SECURITY

POLICY,PRCEDURES AND
PRACTICES

Prepared by : Vjetha
Bhat

vijetha v bhat
03/10/17 canara_college_mangaluru 1
 security policy
A security policy is a formal statement of the
rules by which people with access to an
organization's technology and information
assets must abide, to ensure the security of
these assets.
It provides a framework for making specific
decisions such as which defense mechanisms
to use and how to configure services.
Basis for developing secure programming
guidelines and procedures, for users and
system administrators to follow.

vijetha v bhat
03/10/17 canara_college_mangaluru 2
A security policy generally covers the following
aspects:
High-level description of the technical
environment-of the site, the legal environment, the
authority of the policy, and the basic philosophy to
be used when interpreting the policy.
Risk analysis to identify the site's .
Guidelines for system administrators on how to
manage the systems.
vijetha v bhat
03/10/17 canara_college_mangaluru 3
 Definition of acceptable use for users .
Guidelines for reacting to a site compromise .
A successful security policy involves many
contributing factors like management commitment,
technological support for enforcing the policy,
effective dissemination of the policy, and the security
awareness of all users.

vijetha v bhat
03/10/17 canara_college_mangaluru 4
Management assigns responsibility for security and ensures

that security personnel are adequately trained.

Security policy includes options like:

Challenge/response systems for authentication.

Encryption systems for confidential storage and transmission

of data.

Network tools such as firewalls and proxy servers.

Auditing systems for accountability and event reconstruction

vijetha v bhat
03/10/17 canara_college_mangaluru 5
Security Related Procedures
Procedures are specific steps to be followed,

based on the security policy.

Procedures address topics such as connecting to

the site's system from home or while traveling,

retrieving programs from the network, using

encryption, authentication for issuing accounts,

configuration, and monitoring.

vijetha v bhat
03/10/17 canara_college_mangaluru 6
 Security Practices
System administration practices play a key role in
network security.

Some commonly recommended practices are:

Implement a one-time password system, ensure that
all accounts have a password and these passwords
are difficult to guess.
Use strong cryptographic techniques to ensure the
integrity of system software on a regular basis.
Use safe programming techniques when writing
software.
vijetha v bhat
03/10/17 canara_college_mangaluru 7
 Make appropriate changes to the network

configuration when vulnerabilities become known .

keep the systems current with upgrades and patches.

check for security alerts and technical advice

regularly.

audit systems and networks, and regularly check logs

for detecting an intrusion.

vijetha v bhat
03/10/17 canara_college_mangaluru 8
 SITE SECURITY
A site is any organization that has network-related resources
like host computers that users use routers, terminal servers,
PCs, or other devices that are connected to internet.

A site may be service provider such as a mid-level network

or an end user of internet services.
It is important that the services hosted by the site provide
the intended functionality to legitimate clients, without any
breakdown.

Occasionally, a hacker may try to break-in and disrupt the

services or alter the contents of the site, which may be
embarrassing to the
organization.

vijetha v bhat
03/10/17 canara_college_mangaluru 9
 Separation of Services
A site may wish to provide many services to its
users, some of which may be external.
The services may have different levels of access
needs and models of trust.
Services which are essential to the security or
smooth operation of a site would be better off being
placed on a dedicated machine with very limited
access, rather than on a machine that is used for
providing greater accessibility and other services
that may be prone to security lapses.
vijetha v bhat
03/10/17 canara_college_mangaluru 10
 There are two conflicting, underlying philosophies that
can be adopted when defining a security plan.

The choice between them depends on the site and its

needs for security.

1. The "deny all" model suggests turning off all services

and then selectively enabling services on a case by
case basis as required.

2. The" allow all" model is based on the logic of simply

turning on all services, usually with the default at the
host level; and allowing all protocols to travel across
network boundaries, usually with the default at the
router level.
vijetha v bhat
03/10/17 canara_college_mangaluru 11
 Each of these models can be applied to different

portions of the site, depending on factors like

functionality requirements, administrative control, and

site policy.

Ex: "allow all" policy may be adopted for traffic between

a LAN's internal to the site, but a "deny all" policy can be

adopted between the site and the internet.

vijetha v bhat
03/10/17 canara_college_mangaluru 12
THANK YOU

vijetha v bhat
03/10/17 canara_college_mangaluru 13