Lec 2

The document discusses the importance of security policies in mitigating risks and supporting business processes within IT infrastructures. It emphasizes the need for alignment of security policies with business requirements, the role of organizational structure, and the necessity of engaging employees to ensure compliance. Additionally, it outlines various security controls and risk mitigation strategies across different IT domains.


Security Policies and Implementation Issues

Lesson 2
Risk Mitigation and Business Support Processes

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.
Focusing on Key Concepts
• Learning Objective
  • Analyze how security policies help mitigate risks and support business processes in various domains of a typical IT infrastructure.
  • Analyze issues related to security policy implementations and the keys to success.

Key Concepts
• Seven domains of a typical IT infrastructure
• Aligning security policies with business requirements
• Common security controls for each domain
• Mitigating risks within domains with security policies
• Organizational hurdles to policy implementation
• Impact of executive management support
TOP Business Risks and Mitigations (three figure slides)
People Are Key
• People must understand key concepts of security policies
  • Makes application of policy easier in unanticipated circumstances
• People must be motivated to follow policy
  • Pride
  • Self-interest
  • Success
Personality Types (figure slide)
Organizational Structure
• Affects employee behavior
• Provides insight into management priorities
• Influence and authority of the Information Security Officer are based on position in the org chart
  • Down in the IT department: not much influence and authority
  • Reporting directly to CFO or CIO: more influence and authority
Typical Organizational Chart (figure slide)
CISO Reporting Directly to CFO (figure slide)
CISO Organizational Chart (figure slide)
Identify Business Risks
• Risks vary by industry and by organization
• Using business requirements, follow the data through the seven domains
• Map challenges and risks to domains
• Some challenges are common
Mitigate Risk through Policy
• Each of the seven IT domains has different types of risks associated with it
• Policy can reduce or mitigate these risks
• Each policy must address as many risks in that domain as possible
• Policies may cross domains
Overcoming User Apathy
• Engage leadership and adjust implementation strategy to include role-based explanation of policy
• Reinforce importance and value of information security through an ongoing awareness program
• Leadership should set the expectation that policy will be followed and monitor compliance
• Increase involvement by introducing redundancy: don't rely on a single individual whenever possible
Role of Security Policies per Domain (figure slide)
Domain Security Control Examples (figure slide)
Authentication
• Validation of credentials
  • Something you know: user ID/password
  • Something you have: token (e.g., smart card)
  • Something you are: biometrics
• Single-factor: one type of credential
• Multi-factor: more than one type of credential
• Method must suit the business context
  • Tokens + user ID/password to access Research & Development workstations
  • User ID/password to access Web site
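Added example (not from the slides): the three credential categories above as a small Python policy check, where a resource's business context decides which categories it requires. The credential kinds, resource names and policy table are constructed; the R&D workstation entry follows the slide's token + user ID/password rule.

```python
from enum import Enum


class Factor(Enum):
    """The three credential categories from the slide."""
    KNOWLEDGE = "something you know"   # user ID/password, PIN
    POSSESSION = "something you have"  # token, smart card
    INHERENCE = "something you are"    # biometrics


# Constructed table: credential kind a user can present -> its category.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "smart_card": Factor.POSSESSION,
    "otp_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

# Constructed policy: factor categories each business context requires.
# The R&D workstation entry mirrors the slide (token + user ID/password).
RESOURCE_POLICY = {
    "rd_workstation": {Factor.KNOWLEDGE, Factor.POSSESSION},
    "public_website": {Factor.KNOWLEDGE},
}


def factor_classes(credentials):
    """Distinct categories covered by the presented credential kinds."""
    unknown = [c for c in credentials if c not in CREDENTIAL_FACTOR]
    if unknown:
        raise ValueError(f"unrecognised credential kind(s): {unknown}")
    return {CREDENTIAL_FACTOR[c] for c in credentials}


def is_multi_factor(credentials):
    """Multi-factor means more than one *category*, not more than one
    credential: password + PIN is two secrets but still single-factor."""
    return len(factor_classes(credentials)) > 1


def meets_policy(resource, credentials):
    """Return (satisfied, missing_categories) for the resource's policy."""
    required = RESOURCE_POLICY[resource]
    missing = required - factor_classes(credentials)
    return not missing, missing
```

The password + PIN case is the one auditors most often catch: two credentials of the same category still count as single-factor.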
Authorization and Access Control
• Determines who has access to what
• "Who" can be a user, a device, or a service
• Example: Role-Based Access Control (RBAC)
  • Assign permissions to roles
  • Assign individuals to roles
• Benefit:
  • Reduces administrative overhead
  • Improves compliance through reduced complexity
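Added example (not from the slides): a minimal RBAC implementation in Python that follows the two assignment steps above and lets you measure the "reduced administrative overhead" claim by comparing the objects an administrator maintains under RBAC with the grants an equivalent per-principal ACL would need. Role names, permissions and principals (including a service account) are constructed.

```python
from collections import defaultdict


class Rbac:
    """Permissions attach to roles; principals (users, devices, services)
    attach to roles; nothing is granted to a principal directly."""

    def __init__(self):
        self.role_perms = defaultdict(set)       # role -> permissions
        self.principal_roles = defaultdict(set)  # principal -> roles

    def grant(self, role, *permissions):
        self.role_perms[role].update(permissions)

    def assign(self, principal, *roles):
        unknown = set(roles) - set(self.role_perms)
        if unknown:
            raise KeyError(f"undefined role(s): {sorted(unknown)}")
        self.principal_roles[principal].update(roles)

    def permissions_of(self, principal):
        """Effective permissions: union over the principal's roles."""
        roles = self.principal_roles.get(principal, ())
        return set().union(*(self.role_perms[r] for r in roles))

    def check(self, principal, permission):
        """Default deny: unknown principals get nothing."""
        return permission in self.permissions_of(principal)

    def rbac_assignment_count(self):
        """Objects an administrator maintains under RBAC."""
        return (sum(len(p) for p in self.role_perms.values())
                + sum(len(r) for r in self.principal_roles.values()))

    def acl_grant_count(self):
        """Grants an equivalent per-principal ACL would need instead."""
        return sum(len(self.permissions_of(p)) for p in self.principal_roles)


def build_demo():
    """Constructed R&D scenario, including a service principal."""
    r = Rbac()
    r.grant("developer", "repo:read", "repo:write", "build:run")
    r.grant("auditor", "repo:read", "log:read")
    r.grant("build-service", "build:run", "artifact:publish")
    for dev in ("alice", "bob", "carol", "dan"):
        r.assign(dev, "developer")
    r.assign("erin", "auditor")
    r.assign("ci-runner-01", "build-service")  # a device/service, not a person
    return r
```

Granting one more permission to the developer role updates all four developers at once, which is the overhead reduction the slide refers to.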
Role-Based Access Control Concept (figure slide)
Central Management System (figure slide)
Types of LANs: Flat vs. Segmented (figure slide comparing a segmented and a flat LAN)
Demilitarized Zone
• Sits between secure LAN and unsecure WAN
• Acts as a buffer
• Contains servers that provide public access
  • Web servers
  • Portals
LAN-to-WAN Topology with DMZ (figure slide)
Virtual Private Networks
• Types of WANs
  • Public Internet
  • Private WAN (ISDN, Frame Relay, leased line)
• VPNs provide encrypted tunnels through non-secure networks (e.g., Internet)
• Benefits
  • Cheaper than private WANs
  • Rapid deployment
Basic Types of VPN Connectivity (figure slide)
Data Loss Protection
• Also called data leakage protection (DLP)
• Goal of a DLP program is to prevent confidential information from leaving the organization accidentally or maliciously
• Layers of defense
  • Inventory: identification of data at rest
  • Perimeter: monitoring of data in motion
  • Encryption: encryption of data outside the network (e.g., mobile devices)
Automated Controls (two figure slides)
Why Organize Policies by Domain?
• Identify areas of policy overlap
• Examination of areas that might otherwise be overlooked
• Align the entire IT environment with business objectives
• Security policies for each domain support layered defenses and improve the security posture of the organization
Class Project
• Project Title: Department of Defense (DoD) Audit
• This is a team project. You will create 3 teams.
• Deliverables or milestone drafts as specified in the project content will be submitted.
