Module-3

Information Security Management

 Module-3: Information Security
Management
• Monitor systems and apply controls
• Security assessment using automated tools
• Backups of security devices
• Performance Analysis, Root cause analysis and
Resolution,
• Information Security Policies, Procedures,
Standards and Guidelines
Security Assessment
Outline

• What is security assessment?

• What are the non-intrusive types?
• How do you choose between these types?
• What are the intrusive types?
• What are the types of risk reduction?
• What is effective security?
• What are the limitations to security assessment?
Security Assessment
Overview

• Definition
– Security assessment
• identifies existing IT vulnerabilities (weakness) and
• recommends countermeasures for mitigating potential risks
• Goal
– Make the infrastructure more secure
– Identify risks and reduce them
• Consequences of Failure
– Loss of services
– Financial loss
– Loss of reputation
– Legal consequences
Security Assessment
Types

• Non-Intrusive
1. Security Audit
2. Risk Assessment
3. Risk Analysis
• Intrusive
1. Vulnerability Scan
2. Penetration Testing / Ethical Hacking
• All have the goal of identifying vulnerabilities and
improving security
– Differ in rules of engagement and limited purpose of
the specific engagement (what is allowed, legal liability,
purpose of analysis, etc.).
Security Assessment: Non-Intrusive Types
1. Security Audit

• Security Audit-
– Independent review and examination of system records & activities
to determine adequacy of system controls, ensure compliance of
security policy & operational procedures, detect breaches in
security, and recommend changes in these processes.1
• Features
– Formal Process
– Paper Oriented
• Review Policies for Compliance and Best Practices
– Review System Configurations
• Questionnaire, or console based
– Automated Scanning
– Checklists
1 http://www.atis.org/tg2k/_security_audit.html
Security Assessment: Non-Intrusive Types
2. Risk Assessment

• Risk Assessment (Vulnerability Assessment) is:

– determination of state of risk associated with a system based upon
thorough analysis
– includes recommendations to support subsequent security
controls/decisions.
– takes into account business, as well as legal constraints.
• Involves more testing than traditional paper audit
• Primarily required to identify weaknesses in the information
system
• Steps
– Identify security holes in the infrastructure
– Look but not intrude into the systems
– Focus on best practices (company policy is secondary)
Security Assessment: Non-Intrusive Types
3. Risk Analysis

• Risk Analysis is the identification or study of:

– an organization’s assets
– threats to these assets
– system’s vulnerability to the threats
• Risk Analysis is done in order to determine
exposure and potential loss.
• Computationally intensive and requires data to
– Compute probabilities of attack
– Valuation of assets
– Efficacy of the controls
• More cumbersome than audit or assessment and
usually requires an analytically trained person
Security Assessment
Assessment vs. Analysis vs. Audit

Assessment Analysis Audit

Objective Baseline Determine Measure against a
Exposure and Standard
Potential Loss
Method Various (including Various (including Audit Program/
use of tools) tools) Checklist
Deliverables Gaps and Identification of Audit Report
Recommendations Assets, Threats &
Vulnerabilities
Performed by: Internal or External Internal or External Auditors

Value Focused Preparation for Compliance

Improvement Assessment
Security Assessment: Intrusive Types
1. Vulnerability Scan

• Definition
– Scan the network using automated tools to identify
security holes in the network
• Usually a highly automated process
– Fast and cheap
• Limitations
– False findings
– System disruptions (due to improperly run tools)
• Differences in regular scans can often identify new
vulnerabilities
Security Assessment: Intrusive Types
2. Penetration Testing

• Definition (Ethical Hacking)

– Simulated attacks on computer networks to identify
weaknesses in the network.
• Steps
– Find a vulnerability
– Exploit the vulnerability to get deeper access
– Explore the potential damage that the hacker can cause
• Example
– Scan web server: Exploit buffer overflow to get an
account
– Scan database (from web server)
– Find weakness in database: Retrieve password
– Use password to compromise firewall
Security Assessment
Risk Reduction

There are three strategies for risk reduction:

• Avoiding the risk
– by changing requirements for security or other system
characteristics
• Transferring the risk
– by allocating the risk to other systems, people,
organizations assets or by buying insurance
• Assuming the risk
– by accepting it, controlling it with available resources
Security Assessment
Effective Security

• Effective security relies on several factors

– Security Assessments
– Policies & Procedures
– Education (of IT staff, users, & managers)
– Configuration Standards/Guidelines
• OS Hardening
• Network Design
• Firewall Configuration
• Router Configuration
• Web Server Configuration
– Security Coding Practices
Risk Analysis
Concept Map

• Threats exploit system vulnerabilities which expose system assets.

