4196288
Planning for Security
- Info Security Policy,
Standards, and Practices
- Communities of interest must
consider policies as the basis
for all info security efforts
- Policies direct how issues should
be addresses and tech used
- Shaping policy is difficult: Never conflict
with laws, Stand up in court if
challenged, Be properly administered
- Shaping policy is difficult: Never conflict
with laws, Stand up in court if
challenged, Be properly administered
- Policies direct how issues should
be addresses and tech used
- Policies (org laws): course of
action used by org to convey
instructions from mgt to those
who perform duties
- Communities of interest must
consider policies as the basis
for all info security efforts
- Types of Policy:
- 1) Enterprise Information
Security Policy (EISP)
- Sets strategic
direction, scope, and
tone for all security
efforts within the org
- Typically addresses
compliance in 2 areas:
- Use of specified penalties
and disciplinary action
- Ensure meeting requirements
to establish program and
responsibilities assigned to
various org components
- Use of specified penalties
and disciplinary action
- Sets strategic
direction, scope, and
tone for all security
efforts within the org
- 2) Issue-Specific
Security Policy (ISSP)
- Addresses specific areas
of tech; Requires frequent
updates; Contains
statement on org's
position on specific issue
- Addresses specific areas
of tech; Requires frequent
updates; Contains
statement on org's
position on specific issue
- 3) Systems-Specific
Policy (SysSP)
- Standards and
procedures used when
configuring/maintaining
systems
- Fall into 2 groups : Access control lists
(ACL - Managerial Guidance SysSp) &
Configuration rules - Technical
Specifications SysSP
- Fall into 2 groups : Access control lists
(ACL - Managerial Guidance SysSp) &
Configuration rules - Technical
Specifications SysSP
- Standards and
procedures used when
configuring/maintaining
systems
- 1) Enterprise Information
Security Policy (EISP)
- ISO 27000 Series
- British Standard BS7799
- Adopted in 2000 as an
international standard
- Framework for IS that states org security policy
is needed to provide mgt direction and support
- Framework for IS that states org security policy
is needed to provide mgt direction and support
- Adopted in 2000 as an
international standard
- British Standard BS7799
- Design of Security
Architecture
- Defense in depth
- Requires org to establish
sufficient security controls and
safeguards, so that an intruder
faces multiple layers of controls
- Requires org to establish
sufficient security controls and
safeguards, so that an intruder
faces multiple layers of controls
- Security
perimeter
- Org's security protection ends
and outside world begins
- xx apply to internal attacks
from employee threats
- Org's security protection ends
and outside world begins
- Defense in depth
- Key Technological Components
- Firewall, Demilitarised zone (DMZ),
Intrusion detection system (IDS)
- Firewall, Demilitarised zone (DMZ),
Intrusion detection system (IDS)
- Security Education, Training,
and Awareness Program
- A control measure designed to
reduce accidental security breaches
- General knowledge employees
must possess to do their jobs,
familiarising them with the way
to do their jobs securely
- General knowledge employees
must possess to do their jobs,
familiarising them with the way
to do their jobs securely
- 1) Security Education
- 2) Security Training
- Providing members of org
with detailed info and
hands-on instruction designed
to prepare the mto perform
their duties securely
- Customised in-house training/outsource
- Providing members of org
with detailed info and
hands-on instruction designed
to prepare the mto perform
their duties securely
- 3) Security Awareness
- Designed to keep info security at the
forefront of user's mind/Stimulate
them to care about security
- Designed to keep info security at the
forefront of user's mind/Stimulate
them to care about security
- A control measure designed to
reduce accidental security breaches
Want to create your own Mind Maps for free with GoConqr? Learn more.