session_8_slidesx


EECS 4482 Fall 2014
Session 8 Slides
IT Security Standards and Procedures
• An information security policy is written at a corporate,
high level and is generally not detailed enough for
day-to-day operations and system configuration.
• Standards and corporate procedures should be
developed to take the information security policy
down to a lower level, where they serve as a basis for
defining system requirements, guiding employee
behaviour, educating system users, configuring system
software and writing operating procedures.
• Each standard or corporate procedure should
address a specific subject, such as passwords or
firewalls.
• Organizations can refer to professional sources
such as Control Objectives for Information and
Related Technology (COBIT) and the International
Organization for Standardization (ISO) as benchmarks to
assess the comprehensiveness of their security
standards. ISO 17799 (since renumbered as ISO/IEC 27002)
provides guidelines and a framework for organizations
to implement information security controls.
• Standards should be supplemented with local
procedures that fit each division and
computing platform.
• In addition to standards, there are corporate
security procedures for areas where there is
little variation between operating units, such as
the procedure for reporting lost or stolen
equipment.
Standards & Procedures Topics
• Anti-virus.
• Appropriate use of information and information
technology procedures.
• Cryptography.
• Data centre.
• Procedures for installation of hardware and
software.
• Procedures for disposal of data, media and
equipment.
• eBusiness.
• Email.
• Firewall.
• Incident response procedures.
• Information classification.
• Intrusion detection and prevention.
• Loss reporting procedures.
• Mobile computing.
• Password.
• Patching.
• Routers.
• Servers.
• Software design.
• Virtual private network.
• Wireless.
• Workstations.
Scenario 1
A local system administrator (SA) receives a call
from a law enforcement officer requesting any
information that can be provided about a specific IP
address. The situation sounds very serious, and
the officer explains that this information is
critical to determining how to proceed. Which
policy, standard or procedure will guide this?
What should the SA do? Who should approve the
action? Should approval come before or after?
Scenario 2
An administrative assistant has filed a complaint
with the university legal department that her boss
spends an enormous amount of time surfing the
web and searching for porn. There have been no
previous complaints concerning this activity, and
the individual being accused has a good university
record. Which policy, standard or procedure will
guide this? What questions need to be answered?
What steps should be taken? What should be
represented in policy?
Scenario 3
A small group of graduate students is not happy
with the networking arrangements in their work
space. They have complained to the local network
administrator, but the situation has still not been resolved
to their satisfaction. One of the graduate students purchases
a small wireless access point and installs it in the work
space for the others to use. Which policy, standard or
procedure will guide this? What questions need to be
answered? What steps should be taken? What should be
represented in policy?