Information security has evolved from securing physical access to mainframes during World War II to modern concerns over networked and digital assets. It began with physical controls but now addresses software, data, networks and more. Effective security requires balancing protection with reasonable access and is best achieved through a structured methodology like SecSDLC that considers security in all phases from analysis to maintenance. Information security seeks to preserve the confidentiality, integrity and availability of information through technical, operational and personnel countermeasures.
Introduction
Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002)
It is necessary to review the origins of this field and its impact on our understanding of information security today.

The History of Information Security
The first mainframes were built to aid code-breaking computations during World War II.
How was security provided? Through physical controls that limited access to sensitive military locations to authorized personnel: badges, keys, and facial recognition by security guards.
Primary threats to information security: physical theft of equipment, espionage against the products of the systems, and sabotage.

Figure 1-1 – The Enigma (Principles of Information Security, 2nd Edition)

The History of Information Security
The first documented problem that was not physical in nature (early 1960s): one administrator was editing a file while another administrator was editing the password file; a software glitch mixed the two files, and the result was printed on every output file.

History of the Internet
Objective: link mainframes to share information.
The Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications.
Larry Roberts developed ARPANET from its inception.
ARPANET was the first Internet.
In the 1970s and 1980s ARPANET became popular and more widely used; at the same time the potential for its misuse grew.
Robert M. “Bob” Metcalfe (1973) identified fundamental problems of ARPANET while developing Ethernet (a networking protocol).

Drawbacks of ARPANET
Fundamental problems with ARPANET: no safety procedures for dial-up connections to ARPANET; non-existent user identification and authorization to the system.

R-609: Formal Report on Information Security
Information security began with Rand Report R-609, the paper that started the study of computer security. It defines mechanisms for protecting systems.
The scope of computer security grew from physical security to include: safety of data; limiting unauthorized and random access to data; involvement of personnel from multiple levels of an organization in matters pertaining to information security.

The History of Information Security
Multics: an operating system in which security was the primary goal. Unix was developed afterwards.
Late 1970s: the microprocessor was invented, expanding both computing capabilities and security threats.
From mainframe to PC: decentralized computing; the need for sharing resources increased; a major change in computing.

The 1990s
The Internet was born (a global network of networks), and virtually all computers became connected to it.
In early Internet deployments, security was treated as a low priority; only physical protection was considered.
Now, data and information protection are the highest priority.

The Present
The Internet brings millions of computer networks into communication with each other—many of them unsecured.
The ability to secure a computer’s data is influenced by the security of every computer to which it is connected.

What is Security?
“The quality or state of being secure—to be free from danger”; in other words, protection against adversaries.
A successful organization should have multiple layers of security in place: physical security, personal security, operations security, communications security, network security, and information security.

What is Information Security (InfoSec)?
“The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information” (NSTISSC).
Necessary tools: policy, awareness, training, education, technology.
NSTISSC defined the model of information security: the C.I.A. triangle (key objectives confidentiality, integrity, and availability).

Drawbacks of the CIA Model
The CIA model does not adequately address present-day issues, so it has been expanded.

Critical Characteristics of Information
The value of information comes from the characteristics it possesses:
Availability: no interference or obstruction for authorized users; no delay, and delivery in the required format.
Accuracy: no errors.
Authenticity: data origin, e.g. the sender of an email.
Confidentiality: prevent disclosing information to unauthorized users.

Critical Characteristics of Information
Integrity: prevent unauthorized modification or damage. A virus or worm can compromise integrity, and so can transmission errors. Integrity checking mechanisms: size of the file, hash values, error-correcting codes, retransmission.
Utility: meaning of information (format of information); applicability of information for some purpose.

Critical Characteristics of Information (contd.)
Possession: ownership. A breach of confidentiality results in a breach of possession, but not the reverse.

NSTISSC Security Model
National Training Standard for Information Systems Security Professionals (NSTISSC). Documentation prepared by John McCumber: http://www.cnss.gov/Assets/pdf/nstissi_4011.pdf
Graphical representation of this model: the McCumber Cube, with 27 cells representing areas that must be

Figure 1-4 – NSTISSC Security Model

Components of an Information System
Software: perhaps the most difficult to secure; bugs, weaknesses, or other fundamental problems create security holes.
Hardware: physical security policies; securing the physical location is important; laptops; flash memory.

Components of an Information System
Data: often the most valuable asset and the main target of intentional attacks; use of a DBMS to protect data.
People: have always been threats to information systems; must be well trained, educated and informed.
Procedures: written instructions for accomplishing a specific task; unauthorized use of procedures; educating employees about safeguarding the

Components of an Information System
Networks: locks and keys won’t work; implement alarm and intrusion systems to make system owners aware of ongoing compromises.

Securing Components
A computer can be the subject of an attack and/or the object of an attack. When it is the subject of an attack, the computer is used as an active tool to conduct the attack; when it is the object of an attack, the computer is the entity being attacked.
Two types of attack:
Direct: the hacker uses their computer to break into a system.
Indirect: a system is compromised and used to attack other systems.

Information Security vs. Access
It is impossible to obtain perfect security—security is a process, not a goal.
Security should be considered a balance between protection and availability. To achieve the balance, the level of security must allow reasonable access, yet protect against threats.

Figure 1-6 – Balancing Security and Access

Security Implementation Mechanisms: Bottom-Up Approach
An incremental process that begins at the grassroots level, initiated by system administrators. It needs coordination, time and patience.
Advantages: the technical expertise of system administrators.
Disadvantages: sometimes the bottom-up approach does not work; lack of participant support and organizational

Security Implementation Mechanisms: Top-Down Approach
Initiated by upper management, who issue policy, procedures and processes; dictate the goals and expected outcomes of the project; and determine accountability for each required action.
Formal top-down approach: the Systems Development Life Cycle (SDLC).

Systems Development Life Cycle (SDLC)
The SDLC is a methodology for designing and implementing an information system. It can also be used for developing security systems (SecSDLC). The methodology contains a structured sequence of procedures. The traditional SDLC consists of six general phases.

How to Secure the SDLC?
Each phase of the SDLC should include security measures.
Investigation/Analysis phases:
Security Categorization: defines three levels (low, moderate, or high) of potential impact on organizations or individuals should there be a breach of security.
Preliminary Risk Assessment: the basic security needs of the system; defines the threat environment in which the system
Logical/Physical Design phases:
Risk Assessment: identifies the protection requirements for the system through a formal risk assessment process.
Cost Considerations and Reporting: the development cost of the information security system.
Security Planning: provides a complete description of the information system and reference materials for the information security system.
Security Test and Evaluation: design and develop a complete security test plan.
Implementation phase:
Inspection and Acceptance: verifies that the functionality described in the specification is included in the deliverables.
System Integration: the system is integrated at the operational site and all the security controls are available.
Security Certification: verifies that the security controls are working properly.
Maintenance & Change phase:
Configuration Management and Control: consideration of the potential security impacts of specific changes to an information system or its surrounding environment.
Continuous Monitoring: periodic tests to assure that the security controls are working.

The Security Systems Development Life Cycle
The SecSDLC has the same phases as the traditional SDLC, with identification of specific threats and creation of controls to counter them. It is a logical program rather than a series of random, seemingly unconnected actions.
Investigation: identifies the process, outcomes, goals, and constraints of the project (initiated by upper management); begins with the enterprise information security policy.
Analysis: reviews existing security policies and legal issues; performs a risk analysis of the threats to the organization’s security.
Logical Design: creates and develops blueprints for information security; implements key policies that influence the information security program; designs incident response actions (continuity planning, incident response, disaster recovery); performs a feasibility analysis to determine whether the project should continue or be outsourced.
Physical Design
Implementation: security solutions are acquired, tested, implemented, and tested again; personnel issues are evaluated and specific training and education programs conducted; the entire tested package is presented to management for final approval.
Maintenance and Change: constantly changing threats require constant monitoring, testing, updating and implementing change.

Security Professionals and the Organization
A wide range of professionals is required to support a diverse information security program. Senior management is a key component; additional administrative support and technical expertise are also required to implement the details of the information security program.

Senior Management
Chief Information Officer (CIO): the senior technology officer; primarily responsible for advising senior executives on strategic planning.
Chief Information Security Officer (CISO): primarily responsible for assessment, management, and implementation of information security in the organization; usually reports directly to the CIO.

Information Security Project Team
A number of individuals who are experienced in one or more facets of technical and non-technical areas:
Champion: a senior executive who promotes the project
Team leader: a project manager or departmental-level manager
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

Data Ownership
Data Owner: responsible for the security and use of a particular set of information.
Data Custodian: responsible for the storage, maintenance, and protection of information.
Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization.

Communities of Interest
A group of individuals united by similar interests or values in an organization:
Information Security Management and Professionals
Information Technology Management and Professionals
Organizational Management and Professionals

Critical Infrastructure
From Wikipedia:
Critical infrastructure is a term used by governments to describe systems or material assets that are essential for the functioning of a society and economy. Most commonly associated with the term are facilities for:
electricity generation and distribution;
telecommunication;
water supply;
agriculture, food production and distribution;
heating (natural gas, fuel oil);
public health;
transportation systems (fuel supply, railway network, airports);
financial services;
security services (police, military).
Critical-infrastructure protection is the study, design and implementation of precautionary measures aimed to reduce the risk that critical infrastructure fails as the result of war, disaster, civil unrest, vandalism, or sabotage.

Summary
Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”
Computer security began immediately after the first mainframes were developed.
Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
Security should be considered a balance between protection and availability.
Information security must be managed like any major system implemented in an organization, using a methodology like the SecSDLC.
Implementation of information security is often described as a combination of art and science.

Model for Information Assurance
Model for information security: the McCumber Cube by John McCumber.
Information Systems Security (INFOSEC) has evolved into Information Assurance (IA). Information Assurance not only expands the coverage, but also the responsibilities and accountability of security professionals. The InfoSec model needs changes.

MSR Model
Has four dimensions: information states, security services, security countermeasures, and time.
MSR Model: Information States
Three states: stored, processed, transmitted. Information can be in two states at a time, e.g. sending an email (transmission and storage states).

MSR Model: Time
Time has an impact on all the dimensions of the model. E.g. the introduction of new technology, over time, requires modifications to the other dimensions of the integrated model in order to restore a system to a secure state of operation. The human side of the timeline leads to career progression.

Computer Forensics and Techniques
What is computer forensics? The scientific study or research for the purpose of gathering digital evidence in cases of cyber crime or for other scientific research purposes.
Who can conduct computer forensics? A government-authorized computer forensic agent; in Sri Lanka (SL), the Digital Forensic Lab operated by the Sri Lanka Police.

Computer Forensics and Techniques
What offences does the Computer Crime Act No. 24 of Sri Lanka cover?
Hacking: unauthorized access to a system and manipulation of data.
Collecting, changing, corrupting and destroying data without approval.
Offences against national security, the national economy and public order.
Offences resulting in cheating amounting to

Computer Forensics and Techniques
Digital evidence is like any other evidence, but the difference is that it exists in digital form, e.g. computer data, disks, printed documents, etc. Digital evidence could be encrypted or hidden (not easy to access), so forensic techniques are needed to analyze digital evidence.

Forensic Techniques for Computer Networks
Packet sniffing: pulling critical data packets out of these networks; packets can contain useful information such as usernames, passwords, incoming/outgoing emails, etc.
IP address tracing: to identify the origin of the data/message.
Email address tracing: achieved by analyzing email headers.

Forensic Techniques for Computer Systems
File structure: look for suspicious files, i.e. files that are encrypted, hidden, or hashed with some algorithm.
Storage media: erased or formatted data; advanced techniques to recover data; sometimes a data fragment is sufficient as digital evidence.
Steganography: hiding information in images, sounds or any other file format; extremely difficult to recover the original; steganalysis and decryption techniques are useful for data recovery.
Prints are printouts taken from a computer printer.

Tools Used in Computer Forensics
Hex editors, disassemblers, disk analyzers, decryptors, packet sniffers, DNS tools.

Computer Forensics Jobs
A computer forensics investigator combats crimes which range from damaged file system recovery on computers to crimes against children. The need for computer forensic specialists is rising due to the rising number of cyber crimes.
Duties of a computer forensic specialist: recovering, assessing, and presenting computer data in such a way that they can

Active Attacks
Masquerade: one entity pretends to be a different entity.
Replay: passive capture of data units and subsequent retransmission.
Modification of messages: some portion of the original message is altered. E.g. “Allow Floria Serban to read the file accounts” is modified to mean “Allow Dorothie Rinhard to read the file accounts”.
Active Attacks (contd.)
Denial of service: prevents the normal use of communication facilities. E.g. directing all messages to another destination, or disrupting the whole network by overloading it to degrade performance or disable the network.

Active Attacks vs. Passive Attacks
Passive attacks: difficult to detect, but measures are available to prevent them.
Active attacks: quite difficult to prevent absolutely; the goal is to detect active attacks and recover from any disruption.

Security Services
X.800 defines a security service as a service that is provided by a protocol layer

Cryptographic System Classification
Type of operations used for transforming plaintext into ciphertext.
Number of keys used: a single key (symmetric encryption); multiple keys (asymmetric or public-key encryption).
The way in which the plaintext is processed (blocks or characters).

Cryptanalysis
The process of attempting to identify the plaintext or the key. Cryptanalyst: one who analyses the encrypted message.

Feistel Cipher Structure
Described by Horst Feistel of IBM in 1973. The Feistel structure is the model for most symmetric block ciphers.
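The defining property of the structure, which the slide only names, is that the same round network decrypts when the subkeys are applied in reverse order. The following is an added example, not code from the slides or from any cipher standard: a minimal Feistel network with a toy round function and key schedule of my own choosing (SHA-256 stands in for the cipher's real F), so it illustrates the structure rather than being a cipher to deploy.

```python
# Added example (not from the slides): a minimal Feistel network showing that
# decryption is the same algorithm run with the round keys reversed. The round
# function and key schedule are toy choices (SHA-256 as a stand-in for F).
import hashlib

BLOCK_BYTES = 8      # 64-bit block split into two 32-bit halves, as in DES
ROUNDS = 16
MASK32 = 0xFFFFFFFF


def round_function(half: int, subkey: int) -> int:
    """Toy F(R, K): hash the right half together with the subkey down to 32 bits."""
    data = half.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key: bytes, rounds: int = ROUNDS) -> list:
    """Derive one 32-bit subkey per round from the master key (toy schedule)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


def feistel(block: bytes, subkeys: list) -> bytes:
    """Run the rounds: L(i+1) = R(i), R(i+1) = L(i) XOR F(R(i), K(i))."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("exactly one 8-byte block expected")
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in subkeys:
        left, right = right, (left ^ round_function(right, k)) & MASK32
    # The final swap is what lets the same routine invert itself when the
    # subkeys are fed in reverse order.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key_schedule(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key_schedule(key)[::-1])


def differing_bits(a: bytes, b: bytes) -> int:
    """Count bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key, pt = b"toy-key", b"ABCDEFGH"          # constructed inputs
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key))
    print("bits changed by a 1-bit plaintext change:",
          differing_bits(ct, encrypt_block(b"ABCDEFGI", key)))
```

Note that F itself is never inverted: the XOR cancels it, which is why a Feistel cipher can use a non-invertible round function, and why a weak F or too few rounds (rather than the structure) is where real designs fail.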
Weakness of DES
In July 1998 the Electronic Frontier Foundation (EFF) broke DES.

Public-Key Cryptography and Message Authentication
Encryption protects against passive attacks; message authentication protects against active attacks.

Message Authentication without Message Encryption
No encrypted message, but an authentication tag is appended to the message. The message can be read independently of the authentication tag.
Application: if the recipient is usually heavily loaded, decrypting each message would cost too much time; in such a case authentication alone is sufficient.

Message Authentication Code (MAC)
Uses a common secret key Kab.
MAC_M = F(Kab, M): a number of methods are available for generating the MAC.
The MAC is calculated by both parties to check authenticity.
Assumption: the secret key is shared through a secure channel.
Function F: F can consist of encrypting the message with DES, with the MAC being the last 16 or 32 bits.

One-Way Hash Function
Fixed-size message digest H(M), where M is a variable-size message; no secret key.
H(M) is attached to the message, and the recipient compares the received message digest with the one it computes.
H(M) can be encrypted using a symmetric (single-key) or asymmetric (public-key) method.

No encryption, but uses a hash function that concatenates a secret value (Sab) with the message; the secret value is shared through a secure channel.
MD_M = H(Sab || M), and send [M || MD_M].
This method is known as HMAC and is adopted for IP security.
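To make the last three slides concrete, the following added example (not code from the slides) puts the plain digest H(M), the secret-prefix tag H(Sab || M) written above, and the standardized HMAC side by side, and runs each against the "modification of messages" attack from the active-attacks slide. The shared secret and the two messages are constructed; as the MAC slide assumes, the secret is taken to have been exchanged over a secure channel. One caveat the slide glosses over: the bare H(Sab || M) construction is not what RFC 2104 calls HMAC, which is the nested H((K xor opad) || H((K xor ipad) || M)); with Merkle-Damgård hashes such as SHA-256 the secret-prefix form is exposed to length-extension, which is why the nested form is the one standardized and the one to use.

```python
# Added example (not from the slides): three tagging schemes compared against
# the "modification of messages" attack. S_AB and the messages are constructed.
import hashlib
import hmac

S_AB = b"constructed-shared-secret-Kab"   # assumed exchanged over a secure channel
ORIGINAL = b"Allow Floria Serban to read the file accounts"
TAMPERED = b"Allow Dorothie Rinhard to read the file accounts"


def unkeyed_digest(_secret: bytes, message: bytes) -> bytes:
    """H(M): the one-way hash alone; the secret argument is ignored."""
    return hashlib.sha256(message).digest()


def secret_prefix(secret: bytes, message: bytes) -> bytes:
    """MD_M = H(S_ab || M): the keyed-hash construction as written on the slide."""
    return hashlib.sha256(secret + message).digest()


def hmac_sha256(secret: bytes, message: bytes) -> bytes:
    """Standard HMAC (RFC 2104): H((K xor opad) || H((K xor ipad) || M))."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def receiver_accepts(message: bytes, tag: bytes, tagger) -> bool:
    """Receiver recomputes the tag with S_ab and compares in constant time."""
    return hmac.compare_digest(tagger(S_AB, message), tag)


def forgery_accepted(tagger) -> bool:
    """Attacker rewrites the message and recomputes the tag without S_ab."""
    forged_tag = tagger(b"", TAMPERED)      # the real secret is not available
    return receiver_accepts(TAMPERED, forged_tag, tagger)


def flip_one_bit(message: bytes) -> bytes:
    """Simulate a transmission error in the first byte."""
    return bytes([message[0] ^ 0x01]) + message[1:]


def compare_schemes() -> dict:
    """Genuine message, corrupted message and attacker forgery, per scheme."""
    results = {}
    for name, tagger in (("digest", unkeyed_digest),
                         ("secret_prefix", secret_prefix),
                         ("hmac", hmac_sha256)):
        tag = tagger(S_AB, ORIGINAL)                 # sender transmits [M || tag]
        results[name] = {
            "genuine_accepted": receiver_accepts(ORIGINAL, tag, tagger),
            "corruption_detected": not receiver_accepts(flip_one_bit(ORIGINAL), tag, tagger),
            "forgery_accepted": forgery_accepted(tagger),
        }
    return results


if __name__ == "__main__":
    for scheme, outcome in compare_schemes().items():
        print(scheme, outcome)
```

All three schemes catch the flipped bit, which is the integrity-checking role the "critical characteristics" slides give hash values, but only the two keyed schemes reject the rewritten message: with a bare digest the attacker simply recomputes H(M') for the altered text. The comparison uses hmac.compare_digest so that the verifier does not leak, through timing, how many leading bytes of a guessed tag were right.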
Public-Key Cryptography
An alternative to symmetric encryption, first proposed by Diffie and Hellman (1976). Based on mathematical functions rather than bitwise operations. Uses two keys, public and private; no key sharing.
Ingredients: plaintext, encryption algorithm, public and private keys, ciphertext, decryption algorithm.

Essential Steps
The user creates a pair of keys and places one key in a public register (the public key) and the other in a private place (the private key).
E.g. Bob sending a message to Alice: Bob encrypts the message using Alice’s public key, and when the message reaches Alice, she decrypts it using her private key.

Properties of PKC
No key distribution; the user can replace the private and public key at any time.

Applications for Public-Key Cryptosystems
Encryption/decryption: encryption using the recipient’s public key.
Digital signature: the sender signs a message with its private key.
Key exchange: exchange a session key.

Requirements for Public-Key Encryption
Easy to generate a public/private key pair.
Easy to encrypt a message using the public key.
Easy to decrypt using the private key.
Not easy to determine the private key from the public key.
Not easy to recover the private key from a given ciphertext and the public key.
Not easy to recover the original message from the ciphertext and the public key.

Authentication of Public Keys
Digital certificates prevent impersonation and man-in-the-middle attacks.
A certification agency is a trusted third party that creates the digital certificate (encrypted, i.e. signed, using its private key). It verifies the site’s identity by external means first.
The site sends its certificate to the customer; the customer uses the public key of the certification agency to decrypt the certificate and finds the site’s public key. A man-in-the-middle cannot send a fake public key.
The site’s public key is used for setting up secure communication.
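The public-key slides above (key pair, encrypt with the recipient's public key, sign with the private key, session-key exchange) and this certificate slide are all exercised by the following added example, which is my own code and not from the slides or any library: textbook RSA with deliberately tiny, deterministically chosen primes. The certificate format (subject name, public key, CA signature over both) is an assumption made for the example, there is no padding, and the key sizes are far too small for real use, so it shows the operations and the trust relationship only.

```python
# Added example (not from the slides): textbook RSA with tiny deterministic
# primes, walking through key generation, session-key encryption, signing,
# and a certification agency vouching for a site's public key. Toy sizes, no
# padding; the certificate format is my own for the example.
import hashlib
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~2^21 values used here."""
    if n < 2:
        return False
    for d in range(2, int(n ** 0.5) + 1):
        if n % d == 0:
            return False
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def make_keypair(seed: int) -> tuple:
    """Return ((n, e), (n, d)); `seed` picks the primes so runs are repeatable."""
    p, q = next_prime(seed), next_prime(2 * seed + 1)     # p != q
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    if gcd(e, phi) != 1:
        raise ValueError("choose another seed")
    d = pow(e, -1, phi)                                  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public: tuple, m: int) -> int:
    """Anyone can do this with the recipient's public key."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private: tuple, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def _digest_mod(n: int, data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private: tuple, data: bytes) -> int:
    """The signer applies its private key to the hash of the data."""
    n, d = private
    return pow(_digest_mod(n, data), d, n)


def verify(public: tuple, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest_mod(n, data)


def _cert_body(subject: str, public: tuple) -> bytes:
    return f"{subject}|{public[0]}|{public[1]}".encode()


def issue_certificate(ca_private: tuple, subject: str, public: tuple) -> dict:
    """The certification agency binds a verified subject name to its public key."""
    return {"subject": subject, "public": public,
            "sig": sign(ca_private, _cert_body(subject, public))}


def verify_certificate(ca_public: tuple, cert: dict, expected_subject: str) -> bool:
    """The customer checks the CA's signature and that the name matches."""
    return (cert["subject"] == expected_subject
            and verify(ca_public, _cert_body(cert["subject"], cert["public"]), cert["sig"]))


def handshake(cert: dict, ca_public: tuple, site_name: str, session_key: int):
    """Customer side: trust the site's key only via the CA, then send a session key."""
    if not verify_certificate(ca_public, cert, site_name):
        return None                     # refuse to talk to an unauthenticated key
    return encrypt(cert["public"], session_key)


# Constructed parties: a CA, a legitimate site, and an interloper.
CA_PUB, CA_PRIV = make_keypair(1_000_000)
SITE_PUB, SITE_PRIV = make_keypair(1_100_000)
MITM_PUB, MITM_PRIV = make_keypair(1_200_000)
SITE_CERT = issue_certificate(CA_PRIV, "shop.example", SITE_PUB)

if __name__ == "__main__":
    c = handshake(SITE_CERT, CA_PUB, "shop.example", 0xC0FFEE)
    print("site recovers session key:", hex(decrypt(SITE_PRIV, c)))
    swapped = dict(SITE_CERT, public=MITM_PUB)      # interloper cannot re-sign
    print("handshake with swapped key:", handshake(swapped, CA_PUB, "shop.example", 0xC0FFEE))
```

The point of the certificate check is in the last two lines of the main block: an interloper who replaces the public key inside the certificate breaks the CA's signature, and one who signs a certificate with its own key is not trusted because the customer only holds the CA's public key. The customer never needs a secret of its own, which is the "no key distribution" property from the PKC slide.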
Intrusion Detection Systems (IDS)
What is intrusion detection? Identifying possible attacks.
How is it done? By collecting information from a variety of system and network sources and analyzing the information for possible security problems.

Tasks of an IDS
Monitoring and analysis of user and system activity.
Auditing of system configurations and vulnerabilities.
Assessing the integrity of critical system and data files.
Statistical analysis of activity patterns based on matching to known attacks.
Abnormal activity analysis.
Operating system audit.

IDS Operations
It uses three kinds of information:
Long-term information related to the technique used to detect intrusions (a knowledge base of attacks).
Configuration information about the current state of the system.
Audit information describing the events that are happening on the system (log information).
Symptoms of an intrusion or of vulnerabilities can be detected by comparing the current state and security-related actions with those taken during normal usage of the system.

Efficiency of Intrusion-Detection Systems
Accuracy: absence of false alarms.
Performance: the rate at which audit events are processed.
Completeness: detects all attacks.
Fault tolerance: should itself be resistant to attacks.
Timeliness: how quickly it responds to an attack.

Knowledge-Based Intrusion Detection
Accumulates knowledge about specific attacks and system vulnerabilities; looks for behavior similar to known attacks and raises alarms.
Accuracy: good. Completeness: not good (requires regular updates of the knowledge about attacks). Easy to take preventive actions, since the type of attack is known.

Knowledge-Based Intrusion Detection: Expert Systems
Attacks are characterized as a set of rules; audit events are translated into facts; an inference engine draws conclusions using these rules and facts.
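The following added example (my own code, not from the slides) is a miniature of the expert-system shape just described: audit lines are parsed into facts, a small knowledge base of rules is applied, and each match becomes an alarm. The audit lines and the two rules are constructed for the example; the thresholds are assumed tuning values. Its last behaviour is the completeness limit from the slide: an event type with no rule in the knowledge base produces nothing.

```python
# Added example (not from the slides): a tiny rule-based detector in the
# expert-system shape the slide describes. Audit lines and rules are constructed.
import re
from collections import defaultdict

# Constructed audit trail: "<seconds> <event> user=<name> src=<ip> [path=<file>]"
AUDIT_LINES = [
    "100 login_failed user=alice src=10.0.0.5",
    "102 login_failed user=alice src=10.0.0.5",
    "104 login_failed user=alice src=10.0.0.5",
    "106 login_failed user=alice src=10.0.0.5",
    "108 login_failed user=alice src=10.0.0.5",
    "110 login_ok user=alice src=10.0.0.5",
    "200 login_ok user=bob src=10.0.0.9",
    "205 read_file user=bob src=10.0.0.9 path=/etc/shadow",
    "300 login_ok user=carol src=10.0.0.7",
    "305 read_file user=carol src=10.0.0.7 path=/home/carol/notes.txt",
]
LINE_RE = re.compile(
    r"^(?P<t>\d+) (?P<event>\w+) user=(?P<user>\w+) src=(?P<src>[\d.]+)"
    r"(?: path=(?P<path>\S+))?$")


def to_fact(line: str) -> dict:
    """Translate one audit line into a fact the rules can reason over."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    fact = m.groupdict()
    fact["t"] = int(fact["t"])
    return fact


# --- knowledge base: each rule maps the list of facts to zero or more alarms ---

def rule_repeated_login_failure(facts: list, threshold: int = 5, window: int = 60) -> list:
    """`threshold` failures for one (src, user) inside `window` seconds."""
    times = defaultdict(list)
    for f in facts:
        if f["event"] == "login_failed":
            times[(f["src"], f["user"])].append(f["t"])
    alarms = []
    for (src, user), ts in times.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            alarms.append(("repeated_login_failure", src, user))
    return alarms


def rule_sensitive_file_read(facts: list, sensitive=("/etc/shadow",)) -> list:
    """Any read of a file from the sensitive list."""
    return [("sensitive_file_read", f["src"], f["user"])
            for f in facts if f["event"] == "read_file" and f.get("path") in sensitive]


KNOWLEDGE_BASE = [rule_repeated_login_failure, rule_sensitive_file_read]


def run_engine(lines: list, rules=KNOWLEDGE_BASE) -> list:
    """Inference step: apply every rule to the facts and collect the alarms."""
    facts = [to_fact(line) for line in lines]
    alarms = []
    for rule in rules:
        alarms.extend(rule(facts))
    return alarms


if __name__ == "__main__":
    for alarm in run_engine(AUDIT_LINES):
        print(alarm)
```

Because every alarm names the rule that fired, the response is already known, which is the "easy to take preventive actions" advantage on the slide; the cost is that anything not written as a rule, such as the add_user event in the test, passes silently until the knowledge base is updated.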
Behavior-Based Intrusion Detection
An intrusion is detected by observing a deviation from the normal or expected behavior of the system or its users.
Advantages: complete; observes new attacks or vulnerabilities (new knowledge).
Disadvantages: not accurate (high false alarm rate).

How to Build a Behavior-Based IDS
Statistics: system behavior is measured by a number of variables sampled over time, e.g. the login and logout time of each session, the session duration, and the amount of processor, memory and disk resources consumed during the session. Compare the deviation between the current state and the normal state. A very simple method, but still effective.
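The statistical approach above, as an added example that is my own code and not from the slides: a per-user profile is built from past sessions (mean and standard deviation of each measured variable), and a new session is scored by how many standard deviations its most unusual variable sits from that profile. The session history is constructed, and the threshold of 3 is an assumed tuning choice. The third sample session is deliberately a legitimate but long working day, which the detector flags anyway; that is the false-alarm disadvantage from the previous slide in concrete form.

```python
# Added example (not from the slides): statistical behavior-based detection
# over per-session resource measurements. History is constructed; threshold
# of 3 standard deviations is an assumed tuning value.
from statistics import mean, pstdev

FEATURES = ("duration_s", "cpu_s", "disk_mb")

# Constructed history for one user: (session duration, CPU seconds, disk MB written)
HISTORY = {
    "alice": [(3600, 40, 120), (3300, 35, 100), (4000, 50, 140),
              (3500, 42, 110), (3800, 45, 130)],
}


def build_profile(sessions: list) -> dict:
    """Per-feature (mean, std); a zero std is clamped to 1 so division is safe."""
    columns = list(zip(*sessions))
    return {name: (mean(col), pstdev(col) or 1.0) for name, col in zip(FEATURES, columns)}


def deviations(profile: dict, session: tuple) -> dict:
    """Absolute z-score of each feature against the profile."""
    return {name: abs(value - profile[name][0]) / profile[name][1]
            for name, value in zip(FEATURES, session)}


def classify(profile: dict, session: tuple, threshold: float = 3.0) -> dict:
    """Flag the session if any feature deviates more than `threshold` sigmas."""
    dev = deviations(profile, session)
    worst = max(dev, key=dev.get)
    return {"anomalous": dev[worst] > threshold,
            "worst_feature": worst,
            "score": round(dev[worst], 2)}


def update_profile(sessions: list, session: tuple) -> dict:
    """Fold an accepted session into the history so the baseline tracks habits."""
    sessions.append(session)
    return build_profile(sessions)


if __name__ == "__main__":
    profile = build_profile(HISTORY["alice"])
    for s in [(3700, 44, 125),     # ordinary day
              (3600, 41, 900),     # same length, but 900 MB written: flagged
              (9000, 90, 200)]:    # a genuinely long working day: also flagged
        print(s, classify(profile, s))
```

Which sessions get folded back into the baseline by update_profile matters as much as the threshold: feed flagged sessions in uncritically and the profile drifts toward the anomalous behaviour, which is the main way this simple method degrades in practice.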
How to Build a Behavior-Based IDS (contd.)
Expert systems: a set of rules that describe the proper usage policy; prevent any action that does not fit the acceptable patterns.
Neural networks: learn the relationship between two sets of information (independent and target variables). Disadvantage: computationally expensive.

Operational Issues
A useful policy and mechanism must balance the benefits of the protection against the cost of designing, implementing, and using the mechanism. This balance can be determined by analyzing the risks of a security attack and the likelihood of it occurring. The analysis is subjective.

Cost-Benefit Analysis
Computer security mechanisms are weighed against their total cost.
E.g. if the data or resources are worth less than their protection, then no protection (reconstructing the data is cheaper than protecting it). This case is very rare.
E.g. a database that provides salary information to a second system which prints the checks: the integrity of the data has to be protected.
When the Analysis Is Not Clear
E.g. the need for confidentiality of the salaries in the database: the financial loss should be determined if the salaries are disclosed, including potential loss from lawsuits, changes in policies, procedures and personnel, and the effect on future business.

Overlapping Benefits
An integrity mechanism can be used to provide confidentiality, so cost can be reduced. Cost depends on the selected mechanism. Implementing security mechanisms in the design phase is much cheaper than adding them to existing systems.

Risk Analysis
To determine whether an asset should be protected, and at what level.
Likelihood of attacks: if an attack is unlikely, protecting against it has a lower priority than protecting against a likely one. But unlikely attacks could cause more damage than likely attacks; then priority should be given to the unlikely
E.g. the salary printing system: the risk of unauthorized change could arise in three places: the database level, the network level, and the printing level. In a LAN: untrustworthy internal personnel. In a WAN: untrustworthy personnel worldwide.
This example illustrates some finer points of risk analysis.
First point: risk is a function of the environment. Threats to a LAN: internal people. Threats to a WAN: internal and external people. If the company’s payroll system were paralyzed: employees would lose their faith, the company could not hire anyone, and investors would not fund the company. The risk arises from the environments in
Second point: risks change with time. E.g. a LAN becomes a WAN if the LAN is connected to the Internet.
Third point: many risks are quite remote but still exist. E.g. the risk of connecting to the Internet; this risk is "acceptable" but not nonexistent. Usually people do not worry about acceptable risk, but they worry when it becomes unacceptable.

Laws and Customs
Laws restrict the availability and use of technology and affect procedural controls. Policy and any selection of mechanisms must take legal considerations into account.
Laws are not the only constraints on policies and the selection of mechanisms; customs are too. E.g. (1) providing DNA samples for authentication purposes is legal but not socially acceptable.
Such practices provide security but at an unacceptable cost. Drawback: they encourage users to avoid or circumvent the security mechanisms.

Security Policies
What is a security policy? Why is a security policy necessary? What are the problems in designing policies? What should a policy cover? Types of policies; policy content; policy implementation; policy review.

What is a Security Policy?
It is a strategy for how a company implements information security principles and technologies. It provides high-level guidelines related to IT security, but it does not provide any procedures or mechanisms.
It specifically accomplishes three objectives: confidentiality

Why is a Security Policy Necessary?
A security policy is a plan, and it is essential to accomplish the complex task of providing IT security.
A security policy makes management and staff aware of their commitment to protecting data and information.
A security policy provides legal protection to the company.
A security policy is often required by clients of the organization.
A security policy maintains standards.

What Are the Problems in Designing Policies?
Not a trivial task; time consuming; expensive (hiring security professionals); different opinions from different experts (more subjective).

What a Policy Should Cover
The policy should be clear for its target audience. Minimum sections of a policy:
Overview: provides background information on the issue that the policy will address.
Purpose: specifies why the policy is needed.
Scope: lays out exactly who and what the policy covers.
Target Audience: advises for whom the policy is intended.
Policies: the main section of the document, providing statements on each aspect of the policy. For example, an Acceptable Use Policy might have individual policy statements relating to Internet use, email use, software installation, network access from home computers, etc.
Definitions: for clarity, any technical terms should be defined.
Version: to ensure consistent use and application of the policy, include a version number that is changed to reflect any
Types of Policies
Essential for most organizations: Acceptable Use Policy, Authentication Policy, Backup Policy, Confidential Data Policy, Incident Response Policy, Mobile Device Policy, Network Access Policy, Network Security Policy, Password Policy.

Policy Content
A security policy should be no longer than is absolutely necessary.
A security policy should be written in “plain English”.
A security policy must be consistent with applicable laws and regulations.
A security policy should be reasonable.
A security policy must be clear about permitted and non-permitted actions.

Policy Implementation
The hardest part. It must be backed by the company’s senior management and officially adopted as company policy. Create a position of Information Security Officer or IT Security Manager. Check whether the required technology is available at the company. User education is critical to a successful security policy implementation.

Policy Review
Policies should be periodically reviewed, to check whether they have been strictly followed by the users and whether they meet current requirements.