
FORESEC Academy Security Essentials (II)

Basic Security Policy



It never ceases to amaze me: you cannot take a class in Information Security without being told to do this or that in accordance with “your security policy,” but nobody ever explains what the policy is, let alone how to write or evaluate it.

That is why we undertook this research and education project on basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, “The Roadmap,” a usable and effective policy. Thank you!



  • Defining Security Policy

  • Using Security Policy to Manage Risk

  • Identifying Security Policy

  • Evaluating Security Policy

  • Issue-specific Security Policy

  • Exercise: Writing a Personal Security


  • Contingency Planning within your Policy


Documentation is Critical

  • If it is not in writing it never


  • You must clearly document:

    - What is expected of users

    - What you plan on doing

    - How you plan on doing it

    - What other people are required to do


Defining a Policy

  • Policies direct the accomplishment of


    - Program Policy

    - Issue-specific Policy

    - System-specific Policy

    An effective and realistic Security Policy is the key to effective and achievable security.


Defining a Policy (2)

  • What makes up a policy?

    - Related documents

    - Policy statement

    - Responsibility


Defining a Policy (3)

  • Who can sign the policy?

  • What process is used to:

    - draft a policy

    - approve a policy

    - implement a policy


Risk Assessment

  • What do you do?

    - The “important bid” story

    - When is it okay to violate or change

    - Who has the authority to do it?

    - What are the risks involved?


Managing Risks in Your Job

  • Identify risks

  • Communicate your findings

  • Update (create) policy as needed

  • Develop metrics to measure



Identifying Security Policy

  • Who does the procedure?

  • What is the procedure?

  • When is the procedure done?

  • Where is the procedure done?

  • Why is the procedure done?


Roles and Responsibilities

  • Formal organizational structure

    - Who has the title

    - Who is listed at the top of the organizational chart

  • Informal organizational structure

    - Who gets things done

    - Who really makes decisions


Levels of Policy

  • Recognize that policies can exist on different levels

    - Enterprise-wide/corporate policy

    - Division-wide policy

    - Local policy

    - Issue-specific policy

    - Procedures and checklists


Checkpoint: Procedure Guidance

  • Policies address the who, what, and why.

  • Procedures address the how, where, and when.


Evaluating Security Policy

  • What if your existing policy is confusing and hard to read?

  • What if it doesn’t cover all the


  • Use a checklist to evaluate your



Evaluating Security Policy (2)

  • Use a checklist:

    - Does it contain the expected


    - Is it clear?

    - Is it concise?

    - Is it realistic?

    - Does it provide sufficient guidance?


Evaluating Security Policy (3)

  • Checklist, continued...

    - Is it consistent?

    - Is it forward-looking?

    - Are there means to keep it current?

    - Is the policy readily available to those who need it?


Issue-Specific Security Policy

  • Anti-Virus

  • Password Assessment

  • Backups

  • Proprietary Information

  • Personal Security Policy


Anti-virus Policy

  • Define the problem

    - Various practices risk the introduction of viruses into systems and networks

  • Develop a solution

    - Define the scope

    - Layer the defense strategy

    - Identify responsibilities

    - Measure the effectiveness


Password Assessment Policy

  • Define the problem

    - Password assessment is a necessary part of security, but may appear illegal if carried out without proper authority/safeguards

  • Develop a solution

    - Identify the risks

    - Enumerate the countermeasures

    - Enable administrators to legally assess


    - Escrow passwords for use during incidents


Data Backup Policy

  • Define the problem

    - Backups are critical to protect information and allow disaster recovery, but are often performed sporadically

  • Develop a solution

    - Identify backups as critical

    - Empower system administrators

    - Provide for exceptions when necessary

    - Make sure the policy is implemented