Security Policies and Implementation Issues

Chapter 9

User Domain Policies

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective

Describe the different information systems security (ISS) policies associated with the User Domain.

10/1/2017

Key Concepts

Reasons for governing users with policies

Regular and privileged users

Acceptable use policy (AUP) and privileged-level access agreement (PAA)

Security awareness policy (SAP)

Differences between public and private User Domain policies


The User as the Weakest Link in the Security Chain


Social engineering can occur at any time within any organization

Human mistakes are common and can lead to security breaches

People who use computers have different skill levels and therefore different perceptions of information security

The User as the Weakest Link in the Security Chain


One of the most significant threats comes from within the organization, from an “insider”

Applications have weaknesses that are not yet known, and users can exploit these weaknesses either knowingly or unknowingly

Security awareness training can remove this weakest link in the security chain

Different Types of Users Within an Organization


Employees

System admins

Security personnel

Contractors

Vendors

Guests and general public

Control partners

Example of User Types


Contingent and System Accounts


Contingent Accounts

Need unlimited rights to install, configure, repair, and recover networks and applications, and to restore data

IDs are not assigned to individuals until a disaster recovery event is declared

System Accounts

Need elevated privileges to start, stop, and manage system services

Credentials are prime targets for hackers

Accounts can be interactive or non-interactive

System accounts are also referred to as “service accounts”

User Access Requirements


Each user requires different levels of access to applications and information within the organization

Users require information from different systems across the organization to do their jobs

Data coming from different systems is often protected by different security controls

The different roles users hold within the organization can create security challenges


Differences and Similarities in User Domain Policies

Similarities

Private organizations may follow public-compliance laws depending on their governance requirements

Public organizations may be small in size and thus have similar control over their user populations


Differences and Similarities in User Domain Policies

Differences

Public organizations must follow Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and other compliance laws

Private organizations are often smaller and easier to control from a user standpoint

Private organizations may not follow public-compliance laws


Acceptable Use Policy (AUP)

Attempts to protect an organization’s computers and network

Addresses password management

Addresses software licenses

Addresses intellectual property management

Describes e-mail etiquette

Describes the level of privacy an individual should expect when using an organization’s computer or network

Describes noncompliance consequences


Privileged-Level Access Agreement (PAA)

Acknowledges the risk associated with elevated access in the event the credentials are breached or abused

Asks user to promise to use access only for approved organization business

Asks user to promise not to attempt to “hack” or breach security

Asks user to promise to protect any output from these credentials such as reports, logs, files, and downloads


Security Awareness Policy (SAP)

Addresses:

Basic principles of information security

Awareness of risk and threats

Dealing with unexpected risk

Reporting suspicious activity, incidents, and breaches

Building a culture that is security and risk aware


Roles and Responsibilities: Who Needs Training?


Executive Managers

Responsible for governance and compliance requirements, and funding and policy support

Program and Functional Managers

Responsible for security management, planning, and implementation; also risk management and contingency planning

IT Security Program Managers

Responsible for broad training in security planning, system and application security management, risk management, and contingency planning

Auditors

Responsible for broad training in security planning, system and application security management, risk management, and contingency planning

All Users

Responsible for basic security

Figure: roles that need training include all users, program and functional managers, IT security program managers, auditors, IT function management and operations personnel, and executive managers

Best Practices for User Domain Policies


Attachments—Never open an e-mail attachment from a source that is not trusted or known

Encryption—Always encrypt sensitive data that leaves the confines of a secure server

Least privilege—Individuals should only have the access necessary to perform their responsibilities

Unique identity—All users must use unique credentials

Virus protection—Virus and malware prevention must be installed on every desktop and laptop computer

Layered defense—Use an approach that establishes overlapping layers of security

Patch management—All network devices should have the latest security patches

Least Access Privilege and Best Fit Access Privilege


Least Access Privileges

Customizes access to the individual

Best Fit Privileges

Customizes access to the group or class of users
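To make the distinction concrete, an added example (not from the textbook) that models both schemes in Python: least access privilege grants each person exactly the permissions their job requires, while best fit grants a whole class of users the union of its members' needs, and the script measures the excess the second scheme hands out. All names, classes and permission strings are constructed.

```python
from collections import defaultdict

# Constructed sample: the exact permissions each person needs for their job.
# Names, classes and permission strings are hypothetical.
REQUIRED = {
    "alice": {"hr.read", "hr.write"},
    "bob":   {"hr.read"},
    "carol": {"fin.read", "fin.approve"},
    "dave":  {"fin.read"},
}

# Class (group) each person belongs to under a best-fit scheme.
CLASS_OF = {"alice": "hr", "bob": "hr", "carol": "finance", "dave": "finance"}


def least_privilege_grants(required):
    """Least access privilege: each individual gets exactly what they need."""
    return {user: set(perms) for user, perms in required.items()}


def best_fit_grants(required, class_of):
    """Best fit privilege: one permission set per class, sized to cover every
    member's needs, then assigned to all members of that class."""
    class_perms = defaultdict(set)
    for user, perms in required.items():
        class_perms[class_of[user]] |= perms
    return {user: set(class_perms[class_of[user]]) for user in required}


def over_privilege(grants, required):
    """Permissions each user holds beyond what their job requires."""
    return {user: grants[user] - required[user] for user in required}


def excess_count(grants, required):
    """Total number of unnecessary permission grants across all users."""
    return sum(len(extra) for extra in over_privilege(grants, required).values())


if __name__ == "__main__":
    for name, grants in (("least privilege", least_privilege_grants(REQUIRED)),
                         ("best fit", best_fit_grants(REQUIRED, CLASS_OF))):
        print(f"{name}: {excess_count(grants, REQUIRED)} excess grants")
        for user, perms in over_privilege(grants, REQUIRED).items():
            if perms:
                print(f"  {user} also holds {sorted(perms)}")
```

The excess reported for the best-fit scheme is the trade-off the slide describes: simpler group-based administration in exchange for some users holding rights they never use.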

Who Develops User Policies

Chief financial officer (CFO)

Chief operations officer (COO)

Information security manager

IT manager

Marketing and sales manager

Unit manager

Materials manager

Purchasing manager

Inventory manager


Case Studies

Government laptop compromised

Collapse of Barings Bank

Unauthorized access to Defense Department systems


Summary

Different user types and user access requirements in an organization

SAP, AUP, and PAA

Roles and responsibilities associated with user policies

User policies in public and private organizations
