NETWORK SECURITY Presentation
Members
• Usman Mukhtar -046
• Anas Faheem -018
• Umair Mehmood -047
• Qasim Zaman -050
• Shahbaz Khan -030
Policies and Regulation in Network Security
• Semester: BS(IT) 6th
• Submitted to: Sir Kashif Nisar
University of Gujrat
The challenges before us
• Define security policies and standards
• Measure actual security against policy
• Report violations to policy
• Correct violations to conform with policy
• Summarize policy compliance for the organization
The Foundation of Information Security
The Information Security Functions
Managing Information Security
Policies
What are policies, and what is their purpose?
The Purpose
Provide a framework for the management of security across the enterprise.
Definitions
• Policies
– High-level statements that provide guidance to workers who must make present and future decisions
• Standards
– Requirement statements that provide specific technical specifications
• Guidelines
– Optional but recommended specifications
Security Policy
Policy: Access to network resources will be granted through a unique user ID and password.
Standard: Passwords will be 8 characters long.
Guideline: Passwords should include one non-alpha character and not be found in a dictionary.
Elements of Policies
• Set the tone of Management
• Establish roles and responsibilities
• Define asset classifications
• Provide direction for decisions
• Establish the scope of authority
• Provide a basis for guidelines and procedures
• Establish accountability
• Describe appropriate use of assets
• Establish relationships to legal requirements
Policies should……
Clearly identify and define the information security goals and the goals of the university.
[Diagram: Info Security Policy Lifecycle. Labels: Cabinet, Goals, IS Goals, Policy, Standards, Procedures, Guidelines, Awareness, Actions]
The Ten-Step Approach
Step 1 – Collect Background Information
• Obtain existing policies
– Creighton's
– Others
• Identify what levels of control are needed
• Identify who should write the policies
Step 2 – Perform Risk Assessment
• Justify the Policies with Risk Assessment
– Identify the critical functions
– Identify the critical processes
– Identify the critical data
– Assess the vulnerabilities
Step 3 – Create a Policy Review Board
• The Policy Development Process
– Write the initial “Draft”
– Send to the Review Board for Comments
– Incorporate Comments
– Resolve Issues Face-to-Face
– Submit “Draft” Policy to Cabinet for Approval
Step 4 – Develop the Information Security Plan
• Establish goals
• Define roles
• Define responsibilities
• Notify the user community as to the direction
• Establish a basis for compliance, risk assessment, and audit of information security
Step 5 – Develop Information Security Policies, Standards, and Guidelines
• Policies
– High-level statements that provide guidance to workers who must make present and future decisions
• Standards
– Requirement statements that provide specific
technical specifications
• Guidelines
– Optional but recommended specifications
Step 6 – Implement Policies and Standards
• Distribute Policies.
• Obtain agreement with policies before accessing Creighton Systems.
• Implement controls to meet or enforce policies.
Step 7 – Awareness and Training
• Makes users aware of the expected behavior
• Teaches users how and when to secure information
• Reduces losses and theft
• Reduces the need for enforcement
Step 8 – Monitor for Compliance
• Management is responsible for establishing controls
• Management should REGULARLY review the status of controls
• Enforce “User Contracts” (Code of Conduct)
• Establish effective authorization approval
• Establish an internal review process
• Internal Audit Reviews
Step 9 – Evaluate Policy Effectiveness
• Evaluate
• Document
• Report
Step 10 – Modify the Policy
Policies must be modified due to:
– New Technology
– New Threats
– New or changed goals
– Organizational changes
– Changes in the Law
– Ineffectiveness of the existing Policy
HIPAA Security Guidelines
• Security Administration
• Physical Safeguards
• Technical Security Services and Mechanisms
Minimum HIPAA Requirements
• Security Administration
– Certification Policy (§ .308(a)(1))
– Chain of Trust Policy (§ .308(a)(2))
– Contingency Planning Policy (§ .308(a)(3))
– Data Classification Policy (§ .308(a)(4))
– Access Control Policy (§ .308(a)(5))
– Audit Trail Policy (§ .308(a)(6))
– Configuration Management Policy (§ .308(a)(8))
– Incident Reporting Policy (§ .308(a)(9))
– Security Governance Policy (§ .308(a)(10))
– Access Termination Policy (§ .308(a)(11))
– Security Awareness & Training Policy (§ .308(a)(12))
Minimum HIPAA Requirements
• Physical Safeguards
– Security Plan (Security Roles and Responsibilities) (§ .308(b)(1))
– Media Control Policy (§ .308(b)(2))
– Physical Access Policy (§ .308(b)(3))
– Workstation Use Policy (§ .308(b)(4))
– Workstation Safeguard Policy (§ .308(b)(5))
– Security Awareness & Training Policy (§ .308(b)(6))
Minimum HIPAA Requirements
• Technical Security Services and Mechanisms
– Mechanism for controlling system access (§ .308(c)(1)(i))
• “Need-to-know”
– Employ event logging on systems that process or store PHI (§ .308(c)(1)(ii))
– Mechanism to authorize the privileged use of PHI (§ .308(c)(3))
• Employ a system or application-based mechanism to authorize activities within system resources in accordance with the Least Privilege Principle.
– Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner (§ .308(c)(4))
• checksums, double keying, message authentication codes, and digital signatures.
– Users must be authenticated prior to accessing PHI (§ .308(c)(5))
• Uniquely identify each user and authenticate identity
• Implement at least one of the following methods to authenticate a user:
– Password;
– Biometrics;
– Physical token;
– Call-back or strong authentication for dial-up remote access users.
• Implement automatic log-offs to terminate sessions after set periods of inactivity.
– Protection of PHI on networks with connections to external communication systems or public networks (§ .308(d))
• Intrusion detection
• Encryption
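The § .308(c)(4) item above lists checksums and message authentication codes side by side as integrity corroboration. The added example below (not part of the slides) runs both over a constructed PHI record and shows the practical difference: a plain checksum only catches accidental change, while a keyed MAC also corroborates an edit made by someone who could rewrite the stored checksum but does not hold the key. The record, the key and the edits are all constructed for the example.

```python
"""Integrity corroboration for a PHI record (added example, not from the slides).

Two of the mechanisms the HIPAA slide lists under §.308(c)(4): a plain checksum
(CRC-32) and a keyed message authentication code (HMAC-SHA256). The record,
the key and the edits below are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
import zlib

# Constructed record; a real system keeps the key in a key store, not in source.
RECORD = {"patient_id": "P-0001", "allergy": "penicillin", "dose_mg": 250}
INTEGRITY_KEY = secrets.token_bytes(32)  # known to the system, not to users


def canonical(record: dict) -> bytes:
    """Deterministic encoding so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> int:
    return zlib.crc32(canonical(record))


def checksum_ok(record: dict, stored: int) -> bool:
    return checksum(record) == stored


def mac(record: dict, key: bytes) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def mac_ok(record: dict, stored: str, key: bytes) -> bool:
    # Constant-time comparison; a plain == leaks timing information.
    return hmac.compare_digest(mac(record, key), stored)


def demo() -> dict:
    """What each mechanism detects for an accidental and for a deliberate change."""
    stored_crc = checksum(RECORD)
    stored_mac = mac(RECORD, INTEGRITY_KEY)

    # Accidental corruption (bad write, bit rot): the stored values are stale,
    # so both mechanisms flag the mismatch.
    corrupted = dict(RECORD, dose_mg=2500)

    # Unauthorized edit by someone who can also rewrite the stored checksum:
    # the CRC now matches, but a valid MAC cannot be produced without the key,
    # so only the MAC still corroborates that the record was altered.
    tampered = dict(RECORD, allergy="none")
    rewritten_crc = checksum(tampered)

    return {
        "accidental_crc_detects": not checksum_ok(corrupted, stored_crc),
        "accidental_mac_detects": not mac_ok(corrupted, stored_mac, INTEGRITY_KEY),
        "deliberate_crc_detects": not checksum_ok(tampered, rewritten_crc),
        "deliberate_mac_detects": not mac_ok(tampered, stored_mac, INTEGRITY_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Digital signatures, the last mechanism on the slide, give the same tamper evidence as the MAC without sharing the verification key with the verifier.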
Creighton Specific Policies
• Access Control Policy
• Contingency Planning Policy
• Data Classification Policy
• Change Control Policy
• Wireless Policy
• Incident Response Policy
• Termination of Access Policy
• Backup Policy
• Virus Policy
• Retention Policy
• Physical Access Policy
• Computer Security Policy
• Security Awareness Policy
• Audit Trail Policy
• Firewall Policy
• Network Security Policy
• Encryption Policy
Policy Hierarchy
[Diagram: a governance policy above subordinate policies, the standards under each policy, and the guidelines under a standard]
• Governance Policy
  – Access Control Policy
    • Access Control Authentication Standard
    • Password Construction Standard
      – Strong Password Construction Guidelines
  – User ID Policy
    • User ID Naming Standard
Network security policies


Editor's Notes

  1. A policy may have many standards associated. A standard should have only one policy associated. A standard may have many guidelines associated.
  2. Guidelines are used when standards cannot be enforced or management support is lukewarm. Examples:
     Standard: Passwords must be 8 characters long and expire every 90 days.
     Guideline: Passwords should be constructed using alpha, numeric, upper case, lower case, and special characters.
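The "Security Policy" slide and editor's note 2 give a concrete policy, standard and guideline for passwords, and the "challenges" slide asks for actual security to be measured against policy, violations reported and compliance summarised. The added example below (not from the slides or the deck's author) turns that into a compliance check: standard clauses block, guideline clauses are only reported. The word list, account records and dates are constructed for the example.

```python
"""Password standard compliance check (added example, not from the slides).

Encodes the policy / standard / guideline split used on the "Security Policy"
slide and in the editor's notes:
  policy    - access is granted through a unique user ID and password
  standard  - at least 8 characters, contains a non-alpha character, not found
              in a dictionary, expires every 90 days
  guideline - recommended: alpha, numeric, upper case, lower case and special
              characters
The word list and the sample accounts are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date
import string

MIN_LENGTH = 8      # standard
MAX_AGE_DAYS = 90   # standard

# Constructed stand-in for a real dictionary file.
DICTIONARY = {"password", "welcome", "football", "letmein", "qwerty"}


@dataclass
class CheckResult:
    standard_violations: list = field(default_factory=list)  # mandatory: block access
    guideline_gaps: list = field(default_factory=list)       # recommended: report only

    @property
    def compliant(self) -> bool:
        return not self.standard_violations


def check_standard(password: str, set_on: str, today: str) -> CheckResult:
    """Measure one password against the standard; dates are ISO strings (YYYY-MM-DD).

    The content checks run when the password is set (the only time the plaintext
    is available); the age check is what periodic compliance monitoring repeats.
    """
    result = CheckResult()
    if len(password) < MIN_LENGTH:
        result.standard_violations.append(f"shorter than {MIN_LENGTH} characters")
    if password.isalpha():
        result.standard_violations.append("no non-alpha character")
    # Dictionary check on the alphabetic core, case-insensitively, so that a
    # dictionary word with a digit bolted on ("Password1") still fails.
    core = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in DICTIONARY or core in DICTIONARY:
        result.standard_violations.append("found in dictionary")
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    if age.days > MAX_AGE_DAYS:
        result.standard_violations.append(f"older than {MAX_AGE_DAYS} days")
    # Guideline clauses are recommendations: recorded, never enforced.
    classes = {
        "alpha": any(c.isalpha() for c in password),
        "numeric": any(c.isdigit() for c in password),
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    result.guideline_gaps = [name for name, present in classes.items() if not present]
    return result


# Constructed accounts: (user id, password as submitted at set time, date set).
SAMPLE_ACCOUNTS = [
    ("alice", "Tr0ub4dor&3", "2024-03-01"),
    ("bob", "football", "2024-03-01"),
    ("carol", "Password1", "2023-12-01"),
]


def compliance_summary(accounts, today: str) -> dict:
    """Report violations per user and summarise compliance for the organisation."""
    report = {"checked": 0, "compliant": 0, "violations": {}}
    for user_id, password, set_on in accounts:
        result = check_standard(password, set_on, today)
        report["checked"] += 1
        if result.compliant:
            report["compliant"] += 1
        else:
            report["violations"][user_id] = result.standard_violations
    return report


if __name__ == "__main__":
    print(compliance_summary(SAMPLE_ACCOUNTS, "2024-04-01"))
```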