• Security controls protect against threats by meeting security requirements established on
the basis of asset values.
Risk Analysis
Basic Definitions

• Assets-
• Vulnerability-
• Threat-
• Security Risk-
• Security Controls-
Risk Analysis
Assets

• Assets: Something that the agency values and has

to protect. Assets include all information and
supporting items that an agency requires to
conduct business.
• Data • Organization
– Breach of confidentiality – Loss of trust
– Embarrassment
– Loss of data integrity
– Management failure
– Denial of service
• Personnel
– Corruption of Applications – Injury and death
– Disclosure of Data – Sickness
– Loss of morale
Risk Analysis
Assets Cont’d
• Infrastructure
– Electrical grid failure
– Loss of power
– Chemical leaks
– Facilities & equipment
– Communications
• Legal
– Use or acceptance of
unlicensed software
– Disclosure of Client
Secrets
• Operational
– Interruption of services
– Loss/Delay in Orders
– Delay in Shipments
Risk Analysis
Vulnerabilities

• Vulnerabilities are flaws within an asset, such as an

operating system, router, network, or application, which
allows the asset to be exploited by a threat.
• Examples
– Software design flaws
– Software implementation errors
– System misconfiguration (e.g. misconfigured firewalls)
– Inadequate security policies
– Poor system management
– Lack of physical protections
– Lack of employee training (e.g. passwords on post-it
notes in drawers or under keyboards)
Risk Analysis
Threats

• Threats are potential causes of events which have

a negative impact.
– Threats exploit vulnerabilities causing impact to assets

• Examples
– Denial of Service (DOS) Attacks
– Spoofing and Masquerading
– Malicious Code
– Human Error
– Insider Attacks
– Intrusion
Risk Analysis
Sources of Threats

Source Examples of Reasons

• Espionage
External Hackers with Malicious Intent • Intent to cause damage
• Terrorism

External Hackers Seeking Thrill • Popularity

• Anger at company
Insiders with Malicious Intent
• Competition with co-worker(s)

Accidental Deletion of Files and Data • User errors

• Floods
Environmental Damage • Earthquakes
• Fires

Equipment and Hardware Failure • Hard disk crashes

Risk Analysis
Security Risk

• Risk is the probability that a specific threat will successfully

exploit a vulnerability causing a loss.
• Risks of an organization are evaluated by three distinguishing
characteristics:
– loss associated with an event, e.g., disclosure of confidential data,
lost time, and lost revenues.
– likelihood that event will occur, i.e. probability of event occurrence
– Degree that risk outcome can be influenced, i.e. controls that will
influence the event
• Various forms of threats exist
• Different stakeholders have various perception of risk
• Several sources of threats exist simultaneously
Risk Analysis
Physical Asset Risks

• Physical Asset Risks

– Relating to items with physical and tangible items
that have an associated financial value
Risk Analysis
Mission Risks

• Mission Risks
– Relating to functions, jobs or tasks that need to
be performed
Risk Analysis
Security Risks

• Security Risks
– Integrates with both asset and mission risks
Risk Analysis: Define Objectives
Standards

• ISO 17799
– Title: Information technology -- Code of practice for information security
management
– Starting point for developing policies
– http://www.iso.ch/iso/en/prods-
services/popstds/.../en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441
&ICS1=35
• ISO 13335
– Title: Information technology -- Guidelines for the management of IT Security --
Part 1: Concepts and models for IT Security
– Assists with developing baseline security.
– http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=2173
3&ICS1=35

• NIST SP 800-xx
– Different standards for various applications
– http://csrc.nist.gov/publications/nistpubs/
• Center for Internet Security
– Configuration Standards (benchmarks)
– http://www.cisecurity.org/
 Module-3

Information Security Management

 Module-3: Information Security
Management
• Monitor systems and apply controls
• Security assessment using automated tools
• Backups of security devices
• Performance Analysis, Root cause analysis and
Resolution,
• Information Security Policies, Procedures,
Standards and Guidelines
Security Assessment
Outline

• What is security assessment?

