  - Are strategic partners required to provide copies of their policies?
  - Are strategic partners required to disclose their perimeter and internal security measures?

The Strategic Partner Policy (continued)

  - Will strategic partners be allowed to connect via a VPN?
  - How are those VPNs to be configured?
  - What type of access shall be granted to strategic partners?

The Privileged Access Policy

- Considerations
  - Who hires the network administration personnel?
  - Who may be allowed root, domain administrator, or enterprise administrator access?
  - What is the process for requesting privileged access?

The Privileged Access Policy (continued)

  - Who has the authority to create the privileged access user account?
  - Are administrators allowed to run network-scanning tools?
  - Are administrators allowed to access any file on any computer?
  - What is the process of determining which files administrators do have access to?

The Privileged Access Policy (continued)

  - Are administrators allowed to run password-checking tools?
  - Are privileged accounts allowed to access the network remotely?
  - Can a family member or visitor share a privileged account?

The Password Policy

- Considerations
  - Will the security administrator have the right to run password-checking tools?
  - What is the minimum length that users' passwords must be?
  - How often must users change their passwords?
  - Can a user re-use a password?
  - What are the restrictions on how a password must be created?

The Password Policy (continued)

  - What are the penalties for passwords that do not meet the criteria?
  - Are passwords required to be of a different strength for privileged accounts?
  - How many incorrect passwords are required for an account lockout?
  - What is the process of unlocking a locked account?

The Password Policy (continued)

  - Are screen-savers required to be password protected?
  - Does a user have to log on to the system in order to change a password?

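The questions on the three Password Policy slides only become a control once each answer is enforced somewhere. As an added example that is not part of the original slides, the Python below encodes one set of answers (minimum length, a stronger length for privileged accounts, maximum age, no re-use of recent passwords, a lockout threshold, and a help-desk unlock step) and applies them to password changes and logins; the policy values, the PBKDF2 iteration count and all function and field names are assumptions chosen for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def _hash(password, salt):       # iteration count is illustrative only
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class PasswordPolicy:            # the slides' questions answered with assumed values
    min_length: int = 12         # minimum length users' passwords must be
    priv_min_length: int = 20    # different strength required for privileged accounts
    max_age_days: int = 90       # how often users must change their passwords
    history_depth: int = 5       # previous passwords that may not be re-used
    lockout_threshold: int = 5   # incorrect passwords before the account locks

@dataclass
class Account:
    privileged: bool = False
    history: list = field(default_factory=list)   # (salt, pbkdf2 hash), newest last
    changed_at: float = 0.0                       # epoch seconds of the last change
    failures: int = 0                             # consecutive incorrect passwords

def change_password(policy, acct, password, now):   # -> [] on success, else violations
    problems, need = [], (policy.priv_min_length if acct.privileged else policy.min_length)
    if len(password) < need:
        problems.append(f"shorter than {need} characters")
    if any(hmac.compare_digest(_hash(password, s), h)
           for s, h in acct.history[-policy.history_depth:]):
        problems.append(f"re-uses one of the last {policy.history_depth} passwords")
    if not problems:             # penalty for a non-compliant password: the change is refused
        salt = os.urandom(16)
        acct.history.append((salt, _hash(password, salt)))
        acct.changed_at = now
    return problems

def login(policy, acct, password, now):   # -> 'ok' | 'expired' | 'locked' | 'denied'
    if acct.failures >= policy.lockout_threshold:
        return "locked"          # stays locked until admin_unlock() is run
    salt, current = acct.history[-1] if acct.history else (b"", b"")
    if not hmac.compare_digest(_hash(password, salt), current):
        acct.failures += 1
        return "denied"
    acct.failures = 0
    if now - acct.changed_at > policy.max_age_days * 86400:
        return "expired"         # credential verified, but a change is required first
    return "ok"

def admin_unlock(acct):          # the unlock process: help desk clears the counter
    acct.failures = 0
```

Note that a correct password presented while the account is locked is still refused, so the unlock step has to be a deliberate, documented procedure rather than "try again".
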
The Internet Policy

- Considerations
  - Are all users allowed to access the Internet?
  - Are all users allowed to access Web sites?
  - Are users allowed to access remote email servers?
  - Are there limits on the size of Internet downloads?

The Internet Policy (continued)

  - Are there controls in place to restrict access to objectionable Web sites?
  - Are users aware of the controls on access?
  - Will the organization monitor users' access to Web sites?
  - Are users allowed to use organizational email resources for personal use?
  - What level of privacy will users be granted with their email?

Miscellaneous Policies

- Considerations
  - Are users able to install PDA software on their computers?
  - Who in the organization is going to support the user-installed application?
  - Will administrators be able to review the content stored on the PDA?

Sample Escalation Procedures for Security Incidents

- Computer security incidents
  - Loss of personal information
  - Suspected sharing of user accounts
  - Unfriendly employee termination
  - Suspected violations of special access
  - Suspected computer break-in or computer virus

Sample Escalation Procedures for Security Incidents (continued)

- Physical security incidents
  - Illegal building access
  - Property damage or personal theft

Incident Handling

- The steps of incident handling must be discussed before an incident occurs.

Sample Incident Handling Procedure

- Introduction
- General procedures
- Specific procedures