Professional Documents
Culture Documents
Administering Security
- By Getaneh T.
Security Plan
• A security plan is a document that describes how an organization will address its security
needs. The plan is subject to periodic review and revision as the organization’s security
needs change.
• Contents of a security plan
1. policy, indicating the goals of a computer security effort and the willingness
of the people involved to work to achieve those goals
2. current state, describing the status of security at the time of the plan
3. requirements, recommending ways to meet the security goals
4. recommended controls, mapping controls to the vulnerabilities identified in the
policy and requirements
5. accountability, describing who is responsible for each security activity
6. timetable, identifying when different security functions are to be done
7. continuing attention, specifying a structure for periodically updating the
security plan
1) Policy
• A security plan must state the organization’s policy on security.
• A security policy is a high-level statement of purpose and intent.
2) Requirements
• Requirements are usually derived from organizational needs.
• Requirements explain what should be accomplished, not how.
• Must have these characteristics : correctness, consistency, completeness,
realism, need, verifiability, traceability.
• May be constrained by budget, schedule, performance, policies,
government regulations and more.
4) Recommended Controls
• The security plan must also recommend what controls should be
incorporated into the system to meet the requirements.
6) Time Table - shows how and when the elements of the plan will be
performed. These dates also give milestones so that management can track
the progress of implementation.
Security Planning Team Members
• Computer hardware group
• System administrators
• Systems programmers
• Applications programmers
• Data entry personnel
• Physical security personnel
• Representative users
Business Continuity Plans
• Documents how a business will continue to function during a computer
security incident.
• An ordinary security plan covers computer security during normal times
and deals with protecting against a wide range of vulnerabilities from the
usual sources.
• A business continuity plan deals with situations having two
characteristics:
1) catastrophic situations, in which all or a major part of a computing
Ratings of Likelihood
Frequency Rating
More than once a day 10
Once a day 9
Once every three days 8
Once a week 7
Once in two weeks 6
Once a month 5
Once every four months 4
Once a year 3
Once every three years 2
Less than once in three years 1
4. Compute Expected Loss
• Determine the likely loss if the exploitation does indeed occur.
processes.
5. Ensure a safe and productive place to work.
6. Comply with applicable laws and regulations.
Contingency Planning
❑ Backup
• Offsite Backup
• Networked Storage
• Cold Site or shell - facility with power and cooling available, in which
a computing system can be installed to begin immediate operation.
•Hot site - computer facility with an installed and ready-to-run
computing system.
Legal And Ethical Issues
Protecting Programs and Data
1) Copyrights – designed to protect the expression of ideas.
✓ Applies to a creative work, such as a story, photograph, song, or
pencil sketch.
✓ Intention is to allow regular and free exchange of ideas.
✓ Gives the author exclusive right to make copies of the expression
and sell them in public.
▪ Intellectual Property
▪ Originality of work
▪ Fair use of Material – copyrighted object is subjected to fair use.
A purchaser has the right to use the product in the manner for
which it was intended and in a way that does not interfere with
the author's rights.
▪ Requirements for registering a copyright.
• Notice - Any potential user must be made aware that the work is copyrighted.
• Officially filed.
Copyright Infringement
• The holder of the copyright must go to court to prove that someone
has infringed on the copyright.
• The infringement must be substantial, and it must be copying, not
independent work.
• Registering a Patent
• Patent Infringement
A patent holder must oppose all infringement.
Failing to sue a patent infringement even a small one or one the
patent holder does not know about can mean losing the patent rights
entirely.
• Applicability of Patents to Computer Objects
3)Trade Secrets
• The information has value only as a secret, and an infringer is one who divulges the
secret. Once divulged, the information usually cannot be made secret again.
Legal protection Sue if unauthorized copy Sue if invention copied Sue if secret improperly
sold obtained
Protecting Hardware – Hardware can be patented.
Protecting Firmware - Trade secret protection is appropriate for the code
embedded in a chip.
Protecting Object Code Software - copyright protection is appropriate.
Protecting source code software – copyright or trade secret protection.
Protecting Documentation - A program and its documentation must be
copyrighted separately.
Protecting Web Content - most appropriate protection is copyright
Protecting Domain Names and URLs - Domain names, URLs, company names,
product names, and commercial symbols are protected by a trademark, which
gives exclusive rights of use to the owner of such identifying marks.
Characteristics of Information
• Information as an object
• Information is not depletable
• Information can be Replicated
• Information has a Minimal Marginal Cost
• The Value of Information is often Time Dependent
• Information is often transferred Intangibly