Professional Documents
Culture Documents
BUSINESS IMPACT
SECURITY POLICY DEVELOPMENT
VIRUS PROTECTION
FIREWALLS
AUTHENTICATION AND ACCESS CONTROL
ENCRYPTION
APPLIED SECURITY SCENARIOS
GOVERNMENT IMPACT
CMPC531\tc_17.ppt \\ page 17 - 1
Networking
BUSINESS IMPACT
Network security is a business problem.
The development and implementation of a sound network security policy
must start with strategic business assessment followed by strong
management support throughout the policy development and implementation
stages.
Enterprise network security goals must be set by corporate presidents and/or
board of directors.
CMPC531\tc_17.ppt \\ page 17 - 2
Networking
SECURITY POLICY DEVELOPMENT
Security policy development life cycle (SPDLC). Figure 16-1.
A cycle because evaluation processes validate the effectiveness of original
analysis stages.
Security Requirements Assessment
Require a structured approach to ensure that all potential user group/information
resource combinations have been considered.
A network analyst can create a matrix grid mapping all potential user groups
against all potential corporate information resources.
Refer Figure 16-3.
These security processes:
Restrictions to information access imposed upon each user group
Definition the responsibilities of each user group for security policy implementation
and enforcement.
It should be reviewed on a periodic basis through ongoing auditing, monitoring,
evaluation, and analysis.
CMPC531\tc_17.ppt \\ page 17 - 3
Networking
CMPC531\tc_17.ppt \\ page 17 - 4
Networking
SECURITY POLICY DEVELOPMENT
Scope Definition and Feasibility Studies
Define the scope or limitations of the project
Feasibility studies gain vital information on the difficulty of the security policy
development process as well as the assets (human and financial) required to
maintain such a process.
Need to decide on the balance between security and productivity.
See Figure 16-4.
Need to identify those key values that a corporation should be maintained.
Five most typical fundamental values of network security policy development:
Identification/Authentication: the process of reliably determining the genuine identity
of the communicating computer (host) or user.
Access Control / Authorization: authenticated users are only allowed to those
information and network resources they are supposed to access.
Privacy/Confidentiality: ensure tat data is disclosed only to intended recipients.
Data Integrity: assure that data are genuine and cannot be changed without proper
controls.
Non-Repudiation: users cannot deny the occurrence of given events or transactions.
CMPC531\tc_17.ppt \\ page 17 - 5
Networking
CMPC531\tc_17.ppt \\ page 17 - 7
Networking
SECURITY POLICY DEVELOPMENT
Assets, Threats, Vulnerabilities, and Risks
Threats: processes or people that pose a potential danger to identified assets.
Vulnerabilities: manner or path by which threats are able to attack assets.
Risks: probability of a particular threat successfully attacking a particular asset in a given amount of
time via a particular vulnerability. E.g.
Intruders or attackers may use social engineering or snooping to obtain user passwords
An administrator may incorrectly create or configure user ids, groups, and their associated rights
on a file server, resulting in file and login access vulnerabilities
Network administrators may overlook security flaws in topology or hardware configuration
Network administrators may overlook security flaws in operating system or application
configuration;
Lack of proper documentation and communication of security policies may lead to deliberate or
inadvertent misuse of files or network access;
Dishonest or disgruntled employees may abuse the file and access rights they’ve been given;
A computer or terminal left logged into the network while its operator goes away may provide an
entry point for an intruder;
Users or even administrators choose passwords that are easy to guess;
Authorized staff may leave computer room doors propped open or unlocked, allowing
unauthorized individuals to enter;
CMPC531\tc_17.ppt \\ page 17 - 8
Networking
SECURITY POLICY DEVELOPMENT
Assets, Threats, Vulnerabilities, and Risks
Staff may discard disks or backup tapes in “public” waste containers
Administrators may neglect to remove access and file rights for employees
who have left the organisation.
Figure 16-7 shows the relationship between assets, threats,
vulnerabilities, risks, and protective measures.
CMPC531\tc_17.ppt \\ page 17 - 9
Networking
CMPC531\tc_17.ppt \\ page 17 - 10