IT Security Policy

Computer Security Fundamentals

by Chuck Easttom

Chapter 10 Security Policies

*

© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

Chapter 10 Objectives

Recognize the importance of security policies
Understand the various policies and the rationale for them
Know what elements go into good policies
Create policies for network administration
Evaluate and improve existing policies
© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

Explain what cyber terrorism is and how it has been used in some actual cases.

Understand the basics of information warfare.

Have a working knowledge of some plausible cyber terrorism scenarios.

Have an appreciation for the dangers posed by cyber terrorism.

© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

Introduction

Technology by itself cannot solve all network security problems.
© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

Cyber terrorism, according to the definition of the FBI:

Premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.

Typically, loss of life in a cyber attack would be less than in a bombing attack.

© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

Introduction (cont.)

Virus software won’t prevent a user from manually opening an attachment and releasing a virus.
A technologically secured network is still vulnerable if former employees (perhaps some unhappy with the company) still have working passwords. Or if passwords are simply put on Post-it notes on computer monitors.
A server is not secure if it is in a room that nearly everyone in the company has access to.
Your network is not secure if end users are vulnerable to social engineering.
© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

All these could lead to significant deaths: train wrecks, hospital deaths, loss of air traffic control resulting in plane crashes, and so forth.

© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

What Is a Policy?

A security policy is a document that defines how an organization deals with some aspect of security. There can be policies regarding end-user behavior, IT response to incidents, or policies for specific issues and incidents.
© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

All these could lead to significant deaths: train wrecks, hospital deaths, loss of air traffic control resulting in plane crashes, and so forth.

© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

Defining User Policies

Passwords
Internet use
E-mail attachments
Installing/uninstalling software
Instant messaging
Desktop configuration
© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

All these could lead to significant deaths: train wrecks, hospital deaths, loss of air traffic control resulting in plane crashes, and so forth.

© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

System Admin Policies

New Employees
Departing Employees
Change Control
Access Control
© 2016 Pearson, Inc. Chapter 10 Computer Security Policies

*

All these could lead to significant deaths: train wrecks, hospital deaths, loss of air traffic control resulting in plane crashes, and so forth.

© 2016 Pearson, Inc. Chapter 10 Computer Security Policies