Lesson 9 - Information Security Best Practices

Yi-Ming Chen, Department of Information Management, National Central University (中央資管 陳奕明)

Overview

- Understanding administrative security.
- Security project plans.
- Understanding technical security.
- Making use of ISO 17799.

Understanding Administrative Security

Administrative security policies:
  - Define the importance of information and information systems to the company and its employees.
  - Define the resources required to accomplish appropriate risk management activities.
  - Identify the individuals responsible for managing the information security risk for the organization.

Administrative security policies fall under the following areas:
  - Policies and procedures.
  - Resources.
  - Responsibility.
  - Education.
  - Contingency plans.

Policies and Procedures

The most important policies that organizations must draft are:
  - Information policy - Defines the level of sensitivity of information assets within the organization.
  - Security policy - Defines the technical controls and security configurations to be implemented on all computer systems.
  - Use policy - Identifies the approved uses of organization computer systems and the penalties for misusing such systems.
  - Backup policy - Defines the frequency of information backups and the method of moving backups to off-site storage.

Organizations must define the following procedures:
  - User management - Includes information about individuals who can authorize access to the organization’s computer systems.
  - System administration - Defines the process of implementing the organization’s security policy on various systems.
  - Configuration management - Defines the steps for making changes to production systems.

Resources

Determining required resources depends on:
  - The size of the organization.
  - The organization’s business.
  - The risk to the organization.
  - The full risk assessment of the organization.
  - The plan to manage risk.

[Figure: the project management triangle]

The security department staff members should have the following skills:
  - Security administration - A thorough understanding of day-to-day administration of security devices.
  - Policy development - Hands-on experience in the development and maintenance of security policies, procedures, and plans.
  - Architecture - An understanding of network and system architectures and the implementation of new systems.
  - Research - The examination of new security technologies for risk assessment.
  - Assessment - Experience in conducting risk assessment activities, such as penetration and security testing.
  - Audit - Experience in conducting system and procedure audits.

An organization’s security budget is based on:
  - The scope and time frame of the security project.
  - The capital expenditures, current operations, and cost of training.
  - The security project plans.

Responsibility

An executive-level position must own security responsibilities within an organization.
  - This position should have the authority to define the organization’s policy and sign off on all security-related policies.
  - It should also have the authority to enforce policy.
  - It should develop metrics to track progress toward security goals.

Education

The best practices for education include:
  - Preventive measures.
  - Enforcement measures.
  - Incentive measures.

Preventive Measures

Preventive measures explain the importance of, and the need for, protecting an organization’s information assets.
  - They help employees comply with policies and procedures.
  - They include awareness programs, publicity campaigns, electronic mail messages, and pop-up windows.

Enforcement Measures

Enforcement measures require employees to abide by the organization’s policies and procedures.
  - They can take the form of security-awareness training.
  - Employees can also be provided with copies of relevant policies.
  - Employees can also be asked to sign a security statement.

Incentive Programs

Incentive programs:
  - Can increase the reporting of security issues.
  - Can be in the form of monetary incentives or verbal encouragement.
  - Can also be offered for suggestions on how to improve security.

Contingency Plans

Contingency plans include:
  - Incident response - Defines the series of steps to be taken in the event of a compromise.
  - Backup and data archival - Defines how and when backups are to be taken. It also specifies the backup storage and restore mechanisms.
  - Disaster recovery - Identifies the most critical resources and states the needs and objectives in the event of a disaster.

Security Project Plans

Best practices recommend that the security department must establish the following plans:
  - Improvement plans - Address the risk areas and implement appropriate changes to the environment.
  - Vulnerability assessment - Includes regular scans of the organization’s systems. It also includes regular follow-up with system administrators to ensure corrective actions are being taken.
  - Assessment plans - Frequently assess the risk to the organization.
  - Audit plans - Ensure policy compliance.
  - Training - Includes schedules for awareness training classes and publicity campaigns.
  - Policy evaluation - Includes built-in review schedules.

Understanding Technical Security

- Network connectivity.
- Malicious code protection.
- Authentication.
- Monitoring.
- Encryption.
- Patching systems.
- Backup and recovery.
- Physical security.

Network Connectivity

To protect an organization from unwanted intrusions, the following network connectivity practices are recommended:
  - Permanent connections - Network connections to other organizations or the Internet are protected by a firewall. This prevents damage in one network from spreading to others.
  - Remote access connections - These connections can be dial-in connections or connections across the Internet. Two-factor authentication, such as dial-back modems or dynamic passwords, is recommended.

Malicious Code Protection

To protect systems from computer viruses or Trojan horse programs:
  - Use anti-virus programs for servers, desktops, and e-mail systems.
  - Allow frequent signature updates and ensure the updates are delivered to all systems.

Authentication

The following are the recommended best practices for password usage:
  - Passwords must be a minimum of eight characters in length.
  - The last ten passwords should not be reused.
  - Passwords should always be stored in encrypted form that is inaccessible to normal users.
  - A password should not be more than 60 days old.
  - Passwords should be composed of alphanumeric characters.
  - Dynamic passwords or other two-factor authentication mechanisms offer added security.
  - Systems should be configured to start a screen saver while the employee is away, and should require re-authentication to regain access.

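As an added example (not from the slides), the password rules on the two Authentication slides expressed as a checkable policy in Python: minimum length, letter-and-digit composition, the ten-password history and the 60-day age. It assumes a per-user record that keeps only salted PBKDF2 digests (standing in for the slide's "encrypted form"), reads "alphanumeric" as containing both letters and digits, and uses a lowered iteration count so the example runs quickly.

```python
import hashlib
import os
from datetime import datetime, timedelta

# Policy parameters taken from the Authentication slides.
MIN_LENGTH = 8        # minimum of eight characters
HISTORY_DEPTH = 10    # the last ten passwords may not be reused
MAX_AGE_DAYS = 60     # a password must not be more than 60 days old

# Iteration count lowered from production values so the example runs quickly.
PBKDF2_ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; this is the only form ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PasswordRecord:
    """Per-user record: (salt, digest) pairs with the newest last, plus the
    date the current password was set. Cleartext is never retained."""

    def __init__(self):
        self.history = []     # list of (salt, digest), current password last
        self.set_at = None    # datetime the current password was set

    def reuses_recent(self, candidate: str) -> bool:
        # The window covers the current password and the nine before it.
        recent = self.history[-HISTORY_DEPTH:]
        return any(hash_password(candidate, salt) == digest
                   for salt, digest in recent)

    def set_password(self, password: str, when: datetime) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.set_at = when


def composition_problems(candidate: str) -> list:
    """Length and character-class checks; 'alphanumeric' is read here as
    'contains both letters and digits' (an assumption of this example)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("contains no digits")
    return problems


def validate_new_password(record: PasswordRecord, candidate: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = composition_problems(candidate)
    if record.reuses_recent(candidate):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def is_expired(record: PasswordRecord, now: datetime) -> bool:
    """True when no password is set or the current one exceeds MAX_AGE_DAYS."""
    if record.set_at is None:
        return True
    return now - record.set_at > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    rec = PasswordRecord()
    print(validate_new_password(rec, "abc"))          # too short, no digits
    rec.set_password("Winter2024", datetime(2024, 1, 1))
    print(validate_new_password(rec, "Winter2024"))   # reuse of the current one
    print(is_expired(rec, datetime(2024, 3, 15)))     # 74 days old
```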
Monitoring

Auditing is a mechanism of monitoring actions that occur on a computer system. The audit log or files must keep track of the following events:
  - Login/logoff.
  - Failed login attempts.
  - Dial-in connection attempts.
  - Supervisor/administrator/root login.
  - Supervisor/administrator/root privileged functions.
  - Sensitive file access.

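As an added example (not from the slides), detection logic in Python that reads constructed syslog-style lines, keeps only the event types the slide lists, and flags accounts with repeated failed logins. The log lines, the dial-in message format, the administrator account names and the set of sensitive paths are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample audit log (syslog-style lines, not real data).
AUDIT_LOG = """\
Mar 10 08:01:12 srv1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 08:03:40 srv1 sshd[2210]: Failed password for bob from 10.0.0.9 port 51100 ssh2
Mar 10 08:03:44 srv1 sshd[2210]: Failed password for bob from 10.0.0.9 port 51100 ssh2
Mar 10 08:03:49 srv1 sshd[2210]: Failed password for bob from 10.0.0.9 port 51100 ssh2
Mar 10 08:05:02 srv1 sshd[2215]: Accepted publickey for root from 10.0.0.5 port 51200 ssh2
Mar 10 08:06:30 srv1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd carol
Mar 10 08:07:11 srv1 dialin: incoming call on ttyS0 from 5551234
Mar 10 08:09:15 srv1 auditd[410]: path=/etc/shadow uid=1001 syscall=open success=yes
Mar 10 08:09:20 srv1 auditd[410]: path=/var/log/wtmp uid=1001 syscall=open success=yes
Mar 10 08:30:00 srv1 sshd[2201]: Disconnected from user alice 10.0.0.5 port 51022
"""

# Accounts whose logins count as supervisor/administrator/root logins (assumed).
ADMIN_ACCOUNTS = {"root", "admin"}
# Files whose access the slide wants tracked as "sensitive file access" (assumed).
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers", "/etc/passwd"}
FAILED_LOGIN_THRESHOLD = 3

# (category, pattern) in priority order; the first match wins. The "user"
# group holds the account, or the serial line for dial-in attempts.
EVENT_PATTERNS = [
    ("privileged_function",
     re.compile(r"sudo: (?P<user>\S+) : .*COMMAND=(?P<detail>.+)$")),
    ("login",
     re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<detail>\S+)")),
    ("failed_login",
     re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<detail>\S+)")),
    ("logoff",
     re.compile(r"Disconnected from user (?P<user>\S+) (?P<detail>\S+)")),
    ("dialin_attempt",
     re.compile(r"dialin: incoming call on (?P<user>\S+) from (?P<detail>\S+)")),
    ("file_access",
     re.compile(r"path=(?P<detail>\S+) uid=(?P<user>\d+)")),
]


def classify(line: str):
    """Map one log line to an audit event dict, or None when the line is not
    one of the event types the audit log must track."""
    for category, pattern in EVENT_PATTERNS:
        m = pattern.search(line)
        if not m:
            continue
        user, detail = m.group("user"), m.group("detail")
        if category == "login" and user in ADMIN_ACCOUNTS:
            category = "admin_login"
        if category == "file_access":
            if detail not in SENSITIVE_PATHS:
                return None          # ordinary file access is not tracked
            category = "sensitive_file_access"
        return {"time": line[:15], "category": category,
                "user": user, "detail": detail}
    return None


def parse_log(text: str) -> list:
    """Classify every line and drop the ones that are not tracked events."""
    return [ev for ev in (classify(l) for l in text.splitlines()) if ev]


def summarize(events) -> Counter:
    """Count tracked events per category."""
    return Counter(ev["category"] for ev in events)


def failed_login_alerts(events, threshold: int = FAILED_LOGIN_THRESHOLD) -> set:
    """Accounts with at least `threshold` failed logins in the log window."""
    per_user = Counter(ev["user"] for ev in events
                       if ev["category"] == "failed_login")
    return {user for user, n in per_user.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    for ev in evs:
        print(ev["time"], ev["category"], ev["user"], ev["detail"])
    print(summarize(evs))
    print("repeated failed logins:", failed_login_alerts(evs))
```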
Monitoring

Intrusion detection systems (IDS) monitor networks or systems.
  - They trigger an alarm when security is compromised.
  - Host-based IDS may be used to examine log files.
  - Network-based IDS helps monitor the network for attacks or unusual traffic.

Encryption

  - Encrypt information while transmitting it over unsecured lines or by electronic mail.
  - Choose an algorithm that matches the sensitivity of the information being protected. Use well-known and well-tested encryption algorithms.
  - Use link encryption for transmission lines between organization facilities.
  - Follow regulatory standards, such as HIPAA, while transmitting over open networks.

Patching Systems

  - Patches correct vulnerabilities.
  - Install patches only after testing.
  - Install patches according to the organization’s change control procedures.
  - Check for new patches frequently.

Backup and Recovery

  - Information on servers should be backed up regularly.
  - Verify all backups to determine whether the backup successfully copied the important files.
  - Establish regular schedules of restore tests.
  - Backups must be accessible to restore systems in the event of system failures.
  - Backups should be stored off-site for protection.

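As an added example (not from the slides), a Python backup verification routine for the "verify all backups" point: a manifest of SHA-256 digests of the important files is recorded when the backup is taken, and the backup copy is later checked against it, reporting files that are missing or whose contents differ. The file names are constructed, and run_demo builds both trees in a temporary directory, deliberately truncating one copy and dropping another to show both failure modes.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed list of files the backup policy treats as important (assumed).
IMPORTANT_FILES = ["etc/passwd", "etc/ssh/sshd_config", "srv/db/customers.db"]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, important) -> dict:
    """Record, at backup time, the digest of every important file under root."""
    return {rel: sha256_of(root / rel) for rel in important}


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Check a backup tree against the manifest. A file is 'ok' only when it
    exists in the backup and its digest matches the one recorded."""
    result = {"ok": [], "missing": [], "corrupted": []}
    for rel, expected in manifest.items():
        copy = backup_root / rel
        if not copy.is_file():
            result["missing"].append(rel)
        elif sha256_of(copy) != expected:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def run_demo() -> dict:
    """Build a source tree and a flawed backup of it, then verify the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "server"
        bak = Path(tmp) / "backup"
        for rel in IMPORTANT_FILES:
            f = src / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(f"constructed contents of {rel}\n")

        manifest = build_manifest(src, IMPORTANT_FILES)
        shutil.copytree(src, bak)

        # Simulate a truncated copy and a file that never made it into the backup.
        (bak / "srv/db/customers.db").write_text("partial")
        (bak / "etc/ssh/sshd_config").unlink()

        return verify_backup(manifest, bak)


if __name__ == "__main__":
    report = run_demo()
    for status, files in report.items():
        print(f"{status}: {files}")
```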
Physical Security

The following physical security mechanisms are recommended:
  - Physical access - Restrict access to the data center, where all sensitive computers are kept.
  - Climate - Configure climate control units to notify administrators if a failure occurs.
  - Fire suppression - Configure fire-suppression systems to prevent any damage to the systems in the data center.
  - Electrical power - Size battery backups to provide sufficient power for computer systems to shut down.

Making Use of ISO 17799

The Information Technology - Code of Practice for Information Security Management (ISO 17799) covers the following areas:
  - Security policy - Covers the need for a security policy. It also recommends regular reviews and evaluation of the document.
  - Organizational security - Covers how information security functions are managed within an organization.
  - Asset classification and control - Covers the need to properly protect both physical and information assets.

ISO 17799 key concepts include:
  - Personnel security - Discusses the need to manage the risk within the hiring process and ongoing employee education.
  - Physical and environmental security - Discusses the need to protect all physical assets from theft, fire, and other hazards.
  - Communications and operations management - Covers the need for documented management procedures for computers and networks.
  - Access control - Discusses the control of access to information, systems, networks, and applications.
  - Systems development and maintenance - Discusses the inclusion of security in development projects.
  - Business continuity management - Discusses the risks of business interruptions and various alternatives for continuity management.
  - Compliance - Discusses how the organization should enforce policy and check compliance.

Summary

  - Administrative security practices include policies and procedures, resources, responsibility, education, and contingency plans.
  - The security department must establish plans for improvement, assessment, vulnerability assessment, audits, training, and policy evaluation.
  - Technical security measures deal with the implementation of security controls on computers and networked systems.
  - ISO 17799 standards help establish an effective security program.

Introduction to BS7799

BS7799 Code of Practice for Information Security
  - A standard for the application and auditing of information security.
  - Defines a complete framework of policies, procedures, implementation, and organizational structure.
  - Proposed by the British Standards Institution in 1995.
  - Has become an international standard: ISO 17799.
Grateful 7 speech thanking everyone that has helped.pdf
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 

Ch09 Information Security Best Practices

  • 1. Lesson 9 - Information Security Best Practices. 中央資管 陳奕明
  • 2. Overview: Understanding administrative security. Security project plans. Understanding technical security. Making use of ISO 17799.
  • 3. Understanding Administrative Security: Administrative security policies define the importance of information and information systems to the company and its employees; define the resources required to accomplish appropriate risk management activities; and identify the individuals responsible for managing information security risk for the organization.
  • 4. Understanding Administrative Security: Administrative security policies fall under the following areas: policies and procedures, resources, responsibility, education, and contingency plans.
  • 5. Policies and Procedures: The most important policies that organizations must draft are: Information policy - Defines the level of sensitivity of information assets within the organization. Security policy - Defines the technical controls and security configurations to be implemented on all computer systems.
  • 6. Policies and Procedures: The most important policies that organizations must draft are (continued): Use policy - Identifies the approved uses of organization computer systems and the penalties for misusing such systems. Backup policy - Defines the frequency of information backups and the method of moving backups to off-site storage.
  • 7. Policies and Procedures: Organizations must define the following procedures: User management - Includes information about the individuals who can authorize access to the organization's computer systems. System administration - Defines the process of implementing the organization's security policy on the various systems. Configuration management - Defines the steps for making changes to production systems.
  • 8. Resources: Determining the required resources depends on: The size of the organization. The organization's business. The risk to the organization. The full risk assessment of the organization. The plan to manage risk.
  • 9. Resources: The project management triangle.
  • 10. Resources: The security department staff members should have the following skills: Security administration - A thorough understanding of the day-to-day administration of security devices. Policy development - Hands-on experience in the development and maintenance of security policies, procedures, and plans. Architecture - An understanding of network and system architectures and of the implementation of new systems.
  • 11. Resources: The security department staff members should have the following skills (continued): Research - The examination of new security technologies for risk assessment. Assessment - Experience in conducting risk assessment activities, such as penetration and security testing. Audit - Experience in conducting system and procedure audits.
  • 12. Resources: An organization's security budget is based on: The scope and time frame of the security project. The capital expenditures, current operations, and cost of training. The security project plans.
  • 13. Responsibility: An executive-level position must own security responsibilities within an organization. That executive should have the authority to define the organization's policy and sign off on all security-related policies, and the authority to enforce policy. They should also develop metrics to track progress toward security goals.
  • 14. Education: The best practices for education include: Preventive measures. Enforcement measures. Incentive measures.
  • 15. Preventive Measures: Preventive measures are used to explain the importance of, and the need for, protecting an organization's information assets. They make employees comply with policies and procedures. They include awareness programs, publicity campaigns, electronic mail messages, and pop-up windows.
  • 16. Enforcement Measures: Enforcement measures force employees to abide by the organization's policies and procedures. They can take the form of security-awareness training. Employees can also be provided with copies of relevant policies and can be asked to sign a security statement.
  • 17. Incentive Programs: Incentive programs can increase the reporting of security issues. They can take the form of monetary incentives or verbal encouragement. They can also be used to solicit suggestions on how to improve security.
  • 18. Contingency Plans: Contingency plans include: Incident response - Defines the series of steps to be taken in the event of a compromise. Backup and data archival - Defines how and when backups are to be taken; it also specifies the backup storage and restore mechanisms. Disaster recovery - Identifies the most critical resources and states the needs and objectives in the event of a disaster.
  • 19. Security Project Plans: Best practices recommend that the security department establish the following plans: Improvement plans - Address the risk areas and implement appropriate changes to the environment. Vulnerability assessment - Includes regular scans of the organization's systems, and regular follow-up with system administrators to ensure that corrective actions are being taken.
  • 20. Security Project Plans: Best practices recommend that the security department establish the following plans (continued): Assessment plans - Frequently assess the risk to the organization. Audit plans - Ensure policy compliance. Training - Includes schedules for awareness training classes and publicity campaigns. Policy evaluation - Includes built-in review schedules.
  • 21. Understanding Technical Security: Network connectivity. Malicious code protection. Authentication. Monitoring.
  • 22. Understanding Technical Security: Encryption. Patching systems. Backup and recovery. Physical security.
  • 23. Network Connectivity: To protect an organization from unwanted intrusions, the following network connectivity practices are recommended: Permanent connections - Network connections to other organizations or to the Internet are protected by a firewall. This prevents damage in one network from spreading to others. Remote access connections - These can be dial-in connections or connections across the Internet. Two-factor authentication, such as dial-back modems or dynamic passwords, is recommended.
  • 24. Malicious Code Protection: To protect systems from computer viruses or Trojan horse programs: Use anti-virus programs on servers, desktops, and e-mail systems. Allow frequent signature updates and the delivery of those updates to all systems.
  • 25. Authentication: The following are the recommended best practices for password usage: Passwords must be a minimum of eight characters in length. The last ten passwords should not be reused. Passwords should always be stored in encrypted form, inaccessible to normal users. Passwords should not be more than 60 days old. Passwords should be composed of alphanumeric characters.
  • 26. Authentication: The following are the recommended best practices for password usage (continued): Dynamic passwords or other two-factor authentication mechanisms offer added security. Systems should be configured to start a screen saver while the employee is away, and the system should require re-authentication to regain access.
  • 27. Monitoring: Auditing is a mechanism for monitoring the actions that occur on a computer system. The audit log or audit files must keep track of the following events: Login/logoff. Failed login attempts. Dial-in connection attempts. Supervisor/administrator/root logins. Supervisor/administrator/root privileged functions. Sensitive file access.
  • 28. Monitoring: Intrusion detection systems (IDS) monitor networks or systems and trigger an alarm when security is compromised. Host-based IDS may be used to examine log files. Network-based IDS helps monitor the network for attacks or unusual traffic.
  • 29. Encryption: Encrypt information while transmitting it over unsecured lines or by electronic mail. Choose an algorithm that matches the sensitivity of the information being protected. Use well-known and well-tested encryption algorithms.
  • 30. Encryption: Use link encryption for transmission lines between organization facilities. Follow regulatory standards, such as HIPAA, when transmitting over open networks.
  • 31. Patching Systems: Patches correct vulnerabilities. Install patches only after testing them. Install patches according to the organization's change control procedures. Check for new patches frequently.
  • 32. Backup and Recovery: Information on servers should be backed up regularly. Verify all backups to determine whether the backup successfully copied the important files, and establish a regular schedule of restore tests. Backups must be accessible to restore systems in the event of system failures. Backups should be stored off-site for protection.
  • 33. Physical Security: The following physical security mechanisms are recommended: Physical access - Restrict access to the data center, where all sensitive computers are kept. Climate - Configure climate control units to notify administrators if a failure occurs.
  • 34. Physical Security: The following physical security mechanisms are recommended (continued): Fire suppression - Configure fire-suppression systems to prevent damage to the systems in the data center. Electrical power - Size battery backups to provide sufficient power for the computer systems to shut down.
  • 35. Making Use of ISO 17799: Information Technology - Code of Practice for Information Security Management (ISO 17799) covers the following areas: Security policy - Covers the need for a security policy. It also recommends regular reviews and evaluation of the document.
  • 36. Making Use of ISO 17799: Information Technology - Code of Practice for Information Security Management (ISO 17799) covers the following areas (continued): Organizational security - Covers how information security functions are managed within an organization. Asset classification and control - Covers the need to properly protect both physical and information assets.
  • 37. Making Use of ISO 17799: ISO 17799 key concepts include: Personnel security - Discusses the need to manage the risk within the hiring process and through ongoing employee education. Physical and environmental security - Discusses the need to protect all physical assets from theft, fire, and other hazards. Communication and operations management - Covers the need for documented management procedures for computers and networks.
  • 38. Making Use of ISO 17799: ISO 17799 key concepts include (continued): Access control - Discusses the control of access to information, systems, networks, and applications. Systems development and maintenance - Discusses the inclusion of security in development projects.
  • 39. Making Use of ISO 17799: ISO 17799 key concepts include (continued): Business continuity management - Discusses the risks of business interruptions and the various alternatives for continuity management. Compliance - Discusses how the organization should enforce policy and check compliance.
  • 40. Summary: Administrative security practices include policies and procedures, resources, responsibility, education, and contingency plans. The security department must establish plans for improvement, assessment, vulnerability assessment, audits, training, and policy evaluation.
  • 41. Summary: Technical security measures deal with the implementation of security controls on computers and networked systems. The ISO 17799 standard helps establish an effective security program.
  • 42. Introduction to BS7799: BS7799, Code of Practice for Information Security, is a standard for the application and auditing of information security. It defines a complete set of policies, procedures, implementation and organizational structure. It was proposed by the British Standards Institution in 1995 and has since become an international standard: ISO 17799.
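The password rules on slide 25 (minimum eight characters, no reuse of the last ten, protected storage, 60-day maximum age, alphanumeric composition), implemented as a policy checker added here; it is not code from the original slides. Salted PBKDF2 digests stand in for the slide's "encrypted form", and the iteration count and the reading of "alphanumeric" as "letters and digits" are assumptions.

```python
"""Password-policy checker for the rules on slide 25. Added example, not from
the original slides: salted PBKDF2 digests model the slide's "encrypted form"
of storage, and ITERATIONS is kept low so the example runs quickly."""
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 8                  # "minimum of eight characters"
HISTORY_SIZE = 10               # "the last ten passwords should not be reused"
MAX_AGE = timedelta(days=60)    # "should not be more than 60 days old"
ITERATIONS = 20_000             # assumption; production deployments use a far higher count

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

@dataclass
class PasswordRecord:
    set_on: datetime   # when the current password was set
    history: list      # (salt, digest) pairs, newest first; index 0 is the current password

def new_record(password: str, when: datetime) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(set_on=when, history=[(salt, _digest(password, salt))])

def composition_errors(candidate: str) -> list:
    """Length and character-class rules; an empty list means the candidate passes."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    # "alphanumeric" is read here (assumption) as: must contain both letters and digits
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        errors.append("must contain both letters and digits")
    return errors

def is_expired(record: PasswordRecord, now: datetime) -> bool:
    """True once the current password is more than MAX_AGE old."""
    return now - record.set_on > MAX_AGE

def change_password(record: PasswordRecord, candidate: str, now: datetime) -> list:
    """Apply every rule; on success rotate the record in place and return []."""
    errors = composition_errors(candidate)
    # Each stored digest has its own salt, so the candidate is re-derived per entry.
    if any(_digest(candidate, salt) == digest for salt, digest in record.history[:HISTORY_SIZE]):
        errors.append(f"matches one of the last {HISTORY_SIZE} passwords")
    if errors:
        return errors
    salt = os.urandom(16)
    record.history.insert(0, (salt, _digest(candidate, salt)))
    del record.history[HISTORY_SIZE:]   # forget anything older than the last ten
    record.set_on = now
    return []
```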
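The audit events listed on slide 27 and the host-based log review mentioned on slide 28, as detection logic added here and not part of the original slides, run over constructed log lines; the dial-in and audit message formats, the set of sensitive paths and the failed-login threshold are assumptions.

```python
"""Audit-log review for the event classes on slide 27: login/logoff, failed
logins, dial-in attempts, root logins, privileged functions, sensitive file
access. Added example; log lines, dial-in/audit formats and thresholds are constructed."""
import re
from collections import Counter

LINE = re.compile(r"^(?P<ts>\S+\s+\d+\s+[\d:]+) (?P<host>\S+) (?P<msg>.*)$")
# One pattern per audit event class from the slide, matched against the message part.
PATTERNS = [
    ("failed_login", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("login",        re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("logoff",       re.compile(r"session closed for user (?P<user>\S+)")),
    ("dialin",       re.compile(r"dial-in (?P<result>accepted|rejected) user=(?P<user>\S+) caller=(?P<src>\S+)")),
    ("privileged",   re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)")),
    ("sensitive",    re.compile(r"audit: uid=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)")),
]
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}  # assumption: which files count as sensitive
FAILED_LOGIN_THRESHOLD = 3                         # assumption: per (user, source) before alerting

SAMPLE_LOG = """\
May  3 08:01:12 srv1 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
May  3 08:02:40 srv1 sshd[2003]: Failed password for bob from 203.0.113.9 port 40110 ssh2
May  3 08:02:43 srv1 sshd[2003]: Failed password for bob from 203.0.113.9 port 40111 ssh2
May  3 08:02:50 srv1 sshd[2003]: Failed password for bob from 203.0.113.9 port 40113 ssh2
May  3 08:10:05 srv1 sshd[2010]: Accepted password for root from 10.0.0.77 port 51000 ssh2
May  3 08:11:30 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd carol
May  3 08:12:02 srv1 audit: uid=alice op=read path=/etc/shadow
May  3 08:15:00 ras1 mgetty: dial-in accepted user=dave caller=555-0134
May  3 08:20:00 srv1 sshd[2001]: pam_unix(sshd:session): session closed for user alice
"""

def parse_event(line: str):
    """Classify one line into an event class, or return None if it is not an audited event."""
    m = LINE.match(line)
    if not m:
        return None
    for kind, pattern in PATTERNS:
        hit = pattern.search(m["msg"])
        if hit:
            event = {"kind": kind, "ts": m["ts"], "host": m["host"], **hit.groupdict()}
            if kind == "login" and event["user"] == "root":
                event["kind"] = "root_login"   # the slide tracks administrator/root logins separately
            return event
    return None

def review(log_text: str) -> dict:
    """Count events per class and list the findings a reviewer should look at first."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    counts = Counter(e["kind"] for e in events)
    failures = Counter((e["user"], e["src"]) for e in events if e["kind"] == "failed_login")
    findings = [f"{n} failed logins for {u} from {s}" for (u, s), n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]
    for e in events:
        if e["kind"] == "root_login":
            findings.append(f"root login from {e['src']} at {e['ts']}")
        elif e["kind"] == "sensitive" and e["path"] in SENSITIVE_PATHS and e["user"] != "root":
            findings.append(f"{e['user']} {e['op']} {e['path']}")
    return {"counts": dict(counts), "findings": findings}
```

Running `review(SAMPLE_LOG)` returns the per-class counts plus three findings: the repeated failures for bob, the root login, and alice reading /etc/shadow; the sudo line is counted as a privileged function without being flagged, since authorised administration is expected.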