Security management

w.lilakiatsakun

Principles of Security

• Referred to as the AIC/CIA triad:

• Availability

• Integrity

• Confidentiality

Availability (1/2)

• The systems and networks should provide adequate capability in order to perform in a predictable manner with an acceptable level of performance
– Recover from disruption in a secure and quick manner
– Single points of failure should be avoided
– Backup measures should be taken

Availability (2/2)

– Redundancy mechanisms should be in place when necessary

– Systems should be protected from environmental issues like heat, cold, humidity, static electricity and contamination

– An IDS should be used to protect against Denial of Service attacks

– Certain firewall and router configurations can also reduce the threat of DoS attacks

Integrity (1/3)

• Integrity is upheld when the assurance of accuracy and reliability of information and systems is provided and unauthorized modification is prevented

• Hardware, software and communication mechanisms must work in a concerted manner to maintain and process data correctly and move data to its intended destinations without unexpected alteration

Integrity (2/3)

• The system and network should be protected from outside interference and contamination
– User mistakes
– Threats such as viruses or a back door into a system or data

• Strict access control, intrusion detection and hashing can combat these threats

Integrity (3/3)

• Security should streamline users' capabilities and give them only certain choices and functionality so that errors become less common and less devastating
– System-critical files should be restricted from user view and access
– Applications should provide mechanisms that check for valid and reasonable input values
– Databases should let only authorized individuals modify data, and data in transit should be protected by encryption or other mechanisms

Confidentiality (1/3)

• Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure

• Attackers can thwart confidentiality mechanisms by monitoring, shoulder surfing, stealing password files and social engineering

Confidentiality (2/3)

• Shoulder surfing is when a person looks over another person's shoulder and watches their keystrokes or views data as it appears on a computer screen

• Social engineering is when one person tricks another person into sharing confidential information by posing as someone authorized to have access to that information

Confidentiality (3/3)

• Confidentiality can be provided by
– Encrypting data as it is stored and transmitted
– Strict access control
– Data classification
– Training personnel on the proper procedures

Security definition (1/5)

• A vulnerability is a software, hardware or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment
– Services running on a server
– Unpatched application or operating system software
– Unrestricted modem dial-in access
– An open port on a firewall
– Physical security that allows anyone to enter a server room
– Unenforced password management on servers and workstations

Security definition (2/5)

• A threat is any potential danger to information or systems

• A threat is that someone or something (a threat agent) will use a specific vulnerability against an individual or company

Security definition (3/5)

• Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact
– If a firewall has several ports open, an intruder will use one to access the network in an unauthorized manner

– If users are not educated on processes and procedures, an employee will make an unintentional mistake that destroys data

– If no IDS is in place, an attack will go unnoticed until it is too late

Security definition (4/5)

• Exposure is an instance of being exposed to losses from a threat agent

• A vulnerability exposes an organization to possible damage
– If password management is not used and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner

Security definition (5/5)

• A countermeasure or safeguard is put into place to mitigate the potential risk

• A countermeasure may be a software configuration, a hardware device or a procedure that eliminates a vulnerability or reduces the likelihood that a threat agent will be able to exploit a vulnerability
– Strong password management
– A security guard
– Access control mechanisms
– Security awareness training

Security Management program (1/3)

• Objective: to protect the company and its assets

• A security program should use a top-down approach, meaning that the initiation, support and direction come from top management and work their way through middle management and then to staff members

Security Management program (2/3)

• The security policy works as a blueprint for the company's security program and provides the necessary foundation to build upon

• The next step is to develop and implement procedures, standards and guidelines that support the security policy and identify the security countermeasures and methods

Security Management program (3/3)

• Once these items are developed, the security program increases in granularity by developing baselines and configurations for the chosen security controls and methods

Security administration and supporting controls

Organizational security model (1/3)

• It is a framework made up of many entities, protection mechanisms, logical (technical), administrative and physical components, procedures, business processes and configurations that all work together in a synergistic way to provide a security level for an environment

Organizational security model (2/3)

Organizational security model (3/3)

• Daily goals or operational goals focus on productivity and task-oriented activities to ensure that the company functions in a smooth and predictable manner

• Midterm goals or tactical goals could be to integrate all workstations and resources into one domain so that more central control can be achieved

• Long-term goals or strategic goals could be to move all the branches from dedicated communication lines to frame relay, implement IPsec VPN for all remote users and integrate wireless technology with the necessary measures into the environment

Security program component

• The most commonly used standard is ISO 17799 (BS7799)
– Part 1 is an implementation guide with guidelines on how to build a comprehensive information security infrastructure (ISO 27002)

– Part 2 is an auditing guide based on requirements that must be met for an organization to be compliant with ISO 17799 (currently ISO 27001)

ISO 27002 (1/2)

• The content sections are:
– Structure
– Risk Assessment and Treatment
– Security Policy
– Organization of Information Security
– Asset Management
– Human Resources Security

ISO 27002 (2/2)

• Physical Security

• Communications and Ops Management

• Access Control

• Information Systems Acquisition, Development, Maintenance

• Information Security Incident Management

• Business Continuity

• Compliance

ISO 27001

• The content sections of the standard are:
– Management Responsibility
– Internal Audits
– ISMS Improvement
– Annex A: Control objectives and controls
– Annex B: OECD principles and this international standard
– Annex C: Correspondence between ISO 9001, ISO 14001 and this standard

Security policy (1/4)

• A security policy is an overall general statement that dictates what role security plays within an organization

• A security policy can be an organizational security policy, an issue-specific policy or a system-specific policy

Security policy (2/4)

• An organizational security policy addresses relevant laws, regulations and liability issues and how they are to be satisfied

• An organizational security policy has several characteristics, such as
– Business objectives should drive the policy's creation, implementation and enforcement
– It should be developed and used to integrate security into all business functions and processes
– It should be derived from and support all legislation and regulation applicable to the company

Security policy (3/4)

• An issue-specific policy, also called a functional implementing policy, addresses specific security issues that management feels need more attention

• For example, an email security policy
– The policy states that employees cannot use email to share confidential information

Security policy (4/4)

• A system-specific policy presents management's decisions that are specific to the actual computers, networks, applications and data

• Examples
– This type of policy may provide an approved software list for a workstation
– How computers are to be locked down
– How printers and scanners are to be used

Type of policies

• Regulatory – ensures that the organization is following standards set by specific industry regulations
– Financial institutions, health care facilities

• Advisory – strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization
– How to handle financial transactions or process confidential information

• Informative – informs employees of certain topics; it is not an enforceable policy
– How the company interacts with partners, the company's goals or mission

Definitions (1)

• Standards refer to mandatory activities, actions, rules or regulations

• Standards could be internally or externally mandated (regulations and government laws)
– Organizational security standards may specify how hardware and software products are to be used
– Expected user behavior

• These rules are usually compulsory within the company and need to be enforced

Definitions (2)

• A baseline refers to a point in time that is used as a comparison for future changes

• Baselines are used to define the minimum level of protection that is required

• In security, specific baselines can be defined per system type, indicating the necessary settings and the level of protection required

Definitions (3)

• Guidelines are recommended actions and operational guides to users, IT staff, operations staff and others when a specific standard does not apply
– A policy states that access to confidential data must be audited
– A supporting guideline could further explain that the audit should contain sufficient information to allow for reconciliation with prior reviews
– A supporting procedure would outline the necessary steps to configure, implement and maintain this type of auditing

Definitions (4)

• Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal

• How to install operating systems, configure security mechanisms, implement access control lists

Network security policy: best practices

Ref: document ID 13601

www.cisco.com

Process

• Preparation
– Create usage policy statement
– Conduct a risk analysis
– Establish a security team structure

• Prevention
– Approving security changes
– Monitoring security of your network

• Response
– Security violation
– Restoration
– Review

Preparation: Create usage policy statement (1)

• Outline users' roles and responsibilities with regard to security

• General policy: covers all network systems and data within your company, by providing:
– Understanding of the security policy and its purpose
– Guidelines for improving their security practices
– Definitions of their security responsibilities
– Identification of specific actions that could result in punitive action

Preparation: Create usage policy statement (2)

• Partner acceptable use statement: it provides
– Partners with an understanding of the information that is available to them
– The expected disposition of that information
– The expected conduct of the employees of your company
– A clear explanation of any specific acts that have been identified as security attacks and the punitive action that follows

Preparation: Create usage policy statement (3)

• Administrator acceptable use statement: to explain
– The procedures for user account administration
– Policy enforcement
– Privilege review

• It should clearly present specific policies concerning user passwords and the handling of data

• Check the policy against the partner acceptable use and user acceptable use statements to ensure uniformity

• Make sure that the admin requirements listed in the policy are reflected in training plans and performance evaluations

Page 44: Security management w.lilakiatsakun. Principles of Security Referred to as AIC/CIA triad - Referred to as AIC/CIA triad - Availability Availability Integrity

Preparation: Conduct a risk analysis (1)

• A risk analysis should identify the risk to
– Network, resources and data
• Identify each portion of your network, assign a threat rating to each portion and apply an appropriate level of security
• Each network resource can be assigned one of 3 risk levels
– Low risk:
• A system or data that, if compromised, would not disrupt the business or cause legal or financial ramifications, and would not provide further access to other systems
• The targeted system or data can be easily restored


Preparation: Conduct a risk analysis (2)

– Medium risk:
• A system or data that, if compromised, would cause a moderate disruption in the business or minor legal or financial ramifications, or would provide further access to other systems
• The targeted system or data requires a moderate effort to restore
• The restoration process is disruptive to the system


Preparation: Conduct a risk analysis (3)

– High risk:
• A system or data that, if compromised, would cause an extreme disruption in the business or major legal or financial ramifications,
• Threaten the health and safety of a person, or
• Provide further access to other systems
• The targeted system or data requires a significant effort to restore
• The restoration process is disruptive to the business or the other systems


Preparation: Conduct a risk analysis (4)

• Identify the types of users; the 5 most common types are:
– Administrators: internal users responsible for network resources
– Privileged: internal users with a need for greater access
– Users: internal users with general access
– Partners: external users with a need to access some resources
– Others: external users or customers


Preparation: Establish team structure

• Create a cross-functional security team led by a Security Manager with participants from each of your company's operational areas
• The security team has 3 areas of responsibility
– Policy development: establishing and reviewing security policies for the company
– Practice: conducting the risk analysis, approving security change requests, reviewing security alerts from both vendors and the CERT (Community Emergency Response Team), and turning the policy into implementations
– Response: troubleshooting and fixing such a violation; each team member should know in detail the security features provided by the equipment


Prevention: Approving security changes (1)

• Recommendation on reviewing the following types of changes:
– Any change to the firewall configuration
– Any change to access control lists (ACLs)
– Any change to Simple Network Management Protocol (SNMP) configuration
– Any change or update in software that differs from the approved software revision level list


Prevention: Approving security changes (2)

• Recommended guidelines
– Change passwords to network devices on a routine basis
– Restrict access to network devices to an approved list of personnel
– Ensure that the current software revision levels of network equipment and server environments comply with the security configuration requirements


Prevention: Monitoring security of your network (1)

• Similar to network monitoring, except that it focuses on detecting changes in the network that indicate a security violation
• In the risk analysis matrix
– the firewall is considered a high-risk network device: monitor it in real time
• From Approving security changes
– Any changes to the firewall should be monitored
– This means the SNMP agent should monitor such things as failed login attempts, unusual traffic, changes to the firewall, access granted to the firewall and connections set up through the firewall


Prevention: Monitoring security of your network (2)

• Following this example, create a monitoring policy for each area identified in your risk analysis
– Low-risk equipment: monitor weekly
– Medium-risk equipment: monitor daily
– High-risk equipment: monitor hourly
• Lastly, the security policy should address how to notify the security team of security violations, such as by email or SMS
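The two monitoring slides above describe what to watch on a high-risk device (failed logins, changes to the firewall, access granted, connections set up) and how often each risk tier is reviewed. The following is an added example, not code from the original slides: a small Python monitor that parses constructed firewall log lines, raises one alert per event class, applies the weekly/daily/hourly review policy, and formats the alerts as notification lines. The host name "fw-edge", the syslog-style line format, the documentation-range IP addresses and the five-failures-per-minute threshold are all assumptions made for the example.

```python
"""Risk-tiered monitoring of firewall events.

Added example, not code from the original slides. Everything here is an
assumption constructed for illustration: the hypothetical host name
"fw-edge", the syslog-style line format, the RFC 5737 documentation
addresses, and the five-failures-per-minute threshold.
"""
import re
from datetime import datetime, timedelta

# Review interval per risk level, following the weekly/daily/hourly policy
MONITOR_INTERVAL = {
    "low": timedelta(weeks=1),
    "medium": timedelta(days=1),
    "high": timedelta(hours=1),
}

# Constructed sample log lines (not captured from any real device)
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw-edge sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:03 fw-edge sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:05 fw-edge sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:07 fw-edge sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09 fw-edge sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:11 fw-edge sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:02:00 fw-edge sshd: Accepted publickey for ops from 192.0.2.10
2024-05-01T10:03:15 fw-edge config: rule 17 modified by ops (permit any any)
2024-05-01T10:04:00 fw-edge conn: 198.51.100.4:4444 -> 192.0.2.25:22 SETUP
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\w+): (?P<msg>.*)$")


def parse(log_text):
    """Turn raw lines into dicts with a datetime timestamp; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events, fail_threshold=5, window=timedelta(minutes=1)):
    """Return alerts for the event classes the slide lists: failed-login bursts,
    changes to the firewall, access granted to it, and connections set up through it."""
    alerts = []
    recent_failures = {}  # source IP -> timestamps of failures inside the window
    for e in events:
        msg = e["msg"]
        if e["src"] == "sshd" and msg.startswith("Failed password"):
            ip = msg.rsplit(" ", 1)[-1]
            times = [t for t in recent_failures.get(ip, []) if e["ts"] - t <= window]
            times.append(e["ts"])
            recent_failures[ip] = times
            if len(times) == fail_threshold:  # fire once, when the threshold is reached
                alerts.append({"kind": "failed_login_burst", "detail": ip, "ts": e["ts"]})
        elif e["src"] == "sshd" and msg.startswith("Accepted"):
            alerts.append({"kind": "access_granted", "detail": msg, "ts": e["ts"]})
        elif e["src"] == "config":
            alerts.append({"kind": "config_change", "detail": msg, "ts": e["ts"]})
        elif e["src"] == "conn" and msg.endswith("SETUP"):
            alerts.append({"kind": "connection_setup", "detail": msg, "ts": e["ts"]})
    return alerts


def review_due(risk_level, last_review, now):
    """True when the device's risk level says it is time to look at it again."""
    return now - last_review >= MONITOR_INTERVAL[risk_level]


def review_due_demo():
    """Same 90-minute gap checked against two risk levels (constructed timestamps)."""
    last, now = datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 1, 10, 30)
    return review_due("high", last, now), review_due("low", last, now)


def notification_lines(alerts, device="fw-edge"):
    """One short line per alert, suitable for an email or SMS to the security team."""
    return [f"[{a['ts'].isoformat()}] {device} {a['kind']}: {a['detail']}" for a in alerts]


if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOG))
    for line in notification_lines(found):
        print(line)
    print("high-risk due, low-risk due:", review_due_demo())
```

On the constructed sample the burst detector fires once, on the fifth failure from the same address, rather than on every failure after the threshold; the sixth failure extends the existing window instead of producing a duplicate alert. The same gap of ninety minutes makes a high-risk device due for review but not a low-risk one.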


Response: Security violation (1)

• The first action after detection of an intrusion is the notification of the security team
– Define a procedure in the security policy that is available 24 hours a day, 7 days a week
• Next, define the level of authority given to the security team to make changes; possible corrective actions are
– Implementing changes to prevent further access to the violation
– Isolating the violated systems
– Contacting the carrier or ISP in an attempt to trace the attack


Response: Security violation (2)

– Using recording devices to gather evidence
– Disconnecting violated systems or the source of the violation
– Contacting the police or other government agencies
– Shutting down violated systems
– Restoring systems according to a prioritized list
– Notifying internal managerial and legal personnel


Response: Security violation (3)

• Lastly, collect and maintain information during a security attack
– To determine the extent to which systems have been compromised
– To prosecute external violations
• To determine the extent of the violation
– Record the event by obtaining sniffer traces of the network, copies of log files, active user accounts and network connections
– Limit further compromise by disabling accounts, disconnecting the network equipment from the network and disconnecting from the Internet


Response: Security violation (4)

– Back up the compromised system to aid in a detailed analysis of the damage and the method of attack
– Look for other signs of compromise
• Often when a system is compromised there are other systems or accounts involved
– Maintain and review security device log files and network monitoring log files, as they often provide clues to the method of attack
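The slides on collecting information during an attack say to gather log copies, account lists and connection lists so that the extent of the compromise can be determined and, where needed, evidence can be used in a prosecution. Evidence is only useful if it can be shown not to have changed after collection. The following is an added example, not code from the original slides: a Python helper that writes collected artifacts read-only, records a SHA-256 manifest with the collector and collection time, and later verifies the set so that any altered or missing file is reported. The artifact names and contents are constructed stand-ins, and the collector identity and directory layout are assumptions.

```python
"""Evidence preservation with an integrity manifest.

Added example, not code from the original slides. The artifact names and
contents below are constructed stand-ins for the log copies, connection
lists and account lists the slides say to gather; the collector identity
and the directory layout are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample artifacts standing in for what an analyst would copy off a host
CONSTRUCTED_ARTIFACTS = {
    "auth.log": b"May  1 10:00:09 host sshd[412]: Failed password for admin from 203.0.113.7\n",
    "connections.txt": b"tcp 192.0.2.25:22 198.51.100.4:4444 ESTABLISHED\n",
    "accounts.txt": b"root ops admin svc-backup\n",
}


def sha256_file(path):
    """Hash a file in chunks so large log copies do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(artifacts, evidence_dir, collector):
    """Write each artifact read-only, then a manifest.json recording who collected
    what, when, and the SHA-256 of every file. Returns the manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": {},
    }
    for name, data in artifacts.items():
        path = os.path.join(evidence_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o400)  # read-only: evidence must not be edited in place
        manifest["files"][name] = {"sha256": sha256_file(path), "size": len(data)}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Return the names of files that are missing or whose hash no longer matches
    the manifest; an empty list means the evidence set is intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    damaged = []
    for name, info in manifest["files"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path) or sha256_file(path) != info["sha256"]:
            damaged.append(name)
    return damaged


def demo_tamper():
    """Preserve the constructed artifacts, verify, then alter one file and verify
    again. Returns (result_before, result_after)."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    preserve(CONSTRUCTED_ARTIFACTS, evidence_dir, collector="analyst (assumed identity)")
    before = verify(evidence_dir)
    target = os.path.join(evidence_dir, "auth.log")
    os.chmod(target, 0o600)  # simulate someone overriding the read-only bit
    with open(target, "ab") as f:
        f.write(b"May  1 10:00:10 host sshd[412]: Accepted password for admin\n")
    after = verify(evidence_dir)
    return before, after


if __name__ == "__main__":
    print(demo_tamper())
```

The read-only bit only stops accidental edits; the manifest is what detects deliberate ones, which is why the demo changes the mode back and appends a line before the second verification. In practice the manifest itself is copied to a separate location (or signed) so that it cannot be rewritten alongside the files it protects.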


Response: Restoration

• Define in the security policy how to conduct, secure and make available normal backups
• As each system has its own means and procedures for backing up, the security policy should act as a meta-policy
– detailing for each system the security conditions that require restoration from backup
• If approval is required before restoration can be done, include the process for obtaining approval as well


Response: Review (1)

• It is the final effort in creating and maintaining a security policy
• 3 things to be reviewed
– Policy / Posture / Practice
• The security policy should be a living document
– Review it against known best practices
– Check the CERT website for useful tips, practices, security improvements and alerts


Response: Review (2)

• Review the network posture in comparison with the desired security posture
– An outside firm that specializes in security can attempt to penetrate the network and test not only the posture of the network but the security response of the organization as well
– For high-availability networks, conducting such a test annually is recommended


Response: Review (3)

• Finally, practice is defined as a test of the support staff to ensure that they have a clear understanding of what to do during a security violation
– Often the test is unannounced and done in conjunction with the network posture test
– It shows the gaps in procedures and training of personnel so that corrective action can be taken