INFORMATION SECURITY POLICIES & STANDARDS. IT Admin.
Page 1: IT Policy

INFORMATION SECURITY POLICIES & STANDARDS.

IT Admin.

Page 2: IT Policy

Challenges before us:

- Define security policies and standards.
- Measure actual security against policy.
- Report violations of policy.
- Correct violations to conform with policy.
- Summarize policy compliance for the organization.

BUT

Where DO we start?

Page 3: IT Policy

Basic Risk Assessment

- What assets within the organization need protection?
- What are the risks to each of these assets?
- How much time, effort, and money is the organization willing to expend to upgrade or obtain new, adequate protection against these threats?

Page 4: IT Policy

Identifying the Assets

Physical items:

- Sensitive data and other information
- Computers, laptops, mobiles, etc.
- Backups and archives
- Manuals, books, and guides
- Communications equipment and wiring
- Personnel records
- Audit records
- Commercial software distribution media

Non-physical items:

- Personnel passwords
- Public image and reputation
- Processing availability and continuity of operations
- Configuration information
- Data integrity
- Confidentiality of information

Page 5: IT Policy

The risks:

- Component failure
- Misuse of software and hardware
- Viruses, Trojan horses, or worms
- Unauthorized deletion or modification
- Unauthorized disclosure of information
- Penetration ("hackers" getting into your machines)
- Software bugs and flaws
- Fires, floods, or earthquakes
- Riots

Page 6: IT Policy

Data Sensitivity Classification:

Sensitive:

This classification applies to information that needs protection from unauthorized modification or deletion to assure its integrity. It is information that requires a higher than normal assurance of accuracy and completeness. Examples of sensitive information include organizational financial transactions and regulatory actions.

Page 7: IT Policy

Data Sensitivity Classification:

Confidential:

This classification applies to the most sensitive business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its stockholders, its business partners, and/or its customers. Health care-related information should be considered at least confidential.

Page 8: IT Policy

Data Sensitivity Classification:

Private:

This classification applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its employees.

Public:

This classification applies to all other information that does not clearly fit into any of the above three classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely affect the organization, its employees, and/or its customers.

Page 9: IT Policy

Types of Security Policies:

- Password policies
- Administrative responsibilities
- User responsibilities
- E-mail policies
- Internet policies
- Backup and restore policies

Technologies to secure IT infrastructure:

- Firewalls
- Auditing
- System policies
- IT admin policies

Page 10: IT Policy

E-mail Policies:

- The use of e-mail to conduct official business, which users should adhere to.
- The use of e-mail for personal business is strictly prohibited.
- Access control and confidential protection of messages.
- The management and retention of e-mail messages.
- Official e-mail IDs should not be used to subscribe to any sort of website.
- There should be no bulk e-mailing from any or all of the users within the organization.
- Spam e-mailing is against official policy, and any e-mail user who does so will be held to have committed a criminal offence.

Page 11: IT Policy

Internet Policies:

- A set of protocols and conventions used to traverse and find information over the Internet, which all users should follow.
- Browsers also introduce vulnerabilities to an organization, and this should be strictly prohibited.
- Web servers can be attacked directly or used as jumping-off points to attack an organization's internal networks, so users should be very careful while surfing and browsing.
- Firewalls and proper configuration of routers and the IP protocol can help to fend off denial-of-service attacks.

Page 12: IT Policy

Backup Policies:

The backup policies should include plans for:

- Regularly scheduled backups.
- Types of backups. Most backup systems support normal backups, incremental backups, and differential backups.
- A schedule for backups. The schedule should normally be during the night, when the company has the least number of users.
- The information to be backed up.
- Type of media used for backups: tapes, CD-ROMs, other hard drives, and so forth.
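The slide names three backup types without saying what each one copies or what a restore then needs. The following is an added worked example, not part of the original presentation: it models normal (full), incremental and differential backups over a constructed set of three files edited on two working days, with the nightly backup taken at 02:00 as the schedule point recommends. The file names, timestamps and the BackupHistory/BackupSet class names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class BackupSet:
    kind: str                  # "normal", "incremental" or "differential"
    taken_at: datetime
    files: dict                # file name -> mtime of the copy held in this set


@dataclass
class BackupHistory:
    sets: list = field(default_factory=list)

    def last_full(self):
        fulls = [s for s in self.sets if s.kind == "normal"]
        return fulls[-1] if fulls else None

    def run(self, kind, now, live_files):
        """Copy the files the chosen backup type selects and record the set.

        live_files maps file name -> last-modified time of the live file.
          normal:       every file (the baseline a restore starts from)
          incremental:  files changed since the most recent backup of any kind
          differential: files changed since the most recent normal backup
        """
        if kind == "normal" or self.last_full() is None:
            kind, since = "normal", None      # no baseline yet: the first run must be full
        elif kind == "incremental":
            since = self.sets[-1].taken_at
        elif kind == "differential":
            since = self.last_full().taken_at
        else:
            raise ValueError(f"unknown backup type {kind!r}")
        selected = {name: mtime for name, mtime in live_files.items()
                    if since is None or mtime > since}
        self.sets.append(BackupSet(kind, now, dict(selected)))
        return sorted(selected)

    def restore_chain(self):
        """Backup sets needed, oldest first, to rebuild the latest state.

        A differential supersedes every incremental taken since the full, so the
        chain is either full + all later incrementals, or full + the latest
        differential (+ any incrementals taken after it).
        """
        full = self.last_full()
        if full is None:
            return []
        chain = [full]
        for s in self.sets[self.sets.index(full) + 1:]:
            chain = [full, s] if s.kind == "differential" else chain + [s]
        return chain

    def restore(self):
        """Merge the restore chain; later sets overwrite earlier copies."""
        state = {}
        for s in self.restore_chain():
            state.update(s.files)
        return state


def simulate(scheme):
    """One constructed week: a full backup, then two nightly backups of the given
    scheme. Returns (files copied each night, kinds of sets needed to restore)."""
    night = datetime(2024, 1, 1, 2, 0)          # 02:00, when the fewest users are logged on
    day = timedelta(days=1)
    live = {"ledger.xlsx": night - day, "policy.docx": night - day, "config.ini": night - day}
    hist = BackupHistory()
    copied = [hist.run("normal", night, live)]
    live["ledger.xlsx"] = night + timedelta(hours=10)          # edited during day 1
    copied.append(hist.run(scheme, night + day, live))
    live["config.ini"] = night + day + timedelta(hours=10)     # edited during day 2
    copied.append(hist.run(scheme, night + 2 * day, live))
    assert hist.restore() == live                              # the latest state is recoverable
    return copied, [s.kind for s in hist.restore_chain()]


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        copied, chain = simulate(scheme)
        print(f"{scheme}: copied per night {copied}; restore needs {chain}")
```

The trade-off the policy has to settle is visible in the output: incrementals copy the least each night but a restore needs the full plus every incremental since, while differentials copy more each night (the edited ledger is copied again on night two) and a restore needs only two sets.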

Page 13: IT Policy

Secure Network Connectivity:

- Firewall configuration.
- Audits at regular intervals.
- System policies.
- Administrator policies.

Page 14: IT Policy

Firewalls:

- Should block unwanted traffic.
- Should direct incoming traffic to more trustworthy internal systems.
- Should hide vulnerable systems that cannot easily be secured from the Internet.
- Should log traffic to and from the private network.
- Should hide information such as system names, network topology, network device types, and internal user IDs from the Internet.
- Should provide more robust authentication than standard applications might be able to do.
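Three of the points above (block unwanted traffic, steer incoming traffic to a hardened host, log what is refused) come down to how a rule set is ordered and what happens when nothing matches. The following is an added example, not taken from the slides or from any firewall product: a small first-match rule evaluator with an implicit, always-logged default deny, run against four constructed probe packets. The address ranges (10.0.0.0/8 as the LAN, 192.0.2.10 as the DMZ web server) and the Rule/Packet/Firewall names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches every destination port
    log: bool = False
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _in_net(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


@dataclass
class Firewall:
    """First-match evaluation; anything no rule claims is dropped and logged."""
    rules: list
    log: list = field(default_factory=list)

    @staticmethod
    def matches(rule, pkt):
        return (_in_net(pkt.src, rule.src)
                and _in_net(pkt.dst, rule.dst)
                and rule.proto in ("any", pkt.proto)
                and rule.dport in (None, pkt.dport))

    def decide(self, pkt):
        for rule in self.rules:
            if self.matches(rule, pkt):
                if rule.log:
                    self.log.append(f"{rule.action.upper()} {pkt.proto} {pkt.src} -> "
                                    f"{pkt.dst}:{pkt.dport} ({rule.comment})")
                return rule.action
        # Default policy: deny, and always record it so the private network's
        # unwanted traffic shows up in the audit trail.
        self.log.append(f"DENY {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} (default policy)")
        return "deny"


INTERNAL = "10.0.0.0/8"      # constructed: the private LAN
DMZ_WEB = "192.0.2.10/32"    # constructed: hardened public web server in the DMZ

POLICY = [
    Rule("allow", "any", DMZ_WEB, "tcp", 443, comment="public HTTPS reaches only the DMZ host"),
    Rule("allow", INTERNAL, "any", "any", comment="internal users may initiate outbound traffic"),
    Rule("deny", "any", INTERNAL, "any", log=True, comment="nothing from outside reaches the LAN directly"),
]


def simulate():
    """Evaluate constructed probes; returns (decisions, log lines)."""
    fw = Firewall(POLICY)
    probes = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web: wanted
        Packet("203.0.113.7", "192.0.2.10", "tcp", 22),    # Internet -> DMZ admin port: unwanted
        Packet("203.0.113.7", "10.1.2.3", "tcp", 445),     # Internet -> internal file share
        Packet("10.1.2.3", "198.51.100.4", "tcp", 443),    # internal user -> Internet
    ]
    return [fw.decide(p) for p in probes], fw.log


if __name__ == "__main__":
    decisions, log = simulate()
    print(decisions)
    print("\n".join(log))
```

Only the DMZ host is reachable from outside, and only on the one port the policy names; the administrative port on that same host is refused by the default policy rather than by a rule someone must remember to write, and both refusals appear in the log.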

Page 15: IT Policy

Auditing:

- Logon and logoff information
- System shutdown and restart information
- File and folder access
- Password changes
- Object access
- Policy changes

Page 16: IT Policy

System Policies:

- All systems should be configured with a proper firewall gateway.
- Systems should have only licensed software installed, and only the software required for their use.
- Every system should allow login only to authenticated users with complex passwords.
- A password must be initially assigned to a user when enrolled on the system.
- Users must remember their passwords.
- Users must enter their passwords into the system at authentication time.
- Employees may not disclose their passwords to anyone.

Page 17: IT Policy

IT Admin Policies:

- A user's password must be changed periodically.
- The system must maintain a "password database."
- All systems must have user and administrator roles defined.
- Scheduled audits to ensure compliance with the IT security policies.
- Administrator passwords should not be shared.
- No spam or network-violating activities within the organization.
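The password rules on the System Policies and IT Admin Policies slides (complex passwords, an initially assigned password, periodic change, a "password database", user and administrator roles) are stated as policy; the following is an added example of what enforcing them looks like in code. It is not from the slides or from any product. The 90-day maximum age, the 12-character minimum, the PBKDF2 cost, the PasswordDatabase class and the sample user "asmith" with its passwords are all assumptions made for the example; the slides only say "complex" and "periodically".

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 12                         # assumed: the slide says only "complex"
MAX_AGE = timedelta(days=90)            # assumed rotation period for "changed periodically"
PBKDF2_ROUNDS = 100_000


def check_complexity(password):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if re.search(r"(.)\1\1", password):
        problems.append("contains a character repeated three times in a row")
    return problems


class PasswordDatabase:
    """The policy's "password database": salted PBKDF2 hashes, never clear text,
    plus the metadata needed to force a first change and to expire old passwords."""

    def __init__(self, clock=datetime.now):
        self._records = {}
        self._clock = clock             # injectable so expiry can be exercised offline

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, user, role, initial_password):
        """Administrator assigns the first password; the user must replace it at first logon."""
        salt = os.urandom(16)
        self._records[user] = {
            "role": role,               # "user" or "administrator"
            "salt": salt,
            "hash": self._hash(initial_password, salt),
            "changed_at": self._clock(),
            "must_change": True,
        }

    def authenticate(self, user, password):
        """Return "ok", "change-required", "expired" or "denied"."""
        rec = self._records.get(user)
        if rec is None or not hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
            return "denied"             # same answer for unknown user and wrong password
        if rec["must_change"]:
            return "change-required"
        if self._clock() - rec["changed_at"] > MAX_AGE:
            return "expired"
        return "ok"

    def change_password(self, user, old, new):
        """Return the list of reasons the change was refused; empty on success."""
        if self.authenticate(user, old) == "denied":
            return ["current password incorrect"]
        rec = self._records[user]
        problems = check_complexity(new)
        if not problems and hmac.compare_digest(self._hash(new, rec["salt"]), rec["hash"]):
            problems.append("new password must differ from the current one")
        if problems:
            return problems
        rec["salt"] = os.urandom(16)    # fresh salt on every change
        rec["hash"] = self._hash(new, rec["salt"])
        rec["changed_at"] = self._clock()
        rec["must_change"] = False
        return []


def demo():
    """Walk a constructed user through enrolment, forced change and expiry."""
    now = [datetime(2024, 1, 1)]
    db = PasswordDatabase(clock=lambda: now[0])
    db.enroll("asmith", "user", "Welcome-2024!a")        # constructed sample account
    steps = {"first_logon": db.authenticate("asmith", "Welcome-2024!a")}
    steps["weak_rejected"] = db.change_password("asmith", "Welcome-2024!a", "password")
    steps["strong_accepted"] = db.change_password("asmith", "Welcome-2024!a", "Tr0ub4dor&Lantern")
    steps["after_change"] = db.authenticate("asmith", "Tr0ub4dor&Lantern")
    now[0] += MAX_AGE + timedelta(days=1)                # clock runs past the rotation period
    steps["after_max_age"] = db.authenticate("asmith", "Tr0ub4dor&Lantern")
    steps["wrong_password"] = db.authenticate("asmith", "nope")
    return steps


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Returning a status rather than a bare yes/no is what lets the logon path act on the policy: an expired or initially assigned password still proves identity, so the user is sent straight to the change dialog, while the rotation itself is enforced by the database, not by a reminder e-mail.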

Page 18: IT Policy

PRESENTED BY

Senseware IT Admin
Responsibilities: Managed IT.

Thank you for the time devoted.