Chapter 4 - Security Policy and Design
Ge.be09@yahoo.com
Security Policies
Management of resources
Resources: interconnected devices, people, skills, money, time
Security policy
Security policy is an essential foundation of an effective information security (infosec) program.
The success of an information resources protection program depends on the policy generated and on the attitude of management toward securing information on automated systems.
Security policy
A quality infosec program begins and ends with policy.
Policies are the least expensive means of control and often the most difficult to implement.
Implementation phase
Write the policies!
Make certain policies are enforceable as written
Policy distribution is not always straightforward.
Effective policy:
Is written at a reasonable reading level
Attempts to minimize technical jargon and management terminology
Statement of Purpose:
Scope & Applicability
Definition of Technology Addressed
Responsibilities
more ...
Example 1:
Policy: Computer systems are not exposed to illegal, inappropriate, or
dangerous software
Policy Control Standard: Allowed software is defined to include ...
Policy Control Procedure: A description of how to load a computer with
required software.
Example 2:
Policy: Access to confidential information is controlled
Policy Control Standard: Confidential information SHALL never be emailed
without being encrypted
Policy Guideline: Confidential info SHOULD not be written to a memory
stick
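Example 2 separates a policy (the goal), a control standard (SHALL, mandatory) and a guideline (SHOULD, advisory). The slides also insist that policies be enforceable as written; the added example below (not from the original slides) turns Example 2 into checks that can be run against access events. The event fields and rule names are assumptions made for this illustration.

```python
"""Added example: policy / control standard / guideline evaluator for Example 2."""
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    level: str                      # "SHALL" = control standard, "SHOULD" = guideline
    check: Callable[[dict], bool]   # returns True when the event complies

@dataclass
class Finding:
    rule: str
    level: str
    action: str                     # "block" for a SHALL breach, "warn" for a SHOULD breach

# Policy: "Access to confidential information is controlled".
# The two rules are Example 2's control standard and guideline as enforceable checks.
CONFIDENTIAL_POLICY = [
    Rule("confidential email must be encrypted", "SHALL",
         lambda e: e["action"] != "email" or e.get("encrypted", False)),
    Rule("confidential info should not be written to removable media", "SHOULD",
         lambda e: e["action"] != "write" or e.get("target") != "removable"),
]

def evaluate(event: dict, rules=CONFIDENTIAL_POLICY) -> list:
    """Apply every rule to one event; only confidential data is in scope."""
    if event.get("classification") != "confidential":
        return []
    findings = []
    for rule in rules:
        if not rule.check(event):
            action = "block" if rule.level == "SHALL" else "warn"
            findings.append(Finding(rule.name, rule.level, action))
    return findings

def is_permitted(event: dict) -> bool:
    """A SHALL breach denies the action; a SHOULD breach only warns."""
    return not any(f.action == "block" for f in evaluate(event))

# Constructed sample events (assumed field names) for illustration
SAMPLE_EVENTS = [
    {"classification": "confidential", "action": "email", "encrypted": False},
    {"classification": "confidential", "action": "email", "encrypted": True},
    {"classification": "confidential", "action": "write", "target": "removable"},
    {"classification": "public", "action": "email", "encrypted": False},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", [(f.level, f.action) for f in evaluate(ev)])
```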
Determine requirements
Implementation
Needs a project plan to include
Phased introduction of new technology
Educating the users (what to expect)
Pilot installation (test for possible problems)
Acceptance testing (to prove performance meets requirements)
Deployment (provide support on going live and provide fallback position)
Needs Technology
Analysis design
Cost
Assessment
We need to develop the low level design and the higher level
architecture, and understand the environment in which they operate
We also need to prove that the design we’ve chosen is ‘just right’
Managing the customer’s expectations
They may expect a much simpler or more expensive solution than is really
needed
Network Management and Security, Chapter 4
Secure Network Design Principles and Methodologies
Requirements
Managing the customer’s expectations
Showing analysis of different design options, technologies, or architectures
can help prove you have the best solution
[Risk assessment table residue: a "Physical Damage" threat rated by impact and likelihood of occurrence; legend fragments: B: Disabling, D: No Impact; B: Unlikely, D: Impossible]
So, how do we determine what the requirements are for our network?
Collect requirements, service metrics, and delays to help develop and map requirements.