Scribd Logo
Upload

Welcome to Scribd!

  • Networking

    Uploaded by

    Nyi Nyi Lin
    5 views10 pages
    This document discusses network security policy development. It outlines the security policy development life cycle, which includes assessing security requirements, defining the policy scope, and conducting feasibility studies. A key part of development involves identifying organizational assets, potential threats, vulnerabilities, and associated risks. This allows the organization to determine appropriate protective measures to include in the security policy.

    Original Description:

    networking

    Original Title

    networking

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document discusses network security policy development. It outlines the security policy development life cycle, which includes assessing security requirements, defining the policy scope, and conducting feasibility studies. A key part of development involves identifying organizational assets, potential threats, vulnerabilities, and associated risks. This allows the organization to determine appropriate protective measures to include in the security policy.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    5 views10 pages

    Networking

    Uploaded by

    Nyi Nyi Lin
    This document discusses network security policy development. It outlines the security policy development life cycle, which includes assessing security requirements, defining the policy scope, and conducting feasibility studies. A key part of development involves identifying organizational assets, potential threats, vulnerabilities, and associated risks. This allows the organization to determine appropriate protective measures to include in the security policy.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 10

    Networking

    Unit 17 – Local Area Network Security

     BUSINESS IMPACT
     SECURITY POLICY DEVELOPMENT
     VIRUS PROTECTION
     FIREWALLS
     AUTHENTICATION AND ACCESS CONTROL
     ENCRYPTION
     APPLIED SECURITY SCENARIOS
     GOVERNMENT IMPACT

    CMPC531\tc_17.ppt \\ page 17 - 1
    Networking
    BUSINESS IMPACT
     Network security is a business problem.
     The development and implementation of a sound network security policy
    must start with strategic business assessment followed by strong
    management support throughout the policy development and implementation
    stages.
     Enterprise network security goals must be set by corporate presidents and/or
    board of directors.

    CMPC531\tc_17.ppt \\ page 17 - 2
    Networking
    SECURITY POLICY DEVELOPMENT
     Security policy development life cycle (SPDLC). Figure 16-1.
     A cycle because evaluation processes validate the effectiveness of original
    analysis stages.
     Security Requirements Assessment
     Require a structured approach to ensure that all potential user group/information
    resource combinations have been considered.
     A network analyst can create a matrix grid mapping all potential user groups
    against all potential corporate information resources.
     Refer Figure 16-3.
     These security processes:
     Restrictions to information access imposed upon each user group
     Definition the responsibilities of each user group for security policy implementation
    and enforcement.
     It should be reviewed on a periodic basis through ongoing auditing, monitoring,
    evaluation, and analysis.

    CMPC531\tc_17.ppt \\ page 17 - 3
    Networking

    Figure 16-1 The Security Policy Development Life Cycle

    CMPC531\tc_17.ppt \\ page 17 - 4
    Networking
    SECURITY POLICY DEVELOPMENT
     Scope Definition and Feasibility Studies
     Define the scope or limitations of the project
     Feasibility studies gain vital information on the difficulty of the security policy
    development process as well as the assets (human and financial) required to
    maintain such a process.
     Need to decide on the balance between security and productivity.
     See Figure 16-4.
     Need to identify those key values that a corporation should be maintained.
     Five most typical fundamental values of network security policy development:
     Identification/Authentication: the process of reliably determining the genuine identity
    of the communicating computer (host) or user.
     Access Control / Authorization: authenticated users are only allowed to those
    information and network resources they are supposed to access.
     Privacy/Confidentiality: ensure tat data is disclosed only to intended recipients.
     Data Integrity: assure that data are genuine and cannot be changed without proper
    controls.
     Non-Repudiation: users cannot deny the occurrence of given events or transactions.

    CMPC531\tc_17.ppt \\ page 17 - 5
    Networking

    Figure 16-4 Security vs. Productivity Balance


    CMPC531\tc_17.ppt \\ page 17 - 6
    Networking
    SECURITY POLICY DEVELOPMENT
     Assets, Threats, Vulnerabilities, and Risks
     Most security policy development methodologies boil down to the following six
    major steps:
    1. Identify assets
    2. Identify threats
    3. Identify vulnerabilities
    4. Consider the risks
    5. Identify risk domains
    6. Take protective measures
     Assets: corporate property of some value that requires varying degrees of
    protection.
     Data or Information can be classified:
     Unclassified or Public
     Sensitive
     Confidential
     Secret
     Top Secret

    CMPC531\tc_17.ppt \\ page 17 - 7
    Networking
    SECURITY POLICY DEVELOPMENT
     Assets, Threats, Vulnerabilities, and Risks
     Threats: processes or people that pose a potential danger to identified assets.
     Vulnerabilities: manner or path by which threats are able to attack assets.
     Risks: probability of a particular threat successfully attacking a particular asset in a given amount of
    time via a particular vulnerability. E.g.
     Intruders or attackers may use social engineering or snooping to obtain user passwords
     An administrator may incorrectly create or configure user ids, groups, and their associated rights
    on a file server, resulting in file and login access vulnerabilities
     Network administrators may overlook security flaws in topology or hardware configuration
     Network administrators may overlook security flaws in operating system or application
    configuration;
     Lack of proper documentation and communication of security policies may lead to deliberate or
    inadvertent misuse of files or network access;
     Dishonest or disgruntled employees may abuse the file and access rights they’ve been given;
     A computer or terminal left logged into the network while its operator goes away may provide an
    entry point for an intruder;
     Users or even administrators choose passwords that are easy to guess;
     Authorized staff may leave computer room doors propped open or unlocked, allowing
    unauthorized individuals to enter;

    CMPC531\tc_17.ppt \\ page 17 - 8
    Networking
    SECURITY POLICY DEVELOPMENT
     Assets, Threats, Vulnerabilities, and Risks
     Staff may discard disks or backup tapes in “public” waste containers
     Administrators may neglect to remove access and file rights for employees
    who have left the organisation.
     Figure 16-7 shows the relationship between assets, threats,
    vulnerabilities, risks, and protective measures.

    CMPC531\tc_17.ppt \\ page 17 - 9
    Networking

    Figure 16-7 Assets,


    Threats,
    Vulnerabilities, Risks,
    and Protective
    Measures

    CMPC531\tc_17.ppt \\ page 17 - 10

    You might also like