• What are the non-intrusive types?
• How do you choose between these types?
• What are the intrusive types?
• What are the types of risk reduction?
• What is effective security?
• What are the limitations to security assessment?
Security Assessment
Overview

• Definition
– Security assessment
• identifies existing IT vulnerabilities (weakness) and
recommends countermeasures for mitigating potential risks
• Goal
– Make the infrastructure more secure
– Identify risks and reduce them
• Consequences of Failure
– Loss of services
– Financial loss
– Loss of reputation
– Legal consequences
Security Assessment
Types

• Non-Intrusive
1. Security Audit
2. Risk Assessment
3. Risk Analysis
• Intrusive
1. Vulnerability Scan
2. Penetration Testing / Ethical Hacking
• All have the goal of identifying vulnerabilities and
improving security
– Differ in rules of engagement and limited purpose of
the specific engagement (what is allowed, legal liability,
purpose of analysis, etc.).
Security Assessment: Non-Intrusive Types
1. Security Audit

• Security Audit-
– Independent review and examination of system records & activities
to determine adequacy of system controls, ensure compliance of
security policy & operational procedures, detect breaches in
security, and recommend changes in these processes.1
• Features
– Formal Process
– Paper Oriented
• Review Policies for Compliance and Best Practices
– Review System Configurations
• Questionnaire, or console based
– Automated Scanning
– Checklists
1 http://www.atis.org/tg2k/_security_audit.html
Security Assessment: Non-Intrusive Types
2. Risk Assessment

• Risk Assessment (Vulnerability Assessment) is:

– determination of state of risk associated with a system based upon
thorough analysis
– includes recommendations to support subsequent security
controls/decisions.
– takes into account business, as well as legal constraints.
• Involves more testing than traditional paper audit
• Primarily required to identify weaknesses in the information
system
• Steps
– Identify security holes in the infrastructure
– Look but not intrude into the systems
– Focus on best practices (company policy is secondary)
Security Assessment: Non-Intrusive Types
3. Risk Analysis

• Risk Analysis is the identification or study of:

– an organization’s assets
– threats to these assets
– system’s vulnerability to the threats
• Risk Analysis is done in order to determine
exposure and potential loss.
• Computationally intensive and requires data to
– Compute probabilities of attack
– Valuation of assets
– Efficacy of the controls
• More cumbersome than audit or assessment and
usually requires an analytically trained person
Security Assessment
Assessment vs. Analysis vs. Audit

Assessment Analysis Audit

Objective Baseline Determine Measure against a
Exposure and Standard
Potential Loss
Method Various (including Various (including Audit Program/
use of tools) tools) Checklist
Deliverables Gaps and Identification of Audit Report
Recommendations Assets, Threats &
Vulnerabilities
Performed by Internal or External Internal or External Auditors

Value Focused Preparation for Compliance

Improvement Assessment
Security Assessment: Intrusive Types
1. Vulnerability Scan

• Definition
– Scan the network using automated tools to identify
security holes in the network
• Usually a highly automated process
– Fast and cheap
• Limitations
– False findings
– System disruptions (due to improperly run tools)
• Differences in regular scans can often identify new
vulnerabilities
Security Assessment: Intrusive Types
2. Penetration Testing

• Definition (Ethical Hacking)

– Simulated attacks on computer networks to identify
weaknesses in the network.
• Steps
– Find a vulnerability
– Exploit the vulnerability to get deeper access
– Explore the potential damage that the hacker can cause
• Example
– Scan web server: Exploit buffer overflow to get an
account
– Scan database (from web server)
– Find weakness in database: Retrieve password
– Use password to compromise firewall
Security Assessment
Risk Reduction

