Download ppt - Policies CIT 380: Securing Computer SystemsSlide #1

Policies

CIT 380: Securing Computer Systems Slide #1

http://it.nku.edu/itsecurity/docs/acceptableusepolicy.pdf

CIT 380: Securing Computer Systems 2

Confidentiality IntegrityAvailability


Keeping information secret Bank records Medical records Student records Personally identifiable information


Accuracy and reliability of information You are charged correctly for a purchase Your bank balance is correct You register for the correct class


Reliable and timely access Email is accessible Can access airline reservation system


National Defense Confidentiality

Banking Integrity


1. Planning to address security needs.2. Risk assessment.3. Crafting policies to reflect risks and

needs.4. Implementing security.5. Audit and incident response.


Security professionals generally don’t refer to a computer system as being “secure” or “unsecure.”

Trust – level of confidence that a computer system will behave as expected.


1. Identify assets and their value2. Identify risk to assets3. Calculate risk


1. What assets are you trying to protect?

2. What are the risks to those assets?3. How well does each potential security

solution mitigate those risks?4. What other risks does the security

solutions impose on me?5. What costs and trade-offs do the

security solutions create?CIT 380: Securing Computer Systems Slide #11

Home computer systemLaptopE-commerce web serverNKU computer systems


Tangibles Computers Data Backups Printouts Software media HR records

Intangibles Privacy Passwords Reputation Goodwill Performance


Home computer systemLaptopE-commerce web serverNKU computer systems


Loss of key personnel Loss of key vendor or service provider Loss of power Loss of phone / network Theft of laptops, USB keys, backups Introduction of malware Hardware failure Software bugs Network attacks


Cost-Benefit Analysis Cost of Loss Probability of Loss Cost of Prevention

Levels of importance High, Medium, Low

Best Practices


Cost of a Loss Direct cost of lost hardware. Cost of idle labor during outage. Cost of time to recover. Cost to reputation.

Probability of a Loss Insurance/power companies have some stats. Records of past experience.

Cost of Prevention Remember that most risks cannot be eliminated.


Update your risks regularly Business, technology changes alter risks.

Too many risks to defend against. Rank risks to decide which ones to

mitigate. Insure against some risks. Accept other risks.


Risk Analysis is difficult and uncertain.

Follow best practices or due care Firewall require as insurance co. due

care. Update patches, anti-virus. Organizations differ in what they need.

Combine best practices + risk analysis.


Security is not free.MBA’s understand cost and benefitsMBA’s mistrust technology


Policy helps to define what you consider to be valuable, and it specifies which steps should be taken to safeguard those assets.


1. What is being protected2. Who is responsible3. Provides ground on which to

interpret and resolve later conflicts.


Should be general and change little over time.

How does the NKU Acceptable Use Policy for Technology Resources meet these roles?


Security policy partitions system states into: Authorized (secure)

▪ These are states the system is allowed to enter.

Unauthorized (nonsecure)▪ If the system enters any of these states, it’s a

security violation.Secure system

Starts in authorized state. Never enters unauthorized state.CIT 380: Securing Computer

Systems Slide #24

Security Policy Statement that divides system into

authorized and unauthorized states.

Mechanism Entity or procedure that enforces

some part of a security policy.


Assign an ownerBe positive

People respond better to do than don’t.Remember that employees are

people too They will make mistakes They value privacy

Concentrate on educationStandards for training and retraining


PrivacyChange controlEmployment agreement, ethics Internet acceptable useRemote accessOutsourcingAccess controlData classification


Codify successful security practicesStandards for backupsStandard anti-virus product

throughout the organizationEncryption algorithmPlatform independentMetric to determine if met


Interpret standards for a particular environment.

RecommendationsFollow tested procedures or best

practicesWindow Server backups


HIPAA Medical Privacy - National Standards to Protect

the Privacy of Personal Health Information Sarbanes Oxley

Protecting of financial and accounting information

Federal Information Security Management Act (FISMA) IT controls and auditing


Have authority commensurate with responsibility

Spaf’s first principle of security administration: If you have responsibility for security,

but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.


Be sure to know you security perimeter Laptops and PDAs Wireless networks Computer used at home Portable media

▪ Flash drives, CDs, DVDs


Perimeter defines what is within your control.

Historically Within walls of building or fences of

campus. Within router that connects to ISP.

Modern perimeters are more complex Laptops, PDAs. USB keys, CDs, DVDs, portable HDs. Wireless networks. Home PCs that connect to your network.


1. Decide how important security is for your site.

2. Involve and educate your user community.

3. Devise a plan for making and storing backups of your system data.

4. Stay inquisitive and suspicious.


Formulating policy is not enough by itself. It is important to determine regularly if the policy is being applied correctly, and if the policy is correct and sufficient.


Audit your systems and personnel regularly.

Audit failures may result from Personnel shortcomings

▪ Insufficient education or overwork

Material shortcomings▪ Insufficient resources or maintenance

Organizational shortcomings▪ Lack of authority, conflicting responsibilities

Policy shortcomings▪ Unforeseen risks, missing or conflicting policies


In-house staffFull-time or part-time consultants

Choosing a vendor▪ “Reformed hacker”


Policy divides system into Authorized (secure) states. Unauthorized (insecure) states.

Policy vs Mechanism Policy: describes what security is. Mechanism: how security policy is enforced.

Written policy and enforced policy will differ. Compliance audits look for those differences.

Security Perimeter Describes what is within your control. Defense in depth: defend perimeter and inside.


1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.

2. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e O’Reilly, 2003.

3. NKU, Acceptable Use Policy, http://it.nku.edu/itsecurity/docs/acceptableusepolicy.pdf, 2009.

4. SANS, SANS Security Policy Project, http://www.sans.org/resources/policies/
