Professional Documents
Culture Documents
General Security Principles and Practices
General Security Principles and Practices
Security Principles
Common Security Principles Security Policies Security Administration Physical Security
Defense in Depth
Security Policies
Security objectives to:
Design specific controls Keep users informed of expected behavior
Security policies range from single documents to multiple documents for specialized use or for specific groups of users
Must be specific enough to guide user activity but flexible enough to cover unanticipated situations Should answer key questions
What activities are acceptable? What activities are not acceptable? Where can users get more information as needed? What to do if violations are suspected or have occurred?
User thinks:
Anything that is not prohibited is permitted
Backup Policy
Data backups protect against corruption and loss of data
To support the integrity and availability goals of security
Backup Policy
Backup types:
Cold site Warm site Hot site
Confidentiality Policy
Outlines procedures used to safeguard sensitive information Should cover all means of information dissemination including telephone, print, verbal, and computer Questions include
What data is confidential and how should it be handled? How is confidential information released? What happens if information is released in violation of the policy?
Implementing Policy
A major challenge for information security professionals Includes processes of developing and maintaining the policies themselves as well as ensuring their acceptance and use within the organization Activities related to policy implementation are often ongoing within an organization
Developing Policies
Team approach should be employed
Include members from different departments or functional elements within the organization
Develop a high-level list of business objectives Determine the documents that must be written to achieve objectives Revise documents drafts until consensus is achieved
Building Consensus
buy-in from employees is essential Policy implementers are employees. Without buy-in policy enforcement would falter Often the policies are promoted and advertised by senior management
Education
New policies implementation require sufficient training for employees Users should be aware of their responsibilities with regard to policies Two types of training
One-time initial training to all employees Periodic training to
Remind employees of their responsibilities Provide employees with updates of policies and technologies that affect their responsibilities
Policies should be strictly and uniformly enforced Policy changes occur as companies and technologies change Policies should contain provisions for modification through maintenance procedures
Essential to have mandated periodic reviews
Security checklists
Security professionals should review all checklists used in an organization for compliance with security procedures Security professionals may develop their own checklists for security-specific tasks
Security matrices
Used in development of security policies and implementation of particular procedures Helps focus amount of attention paid to particular goals
Security Matrices
Physical Security
Ensures that only authorized people gain physical access to a facility Protection from natural disasters such as fires and floods Large organizations outsource physical security Three common categories of physical security issues
Perimeter protection Electronic emanations Fire protection
Physical Security
Addresses security countermeasures using:
Design Implementation Maintenance
Perimeter Security
Perimeter security includes:
Fences Walls Gates Lighting Motion detectors Dogs Patrols
Access Control
Locks Manual Electronic Biometric Defense in depth principle Fences around the facility and biometrics for specific offices within a facility
Access Control
ID cards and badges Electronic monitoring Mantrap Alarms
Fire Safety
Fire detection
Thermal detection Fixed-temperature detection Rate-of-rise detection Smoke detection Photoelectric sensors
Class A less serious Class B combustible liquids Class C electrical fires Class D dangerous chemicals
Fire classes
Fire Safety
Fire suppression
Water sprinkler
Dry pipe Wet pipe Mist sprinkler Deluge system
Electrical Power
UPS
Standby Line-interactive True-online
Electronic Surveillance
Facility monitoring using surveillance video Check for electromagnetic signals leaking data
Electromagnetic signals can be picked up and interpreted outside facility Expensive to block electronic eavesdropping
Personnel Security
People are the weakest link in a security system Perform background investigations
Can include criminal record checks, reference evaluations
References
Curtis Dalton, Had a security physical lately? Business Communications Review, May 2002. Types of locks http://www.secmgmt.com/ UPS http://www.pcguide.com/ref/power/ext/ups/types.htm Eric Maiwald and William Sieglein, Security Planning and Disaster Recovery, McGrawHill/Osborne, NY, 2002.