
Introduction to Developing and Implementing Security Policies

Introduction to Developing and Implementing Security Policies. Kamyar Niroumand, Equipment Team Specialist, APA Specialized Center, Isfahan University of Technology, Fall 1388. Objectives: describe the concepts of security policies; examine the standards of Security Policy Design.


Presentation Transcript


  1. Introduction to Developing and Implementing Security Policies
  Kamyar Niroumand, Equipment Team Specialist, APA Specialized Center, Isfahan University of Technology, Fall 1388

  2. Objectives
  • Describe the concepts of security policies.
  • Examine the standards of Security Policy Design.
  • Describe the individual policies in a security policy.
  • Examine a detailed complete policy template.
  • Describe the policy procedures for Incident Handling and Escalation.

  3. Concepts of Security Policies
  • A security policy is nothing more than a well-written strategy for protecting and maintaining the availability of your network and its resources.
  • Most organizations do not have a security policy.
  • Excuses are rampant!

  4. Policy Benefits
  • Categories
    • They lower the legal liability to employees and 3rd-party users of resources.
    • They prevent waste of resources.
    • They protect proprietary and confidential information from theft, unauthorized access or modification, or internal misuse of resources.

  5. How to Start
  • Policy Design
    • The policy committee works together to develop an overall strategy for the policy.
  • Enforcement
    • Mechanisms to ensure the policy is enforced.
  • Monitoring
    • Tracking the performance of the policy and its effectiveness, or lack thereof.

  6. A graphical representation of the components of the security policy.

  7. A Question of Trust
  • The level of trust varies by the organization.
  • Balancing is the key:
    • too little trust impacts functionality
    • too much trust affects security

  8. Trust Options
  • Trust all the people all the time
  • Trust none of the people none of the time
  • Trust some of the people some of the time

  9. Policy Committee
  • Security Policy Committee
    • Upper & Middle Management
    • Local & Remote Users
    • Human Resources
    • Legal Professionals
    • Security Professionals
    • IT Users

  10. Security Policy Scenario
  • Organization Overview
  • Physical Building Overview
  • Network & Computer Overview
  • Extranet Overview

  11. Are Policies Political?
  • Resistance
    • A person who doesn’t like change
    • A person who is convinced the policy will hinder their work performance
    • A person who believes the organization is akin to “big brother”

  12. The Policy Design

  13. The Policy Design
  • Choosing a leader
    • strong project management skills
    • excellent communicator
  • Goals
  • Formulating the policy

  14. Policy Standards
  • BS7799
    • www.securityauditor.net
  • ISO17799
    • www.iso.ch
    • .ch = Switzerland (Switzerland is also known as ‘Confoederatio Helvetica’, hence ‘ch’)

  15. BS7799
  • Business continuity planning
  • System access control
  • System development and maintenance
  • Physical and environmental security
  • Compliance

  16. BS7799
  • Personnel security
  • Security organization
  • Computer and network management
  • Asset classification and control
  • Security policy

  17. ISO17799
  • Sections
    • Business Continuity Planning
    • System Access Control
    • System Development and Maintenance
    • Physical and Environmental Security
    • Compliance
    • Personnel Security
    • Security Organization

  18. ISO17799
    • Computer and Network Management
    • Asset Classification and Control
    • Security Policy

  19. Important RFCs
  • RFC 2196: The Site Security Handbook
  • RFC 2504: The User’s Security Handbook

  20. The Policies

  21. The Policies
  • The Acceptable Use Policy
  • The User Account Policy
  • The Remote Access Policy
  • The Information Protection Policy
  • The Network Connection Policy
  • The Strategic Partner Policy
  • The Privileged Access Policy

  22. The Policies
  • The Password Policy
  • The Internet Policy
  • Individual policies per technology
    • e.g. firewall policy or IDS policy

  23. The Acceptable Use Policy
  • Considerations
    • Are users allowed to share user accounts?
    • Are users allowed to install software without approval?
    • Are users allowed to copy software for archive or other purposes?
    • Are users allowed to read and/or copy files that they do not own, but have access to?

  24. The Acceptable Use Policy
    • Are users allowed to make copies of any OS files?
    • Are users allowed to modify files they do not own, but have write abilities to?
    • Are users required to use password-protected screensavers?

  25. The User Account Policy
  • Considerations
    • Are users allowed to share their user accounts with coworkers?
    • Are users allowed to share their user accounts with family members or friends?
    • Are users allowed to have multiple accounts on a computer?
    • Are users allowed to have multiple accounts in the network?

