3. Understanding Administrative
Security
Administrative security policies:
Define the importance of information and information systems
to the company and its employees.
Define the resources required to accomplish appropriate risk
management activities.
Identify the individuals responsible for managing the
information security risk for the organization.
4. Understanding Administrative
Security
Administrative security policies fall under the following areas:
Policies and procedures.
Resources.
Responsibility.
Education.
Contingency plans.
5. Policies and Procedures
The most important policies that organizations must draft are:
Information policy - Defines the level of sensitivity of
information assets within the organization.
Security policy - Defines the technical controls and security
configurations to be implemented on all computer systems.
6. Policies and Procedures
The most important policies that organizations must draft
are (continued):
Use policy - Identifies the approved uses of organization
computer systems and the penalties for misusing such
systems.
Backup policy - Defines the frequency of information backups
and the method of moving backups to an off-site storage.
7. Policies and Procedures
Organizations must define the following procedures:
User management - Includes information about individuals
who can authorize access to the organization’s computer
systems.
System administration - Defines the process of implementing
the organization’s security policy on various systems.
Configuration management - Defines the steps for making
changes to production systems.
8. Resources
Determining required resources depends on:
The size of the organization.
The organization’s business.
The risk to the organization.
The full risk assessment of the organization.
The plan to manage risk.
10. Resources
The security department staff members should have the
following skills:
Security administration - A thorough understanding of day-
to-day administration of security devices.
Policy development - Hands-on experience in the
development and maintenance of security policies,
procedures, and plans.
Architecture - An understanding of network and system
architectures and implementation of new systems.
11. Resources
The security department staff members should have the
following skills (continued):
Research - The examination of new security technologies for
risk assessment.
Assessment - Experience in conducting risk assessment
activities, such as penetration and security testing.
Audit - Experience in conducting system and procedure audits.
12. Resources
An organization’s security budget is based on:
The scope and time frame of the security project.
The capital expenditures, current operations, and cost of
training.
The security project plans.
13. Responsibility
An executive-level position must own security
responsibilities within an organization.
They should have the authority to define the organization’s
policy and sign off on all security-related policies.
They should also have the authority to enforce policy.
They should develop metrics to track the progress toward
security goals.
14. Education
The best practices for education includes:
Preventive measures.
Enforcement measures.
Incentive measures.
15. Preventive Measures
Preventive measures can be used to explain the importance
and need to protect an organization’s information assets.
It will make employees comply with policies and procedures.
It includes awareness programs, publicity campaigns,
electronic mail messages, and pop-up windows.
16. Enforcement Measures
Enforcement measures force employees to abide by the
organization’s policies and procedures.
It can be enforced in the form of security-awareness
training.
Employees can also be provided copies of relevant policies.
They can also be asked to sign a security statement.
17. Incentive Programs
Incentive programs:
Can increase the reporting of security issues.
Can be in the form of monetary incentives or verbal
encouragement.
Can also be used for suggestions on how to improve security.
18. Contingency Plans
Contingency plans include:
Incident response - Defines the series of steps to be taken in
the event of a compromise.
Backup and data archival - Defines how and when backups are
to be taken. It also specifies the backup storage and restore
mechanisms.
Disaster recovery - Identifies the most critical resources and
states the need and objectives in the event of a disaster.
19. Security Project Plans
Best practices recommend that the security department
must establish the following plans:
Improvement plans - Address the risk areas and implement
appropriate changes to the environment.
Vulnerability assessment - Includes regular scans of the
organization’s systems. It also includes regular follow-up
with system administrators to ensure corrective actions are
being taken.
20. Security Project Plans
Best practices recommend that the security department
must establish the following plans (continued):
Assessment plans - Frequently assess the risk to the
organization.
Audit plans - Ensures policy compliance.
Training - Includes schedules for awareness training
classes and publicity campaigns.
Policy evaluation - Includes built-in review schedules.
23. Network Connectivity
To protect an organization from unwanted intrusions, the
following network connectivity practices are recommended:
Permanent connections - Network connection to other
organizations or the Internet is protected by a firewall. This
prevents damage in one network to spread to others.
Remote access connections - These connections can be
dial-in connections or connections across the Internet.
Two-factor authentication, such as dial-back modems or
dynamic passwords is recommended.
