Research paper on data breach
Security Policies and Implementation Issues
Week 7
IT Infrastructure Security Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Key Concepts
Elements of an infrastructure security policy
Policies associated with various domains of a typical IT infrastructure
Best practices in creating and maintaining IT policies
10/8/2017
Key Purpose of an IT Infrastructure Policy
Provide technical knowledge of:
  The interaction of various layers of the network
  The placement of key controls
  The types of risks to be detected and guarded against
Three Ways to Organize Policies
Domain
  Logical way to review policies and requirements
  The seven domains are a common taxonomy, or classification system, across the industry
  Different domains may have different security requirements
Functional Area
  Used in mature companies whose processes rarely change
  Advantage: May be tailored to a specific audience
  Disadvantage: Functional areas may change due to organization realignments
Layers of Security
  Also known as defense in depth
  Multiple security controls within network perimeter, operating system, applications, and database, for example
  Constantly changing technology presents challenges
  Number of layers of security required varies depending on needs of company
Seven Domains of a Typical IT Infrastructure
Policy Organization
Requirements may cross domains
  Malware protection
  Password/Authentication requirements
Requirements may conflict between domains
Policies will vary among organizations
Use standard document types to identify domain security control requirements
Creating Policy Documents
Documents should:
  Differentiate between core requirements and technological requirements
  Follow a standard format
  Remain relevant without constant modification
  Not contain duplicate content
Policy Documents
Control Standards: Policy statements concerned with core requirements
Baseline Standards: Minimum security requirements for specific technologies
Procedure Documents: Implementation processes; each baseline standard needs a procedure
Guidelines: Recommendations
Dictionary: Used in the policies that define the scope and meaning of terms used
Workstation Domain
Control Standards
  Device management
  User permissions
  Align with functional responsibilities
Baseline Standards
  Specific technology requirements for each device
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration instructions
Guidelines
  Acquisitions (e.g., preferred vendors)
  Description of threats and countermeasures
Workstation
  End user devices: laptops, desktops, mobile devices
  Focus on physical and logical security
LAN Domain
Control Standards
  Firewalls
  Denial of Service
  Align with functional responsibilities
Baseline Standards
  Specific technology requirements for each device
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration
Guidelines
  Acquisitions (e.g., preferred vendors)
  Description of threats and countermeasures
LAN
  Local area network infrastructure: servers, network infrastructure
  Focus on connectivity and traffic management
LAN-to-WAN Domain
Control Standards
  Access control to the Internet
  Traffic filtering
Baseline Standards
  Specific technology requirements for perimeter devices
Procedures
  Step-by-step configuration
Guidelines
  DMZ, IDS/IPS, content filtering
LAN-to-WAN
  Connects the LAN to an outside network (e.g., the Internet)
  Focus on securing resources that bridge internal and external networks
WAN Domain
Control Standards
  WAN management, Domain Name Services, router security, protocols, Web services
Baseline Standards
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration of routers and firewalls
  Change management
Guidelines
  When and how Web services may be used
  DNS management within the LAN and WAN environments
WAN
  Wide Area Network (e.g., Internet) services and hardware
  Focus on WAN connection management and DNS
Remote Access Domain
Control Standards
  VPN connections
  Multi-factor authentication
Baseline Standards
  VPN gateway options
  VPN client options
Procedures
  Step-by-step VPN configuration and debugging
Guidelines
  Description of threats
  Security of remote computing environments, such as working from home
Remote Access
  End user remote connection technology
  Focus on authentication and connection
System/Application Domain
Control Standards
  Firewalls
  Denial of Service
  Align with functional responsibilities
Baseline Standards
  Specific technology requirements for each device
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration
Guidelines
  Acquisitions (e.g., preferred vendors)
  Description of threats and countermeasures
System/Application
  Data processing and storage technology
  Focus on security issues associated with applications and data
Telecommunications Policies
Control Standards
  Protect with FIPS encryption
  Segregation of data and voice networks
Baseline Standards
  Specific technology requirements for each device
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration
Guidelines
  May include VoIP systems architecture and security guidelines
Telecommunications
  Any technology, service, or system that provides transmission of electronic data and information
Best Practices for IT Infrastructure Security Policies
Select a framework, such as ISO or COBIT
Develop requirements and standards based on the framework
Review what others have done and adapt that work to meet your needs before creating content
Best Practices for IT Infrastructure Security Policies (Continued)
Make your policies and standards available to anyone expected to follow them
Keep content cohesive
Keep content coherent
Maintain the same “voice” throughout a single document
Best Practices for IT Infrastructure Security Policies (Continued)
Add only the information that is necessary to convey the message
Stay on message
Make your library searchable
Federate ownership to where it best belongs
Roles and Responsibilities
Information Security (IS) Manager
  Policy creation, application, and alignment with organizational goals
IT Auditor
  Ensuring that controls are in place per policy
System/Application Administrator
  Applying controls to the Workstation, LAN, and LAN-to-WAN Domains
Lack of Controls
Without controls, all of the following and more are possible:
  Workstations would have different configurations
  LANs would allow unauthorized traffic
  WANs would have vulnerabilities
  Network devices would not be configured the same way
  Users would have access to data they are not directly working with
Case Studies
Smaller bank wants to clear checks with a larger bank
  X9.37
  Third party used
  Baseline standard change and procedural changes
State of Maryland
  Online health records
  Information Technology Support Division (ITSD) requirements
  Controlled change statewide
  HIPAA
Telvent
  Monitors and supports the energy industry in the US and Canada
  Breach of their firewall and network
  SCADA system – never intended to be online
  Segmentation was performed
  Both test and production environments compromised
Summary
Elements of an infrastructure security policy
Policies associated with various domains of a typical IT infrastructure
Best practices in creating and maintaining IT policies