
FORESEC Academy

FORESEC Academy Security Essentials (II)

BASIC SECURITY POLICY



Preface

It never ceases to amaze me: you cannot take a class in Information Security without being told to do this or that in accordance with "your security policy," yet nobody ever explains what the policy is, let alone how to write or evaluate it.

That is why we undertook this research and education project on basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms of the information security community in order to make this, "The Roadmap," a usable and effective policy. Thank you!

Objectives

 Defining Security Policy
 Using Security Policy to Manage Risk
 Identifying Security Policy
 Evaluating Security Policy
 Issue-specific Security Policy
 Exercise: Writing a Personal Security Policy
 Contingency Planning within your Policy

Documentation is Critical

 If it is not in writing, it never happened.
 You must clearly document:
- What is expected of users
- What you plan on doing
- How you plan on doing it
- What other people are required to do

Defining a Policy

 Policies direct the accomplishment of objectives:
- Program Policy
- Issue-specific Policy
- System-specific Policy

An effective and realistic security policy is the key to effective and achievable security.

Defining a Policy (2)

 What makes up a policy?
- Purpose
- Related documents
- Cancellation
- Background
- Scope
- Policy statement
- Action
- Responsibility

Defining a Policy (3)

 Who can sign the policy?
 What process is used to:
- draft a policy
- approve a policy
- implement a policy

Risk Assessment

 What do you do?
- The "important bid" story
- When is it okay to violate or change policy?
- Who has the authority to do it?
- What are the risks involved?

Managing Risks in Your Job

 Identify risks
 Communicate your findings
 Update (create) policy as needed
 Develop metrics to measure compliance

Identifying Security Policy

 Who does the procedure?
 What is the procedure?
 When is the procedure done?
 Where is the procedure done?
 Why is the procedure done?

Roles and Responsibilities

 Formal organizational structure
- Who has the title
- Who is listed at the top of the organizational chart
 Informal organizational structure
- Who gets things done
- Who really makes decisions

Levels of Policy

 Recognize that policies can exist on different levels:
- Enterprise-wide/corporate policy
- Division-wide policy
- Local policy
- Issue-specific policy
- Procedures and checklists

Checkpoint: Procedure Guidance

 Policies address the who, what, and why.
 Procedures address the how, where, and when.

Evaluating Security Policy

 What if your existing policy is confusing and hard to read?
 What if it doesn't cover all the bases?
 Use a checklist to evaluate your policy.

Evaluating Security Policy (2)

 Use a checklist:
- Does it contain the expected
elements?
- Is it clear?
- Is it concise?
- Is it realistic?
- Does it provide sufficient guidance?

Evaluating Security Policy (3)

 Checklist, continued...
- Is it consistent?
- Is it forward-looking?
- Are there means to keep it current?
- Is the policy readily available to those
who need it?

Issue-Specific Security Policy

 Anti-Virus
 Password Assessment
 Backups
 Proprietary Information
 Personal Security Policy

Anti-virus Policy

 Define the problem
- Various practices risk the introduction of viruses into systems and networks
 Develop a solution
- Define the scope
- Layer the defense strategy
- Identify responsibilities
- Measure the effectiveness

Password Assessment Policy

 Define the problem
- Password assessment is a necessary part of security, but it may be illegal, or appear to be, if carried out without proper authority and safeguards
 Develop a solution
- Identify the risks
- Enumerate the countermeasures
- Enable administrators to legally assess passwords
- Escrow passwords for use during incidents

Data Backup Policy

 Define the problem
- Backups are critical to protect information and allow disaster recovery, but they are often performed sporadically
 Develop a solution
- Identify backups as critical
- Empower system administrators
- Provide for exceptions when necessary
- Make sure the policy is implemented
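The backup slide says backups are often performed sporadically and that the policy must actually be implemented; the earlier slide on managing risk asks for metrics that measure compliance. The Python script below is an added example, not part of the FORESEC deck, that turns those two points into a check a practitioner can run: it reads backup-job log lines and reports, for every system in an inventory, whether a successful and restore-verified backup exists within the policy's maximum age, then computes the compliance rate as the metric. The log line format, the host names, the one-day maximum age and the verified=yes flag are all assumptions made for this example; the log lines are constructed, not captured.

```python
"""Backup-policy compliance check.

Added example, not from the FORESEC slides. The log format, host names,
policy parameters and the 'verified' flag are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Policy parameter (assumed): every system in the inventory needs a
# successful backup at least this recent, and a backup only counts once a
# restore test has verified it.
MAX_BACKUP_AGE = timedelta(days=1)

# Assumed system inventory. "Identify backups as critical" means every
# system listed here must appear in the backup log, not only the ones
# somebody remembered to configure.
INVENTORY = ["fileserver01", "dbserver01", "mailserver01", "webserver01"]

# Constructed sample log lines, one backup job per line:
#   <UTC timestamp> <host> <SUCCESS|FAILED> verified=<yes|no>
SAMPLE_LOG = """\
2024-03-10T01:05:00Z fileserver01 SUCCESS verified=yes
2024-03-11T01:04:00Z fileserver01 SUCCESS verified=yes
2024-03-11T01:10:00Z dbserver01 SUCCESS verified=no
2024-03-09T01:00:00Z mailserver01 SUCCESS verified=yes
2024-03-11T02:00:00Z mailserver01 FAILED verified=no
"""

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 3, 11, 12, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse log lines into (timestamp, host, succeeded, verified) tuples.

    A malformed line raises ValueError instead of being skipped: a
    compliance check that silently drops bad input cannot be trusted.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            stamp, host, status, verified = line.split()
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: unparseable backup record") from exc
        when = when.replace(tzinfo=timezone.utc)
        records.append((when, host, status == "SUCCESS", verified == "verified=yes"))
    return records


def assess_backups(log_text, inventory, now, max_age=MAX_BACKUP_AGE,
                   require_verified=True):
    """Return {host: (compliant, reason)} for every host in the inventory."""
    jobs_by_host = {}
    for when, host, ok, verified in parse_log(log_text):
        jobs_by_host.setdefault(host, []).append((when, ok, verified))

    report = {}
    for host in inventory:
        jobs = jobs_by_host.get(host, [])
        # Only successful jobs count, and only verified ones if the policy says so.
        good = [when for when, ok, verified in jobs
                if ok and (verified or not require_verified)]
        if not jobs:
            # The gap the slide warns about: a system nobody backs up at all.
            report[host] = (False, "no backup recorded")
        elif not good:
            what = "verified backup" if require_verified else "successful backup"
            report[host] = (False, f"no {what} on record")
        else:
            age = now - max(good)
            if age > max_age:
                report[host] = (False, f"last good backup is {age.days} days old "
                                       f"(policy maximum {max_age.days})")
            else:
                report[host] = (True, f"last good backup {age} ago")
    return report


def compliance_rate(report):
    """The metric to report upward: fraction of the inventory meeting the policy."""
    return sum(1 for compliant, _ in report.values() if compliant) / len(report)


if __name__ == "__main__":
    result = assess_backups(SAMPLE_LOG, INVENTORY, NOW)
    for host, (compliant, reason) in result.items():
        print(f"{host:14} {'OK  ' if compliant else 'FAIL'} {reason}")
    print(f"compliance: {compliance_rate(result):.0%}")
```

Run against the constructed log, only fileserver01 passes: dbserver01 has a recent backup that was never restore-tested, mailserver01's last verified backup is two days old and its latest job failed, and webserver01 never appears in the log at all. That last case is why the check walks the inventory rather than the log; a report driven only by the log would never notice a system that was never configured for backup.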
