
Security+ Guide to Network Security Fundamentals, Third Edition

Chapter 14 Security Policies and Training

Objectives
Define organizational security policy
List the types of security policies
Describe how education and training can limit the impact of social engineering


Organizational Security Policies


Plans and policies must be established by the organization to ensure that users correctly implement the hardware and software defenses

One of the key policies is an organizational security policy


What Is a Security Policy?


Security policy
A written document that states how an organization plans to protect the company's information technology assets

An organization's information security policy can serve several functions:


It can be an overall intention and direction
It details specific risks and how to address them
It can create a security-aware organizational culture
It can help to ensure that employee behavior is directed and monitored


Balancing Trust and Control


An effective security policy must carefully balance two key elements: trust and control
Three approaches to trust:
Trust everyone all of the time
Trust no one at any time
Trust some people some of the time

Deciding on the level of control for a specific policy is not always clear
The security needs and the culture of the organization play a major role when deciding what level of control is appropriate


Designing a Security Policy


Definition of a policy
Standard
A collection of requirements specific to the system or procedure that must be met by everyone

Guideline
A collection of suggestions that should be implemented

Policy
Document that outlines specific requirements or rules that must be met


Designing a Security Policy (continued)


A policy generally has these characteristics:
Policies communicate a consensus of judgment
Policies define appropriate behavior for users
Policies identify what tools and procedures are needed
Policies provide directives for Human Resource action in response to inappropriate behavior
Policies may be helpful in the event that it is necessary to prosecute violators


Designing a Security Policy (continued)


The security policy cycle
The first phase involves a risk management study:
Asset identification
Threat identification
Vulnerability appraisal
Risk assessment
Risk mitigation

The second phase of the security policy cycle is to use the information from the risk management study to create the policy
The final phase is to review the policy for compliance

Designing a Security Policy (continued)


Steps in development
When designing a security policy, many organizations follow a standard set of principles
It is advisable that the design of a security policy should be the work of a team
The team should first decide on the scope and goals of the policy
Statements regarding due care are often included
Due care
The obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them


Designing a Security Policy (continued)


Many organizations also follow these guidelines while developing a policy:
Notify users in advance that a new security policy is being developed and explain why the policy is needed
Provide a sample of people affected by the policy with an opportunity to review and comment on the policy
Prior to deployment, give all users at least two weeks to review and comment
Allow users the authority to carry out their responsibilities in a given policy

Types of Security Policies


The term security policy becomes an umbrella term for all of the subpolicies included within it


Types of Security Policies (continued)


Most organizations have security policies that address:
Acceptable use
Security-related human resources
Password management and complexity
Personally identifiable information
Disposal and destruction
Service level agreements
Classification of information
Change management
Ethics


Acceptable Use Policy (AUP)


Acceptable use policy (AUP)
Defines the actions users may perform while accessing systems and networking equipment
May have an overview regarding what is covered by this policy

The AUP usually provides explicit prohibitions regarding security and proprietary information
Unacceptable use may also be outlined by the AUP
Acceptable use policies are generally considered to be the most important information security policies

Security-Related Human Resource Policy


Security-related human resource policy
A policy that addresses security as it relates to human resources
Includes statements regarding how an employee's information technology resources will be addressed

Due process
The principle of treating all accused persons in an equal fashion, using established rules and principles

Due diligence
Any investigation into suspicious employee conduct will examine all material facts

Password Management and Complexity Policy


Password management and complexity policy
Can clearly address how passwords are created and managed

The policy should also specify what makes up a strong password


Personally Identifiable Information (PII) Policy


Personally identifiable information (PII) policy
Outlines how the organization uses personal information it collects


Disposal and Destruction Policy


Disposal and destruction policy
Addresses the disposal of resources that are considered confidential
Often covers how long records and data will be retained
Involves how to dispose of equipment


Service Level Agreement (SLA) Policy


Service level agreement (SLA)
A service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service

Service level agreement (SLA) policy


An organizational policy that governs the conditions to be contained in an SLA

Many SLA policies contain tiers of service


Classification of Information Policy


Classification of information policy
Designed to produce a standardized framework for classifying information assets

Generally, this involves creating classification categories such as high, medium, or low
And then assigning information into these categories


Change Management Policy


Change management
Refers to a methodology for making changes and keeping track of those changes, often manually
Seeks to approach changes systematically and provide documentation of the changes

Change management policy


Outlines how an organization will manage changes in a rational and predictable manner so employees and clients can plan accordingly


Ethics Policy
Values
A person's fundamental beliefs and principles used to define what is good, right, and just

Morals
Values that are attributed to a system of beliefs that help the individual distinguish right from wrong

Ethics
The study of what a group of people understand to be good and right behavior and how people make those judgments

Ethics Policy (continued)


Ethics policy
A written code of conduct intended to be a central guide and reference for employees in support of day-to-day decision making
Intended to clarify an organization's mission, values, and principles, and link them with standards of professional conduct


Education and Training


Education and training involve understanding the importance of organizational training and how it can be used to reduce risks, such as social engineering


Organizational Training
All computer users in an organization share a responsibility to protect the assets of that organization
Users need training in the importance of securing information, the roles that they play in security, and the steps they need to take to ward off attacks

All users need:


Continuous training in the new security defenses
To be reminded of company security policies and procedures

Organizational Training (continued)


One of the challenges of organizational education and training is to understand the traits of learners


Organizational Training (continued)


Training style also impacts how people learn
Most people are taught using a pedagogical approach
However, for adult learners, an andragogical approach is often preferred

There are different learning styles:
Visual learners
Auditory learners
Kinesthetic learners

Reducing Risks of Social Engineering


Social engineering
Relies on tricking and deceiving someone to provide secure information

Phishing
One of the most common forms of social engineering
Involves sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
Both the e-mails and the fake Web sites appear to be legitimate

Reducing Risks of Social Engineering (continued)


Variations on phishing attacks:
Spear phishing
Pharming
Google phishing

Ways to recognize phishing messages include:


Deceptive Web links
E-mails that look like Web sites
Fake sender's address
Generic greeting
Pop-up boxes and attachments


Reducing Risks of Social Engineering (continued)


Ways to recognize phishing messages include: (continued)
Unsafe Web sites
Urgent request

Some organizations have turned to creating regular reminders to users regarding phishing attacks
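The indicators listed above can be checked mechanically before a message reaches a user. The following Python script is an added example, not material from the textbook; it applies four of the chapter's indicators (fake sender's address, deceptive Web link, generic greeting, urgent request) to a raw e-mail, and its keyword lists and sample message are constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicator names follow the chapter's list; the keyword lists are constructed here.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent", "act now")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"https?://[^\s<>\"]+|(?:www\.)?[\w-]+\.[a-z]{2,}", re.I)

def registrable(url_or_host):
    # Reduce a URL or host name to its last two labels, e.g. "example-bank.com".
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def phishing_indicators(raw_message):
    # Return the chapter's indicators that are present in one raw e-mail.
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    found = []
    # Fake sender's address: replies are routed to a domain other than the From domain.
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].split("@")[-1]
    if reply_domain and registrable(reply_domain) != registrable(from_domain):
        found.append("fake sender address")
    # Deceptive Web link: the visible link text names one domain, the href leads to another.
    for href, text in ANCHOR_RE.findall(body):
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group()) != registrable(href):
            found.append("deceptive web link")
            break
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    if any(g in plain for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    if any(w in plain for w in URGENCY_WORDS):
        found.append("urgent request")
    return found

# Constructed sample message that shows all four indicators at once.
SAMPLE_PHISH = """From: Example Bank <support@example-bank.com>
Reply-To: collect@mail-verify.example
Content-Type: text/html

<p>Dear Customer, your account will be suspended within 24 hours. Please visit
<a href="http://account-check.example/login">www.example-bank.com/secure</a>
to confirm your details.</p>
"""
```

Running phishing_indicators(SAMPLE_PHISH) returns all four indicator names; a message whose link text and href agree, whose Reply-To matches the From domain, and which greets the recipient by name returns an empty list.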


Reducing Risks of Social Engineering (continued)


Dumpster diving
Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away

Shoulder surfing
Watching an individual enter a security code or password on a keypad

Computer hoax
An e-mail message containing a false warning to the recipient of a malicious entity circulating through the Internet

Summary
A security policy is a written document that states how an organization plans to protect the company's information technology assets
A standard is a collection of requirements specific to the system or procedure that must be met by everyone, while a guideline is a collection of suggestions that should be implemented
A policy is a document that outlines specific requirements or rules that must be met, and is the correct means to be used for establishing security

Summary (continued)
Because a security policy is so comprehensive and often detailed, most organizations choose to break the security policy down into smaller subpolicies
A personally identifiable information (PII) policy outlines how the organization uses information it collects
To provide users with the knowledge and skills necessary to support information security, users need to receive ongoing training
Social engineering relies on tricking and deceiving someone to provide secure information
