
LO3 Test security and internet access

This learning guide is developed to provide you with the necessary information regarding the following content coverage and topics:
• Security policy.
• Testing and verifying security access levels based on the security policy.
• Monitoring and evaluating the capability and reliability of security systems.
• Changing system protection against known and potential threats.
Introduction
• Information security policies can be used as an active part of an organization's efforts to protect its valuable information assets.
• Policies allow organizations to put practices and procedures in place that will reduce the likelihood of an attack or an incident and will minimize the damage such an incident can cause, should one occur.
• This guide looks at why policies should be the basis of a comprehensive information security strategy, and how policies can be an effective, practical part of your digital defence systems.
What is a Policy?
• "A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters."
• In practical security terms, I define a policy as a published document (or set of documents) in which the organization's philosophy, strategy, policies and practices with regard to the confidentiality, integrity and availability of information and information systems are laid out.
• Thus, a policy is a set of mechanisms by means of which your information security objectives can be defined and attained.
Basic information security objectives:
1 Confidentiality is about ensuring that only the people who are authorized to have access to information are able to do so.
• It's about keeping valuable information only in the hands of those people who are intended to see it.
2 Integrity is about maintaining the value and the state of information, which means that it is protected from unauthorized modification.
• A major objective of information security is to ensure that information is not modified, destroyed or subverted in any way.
3 Availability is about ensuring that information and information systems are available and operational when they are needed.
A policy lays out the mechanisms through which these objectives can be achieved, namely:
1 Philosophy. This is the organization's approach towards information security: the framework, the guiding principles of the information security strategy.
• It will explain to future generations why you did what you did.
2 Strategy. The strategy is the plan, or the project plan, for realizing the security philosophy.
• A measurable plan detailing how the organization intends to achieve the objectives that are laid out, either implicitly or explicitly, within the framework of the philosophy.
3 Policies. Policies are simply rules. They're the dos and the don'ts of information security, again within the framework of the philosophy.
What Benefits Do Policies Offer?
• Here are some of the things policies will do for you that you'll struggle to achieve with technology.
A The Boss Can Do It
• Most technological controls are the responsibility of the IS manager or the network administrator. A policy, by contrast, is something management itself can issue and own.
B They Provide a Paper Trail in Cases of Due Diligence
• In some industries your company may have legal obligations with respect to the integrity and confidentiality of certain information.
• In many cases the only way you can prove due diligence in this regard is by referring to your published policies.
C They Exemplify an Organization's Commitment to Security
• Because a policy is typically published, and because it represents an executive decision, a policy may be just what is needed to convince a potential client, merger partner or investor exactly how seriously you take security.
D They help ensure consistency
 A well-implemented policy helps to ensure consistency
in your security systems by giving a directive and clearly
assigning responsibility and, equally important, by
stipulating the consequences of failing to fulfill those
responsibilities.
E They Serve as a Guide to Information Security
• A well-designed policy can become an IT
administrator's Bible.
G They Give Security Staff the Backing of Management
• Armed with a policy your security administrators can do
their jobs without having to continuously justify
themselves.
Introduction to Security Policies, Part Two: Creating a Supportive Environment
• Policies in themselves are not effective; their effectiveness is directly proportional to the support they receive from the organization.
• Thus it is crucial that the organization be aware of the importance of security policies and create an environment in which security is given a high priority.
• A few of the factors that make up a supportive environment and increase the efficacy of the policies:
1 Management support
• One of the biggest challenges facing security people is to convince management of the importance of their involvement in the process.
• Without the buy-in of management at a high level the policy
2 Organizational structure
• While the titles or acronyms may vary from organization to organization, the roles, duties and obligations should be fairly consistent throughout.
• The central role is commonly titled 'security officer' or 'SO'. It is the responsibility of the security officer to oversee the creation, distribution and implementation of security policies.
• In this sense, the SO plays the role of intermediary between management and the user base.
• In large organizations the SO is often responsible for organizing the creation of a security team or task force (STF).
The functions of the STF include:
• Defining security strategy;
• Creating a mission statement and project plan;
• The investigation of a formal accreditation program (more on this later);
• Defining the corporate security policy;
• Defining system-specific policies (more on this also);
• A user awareness program; and,
• The appointment of Security Auditors.
The structure of the STF is depicted in the diagram below:
3 Financial Support
• The security process will always require an investment in time, human resources and finance. Without sufficient financial commitment any security effort is bound to fail.
• The same is true for the policy development process.
Using a Classification System
• In developing information security policies, security personnel will need to be able to distinguish between various groups of people, computers and information that have differing value and differing requirements in terms of security.
• This is a form of classifying information in terms of its accessibility to people within the organization.
Formal Classification Systems
Let's briefly explore two such systems, just by way of example:
1. The Military Model [1]
In military circles, it is common for information to be classified into five levels:
• top secret
• secret
• confidential
• restricted
• unclassified
• Users are also assigned a classification (their clearance), and the following rule is applied: "To have access to a document, the user must have a classification at the same level as, or higher than, that of the document."
2. The Bell-LaPadula model [1]
• Bell-LaPadula is a formalization of the military model and is the form in which it is usually applied to a commercial organizational environment. It keeps the read rule above (a user may not read a document classified above their clearance) and adds a second rule that controls where information may be written.
• That rule states that information obtained from an object may only be passed to another object if the classification of the target object is at least as high as that of the source object. Its purpose is to stop a user who may legitimately read a secret document from copying its contents into an unclassified one.
Your Own Classification System as SO
• The SO, as the person in charge of developing security policies, should develop a classification system as well as a supporting rule set that meets the requirements and objectives of the organization.
Clearance
• Finally, all users and potential users should be classified.
• A user's classification is called a Clearance Level and is used to determine what data and resources a user may have access to.
• In general, access is only allowed when the clearance is at the same level as, or higher than, the classification of the item being accessed (data, equipment or physical locations).
Security Levels
• We've already listed the levels typically used in the military model. Another approach may be as follows:
1 Unclassified: Considered publicly accessible. There are no requirements for access control or confidentiality.
2 Shared: Resources that are shared within groups or with people outside of your organization.
• This can include mail servers that are accessible from the Internet, servers that are accessible by customers, and routers that link you to your ISP.
• Data that is legitimately accessed by outside people or groups can be classified as Shared.
3 Company Only: Access is restricted to your internal employees only.
4 Confidential: Access is restricted to a specific list of people.
• For someone to have access to data or resources classified as 'Confidential' they must be cleared at this level and they must be included in the access list for this resource.
• NB: Not only data but also users are cleared according to this system. Every user requiring access to your systems must receive clearance first. This includes employees, contractors, consultants, etc.
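As an added example (not from the original guide), here is the clearance rule from the military model and the four-level scheme above, together with the Bell-LaPadula flow rule, written out as an access decision in Python. The level names are the four from this section; the subjects, resources, the access list and the function names are my own, constructed for illustration.

```python
"""Added example: a clearance-based access decision over the four-level
scheme above (Unclassified < Shared < Company Only < Confidential), with
the Confidential access-list requirement and the Bell-LaPadula flow rule.
Subjects, resources and names are constructed for illustration."""
from dataclasses import dataclass

# Sensitivity levels in ascending order; position in the tuple is the rank.
LEVELS = ("Unclassified", "Shared", "Company Only", "Confidential")
RANK = {name: i for i, name in enumerate(LEVELS)}


def _check_level(level: str) -> None:
    # An unknown level (a typo in a policy file, say) must fail closed.
    if level not in RANK:
        raise ValueError(f"unknown classification level: {level!r}")


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str  # one of LEVELS

    def __post_init__(self):
        _check_level(self.clearance)


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str  # one of LEVELS
    access_list: frozenset = frozenset()  # consulted only at Confidential

    def __post_init__(self):
        _check_level(self.classification)


def can_read(subject: Subject, resource: Resource) -> bool:
    """Clearance rule: the subject's clearance must be at the same level as,
    or higher than, the resource's classification. At Confidential the
    subject must additionally appear on the resource's access list."""
    if RANK[subject.clearance] < RANK[resource.classification]:
        return False
    if resource.classification == "Confidential":
        return subject.name in resource.access_list
    return True


def can_flow(source: Resource, target: Resource) -> bool:
    """Bell-LaPadula flow rule: data read from `source` may only be written
    into `target` if the target is classified at least as high."""
    return RANK[target.classification] >= RANK[source.classification]


def can_copy(subject: Subject, source: Resource, target: Resource) -> bool:
    """A copy is a read of `source` followed by a write into `target`, so both
    the clearance rule and the flow rule must pass. A Confidential target
    also requires the subject to be on its access list."""
    if not can_read(subject, source):
        return False
    if not can_flow(source, target):
        return False
    if target.classification == "Confidential":
        return subject.name in target.access_list
    return True


def decide(subject: Subject, source: Resource, target: Resource = None) -> str:
    """Return an audit-friendly verdict line for a read (no target) or a copy."""
    if target is None:
        ok, what = can_read(subject, source), f"read {source.name}"
    else:
        ok, what = can_copy(subject, source, target), f"copy {source.name} -> {target.name}"
    return f"{'ALLOW' if ok else 'DENY '} {subject.name}({subject.clearance}) {what}"


if __name__ == "__main__":
    # Constructed sample data: carol is cleared but not on payroll's list.
    alice = Subject("alice", "Confidential")
    bob = Subject("bob", "Company Only")
    carol = Subject("carol", "Confidential")
    payroll = Resource("payroll", "Confidential", frozenset({"alice"}))
    handbook = Resource("handbook", "Company Only")
    website = Resource("website", "Unclassified")
    for line in (decide(alice, payroll), decide(bob, payroll), decide(carol, payroll),
                 decide(bob, handbook), decide(alice, payroll, website),
                 decide(bob, handbook, payroll), decide(alice, handbook, payroll)):
        print(line)
```

Note that the two rules deny different things: bob is refused payroll because his clearance is too low, carol because she is cleared but not on the list, and alice, who may read payroll, is still refused when she tries to copy it into the public website because that would move information downwards.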
Rules for technology
• The matrix above deals with user access to objects. To
describe where equipment is connected to the network,
there is a very simple rule:
Structuring Security Policies
• The development of policies will still require a lot of work.
• It is essential that the policies be structured and packaged in such a way that they are as light as possible.
• By "light" I mean that they should be:
• Light, not weighty: not using too many trees.
• Simple and practical.
• Easy to manage and maintain.
• Easy to access by people seeking specific information.
• To meet these requirements, I typically recommend that a policy be split into a number of smaller policies and that these be arranged in a hierarchical fashion.
The Security Framework Document
• Although each position paper may be written by a different author - typically a specialist in that field - we still want all the papers to subscribe to some fundamental principles. These principles (what I call the security philosophy) are set out in the Security Framework document.
• The Security Framework document should cover at least the following important points:
1. The value of information and the organization's commitment to information security.
2. The classification system, which was discussed in the second article in this series.
3. The principle of accountability, which states clearly that users and administrators will be held accountable for behavior that impacts the security of information.
4. The designation of authority to the Security Officer and to other security-related people in the organization, as appropriate.
5. The principle of individual responsibility of all system users for the security of information resources.
6. The organization's approach to security reviews; for example, how often they will take place, who will perform them, etc.
• The SO assumes ultimate responsibility for security in the organization. It is his or her job to guide, advise on and review the organization's security policies and procedures.
• The Security Framework document thus usually falls under the SO's jurisdiction.
Position Papers
• Position papers are written to address a specific aspect of the security policy, such as the security of some specific technology, or security in a particular situation.
• For example, one might have a position paper covering the secure configuration of Windows 2000 member servers that are connected to the Internet, as well as one describing the process to be followed in the event of a breach of security measures (commonly known as a security incident).
What Topics should the Position Papers Cover?
Here's a list of position papers that should exist for most
organizations:
• Physical Security
• Network Security
• Access Control
• Authentication
• Encryption
• Key Management
• Auditing and Review
• Security Awareness
• Incident Response & Disaster Contingency Plan
• Acceptable Use Policy
• Software Security
Policy Owner
 The Policy Owner is the person responsible for the
maintenance and integrity of a given policy document.
 No changes may be made to a document without the
express permission of the Policy Owner.
 The name of the Policy Owner must be clearly displayed
on the document and the document should always be
dated and signed by the owner.
Technical Guides
 Technical guides are another set of useful documents,
although they are not actually policies.
 Technical guides outline the implementation, operation,
configuration and administration of specific systems.
Assessing Policies
• Once an organization has a system of security policies in place, it will be necessary to determine the efficacy of the policies within the context of the organization.
• The following is a list of simple questions security personnel can use to assess how effective the policy will be for their particular organization:
1. Does the policy have a clearly defined scope?
2. Is the policy comprehensive in terms of the defined scope
it means to address? Are all systems and issues sufficiently
covered?
3. Does the policy clearly define responsibilities? Is it clear to
the end-user, the line-manager and the various
administrators exactly what his or her responsibilities are?
4. Is the policy enforceable? Can it be applied in a concrete
manner so that the compliance is measurable?
5. Is the policy adaptable? Can it be easily changed to
address new risks and new technologies?
6. Is the policy having its desired effects?
7. Is the policy universally known and understood within
the organization?
8. Does the policy comply with law and with duties to third parties? Is the organization fulfilling its statutory obligations?
END LO 3 AND LO 4
