CHAPTER 2.1 - 2.2 - Security Policies - Procedures - SHORT SEM 2021
• Explain common threats and attacks using various tools and techniques for a secured environment in
an organization. (C3, PLO 2)
CLO 2:
• Perform personal skills with proposed documentation in troubleshooting and solving security issues.
(A2, PLO 7)
2.1 Show Security Policy
[Figure: 8 Security Policy Requirements. Labels shown: 2. Access Control; 3. Audit; 4. Network Connectivity; 5. Malicious Code; 6. Encryption; 7. Appendices]
Security Policy Requirements
1. Identification and Authentication
The security policy should define how users will be identified.
Generally, this means that the security policy should define a standard
for user IDs.
• Logins (successful and failed)
• Logouts
• Failed access to files or system objects
• Remote access (successful and failed)
• Privileged actions (those performed by administrators, both successes and failures)
• System events (such as shutdowns and reboots)
4. Network Connectivity
For each type of connection into the organization’s network, the
security policy should specify the rules for connection and the
protection mechanisms to be employed.
• Dial-in Connections: The requirements for dial-in connections should specify the technical
authentication requirements for such connections.
• Permanent Connections: Permanent network connections are those that come into the
organization over some type of permanent communication line.
• Remote Access of Internal Systems: Often, organizations allow employees to access internal
systems from external locations. The security policy should specify the mechanisms to use when
this type of access is to be granted.
5. Malicious Code
The security policy should specify where security programs that look for
malicious code (such as viruses and Trojan horse programs) are to be placed.
Appropriate locations include on file servers, on desktop systems, and on
electronic mail servers.
This may include a requirement for such security programs to examine specific
file types and to check files when they are opened or on a scheduled basis.
6. Encryption
The security policy should define acceptable encryption algorithms for
use within the organization and point back to the Information Policy to
show the appropriate algorithms to protect sensitive information.
7. Appendices
Detailed security configurations for various operating systems should
be placed in appendices or in separate configuration procedures. This
allows these detailed documents to be modified as necessary without
changing the organization’s security policy.
8. Waivers (waiving rights)
There will be times when systems must be put into production that do
not meet the security requirements defined in the security policy.
The business need will be more important than making the systems
comply with the security policy.
• View video: Windows 10 And 8.1 File And Folder Permissions (ACL)
Tutorial Video
https://www.youtube.com/watch?v=FFZsXI9sq34
2.2 Show Security Procedures
Given that each incident will be different, the IRP should define who has
the authority and what needs to be done but not necessarily how things
should be done.
(d) Configuration Management Procedure