
I) What is a security policy?
The set of rules that users must follow when using the organisation's technology or accessing its information systems, together with the settings that protect the network against attacks from outside.

II) Why a security policy is needed
- It helps the IT staff responsible for security work more effectively.
- It reduces the risk of being attacked.
- It gives the company legal protection: the policy states how users must use the network and how they must handle confidential information, which reduces the company's legal liability when an incident occurs.
- Third parties that do business with the company usually require it to have a security policy.
- Information-security standards and regulations require companies to have a security policy: DSS, HIPAA, the HITECH Act, SOX, ISO, GLBA, ...

III) Benefits of a security policy
- Provides a means of controlling network security.
- Improves security planning.
- Defines which actions are permitted and which are not.
- Defines the process for handling network security incidents.
- Enables organisation-wide security implementation and enforcement by acting as a common standard across sites.
- Creates a legal basis for action.

IV) Difficulties in establishing a security policy
Writing a security policy is not easy; it costs time and money. Companies usually have two options:
- Hire a company that specialises in security to write the policies for them.
- Write the policies themselves, based on information found online.
Hiring a company can cost up to ten thousand dollars, depending on the complexity and number of policies, and can take a long time. To be effective, a security policy must be clear and consistent, and above all it must fit the company's business structure.

V) Functions a security policy must provide
- Protect user information.
- Set rules of behaviour for users, system administrators, managers and security staff.
- Authorise security staff to monitor, probe and investigate.
- Define the responsibility of, and the consequences for, those who violate it.

VI) Basic components of a security policy
A security policy must be written in clear, easily understood language that is unambiguous to every user. The basic components are:
- Policy Statement: an overview of the security policy, such as its purpose and the scope to which it applies.
- Standard: states the ways the policy is enforced and anticipates the effect of the policy on the system.
- Guidelines: present the instructions, recommendations and implementation methods that satisfy the requirements set out in the security policy.
- Procedures: step-by-step instructions for carrying out each component of a security policy, from gathering opinions through actual deployment on the computers and testing the effects on the working environment.

VII) Requirements for the policy content
- Contain only what is really necessary, and be concise.
- Comply with the law.
- Be reasonable rather than overly restrictive towards users.
- State clearly which actions violate the policy and how non-compliance will be handled.

VIII) Main criteria of a security policy
- Acceptable Use: when a security policy is implemented, the first person to review and approve it is always the organisation's top-level manager. For the roll-out to be effective, however, the policy should be sounded out so that it is accepted by the majority of users. For example, you cannot block Internet access for the research and development department, because that access makes their work easier. Individual rights must also be considered when writing policies, so that enforcing them does not create conflicts between personal interests and the interests of the organisation.
- Due Care: the process of investigating or assessing the impact, effectiveness and total cost of implementing the security policies. Its aim is the best result in terms of cost, time and user convenience, without infringing individual privacy. In one case a US financial company was sued by its employees for violating their personal freedom after it deployed a sniffer to capture employees' chat messages. Clearly, due care was not exercised properly when that information-security policy was planned and implemented.
- Privacy: policies must guarantee the privacy and confidentiality of data and information.
- Separation of Duties (Separation of Roles): no single individual in a system may hold too much authority or responsibility; rights must be clearly divided. This criterion makes the policy stricter and the system safer. If every task in operating an information system depends on one individual, the impact of an incident is far greater than if responsibility and work are shared among several members. One of the most important goals of separation of duties is to limit the damage when an incident hits one link in the system.
- Need to Know: this criterion sets the minimum rights a user is granted. To apply it, ask at the time rights are granted whether the user is being given more than their actual needs require.
- Least Privilege: like Need to Know, individuals and services are assigned only the minimum rights required by their job or function. Note the similarity between the two concepts.

IX) Classification of security policies
Each company will have different security policies. Below is a list of the basic policies a company needs.
- Group 1: basic security policies that must exist:
1) Statement of authority and scope: identifies who is responsible for establishing the security policy, who is responsible for implementing it, and the scope to which it applies.
2) Acceptable use policy (AUP): governs the use of the system's physical and information resources. Examples:
- Computer screens must have a screensaver or screen lock set for when the user leaves the machine.
- Paper documents must be placed face down on the desk so that others cannot read them.
- Draft plans must be shredded, never thrown into the waste basket.
3) Identification and authentication policy: defines the technologies the company uses to ensure that only authorised people can access data.

4) Internet access policy: defines employees' rights regarding use of the Internet connection. Example: prevent employees from using the company network to visit unauthorised websites.
5) Campus access policy: defines the appropriate use of resources on the campus network by employees and guests.
6) Remote access policy: defines how users may access company data remotely. Example:
a) Overview: defines the standards for connecting to the organisation's network and the security standards for computers allowed to connect.
b) Purpose: designed to prevent damage to the network or computer systems and to prevent modification or theft of data.
c) Requirements for computers connecting remotely:
+ The computer must have antivirus software installed and set to real-time protection.
+ Nobody except the server administrator may stop the antivirus program.
+ The computer must be protected by a firewall when it connects to the Internet.
d) Requirements for remote connections: remote users connect by Dial-in or VPN (with a VPN, the user connects to an ISP and a tunnel is established from the ISP to the company network).
e) Requirements for VPN:
+ The VPN client must run a firewall and antivirus software. A VPN client that does not meet the standards is either refused a connection or allowed into a restricted area only.
+ The connection options are PPTP, L2TP, IPSec and SSL. The connection uses IPSec to encrypt data before sending it.
7) Incident handling procedure: defines how, and by whom, incidents are handled.
- Group 2: other security policies:
1) Wireless policy: wireless networks are very convenient but also carry many security risks, because they cannot be managed like a cabled system. A policy is therefore needed to govern wireless network use.
a) Overview: defines the use of wireless devices in the organisation and how wireless devices must be configured when used.
b) Purpose: to protect the organisation's resources from attackers who use the wireless network.
c) Scope: applies to every device that connects to the organisation's wireless network.
d) Authentication: all wireless devices must be deployed strictly; the authentication mechanism keeps unauthorised people off the network.
e) Encryption: the encryption mechanism on all wireless devices must be checked rigorously; it protects data from being captured while in transit over the medium.
f) Configuration: wireless SSIDs must not contain or reveal any information about the organisation, its departments or its employees.

g) Access points: all wireless access points and wireless devices connecting to the organisation's network must be registered and approved by the management department.
h) Authority: the CIO or the most senior member of IT management has final authority over managing and protecting wireless devices and the wireless network. This person must have substantial experience and training in IT and a solid understanding of computer-security concepts, and is responsible for the operation of the network.
i) Devices allowed on the wireless network:
- Only approved devices.
- All wireless devices must be checked for correct configuration before being put into use, and re-checked periodically afterwards.
k) Enforcement: because users can use the wireless network to attack and penetrate the system, authorised use and the use of appropriate wireless technology are very important to the security of the organisation and of individuals. Employees who do not comply with this policy may face disciplinary action, up to and including dismissal.
2) Account access request policy: governs and formalises the process of requesting access to user accounts.
3) Acquisition assessment policy: sets out responsibilities related to company acquisitions and defines the minimum requirements for the information-security assessment that must be completed for an acquisition.
4) Audit policy: requires that the use of a system or of data be logged so that, when needed, the cause of an incident can be traced. Example:
A training company applies this policy to its lecture and course-material sections, to control access and changes by the instructors.
5) Information sensitivity policy: defines the requirements for classifying and protecting information according to its sensitivity level.
6) Password policy: defines the standards for creating, protecting and changing passwords.
a) Overview: everyone who accesses the organisation's computer systems must respect the password policy, to preserve the security of the network, the data and the computer systems.
b) Purpose: to protect the organisation's network resources by requiring strong passwords, protecting those passwords, and setting a minimum interval between password changes.
c) Scope: applies to everyone who registers an account on the organisation's network.
d) Password protection:
- Do not send passwords by e-mail.
- Do not use the "remember password" function in programs.
- Do not use the login name in the password.
- Do not use phone numbers or ID-card numbers in the password.
e) Password requirements:
- Minimum length 8 characters.
- Minimum complexity: use at least 3 of the 4 character classes (lower-case letters, upper-case letters, digits, special characters).
- The account is locked after more than 4 failed login attempts.
7) Risk assessment policy: defines the requirements for, and empowers, the security team to identify, assess and remediate risks to the information infrastructure that supports business operations.

8) Global web server policy: defines the standards required of all web servers.
- Group 3: e-mail policies:
1) Automatically forwarded e-mail policy: restricts automatic forwarding of e-mail to addresses outside the company without management approval.
2) E-mail policy: defines content standards for e-mail in order to protect the company's image.
a) Purpose: to protect the company's image, because when an e-mail is sent from the company's e-mail system, the public tends to treat it as an official statement of the company.
b) Scope: applies to anyone who sends e-mail from a company e-mail address.
c) Policy:
- Use of the company's e-mail system for malicious purposes (spam, virus attachments, etc.) is prohibited. Any employee who receives such an e-mail from any company address must report it to their manager.
- Use of company e-mail for personal purposes is allowed, but personal e-mail must be kept in a folder separate from work-related e-mail.
e) Monitoring: employees' e-mail may be monitored by the company without prior notice.
f) Enforcement: any employee found to have violated this policy is subject to disciplinary action, up to and including termination.
3) Spam policy: defines how senders of spam are reported and dealt with.
- Group 4: remote access policies:
1) Dial-in access policy: defines how dial-in access is to be used appropriately by authorised people.
2) VPN security policy: defines the requirements for VPN connections to the organisation's network.
- Group 5: some other types of policy:
Information Classification Security Policy
Minimum Access Policy
Acceptable Encryption Policy
Web Server Security Policy
Extranet Policy
Application Service Provider Policy
Authentication Credentials Policy
Application Container Policy
Database Credential Coding Policy
Database Execution Environment Policy
Highly Sensitive Application Server Policy
Inter-process Communication Policy
Internet DMZ Equipment Policy
DMZ Application Server Policy
Internet DMZ Web Entitlement Policy
DMZ Lab Security Policy
Account Access Request Policy
Acquisition Assessment Policy
Risk Assessment Policy
Router and Switch Security Policy
Server Security Policy
Lab Anti-virus Policy

Internal Lab Security Policy
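As an added example (not part of the original document), the password requirements from the password policy in section IX, Group 2, item 6 above can be turned into an automated check. The validator below enforces the minimum length, the three-of-four character-class rule, the ban on the login name and on the user's phone or ID-card number inside the password, and the lockout after more than four failed logins. The thresholds come from the policy text; the function and class names, the constructed sample accounts and passwords, and the reading of "more than 4 failed attempts" as "the fifth consecutive failure locks the account until an administrator unlocks it" are assumptions made for this example.

```python
import string

# Thresholds taken from the password policy text (section IX, Group 2, item 6).
MIN_LENGTH = 8          # minimum length 8 characters
MIN_CLASSES = 3         # at least 3 of the 4 character classes
MAX_FAILED_LOGINS = 4   # locked after more than 4 failed login attempts


def character_classes(password: str) -> set:
    """Return the subset of {lower, upper, digit, special} present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def check_password(password: str, username: str, known_numbers=()) -> list:
    """Return the list of policy rules the password breaks (empty list = acceptable).

    known_numbers holds the user's phone and ID-card numbers as strings; the policy
    forbids them in the password, so their digit sequences are searched for.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the login name")
    for number in known_numbers:
        digits = "".join(c for c in number if c.isdigit())
        if digits and digits in password:
            problems.append("contains a phone or ID number")
            break
    return problems


class LoginTracker:
    """Counts consecutive failed logins per account and enforces the lockout rule.

    Assumption for this example: "more than 4 failed attempts" means the fifth
    consecutive failure locks the account, and a locked account stays locked until
    an administrator unlocks it (no automatic expiry is modelled).
    """

    def __init__(self) -> None:
        self.failures = {}      # username -> consecutive failed attempts
        self.locked = set()     # usernames currently locked out

    def attempt(self, username: str, credential_ok: bool) -> str:
        """Record one login attempt and return "ok", "failed" or "locked"."""
        if username in self.locked:
            return "locked"     # refused before the credential is even considered
        if credential_ok:
            self.failures.pop(username, None)   # a success resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] > MAX_FAILED_LOGINS:
            self.locked.add(username)
            return "locked"
        return "failed"

    def unlock(self, username: str) -> None:
        """Administrator action: clear the lockout and the failure counter."""
        self.locked.discard(username)
        self.failures.pop(username, None)


def demo() -> dict:
    """Run the checks on constructed sample input and return the outcomes."""
    results = {
        # constructed sample passwords and account names, not real credentials
        "strong": check_password("Tr0ub4dor!x", "alice"),
        "too_short": check_password("Ab1!", "alice"),
        "one_class": check_password("password", "bob"),
        "has_username": check_password("alice2024!X", "alice"),
        "has_phone": check_password("Xy!0912345678", "bob", ["0912 345 678"]),
    }
    tracker = LoginTracker()
    # four wrong passwords are tolerated, the fifth locks the account
    results["lockout"] = [tracker.attempt("carol", False) for _ in range(5)]
    results["locked_even_with_right_password"] = tracker.attempt("carol", True)
    tracker.unlock("carol")
    results["after_unlock"] = tracker.attempt("carol", True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The lockout check is deliberately done before the credential is evaluated, so that a locked account cannot be used to confirm a guessed password; in a real deployment the failure counters would live in the authentication backend rather than in process memory.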