24. Malicious Code Protection
To protect systems from computer viruses or Trojan horse
programs:
Use anti-virus programs for servers, desktops, and e-mail
systems.
Allow frequent signature updates and the delivery of
updates.
25. Authentication
The following are the recommended best practices for
password usage:
Passwords must be a minimum of eight characters in
length.
The last ten passwords should not be reused.
It should always be stored in encrypted form, which is
inaccessible to normal users.
It should not be more than 60 days old.
It should be composed of alphanumeric characters.
26. Authentication
The following are the recommended best practices for
password usage (continued):
Dynamic passwords or other two-factor authentication
mechanisms offer added security.
Systems should be configured to start a screen saver while
the employee is away. The system should require re-
authentication to access the system.
27. Monitoring
Auditing is a mechanism of monitoring actions that occur on a
computer system. The audit log or files must keep track of the
following events:
Login/logoff.
Failed login attempts.
Dial-in connection attempts.
Supervisor/administrator/root login.
Supervisor/administrator/root privileged functions.
Sensitive file access.
28. Monitoring
Intrusion detection systems (IDS) monitor networks or
systems.
They trigger an alarm when security is compromised.
Host-based IDS may be used to examine log files.
Network-based IDS helps monitor the network for attacks
or unusual traffic.
29. Encryption
Encrypt information while transmitting over unsecured lines
or electronic mail.
Choose an algorithm that matches the sensitivity of the
information being protected. Use well-known and well-
tested encryption algorithms.
30. Encryption
Use link encryption for transmission lines between
organization facilities.
Follow regulatory standards, such as HIPAA while
transmitting over open networks.
31. Patching Systems
Patches correct vulnerabilities.
Install patches only after testing.
Install patches according to the organization’s change
control procedures.
Check for new patches frequently.
32. Backup and Recovery
Information on servers should be backed up regularly.
Verify all backups to determine if the backup successfully
copied the important files.
Establish regular schedules of tests.
Backups must be accessible to restore systems in the event
of system failures.
Backups should be stored off-site for protection.
33. Physical Security
The following physical security mechanisms are
recommended:
Physical access - Restrict access to data center, where all
sensitive computers are kept.
Climate - Configure climate control units to notify
administrators if a failure occurs.
34. Physical Security
The following physical security mechanisms are
recommended (continued):
Fire suppression - Configure fire-suppression systems to
prevent any damage to the systems in the data center.
Electrical power - Size battery backups to provide sufficient
power for computer systems to shut down.
35. Making Use of ISO 17799
The Information Technology - Code of Practice for
Information Security Management (ISO 17799) covers the
following areas:
Security policy - Covers the need for a security policy. It
also recommends regular reviews and evaluation of the
document.
36. Making Use of ISO 17799
The Information Technology - Code of Practice for
Information Security Management (ISO 17799) covers the
following areas (continued):
Organizational security - Covers how information security
functions are managed within an organization.
Asset classification and control - Covers the need to
properly protect both physical and information assets.
37. Making Use of ISO 17799
ISO 17799 key concepts include:
Personal security - Discusses the need to manage the risk
within the hiring process and ongoing employee education.
Physical and environmental security - Discusses the need to
protect all physical assets from theft, fire, and other hazards.
Communication and operations management- Covers the need
for documented management procedures for computers and
networks.
38. Making Use of ISO 17799
ISO 17799 key concepts include (continued):
Access control - Discusses the control of access to information,
systems, networks, and applications.
Systems development and maintenance - Discusses the
inclusion of security in development projects.
39. Making Use of ISO 17799
ISO 17799 key concepts include (continued):
Business continuity management - Discusses the risks of
business interruptions and various alternatives for continuity
management.
Compliance - Discusses how the organization should enforce
policy and check compliance.
40. Summary
Administrative security practices include policies and
procedures, resources, responsibility, education, and
contingency plans.
The security department must establish plans for
improvement, assessment, vulnerability assessment, audits,
training, and policy evaluation.
41. Summary
Technical security measures deal with the implementation
of security controls on computers and networked systems.
ISO 17799 standards help establish an effective security
program.
42. BS7799 簡介
BS7799 Code of Practice for
Information Security
資訊安全應用與稽核的標準
定義一套完整的政策、程序、實施與組
織化的架構
1995 年由英國標準協會提出
已成為國際標準:ISO17799