There are three strategies for risk reduction:

• Avoiding the risk
– by changing requirements for security or other system
characteristics
• Transferring the risk
– by allocating the risk to other systems, people,
organizations assets or by buying insurance
• Assuming the risk
– by accepting it, controlling it with available resources
Security Assessment
Effective Security

• Effective security relies on several factors

– Security Assessments
– Policies & Procedures
– Education (of IT staff, users, & managers)
– Configuration Standards/Guidelines
• OS Hardening
• Network Design
• Firewall Configuration
• Router Configuration
• Web Server Configuration
– Security Coding Practices
Risk Analysis
Concept Map

• Threats exploit system vulnerabilities which expose system assets.

• Security controls protect against threats by meeting security requirements established on
the basis of asset values.
Risk Analysis
Basic Definitions

• Assets-
• Vulnerability-
• Threat-
• Security Risk-
• Security Controls-
Risk Analysis
Assets

• Assets: Something that the agency values and has

to protect. Assets include all information and
supporting items that an agency requires to
conduct business.
• Data • Organization
– Breach of confidentiality – Loss of trust
– Embarrassment
– Loss of data integrity
– Management failure
– Denial of service
• Personnel
– Corruption of Applications – Injury and death
– Disclosure of Data – Sickness
– Loss of morale
Risk Analysis
Assets Cont’d
• Infrastructure
– Electrical grid failure
– Loss of power
– Chemical leaks
– Facilities & equipment
– Communications
• Legal
– Use or acceptance of
unlicensed software
– Disclosure of Client
Secrets
• Operational
– Interruption of services
– Loss/Delay in Orders
– Delay in Shipments
Risk Analysis
Vulnerabilities

• Vulnerabilities are flaws within an asset, such as an

operating system, router, network, or application, which
allows the asset to be exploited by a threat.
• Examples
– Software design flaws
– Software implementation errors
– System misconfiguration (e.g. misconfigured firewalls)
– Inadequate security policies
– Poor system management
– Lack of physical protections
– Lack of employee training (e.g. passwords on post-it
notes in drawers or under keyboards)
Risk Analysis
Threats

• Threats are potential causes of events which have

a negative impact.
– Threats exploit vulnerabilities causing impact to assets

• Examples
– Denial of Service (DOS) Attacks
– Spoofing and Masquerading
– Malicious Code
– Human Error
– Insider Attacks
– Intrusion
Risk Analysis
Sources of Threats

Source Examples of Reasons

• Espionage
External Hackers with Malicious Intent • Intent to cause damage
• Terrorism

External Hackers Seeking Thrill • Popularity

• Anger at company
Insiders with Malicious Intent
• Competition with co-worker(s)

Accidental Deletion of Files and Data • User errors

• Floods
Environmental Damage • Earthquakes
• Fires

Equipment and Hardware Failure • Hard disk crashes

Risk Analysis
Security Risk

• Risk is the probability that a specific threat will successfully

exploit a vulnerability causing a loss.
• Risks of an organization are evaluated by three distinguishing
characteristics:
– loss associated with an event, e.g., disclosure of confidential data,
lost time, and lost revenues.
– likelihood that event will occur, i.e. probability of event occurrence
– Degree that risk outcome can be influenced, i.e. controls that will
influence the event
• Various forms of threats exist
• Different stakeholders have various perception of risk
• Several sources of threats exist simultaneously
Risk Analysis
Physical Asset Risks

• Physical Asset Risks

– Relating to items with physical and tangible items
that have an associated financial value
Risk Analysis
Mission Risks

• Mission Risks
– Relating to functions, jobs or tasks that need to
be performed
Risk Analysis
Security Risks

• Security Risks
– Integrates with both asset and mission risks
Risk Analysis: Define Objectives
Standards

• ISO 17799
– Title: Information technology -- Code of practice for information security
management
– Starting point for developing policies
– http://www.iso.ch/iso/en/prods-
services/popstds/.../en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441
&ICS1=35
• ISO 13335
– Title: Information technology -- Guidelines for the management of IT Security --
Part 1: Concepts and models for IT Security
– Assists with developing baseline security.
– http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=2173
3&ICS1=35

