
CH3 – Planning Enterprise Information Security
Pacu Putra, B.CS., M.CS.

Protecting Enterprise Data

• Theft of equipment (particularly laptops) containing unencrypted information
• Equipment discovered missing during periodic inventory checks
• Confidential data posted to a company's public Web site or to an inadequately secured, publicly accessible location
• Improper disposal of data processing equipment
• Accidental exposure through e-mail
Creating a Security Plan

• Identify and include security requirements in all stages of planning and at all levels of your enterprise architecture.
• Implementation can't start until the security requirements for all resources have been identified.
• Physical security requirements need at least as much attention as logical security requirements.
Design a Workable Program

• Base the program on identified requirements and attainable goals.
• Breaking your program into smaller, manageable projects ensures that new technology meets your organization's needs before full implementation.
• Ensure that expectations are reasonable.
Use a Layered Framework

• Security is more than simply the sum of its parts, and it takes more than parts to implement a security framework.
• An enterprise security strategy must include a layered framework to protect the data.
Implement Security Standards

• Find 3 security standards that can be applied when implementing security in an organization.
• Give an explanation of each of those standards!
• Upload it to E-learning using the file name format NIM-Nama (pdf/doc).
View Security as a Program, Not a Project

• Projects have a beginning and an end, but programs are continuous.
Keep Security Simple

• Find the proper balance between security and usability, or risk having users bypass controls in order to perform their jobs.
Developing a Security Policy

• A comprehensive security policy is necessary so that all network users, both technical and nontechnical, are aware of the enterprise's required security controls.
• The policy should balance security with usability, and its procedures must work hand in hand with business processes to avoid disruption of normal operations.
• Example of such a procedure: requiring an employee who has forgotten his password to report to the IT office and show proper identification.
Classifying Data to Be Secured

• Know the type of information that is on your network before you dictate policies regarding its security.
• A storage survey should reveal enough information for you to classify your organization's data by business function, sensitivity, owner, and known security requirements based on legal or contractual mandates.
Addressing Basic Security Elements

• Administrative access
• Acceptable use
• Authorized software
• Data disposal
• Encryption
• Firewall
• Incident management
• Malware
• Passwords
• Server and workstation hardening
• Social engineering awareness
• Social media
• Telephone procedures
• Waste disposal
Getting Management Approval

• Getting management approval serves two purposes:
  • It ensures that those who control the finances understand that security is important and must be budgeted for.
  • It lets employees know that security is a valid business concern.
Maintaining the Policy

• Security policies are living documents, and as such, they should be reviewed and updated periodically. The following events may also trigger a review of the security policy:
  • Emerging security threats
  • Changes in business functionality or data classification
  • Implementation of new technology
  • Mergers and acquisitions
  • Security incidents
Training Employees

• After the policies are in place, employees must be educated about the policies and the reasons behind them.
• They must also have clear instructions for reporting suspicious behavior or events.
• This training should be conducted regularly to help keep employees alert and up to date on new procedures.
Thank You