  26. The User Account Policy
  • Considerations
    • Who in the organization has the right to approve requests for new user accounts?
    • How long are accounts to remain inactive before they are disabled?

  27. The Remote Access Policy
  • Considerations
    • Which users in the organization are authorized for remote access?
    • What is the process for becoming authorized for remote access?
    • What methods of remote access are allowed?
    • Is the entire network accessible remotely?

  28. The Remote Access Policy
    • Can remote users use remote management to reach their computers in the office?
    • Are users’ family members allowed to access the organization’s network remotely?
    • Are users allowed to install modems to dial out of the network?
    • Will the organization place requirements on the software of computers performing remote access?

  29. The Information Protection Policy
  • Considerations
    • How are the different levels of data classification labeled?
    • Which users have access to the different levels of data classification?
    • How are users informed of their levels of access?
    • What is the default level of access that is to be applied to all information?

  30. The Information Protection Policy
    • Is information that is classified at the top level allowed to be printed on common printers?
    • Are all computers in the network able to store information that has the top level of classification?
    • Will computers that do store top-level information require special security controls?
    • How is information to be disposed of?

  31. The Network Connection Policy
  • Considerations
    • Are users allowed to install networking hardware into their computers?
    • Which users are authorized to install networking devices into their computers?
    • Who in the organization has the authority to approve networking component installation?

  32. The Network Connection Policy
    • What is the process of documentation for new networking components?
    • What is the procedure in the event that the network is disabled?
    • What is the process in the event an unauthorized network component is found on the network or in a computer?

  33. The Strategic Partner Policy
  • Considerations
    • Are strategic partners required to have written security policies?
    • Are strategic partners required to provide copies of their policies?
    • Are strategic partners required to disclose their perimeter and internal security measures?

  34. The Strategic Partner Policy
    • Will strategic partners be allowed to connect via a VPN?
    • How are those VPNs to be configured?
    • What type of access shall be granted to strategic partners?

  35. The Privileged Access Policy
  • Considerations
    • Who hires the network administration personnel?
    • Who may be allowed root, domain administrator, or enterprise administrator access?
    • What is the process for requesting privileged access?

  36. The Privileged Access Policy
    • Who has the authority to create the privileged access user account?
    • Are administrators allowed to run network-scanning tools?
    • Are administrators allowed to access any file on any computer?
    • What is the process of determining which files administrators do have access to?

  37. The Privileged Access Policy
    • Are administrators allowed to run password-checking tools?
    • Are privileged accounts allowed to access the network remotely?
    • Can a family member or visitor share a privileged account?

  38. The Password Policy
  • Considerations
    • Will the Security Administrator have the right to run password-checking tools?
    • What is the minimum length that users’ passwords must be?
    • How often must users change their passwords?
    • Can a user re-use a password?
    • What are the restrictions on how a password must be created?

  39. The Password Policy
    • What are the penalties for passwords that do not meet the criteria?
    • Are passwords required to be of a different strength for privileged accounts?
    • How many incorrect passwords are required for an account lockout?
    • What is the process of unlocking a locked account?

  40. The Password Policy
    • Are screensavers required to be password protected?
    • Does a user have to log on to the system in order to change a password?

  41. The Internet Policy
  • Considerations
    • Are all users allowed to access the Internet?
    • Are all users allowed to access Web sites?
    • Are users allowed to access remote email servers?
    • Are there limits on the size of Internet downloads?

  42. The Internet Policy
    • Are there controls in place to restrict access to objectionable Web sites?
    • Are users aware of the controls on access?
    • Will the organization monitor users’ access to Web sites?
    • Are users allowed to use organizational email resources for personal use?
    • What level of privacy will users be granted with their email?

  43. Miscellaneous Policies
  • Considerations
    • Are users able to install PDA software on their computers?
    • Who in the organization is going to support the user-installed application?
    • Will administrators be able to review the content stored on the PDA?

  44. Incident Handling and Escalation Procedures

  45. Sample Escalation Procedures for Security Incidents
  • Computer security incidents
    • Loss of personal information
    • Suspected sharing of user accounts
    • Unfriendly employee termination
    • Suspected violations of special access
    • Suspected computer break-in or computer virus

  46. Sample Escalation Procedures for Security Incidents
  • Physical security incidents
    • Illegal building access
    • Property damage or personal theft

  47. Incident Handling
  • The steps of incident handling must be discussed before an incident occurs.

  48. Sample Incident Handling Procedure
  • Introduction
  • General procedures
  • Specific procedures

  49. Thank you for your attention.
  www.nsec.ir
  www.ircert.cc
  Kamyar@nsec.ir