• NIST SP 800-xx
– Different standards for various applications
– http://csrc.nist.gov/publications/nistpubs/
• Center for Internet Security
– Configuration Standards (benchmarks)
– http://www.cisecurity.org/
 Module-3

Information Security Management

DATA BACKUP
 Backup
• Activity of copying files or databases so that they will
be preserved in case of equipment failure or other
catastrophe.
• Retrieval of files you backed up I called restoring
• All electronic information considered of institutional
value should be copied onto secure storage media on
a regular basis (i.e., backed up), for disaster recovery
and business resumption.
• Allows business processes to be resumed in a
reasonable amount of time with minimal loss of data
 Types of Backup
• Full backup
• Incremental backup
• Differential backups
• Mirror backup
• Full PC backup
• Local backup
• Online backup
• Remote backup
• Cloud backup
• FTP backup
• Full backup
– Backup all files and folders
– initial or first backup followed with subsequent
incremental or differential backups
– Adv:
• Restores are fast and easy to manage as the entire list
of files and folders are in one backup set.
• Easy to maintain and restore different versions
– Disadv:
• take very long as each file is backed up again every time
the full backup is run
• Consumes the most storage space compared to
incremental and differential backups.
• Incremental backup
– backup of all changes made since the last backup
– one full backup is done first and subsequent backup
runs are just the changed files and new files added
since the last backup.
– Adv:
• Much faster backups
• Efficient use of storage space as files is not duplicated
– Disadv:
• Restores are slower than with a full backup and differential
backups.
• Restores are a little more complicated
• Differential backups
– fall in the middle between full backups and
incremental backup
– backup of all changes made since the last full
backup
– one full backup is done first and subsequent
backup runs are the changes made since the last
full backup
– Adv:
• Much faster backups then full backups
• More efficient use of storage space then full backups
since only files changed since the last full backup will be
copied on each differential backup run.
• Disadv:
– Backups are slower then incremental backups
– Not as efficient use of storage space as compared
to incremental backups.
– Restores are slower than with full backups.
– Restores are a little more complicated than full
backups but simpler than incremental backups.
• Mirror backups
– mirror of the source being backed up
– when a file in the source is deleted, that file is
eventually also deleted in the mirror backup
– Adv:
• The backup is clean and does not contain old and obsolete
files
– Disadv:
• files in the source deleted accidentally, by sabotage or
through a virus may also be deleted from the backup mirror
• Full PC backup
– backup of full computer backup typically involves
backing up entire images of the computer’s hard
drives rather than individual files and folders.
– restore the hard drives to its exact state when the
backup was done
– sometimes called “Drive Image Backups”
– Adv:
• A crashed computer can be restored in minutes with all
programs databases emails etc intact. No need to install the
operating system, programs and perform settings etc.
– Disadv:
• Any problems that were present on the computer (like
viruses, or mis-configured drivers, unused programs etc.) at
the time of the backup may still be present after a full
restore
• Local Backup:
– storage medium is kept close at hand
– Adv:
• Offers good protection from hard drive failures, virus
attacks, accidental deletes and deliberate employee
sabotage on the source data.
• Very fast backup and very fast restore
• Storage cost can be very cheap when the right storage
medium is used like external hard drives
• Data transfer cost to the storage medium can be
negligible or very cheap
• Full internal control over the backup storage media and
the security of the data on it. There is no need to
entrust the storage media to third parties.
• Disadv:
– does not offer good protections against theft, fire,
flood, earthquakes and other natural disasters
• Offsite backup:
– Any backup where the backup storage medium is kept
at a different geographic location from the source
– Adv:
• Offers additional protection when compared to local backup
such as protection from theft, fire, flood, earthquakes,
hurricanes and more.
– Disadv:
• it requires more due diligence to bring the storage media to
the offsite location
• May cost more as people usually need to rotate between
several storage devices
• Online Backup:
– a backup done on an ongoing basis to a storage
medium that is always connected to the source being
backed up
– “online” refers to the storage device or facility being
always connected.
– does not involve human intervention to plug in drives
and storage media for backups to run
– Adv:
• Offers the best protection against fires, theft and natural
disasters.
• Because data is replicated across several storage media, the
risk of data loss from hardware failure is very low
• Because backups are frequent or continuous, data loss is
very minimal compared to other backups that are run less
frequently.
• requires little human or manual interaction after it is setup.
• Disadv:
– expensive option then local backups.
– Can be slow to restore.
– Initial or first backups can be a slow process
spanning a few days or weeks depending on
Internet connection speed and the amount of
data backed up.
• Remote Backup:
