
DFT20083

SECURITY BASICS AND IT PROFESSIONAL

2.0 SECURITY POLICIES AND PROCEDURES


COURSE LEARNING OUTCOME (CLO)
CLO 1:

• Explain common threats and attacks using various tools and techniques for a secured environment in an organization. (C3, PLO 2)

CLO 2:

• Perform personal skills with proposed documentation in troubleshooting and solving security issues. (A2, PLO 7)
2.1 Show Security Policy

2.1.1 Explain Security Policy


2.1.2 Identify Security Policy requirement
2.1.3 Apply usernames and password
2.1.4 Discover password requirements
2.1.5 Apply file and folder permission
WHAT IS POLICY?
A policy is a document that outlines specific requirements or rules that must be met.

A policy is considered the correct tool for an organization to use when establishing security because a policy applies to a wide range of hardware or software (it is not a standard) and is required (it is not just a guideline).
Policy
Policy provides the rules that govern how systems should be configured
and how employees of an organization should act in normal
circumstances and react during unusual circumstances.

As such, policy performs two primary functions:

• Policy defines how security should be within an organization.
• Policy puts everyone on the same page so everyone understands what is expected.
2.1.1 Security Policy
• A security policy is a document or series of
documents that clearly defines the defence
mechanisms an organization will employ in order to
keep information secure.
• It is a written document that states how an
organization plans to protect the company’s
information technology assets.
• For example: a security policy for an operating
system may outline which security settings must be
turned on and how they are to be configured.
Security Policy
• The security policy defines the technical
requirements for security on computer systems
and network equipment.

• It defines how a system or network administrator should configure a system with regard to security.
2.1.2 Security Policy Requirements
The security policy should define the requirements to be placed on each system
implementation.

8 SECURITY POLICY REQUIREMENTS

1. Identification and Authentication
2. Access Control
3. Audit
4. Network Connectivity
5. Malicious Code
6. Encryption
7. Appendices
8. Waivers

1. Identification and Authentication
The security policy should define how users will be identified.
Generally, this means that the security policy should define a standard
for user IDs.

The security policy should also define the primary authentication mechanism for system users and administrators. If this mechanism is the password, then the policy should also define the minimum password length, the maximum and minimum password ages, and password content requirements.
2. Access Control
The security policy should define the standard requirement for access
controls to be placed on electronic files.

Two requirements should be defined: the mechanism that is required and the default requirement for new files.
The mechanism may note that some form of user-defined access
control must be available for each file on a computer system.
The default configuration for a new file should specify how the
permissions will be established when a new file is created.
3. Audit
The audit section of the security policy should define the types of events to be audited on all systems. Normally, security policies require the following events to be audited:

• Logins (successful and failed)
• Logouts
• Failed access to files or system objects
• Remote access (successful and failed)
• Privileged actions (those performed by administrators, both successes and failures)
• System events (such as shutdowns and reboots)
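
As an added illustration (not part of the original slides), the sketch below checks whether a sample of collected Windows events covers every audit category listed above. The record format (`id`, `logon_type`, `outcome`), the category names and the sample records are assumptions constructed for this example, and privileged actions are tracked as a single category for brevity.

```python
# The audit events the policy section above requires, split by outcome.
REQUIRED = ["login_success", "login_failure", "logout", "failed_access",
            "remote_success", "remote_failure", "privileged_action",
            "system_event"]

# Windows event IDs (Security log unless noted).
LOGON_OK, LOGON_FAIL = 4624, 4625
LOGOFF = {4634, 4647}
OBJECT_HANDLE = 4656      # a handle to an object was requested
SPECIAL_PRIVS = 4672      # special privileges assigned to a new logon
SYSTEM = {4608, 1074}     # Windows starting up; shutdown/restart (System log)
REMOTE_INTERACTIVE = 10   # logon type used by Remote Desktop sessions

def categorize(event):
    """Return the policy categories a parsed event record falls under."""
    eid = event["id"]
    cats = set()
    if eid in (LOGON_OK, LOGON_FAIL):
        result = "success" if eid == LOGON_OK else "failure"
        cats.add("login_" + result)
        if event.get("logon_type") == REMOTE_INTERACTIVE:
            cats.add("remote_" + result)
    elif eid in LOGOFF:
        cats.add("logout")
    elif eid == OBJECT_HANDLE and event.get("outcome") == "failure":
        cats.add("failed_access")
    elif eid == SPECIAL_PRIVS:
        cats.add("privileged_action")
    elif eid in SYSTEM:
        cats.add("system_event")
    return cats

def coverage_gaps(events):
    """List required categories that no event in the sample falls under."""
    seen = set()
    for event in events:
        seen |= categorize(event)
    return [c for c in REQUIRED if c not in seen]

# Constructed sample records (not taken from a real system).
SAMPLE = [
    {"id": 4624, "logon_type": 2, "user": "alice"},
    {"id": 4625, "logon_type": 10, "user": "bob"},
    {"id": 4634, "user": "alice"},
    {"id": 4672, "user": "admin"},
    {"id": 1074, "user": "admin"},
]
```

A non-empty result from `coverage_gaps` means the audit configuration is not yet producing every event type the policy asks for.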
4. Network Connectivity
For each type of connection into the organization’s network, the
security policy should specify the rules for connection and the
protection mechanisms to be employed.

• Dial-in Connections: The requirements for dial-in connections should specify the technical authentication requirements for such connections.
• Permanent Connections: Permanent network connections are those that come into the organization over some type of permanent communication line.
• Remote Access of Internal Systems: Often, organizations allow employees to access internal systems from external locations. The security policy should specify the mechanisms to use when this type of access is to be granted.
5. Malicious Code

The security policy should specify where security programs that look for
malicious code (such as viruses and Trojan horse programs) are to be placed.
Appropriate locations include on file servers, on desktop systems, and on
electronic mail servers.
This may include a requirement for such security programs to examine specific
file types and to check files when they are opened or on a scheduled basis.
6. Encryption
The security policy should define acceptable encryption algorithms for
use within the organization and point back to the Information Policy to
show the appropriate algorithms to protect sensitive information.
7. Appendices
Detailed security configurations for various operating systems should
be placed in appendices or in separate configuration procedures. This
allows these detailed documents to be modified as necessary without
changing the organization’s security policy.
8. Waivers (waiving of rights)
There will be times when systems must be put into production that do
not meet the security requirements defined in the security policy.

The business need will be more important than making the systems
comply with the security policy.

When this happens, the security policy should provide a mechanism to assess the risk to the organization and to develop a contingency plan. This is where the waiver process comes in.
2.1.3 Usernames and Password
• A username and password are two pieces of information that a user
needs to log on to a computer.
2.1.4 Password Requirements
There are 8 password requirements:

1) Minimum length – 8 characters
2) Maximum length – 14 characters
3) Minimum complexity – no dictionary words included
4) Passwords are case sensitive, but usernames are NOT case sensitive
5) Unique password – should not be less than 24
6) Maximum password age – 60 days
7) Minimum password age – 2 days
8) Store password using reversible encryption
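
As an added illustration (not part of the original slides), the sketch below applies items 1 to 7 of the list to a password-change request. It reads item 5 as a history of 24 remembered passwords, keeps that history as salted PBKDF2 digests, and uses a small constructed word list; all three, like the function names, are assumptions of this example.

```python
import hashlib
import hmac
import os
from datetime import timedelta

# Values taken from the requirement list above.
MIN_LEN, MAX_LEN = 8, 14
HISTORY_SIZE = 24                 # assumed meaning of item 5
MAX_AGE = timedelta(days=60)
MIN_AGE = timedelta(days=2)
# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "summer"}

def _digest(password, salt):
    # Assumption of this example: history entries are salted PBKDF2 digests.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password):
    """Return a (salt, digest) history entry for a password."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def check_change(new_password, history, last_changed, now):
    """Return the list of policy violations for a password change request."""
    problems = []
    if len(new_password) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(new_password) > MAX_LEN:
        problems.append("longer than 14 characters")
    lowered = new_password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    # Passwords are case sensitive, so history is compared on the exact string.
    for salt, digest in history[-HISTORY_SIZE:]:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            problems.append("matches one of the last 24 passwords")
            break
    if now - last_changed < MIN_AGE:
        problems.append("changed less than 2 days after the previous change")
    return problems

def is_expired(last_changed, now):
    """True once the password is older than the 60-day maximum age."""
    return now - last_changed > MAX_AGE
```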
2.1.5 How to apply file & folder permissions
• View video: How to Change File Permissions in Windows 10
https://www.youtube.com/watch?v=yio0IYrZhtw

• View video: Windows 10 And 8.1 File And Folder Permissions (ACL)
Tutorial Video
https://www.youtube.com/watch?v=FFZsXI9sq34
2.2 Show Security Procedures

2.2.1 Identify Security Procedures


2.2.2 Apply protecting data
Security Procedures
a) User Management Procedures
b) System Administration Procedure
c) Incident Response Procedure
d) Configuration Management Procedure
(a) User Management Procedures
• New Employee Procedure
A procedure should be developed to provide new employees with the proper access to computer resources.

• Transferred Employee Procedure
Every organization should develop a procedure for reviewing employees’ computer access when they transfer within the organization.

• Employee Termination Procedure
When Human Resources identifies an employee who is leaving, the appropriate system administrator should be notified ahead of time so that the employee’s accounts can be disabled on the last day of employment.
(b) System Administration Procedure

The system administration procedure defines how Security and System Administration will work together to secure the organization’s systems.
It comprises:
• Software Upgrades
• Vulnerability Scans
• Policy Reviews
• Log Reviews
• Regular Monitoring
(c) Incident Response Procedure
An Incident Response Procedure (IRP) defines how the organization will
react when a computer security incident occurs.

Given that each incident will be different, the IRP should define who has
the authority and what needs to be done but not necessarily how things
should be done.
(d) Configuration Management Procedure

• The configuration management procedure defines the steps that will be taken to modify the state of the organization’s computer systems.

• The purpose of this procedure is to identify appropriate changes so that appropriate changes will not be misidentified as security incidents and so the new configuration can be examined from a security perspective.
PRACTICAL ACTIVITY
• Apply Usernames and Passwords
• Discover Password Requirements
• Apply File and Folder Permissions
• Apply Protecting Data
• Apply Protecting against malicious software
• View video: What is Malware ? | Malicious Software Explained |
Learn about Malware
https://www.youtube.com/watch?v=fvoKO4y4JI4
End of Chapter 2.1 & 2.2
