fore sec academy security essentials ii
Skip this Video
Download Presentation
Basic Security Policy

Loading in 2 Seconds...

play fullscreen
1 / 20

Basic Security Policy - PowerPoint PPT Presentation

  • Uploaded on

FORE SEC Academy Security Essentials (II). Basic Security Policy. Preface.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Basic Security Policy' - siusan

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

It never ceases to amaze me - fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy," butnobody ever explains what the policy is, let alone how to write or evaluate it.

That is why we undertook this research and education project on basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, “The Roadmap,” a usable and effective policy. Thank you!

  • Defining Security Policy
  • Using Security Policy to Manage Risk
  • Identifying Security Policy
  • Evaluating Security Policy
  • Issue-specific Security Policy
  • Exercise: Writing a Personal Security


  • Contingency Planning within your Policy
documentation is critical
Documentation is Critical
  • If it is not in writing it never


  • You must clearly document:

- What is expected of users

- What you plan on doing

- How you plan on doing it

- What other people are required to do

defining a policy
Defining a Policy
  • Policies direct the accomplishment of


- Program Policy

- Issue-specific Policy

- System-specific Policy

An effective and realistic Security Policy is the key to effective and achievable security.

defining a policy 2
Defining a Policy (2)
  • What makes up a policy?


-Related documents




-Policy statement


- Responsibility

defining a policy 3
Defining a Policy (3)
  • Who can sign the policy?
  • What process is used to:

- draft a policy

- approve a policy

- implement a policy

risk assessment
Risk Assessment
  • What do you do?

- The “important bid” story

-When is it okay to violate or change


-Who has the authority to do it?

-What are the risks involved?

managing risks in your job
Managing Risks in Your Job
  • Identify risks
  • Communicate your findings
  • Update (create) policy as needed
  • Develop metrics to measure


identifying security policy
Identifying Security Policy
  • Who does the procedure?
  • What is the procedure?
  • When is the procedure done?
  • Where is the procedure done?
  • Why is the procedure done?
roles and responsibilities
Roles and Responsibilities
  • Formal organizational structure

- Who has the title

- Who is listed at the top of the

organizational chart

  • Informal organizational structure

- Who gets things done

- Who really makes decisions

levels of policy
Levels of Policy
  • Recognize that policies can exist on

different levels

- Enterprise-wide/corporate policy

- Division-wide policy

- Local policy

- Issue-specific policy

- Procedures and checklists

checkpoint procedure guidance
Checkpoint:Procedure Guidance
  • Policies address the who, what,

and why.

  • Procedures address the how,

where, and when.

evaluating security policy
Evaluating Security Policy
  • What if your existing policy is confusing and hard to read?
  • What if it doesn’t cover all the


  • Use a checklist to evaluate your


evaluating security policy 2
Evaluating Security Policy (2)
  • Use a checklist:

- Does it contain the expected


- Is it clear?

- Is it concise?

- Is it realistic?

- Does it provide sufficient guidance?

evaluating security policy 3
Evaluating Security Policy (3)
  • Checklist, continued...

- Is it consistent?

- Is it forward-looking?

- Are there means to keep it current?

- Is the policy readily available to those

who need it?

issue specific security policy
Issue-Specific Security Policy
  • Anti-Virus
  • Password Assessment
  • Backups
  • Proprietary Information
  • Personal Security Policy
anti virus policy
Anti-virus Policy
  • Define the problem

- Various practices risk the introduction of

viruses into systems and networks

  • Develop a solution

- Define the scope

- Layer the defense strategy

- Identify responsibilities

- Measure the effectiveness

password assessment policy
Password Assessment Policy
  • Define the problem

- Password assessment is a necessary part of security, but may appear illegal if carried out without proper authority/safeguards

  • Develop a solution

- Identify the risks

- Enumerate the countermeasures

- Enable administrators to legally assess


- Escrow passwords for use during incidents

data backup policy
Data Backup Policy
  • Define the problem

- Backups are critical to protect information

and allow disaster recovery, but are often

performed sporadically

  • Develop a solution

- Identify backups as critical

- Empower system administrators

- Provide for exceptions when necessary

- Make sure the policy is implemented