– form of offsite backup with a difference being that you
can access, restore or administer the backups while
located at your source location or other physical
location.
– refers to the ability to control or administer the
backups from another location.
– Adv:
• Much better protection from natural disasters than local
backups.
• Easier administration as it does not need a physical trip to
the offsite backup location.
– Disadv:
• More expensive then local backups
• Can take longer to backup and restore than local backups
• Cloud backup
– Loosely and interchangeably with Online Backup and
Remote Backup
– data is backed up to a storage server or facility
connected to the source via the Internet
– “cloud” refers to the backup storage facility being
accessible from the Internet
– Adv:
• offers protection from fire, floods, earth quakes and other
natural disasters.
• Able to easily connect and access the backup with just an
Internet connection
• service is managed and protection is un-paralleled.
– Disadv:
• More expensive then local backups
• Can take longer to backup and restore
• FTP backup
– backup is done via the File Transfer Protocol (FTP)
over the Internet to an FTP Server.
– Adv:
• it offers protection from fire, floods, earth quakes and
other natural disasters.
• Able to easily connect and access the backup with just
an Internet connection.
– Disadv:
• More expensive then local backups Can take longer to
backup and restore.
• Backup and restore times are dependent to the
Internet connection
 Backup Procedures
• 3-2-1 rule
– 3 copies of any important file (a primary and two
backups)
– files on 2 different media types (such as hard drive
and optical media), to protect against different
types of hazards
– 1 copy should be stored offsite (or at least offline)
• data backup procedures must include
– frequency,
– data backup retention
– testing
– media replacement
– recovery time
– roles and responsibilities
• Local data backup procedures must include
– Data Backup Retention. Retention of backup data must meet
System and institution requirements for critical data
– Testing - Restoration of backup data must be performed and
validated on all types of media in use periodically.
– Media Replacement - Backup media should be replaced
according to manufacturer recommendations.
– Recovery Time - The recovery time objective (RTO) must be
defined and support business requirements.
– Roles and Responsibilities - Appropriate roles and
responsibilities must be defined for data backup and restoration
to ensure timeliness and accountability
• Offsite Storage - Removable backup media taken offsite must be
stored in an offsite location that is insured and bonded or in a
locked media rated, fire safe
• Onsite Storage - Removable backup media kept onsite must be
stored in a locked container with restricted physical access.
• Media Destruction - How to dispose of data storage media in
various situations.
• Encryption - Non-public data stored on removable backup media
must be encrypted.
• Third Parties - Third parties' backup handling & storage procedures
must meet System, or institution policy or procedure requirements
related to data protection, security and privacy.
 Definitions
• Archive:
– collection of historical data specifically selected for long-term retention and
future reference
• Backup:
– A copy of data that may be used to restore the original in the event
the latter is lost or damaged beyond repair.
• Critical Data:
– Data that needs to be preserved in support of the institution's ability
to recover from a disaster or to ensure business continuity
• Data:
– Information collected, stored, transferred or reported for any
purpose, whether in computers or in manual files
• Destruction:
– Destruction of media includes: disintegration, incineration, pulverizing,
shredding, and melting. Information cannot be restored in any form
following destruction.
• Media Rated, Fire Safe:
– A safe designed to maintain internal temperature and humidity levels
low enough to prevent damage to CDs, tapes, and other computer
storage devices in a fire.
• Information Technology Resources:
– Facilities, technologies, and information resources used for
System information processing, transfer, storage, and
communications.
• Recovery Point Objective (RPO):
– Acceptable amount of service or data loss measured in time.
The RPO is the point in time prior to service or data loss that
service or data will be recovered to.
• Recovery Time Objective (RTO).
– Acceptable duration from the time of service or data loss to the
time of restoration
 Types of storage
• Local storage options
– External hard drive
– Solid state drive (SSD)
– Network attached storage
– USB thumb drive or flash drive
– Optical drive(CD/DVD)
• Remote storage options
– Cloud storage
Features of a good backup storage
• features to aim for when designing your backup
strategy:
– Able to recover from data loss in all circumstances like
hard drive failure, virus attacks, theft, accidental deletes or
data entry errors, sabotage, fire, flood, earth quakes and
other natural disasters.
– Able to recover to an earlier state if necessary like due to
data entry errors or accidental deletes.
– Able to recover as quickly as possible with minimum
effort, cost and data loss.
– Require minimum ongoing human interaction and
maintenance after the initial setup. Hence able to run
automated or semi-automated
• Planning your backup strategy:
– What to backup?
– Where to backup?
– When to backup?
– Backup types
– Compression & encryption
– Testing your back up
– Backup utilities & services
 Module-3

