CYBER SECURITY FOR EDUCATIONAL LEADERS: A GUIDE TO UNDERSTANDING AND IMPLEMENTING TECHNOLOGY POLICIES
Chapter 11
Cyber Risk Assessment Instruments
© Routledge
Richard Phillips and Rayton R. Sianjina
TABLE OF CONTENTS
Risk Assessment Profile Checklist
Acceptable use policy
Authentication policy
Internet-use policy
Access policy
Auditing policy
Physical policy
Analysis policy
Privacy policy
ACCEPTABLE USE POLICY

Employee signed acceptable use policy

Acceptable use policy (reviewed by attorney)
INTERNET-USE POLICY
• Internet-use policies utilizing filters
• Download rule
• Explicit materials rule
• Video and media streaming rule
• Pop-ups and advertising rule
• Music rule
• Games rule
• Dating rule
• Email rule
• Other organizational rules

AUTHENTICATION POLICY


Authentication policy for SSL, ciphers, and encryption
Site certificate
ACCESS POLICY
• Password and logon requirements and complexities
• Monitoring and auditing network access logons
• Logon limit hours and locations
• Rights and privileges
• Two or more open network ports
• Unattended idle configuration
• Wireless access
• Wireless access tools
• Remote access
• Are workstations frozen with Deep Freeze or Clean Slate?
• Biometrics

AUDITING POLICY

Data protection
PHYSICAL POLICY
• Is there secure physical access to network equipment?
• Is there secure network data?
• Are individual computers locked?
• Do computers leave the premises? (laptops, notebooks)

ANALYSIS POLICY
• TCP packet analysis
• OS hardening
• Router security
• Firewall systems (access control list)
• Encryption (IP security) (Point-to-Point Tunneling Protocol)
• Network address translation
• Intrusion detection/prevention systems
• Virus, malware, worm, spyware, backdoor, spam, and pop-up protection
• Disaster recovery plan on or off site

PRIVACY POLICY

Privacy statement
QUESTIONS YOU SHOULD BE ABLE TO ANSWER
• Who is the ISP?
• Does your organization utilize an intranet or extranet?
• How many users are there?
• Does your company have a computer inventory list or technology inventory?
• Are files and folders shared on the network (permissions)?
• Are there scheduled audits?
• When and how often does your company back up the system?
• Are there regular scheduled software and system updates?
• What percentage of technology does your company outsource? Please list.
CONCLUSION


The Cyber Risk Assessment Profile and Questionnaire is a vital tool for organizations, businesses, and educational institutions for finding risk management solutions and a structured way of safeguarding client's critical electronic assets.