Information Security Policies, Procedures,

Standards and Guidelines
 Module-3: Information Security Policies,
Procedures, Standards and Guidelines
• Information Security Policies
• Key Elements of Security Policy
• Security Standards, Guidelines & Frameworks
• Security Standards Organizations
• Information Security Laws, Regulations and
Guidelines
 Information Security Policies
• Security policies are the foundation of your
security infrastructure.
• Without them, you cannot protect your company
from possible lawsuits, lost revenue and bad
publicity, not to mention basic security attacks.
• A security policy is a document or set of documents
that describes, at a high level, the security controls
that will be implemented by the company.
 Information Security Policies
• Policies are not technology specific and do
three things for an organization:
i. Reduce or eliminate legal liability to employees
and third parties.
ii. Protect confidential, proprietary information
from theft, misuse, unauthorized disclosure or
modification.
iii. Prevent waste of company computing resources.
 Information Security Policies
• Types of basic security policies:
1. Technical security policies: these include how
technology should be configured and used.
2. Administrative security policies: these include
how people (both end users and management)
should behave/ respond to security.
 Information Security Policies
• Persons responsible for the implementation of
the security policies are:
– Director of Information Security
– Chief Security Officer
– Director of Information Technology
– Chief Information Officer
 Information Security Policies

• Guidelines for Effective Policy

– Developed using industry-accepted practices
– Distributed using all appropriate methods
– Reviewed or read by all employees
– Understood by all employees
– Formally agreed to by act or assertion
– Uniformly applied and enforced
 Information Security Policies

• Developing Information Security Policy

1. Investigation Phase
2. Analysis Phase
3. Design Phase
4. Implementation Phase
5. Maintenance Phase
 Information Security Policies

1) Investigation Phase
– Support from senior management
– Support and active involvement of IT
management
– Clear articulation of goals
– Participation by the affected communities of
interest
– Detailed outline of the scope of the policy
development project
 Information Security Policies
2) Analysis Phase
– A new or recent risk assessment or IT audit
documenting the information security needs of
the organization.
– Gathering of key reference materials – including
any existing policies
 Information Security Policies
3) Design Phase
– Users or organization members acknowledge they
have received and read the policy
• Signature and date on a form
• Banner screen with a warning
 Information Security Policies

4) Implementation Phase
– Policy development team writes policies
– Resources:
• The Web
• Government sites such as NIST
• Professional literature
• Peer networks
• Professional consultants
 Information Security Policies
5) Maintenance Phase
– Policy development team responsible for
monitoring, maintaining, and modifying the policy
 Information Security Policies
• Policy Distribution
– Hand policy to employees
– Post policy on a public bulletin board
– E-mail
– Intranet
– Document management system
 Information Security Policies
• A security policy should determine rules and
regulations for the following systems:
– Encryption mechanisms
– Access control devices
– Authentication systems
– Firewalls
– Anti-virus systems
– Websites
– Gateways
– Routers and switches
– Necessity of a security policy
Information Security Policies
Information Security Policies