Description
“Please adhere to all the requirements and make sure of them. Do not use artificial intelligence. I have attached the book and the course slides along with the project file. Please do not change anything in the project file.”
Project
Deadline: Sunday 01/12/2025 @ 23:59
[Total Mark is 14]
Student Details:
CRN:
Name:
Name:
Name:
ID:
ID:
ID:
Instructions:
• You must submit two separate copies (one Word file and one PDF file) using the Assignment Template on
Blackboard via the allocated folder. These files must not be in compressed format.
• It is your responsibility to check and make sure that you have uploaded both the correct files.
• Zero mark will be given if you try to bypass the SafeAssign (e.g. misspell words, remove spaces between
words, hide characters, use different character sets, convert text into image or languages other than English
or any kind of manipulation).
• Email submission will not be accepted.
• You are advised to make your work clear and well-presented. This includes filling your information on the cover
page.
• You must use this template, failing which will result in zero mark.
• You MUST show all your work, and text must not be converted into an image, unless specified otherwise by
the question.
• Late submission will result in ZERO mark.
• The work should be your own, copying from students or other resources will result in ZERO mark.
• Use Times New Roman font for all your answers.
Restricted – مقيد
Description and Instructions
Project Description:
This project is an opportunity for you to practice your knowledge and skills. All you
need to do is choose one of the topics in the course from Module 3 to Module 12. After
that, each group should make a presentation and discussion panel. Presentations begin
in the ninth week during the first 50 minutes of the lecture time. The grading will be
separated into two parts:
– The first grading will be on the day of the presentation, which includes the presentation mark and your ability to manage the discussion panel with good open questions.
– The second grading will be during your classmates’ presentations, by participating in their discussion panels.
Total Marks = 14
  Presentation                                                          7 marks
  Creating and managing a discussion panel                              3 marks
  Participating in classmates' discussion panels during the semester    4 marks

Before 15/10/2025 each group should select the module and the date for presentation to your instructor.
• Group size = 2-3 members.
• The Modules:
  ▪ Module 03: Governance and Risk Management
  ▪ Module 04: Asset Management
  ▪ Module 05: Human Resources Security
  ▪ Module 06: Physical and Environmental Security
  ▪ Module 08: Communications and Operations Security
  ▪ Module 09: Access Control Management
  ▪ Module 10: Information Systems Acquisition, Development, and Maintenance and Information Security Incident Management (part 1)
  ▪ Module 10: Information Systems Acquisition, Development, and Maintenance and Information Security Incident Management (part 2)
  ▪ Module 11: Business Continuity Management
  ▪ Module 12: Regulatory Compliance for Financial Institutions and Regulatory Compliance for the Healthcare Sector (part 1)
  ▪ Module 12: Regulatory Compliance for Financial Institutions and Regulatory Compliance for the Healthcare Sector (part 2)
• Do not use the lecture slides; be creative and create your own slides that cover your selected module. You can use the course textbook or any other sources that help you create your presentation.
• The chosen topic should be divided between the members of the group.
• Each member must present his or her part.
• Marks will be awarded based on your explanation, the quality of the content, your discussion skills, and the correctness of your answers.
• The students must answer the questions in this activity individually to get discussion marks.
• One group member (the group leader) should submit the presentation slides on Blackboard.
The Presentation Grading Criteria:
  Complete content (introduction, body, and conclusion)                      5 marks
  Effective use of time (max. 8-10 minutes)                                  1 mark
  Voice projection and loudness / eye contact / confidence and attitude      1 mark
Saudi Electronic University
Bachelor of Science in Information Technology
IT476 IT Security and Policies
26/12/2021
Security Program and Policies: Principles and Practices, by Sari Stern Greene (updated 02/2018)
Chapter 1: Understanding Policy
Objectives
Describe the significance of policies
Evaluate the role policy plays in corporate culture and
civil society
Discuss information security policy
Identify the characteristics of a successful policy
Discuss Information Security Policy lifecycle
Copyright 2014 Pearson Education, Inc.
Introduction
■ Policy: “A definite course of action or procedure selected from among alternatives and in light of given conditions to guide and determine present and future decisions” (per www.merriamwebster.com)
Looking at Policy Through the Ages
■ The role of the Torah and Bible as written policy
■ The Holy Quran has served as a policy document for Muslims for over 1400 years.
■ 3000-year-old documents include business rules still in practice today.
■ The first documented attempt at creating a code to preserve order can be found in the times of the Romans and Greeks.
Looking at Policy Through the Ages (cont.)
❑ The U.S. Constitution as a Policy Revolution
  ■ A collection of articles and amendments that codify all aspects of American government along with citizens’ rights and responsibilities
  ■ A rule set with a built-in mechanism for change
❑ Both the Constitution and the Torah have a similar goal:
  ■ Serve as rules that guide behavior
Information Security Policy
■ A document that states how an organization plans to protect its information assets and information systems and ensure compliance with legal and regulatory requirements
  ❑ Asset
    ■ Resource with a value
  ❑ Information asset
    ■ Any information item, regardless of storage format, that represents value to the organization
    ■ Customer data, employee records, IT information, reputation, and brand
Successful Policy Characteristics
■ Endorsed
  ❑ Management supports the policy
■ Relevant
  ❑ The policy is applicable and supports the goals of the organization
■ Realistic
  ❑ The policy makes sense
■ Attainable
  ❑ The policy can be successfully implemented
■ Adaptable
  ❑ The policy can be changed
■ Enforceable
  ❑ Controls that can be used to support and enforce the policy exist
■ Inclusive
  ❑ The policy scope includes all relevant parties
Defining the Role of Policy in Government
Government regulation is required to protect its critical infrastructure and citizens.
❑ Two major pieces of information security-related legislation were introduced in Saudi Arabia:
  • Anti-Cyber Crime Act (…crimesAct.aspx)
  • Electronic Transactions Act (…onicTransactionsLaw.aspx)
→Information Security Policy Lifecycle
• Regardless of the type of policy, its success depends on how the organization approaches the process of developing, publishing, adopting, and reviewing the policy.
• This process is referred to as the policy lifecycle.
Information Security Policy Lifecycle cont.
1) Policy development: There are six main tasks involved in policy development:
   a) planning: identifying the need for and context of the policy,
   b) researching: defining the legal and regulatory requirements,
   c) writing: producing a document suited to the audience,
   d) vetting: examining the draft,
   e) approving: sign-off by all concerned departments, and
   f) authorizing: approval from management.
Information Security Policy Lifecycle cont.
2) Policy Publication: Policies should be communicated and made
available to all parties they apply to. The company should provide
training to reinforce the policies. Creating a culture of compliance
can ensure all parties understand the importance of the policy and
actively support it.
3) Policy Adoption: The policy is implemented, monitored, and
enforced.
4) Policy Review: Policies are reviewed annually, and outdated
policies are updated or retired.
Summary
Policies apply to governments as well as to business
organizations.
When people are grouped to achieve a common goal, policies
provide a framework that guides the company and protects the
assets of that company.
The policy lifecycle spans four phases: develop, publish, adopt,
and review.
Thank You
Chapter 2: Policy Elements and Style
Objectives
Distinguish between a policy, a standard, a baseline, a
procedure, a guideline, and a plan
Identify policy elements
Include the proper information in each element of a
policy
Know how to use “plain language”
Policy Hierarchy
■ Policies need supporting documents for context and application
  ❑ Standards, baselines, guidelines, and procedures support policy implementation
■ The relationship between a policy and its supporting documents is known as the policy hierarchy
■ Policies reflect the guiding principles and organizational objectives
[Figure: policy hierarchy, with guiding principles at the top, the policy beneath them, and standards, baselines, guidelines, and procedures supporting the policy]
Policy Hierarchy cont.
■ Standards (details in next slide)
  ❑ Dictate specific minimum requirements in policies
  ❑ They are specific.
  ❑ Determined by management and can be changed without Board of Directors authorization
    ■ Note that standards change more often than policies
■ Baselines
  ❑ An aggregate of implementation standards and security controls for a specific category or grouping, such as platform (for example, Windows 7, Mac) or device type (iPad, laptop)
Example of password policy vs. password standard
■ Password policy
  ❑ All users must have a unique user ID and password
  ❑ Users must not share their password with anyone
  ❑ If a password is suspected to be compromised, it must be changed immediately
■ Password standard
  ❑ Minimum of 8 upper- and lowercase alphanumeric characters
  ❑ Must include at least one special character (such as *, &, $, #, !, or @)
  ❑ Must not include repeating characters, e.g. 111
  ❑ Must not include the user’s name or company name
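The slide's point is that the policy states the rules ("users must have a unique ID and password") while the standard holds the measurable parameters that management can tune without touching the policy. The following checker, added here as an illustration and not taken from the textbook or the course, keeps those parameters in one table and reports every rule a candidate password violates. The exact special-character set, the treatment of "alphanumeric" as "at least one digit", and the run length of three for "repeating characters" are assumptions made for this example; the slide only gives "such as" examples and "111".

```python
import re

# Password STANDARD: the tunable parameters. The slide gives the minimum length
# and example special characters; the digit requirement, the exact special set
# and the run length of 3 are assumptions made for this example.
PASSWORD_STANDARD = {
    "min_length": 8,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,           # reading of "alphanumeric" assumed here
    "special_chars": set("*&$#!@"),  # the slide's "such as" list
    "max_repeat_run": 2,             # "111" (a run of 3) is rejected
}


def check_password(password, user_name, company_name, standard=PASSWORD_STANDARD):
    """Return the names of every violated rule; an empty list means the password complies."""
    failures = []
    if len(password) < standard["min_length"]:
        failures.append("min_length")
    if standard["require_upper"] and not any(c.isupper() for c in password):
        failures.append("uppercase")
    if standard["require_lower"] and not any(c.islower() for c in password):
        failures.append("lowercase")
    if standard["require_digit"] and not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in standard["special_chars"] for c in password):
        failures.append("special_char")
    # A character followed by max_repeat_run or more copies of itself, e.g. "111" or "aaa".
    if re.search(r"(.)\1{%d,}" % standard["max_repeat_run"], password):
        failures.append("repeating_chars")
    # Name checks are case-insensitive and look at each word of the name separately;
    # very short tokens (initials) are skipped so "J" does not reject every password.
    lowered = password.lower()
    for label, name in (("user_name", user_name), ("company_name", company_name)):
        for token in name.lower().split():
            if len(token) >= 3 and token in lowered:
                failures.append(label)
                break
    return failures


def complies(password, user_name, company_name, standard=PASSWORD_STANDARD):
    """Boolean form of the same check, for use at the point where a password is set."""
    return not check_password(password, user_name, company_name, standard)


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    for pw in ("Summer2024!", "alice111", "Acme#2024x"):
        print(pw, "->", check_password(pw, "Alice Smith", "Acme Corp") or "complies")
```

Because the standard is a data table rather than code, raising `min_length` or widening `special_chars` is the kind of change management can make without re-approving the policy, which is exactly the division the hierarchy describes. The check belongs wherever the password is actually set (the directory or identity provider), since a check that runs only in the browser can be bypassed and then gives no assurance that the standard is being enforced.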
Policy Hierarchy cont.
■ Guidelines
  ❑ Guidelines are best thought of as teaching tools.
  ❑ Suggestions / advice on the best way to accomplish a given task
  ❑ Guidelines are created primarily to assist users in their goal to implement the policy
  ❑ They are not mandatory
  ❑ EXAMPLE: “A good way to create a strong password is to think of a phrase, song title, or other group of words that is easy to remember and then convert it, like this:
    ■ I first went to Disneyland when I was 4 years old and it made me happy
    ■ I1stw2DLwIw4yrs&immH”
■ Procedures (details in next slide)
  ❑ Method, or set of instructions, by which a policy is accomplished
  ❑ A step-by-step approach to implementation
  ❑ Four commonly used formats for procedures
    ■ Simple step, hierarchical, graphic, flowchart
Example of procedure to change a windows password
■ Simple step procedure to change a user’s Windows password
  ❑ Press and hold the Ctrl+Alt+Delete keys
  ❑ Click the change password option
  ❑ Type your current password in the top box
  ❑ Type your new password in both the second and third boxes
  ❑ Click OK and then log in with your new password
Policy Hierarchy cont.
■ Plans and Programs
  ❑ Plans and programs are used interchangeably
  ❑ Plans are closely related to policies
  ❑ Provide strategic and tactical instructions on how to execute an initiative or respond to a situation
  ❑ For example, an Incident Response Policy will generally include the requirement to publish, maintain, and test an Incident Response Plan
Policy Format
■ Writing policy documents can be challenging.
■ Policies are complex documents that must be written to withstand legal and regulatory scrutiny while at the same time being easily read and understood by the reader.
■ The starting point for choosing a format is identifying the policy audience.
■ The style and format of a policy will change based on the target audience of that policy
  ■ Identify and understand the audience
  ■ Identify the culture shared by the target audience
■ Plan the organization of the document before you start writing it.
  ■ One document with multiple sections?
    ❑ Consolidated/combined policy sections
  ■ Several individual documents?
    ❑ Singular policy
Policy Components
■ Policy components
  ❑ Policies include many different sections and components
  ❑ Each component has a different purpose
  ❑ Clearly identify the purpose of each element in the planning phase, before the writing starts
Version Control
■ Used to keep track of the changes to the policy
■ Usually identified by a number or letter code
■ Major revisions advance by a number or letter
  ❑ 1.0, 2.0, 3.0
■ Minor revisions advance by a subsection
  ❑ 1.1, 1.2, 1.3
■ Version control documentation includes:
  1. Change date
  2. Name of the person(s) making the change
  3. Brief synopsis of the change
  4. Who authorized the change
  5. The effective date of the change
Introduction
■ Provides context and meaning
■ Explains the significance of the policy
■ Explains the exemption process and the consequences of noncompliance
■ Reinforces the authority of the policy
■ A separate document for a singular policy
■ Follows the version control table and serves as a preface for a consolidated policy
Policy Headings
■ Identifies the policy by name and provides an overview of the policy topic or category
■ The format and content depend on the policy format
  ❑ Singular policy includes:
    ■ Name of the organization or the division
    ■ Category, section, and subsection
    ■ Name of the author and effective date of the policy
    ■ Version number and approval authority
  ❑ Consolidated/combined policy document
    ■ Heading serves as a section introduction and includes an overview
Policy Goals and Objectives
■ What is the goal of the policy?
■ Introduces the employee to the policy content and conveys the intent of the policy
■ One policy may have several objectives
■ Singular policy objectives are located in the policy heading or in the body of the document
■ Consolidated policy objectives are grouped after the policy heading
Policy Statement
❑ Why does the policy exist?
❑ What rules need to be followed?
❑ How will the policy be implemented?
■ High-level directive or strategic roadmap
  ❑ Focuses on the specifics of how the policy will be implemented
  ❑ It’s a list of all the rules that need to be followed
  ❑ Constitutes the bulk of the policy
  ❑ Standards, procedures, and guidelines are not a part of the policy statement. They can, however, be referenced in that section
Policy Exceptions
■ Not all rules are applicable 100% of the time.
■ Exceptions do not invalidate the rules, as much as they complement them by listing alternative situations.
■ Language used in this section must be clear, accurate, and concise so as not to create loopholes/ambiguity.
■ Keep the number of exceptions low.
Policy Enforcement Clause
■ Rules and the penalty for not following them should be listed in the same document
■ The level of severity of the penalty should match the level of severity and nature of the infraction/violation
■ Penalties should not be enforced against employees who were not trained on the policy rules they are expected to follow
Administrative Notations
■ Provides a reference to an internal resource or refers to additional information.
■ Include regulatory cross-references, the name of the corresponding document (standard, guideline, and so on), supporting documentation (annual reports, job descriptions), and the policy author’s name and contact information
Policy Definitions
❑ The glossary of the policy document
❑ Created and included to further enhance employee understanding of the policy and rules
❑ Renders the policy a more efficient document
❑ The target audience(s) should be defined prior to the creation of the glossary
❑ Useful to show due diligence of the company in terms of explaining the rules to the employees during potential litigation
Writing Style and Technique
■ Sets the first impression
■ Policies should be written using plain language
■ Plain language means:
  ❑ The simplest, most straightforward way to express an idea
  ❑ Follow the Plain Language Action and Information Network (PLAIN) guidelines
    ❑ A group of federal employees from many different agencies and specialties who support the use of clear communication in government writing

The Plain Language Action and Information Network (PLAIN) guidelines
■ Write for your audience
■ Write short sentences
■ Limit a paragraph to one subject
■ Be concise
■ Don’t use jargon or technical terms
■ Use active voice
■ Use “must”, not “shall”
■ Use words and terms consistently throughout your document
Summary
❑ The structure of the policy documents eases the maintenance and creation of the overall document.
❑ A successful policy sets forth requirements (standards), ways for employees to act according to the policy (guidelines), and actual procedures.
❑ A policy is a complex set of individual documents that build upon each other to convey the message to all employees of the organization in an efficient fashion.
Chapter 3: Information Security Framework
Objectives
Recognize the importance of the CIA security model and
describe the security objectives of confidentiality, integrity,
and availability
Discuss why organizations choose to adopt a security
framework
Recognize the values of NIST resources
Understand the intent of ISO/IEC 27000-series of information
security standards
Outline the domains of an information security program
CIA
The CIA triad, or CIA security model, stands for Confidentiality, Integrity, and Availability.
An attack against one or several of the elements of the CIA triad is an attack against the information security of the organization.
Protecting the CIA triad means protecting the assets of the company.
CIA
The Federal Information Security Management Act (FISMA) defines the
relationship between information security and the CIA triad as follows:
“Information security” means protecting information and information systems
in order to provide:
Integrity
Confidentiality and
Availability
Organizations may consider all three
components of the CIA triad equally
important, *in which case resources
must be allocated proportionately.
What Is Confidentiality?
When you tell a friend something “in confidence,” you expect them to keep the information
private and to not share what you told them with anyone else without your permission.
Confidentiality is the ability not to release information to unauthorized persons,
programs, or processes.
Confidentiality means preserving authorized restrictions on access and disclosure,
including means for protecting personal privacy and proprietary information.
*Not all data owned by the company should be made available to the public
Failing to protect data confidentiality can be disastrous for an organization:
Dissemination of Protected Health Information (PHI) between doctor and patient
Dissemination of Protected Financial Information (PFI) between bank and customer
Dissemination of business-critical information to rival company
What Is Confidentiality? Cont.
Only authorized users should gain access to information.
Information must be protected when it is used, shared,
transmitted, and stored.
Information must be protected from unauthorized users
both internally and externally.
Information must be protected whether it is in digital or
paper format.
What Is Confidentiality? Cont.
The threats to confidentiality must be identified. They include:
1. Hackers and hacktivists: A hacker could break into a computer for monetary gain or to demonstrate their talents. A hacktivist, on the other hand, is someone who is aiming to achieve a social or political goal by getting access to a computer network and stealing sensitive data.
2. Shoulder surfing: The act of looking over someone’s shoulder to see what is displayed on a monitor or device.
3. Lack of shredding of paper documents
4. Malicious code (viruses, worms, Trojans)
5. Unauthorized employee activity
6. Improper access control
What Is Confidentiality? Cont.
The information security goal of confidentiality is to protect
information from unauthorized access and misuse
The best way to do this is to implement safeguards and
processes that increase the work factor and the chance of
being caught.
*A spectrum of access controls and protections as well as
ongoing monitoring, testing, and training
What Is Integrity?
Integrity is protecting data, processes, or systems from intentional or accidental unauthorized modification.
Data integrity: a requirement that information and programs are changed only in a specified and authorized manner.
System integrity: a requirement that a system “performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.”
A business that cannot trust the integrity of its data is a business that cannot
operate
An attack against data integrity can mean the end of an organization’s
capability to conduct business
What Is Integrity? Cont.
Threats to data integrity include:
1. Human error
2. Hackers
3. Unauthorized user activity
4. Improper access control
5. Malicious code
6. Interception and alteration of data during transmission
What Is Integrity? Cont.
Controls that can be deployed to protect data integrity include:
  Access controls: encryption, digital signatures
  Process controls: code testing (free from bugs)
  Monitoring controls: file integrity monitoring, log analysis
  Behavioral controls: separation of duties, rotation of duties, end user security training
What Is Availability?
Availability is the assurance that the data and systems are accessible
when needed by authorized users
The Service Level Agreement (SLA) is a type of agreement between a
service provider and a customer that specifically addresses availability of
services. (99.999% uptime)
*What is the cost of the loss of data availability to the organization?
*A risk assessment should be conducted to more efficiently protect data
availability.
What Is Availability? Cont.
Threats to data availability include:
1. Natural disaster
2. Hardware failures
3. Programming errors
4. Human errors
5. Distributed Denial of Service attacks
6. Loss of power
7. Malicious code
8. Temporary or permanent loss of key personnel
*Ask Yourself about CIA
What purpose does the CIA Triad serve in information
security?
What is required for a network professional to ensure the
availability of data or devices?
If you want to protect the confidentiality of data being
transmitted from an IoT device, which of these strategies
might be a good choice?
The Five A’s of Information Security
Supporting the CIA triad of information security are five key
information security principles, commonly known as the Five
A’s:
Accountability
Assurance
Authentication
Authorization
Accounting
The Five A’s of Information Security Cont.
Accountability:
The process of tracing actions to their source
All actions should be traceable to the person who
committed them.
Logs should be kept, archived, and secured.
Intrusion detection systems should be deployed.
*Computer forensic techniques can be used retroactively.
*Accountability should be focused on both internal and
external actions.
The Five A’s of Information Security Cont.
Assurance:
The processes, policies, and controls used to develop confidence that
security measures are working as intended.
Security measures (such as: VPN, Antivirus, Backup, Firewall) need to be
designed and tested to ascertain that they are efficient and appropriate
The knowledge that these measures are certainly efficient is known as
assurance
*The activities related to assurance include:
Auditing and monitoring
Testing
Reporting
The Five A’s of Information Security Cont.
Authentication:
Assurance and confirmation of a user’s identity
Authentication is the cornerstone/basis of most network
security models.
It is the positive identification of the person or system seeking
access to secured information and/or system.
Examples of authentication models:
User ID and password combination
Tokens
Biometric devices
The Five A’s of Information Security Cont.
Authorization:
Act of granting users or systems actual access to information
resources.
*Note that the level of access may change based on the user’s
defined access level.
Examples of access level include the following:
Read only
Read and write
Full
The Five A’s of Information Security Cont.
Accounting:
Defined as the logging of access and usage of resources.
Keeps track of who accesses what resource, when, and
for how long.
An example of use:
Internet café, where users are charged by the minute of
use of the service.
CIA plus the Five A’s are fundamental objectives and
attributes of an information security program.
Who Is Responsible for CIA?
Information owner:
An official with legal or operational authority for specified information.
The owner of information is the person responsible for the business
use of the information.
Has the responsibility for ensuring information is protected from
creation through destruction.
Information custodian:
Maintain the systems that store, process, and transmit the
information.
Information Security Framework
A security framework is a series of documented processes that define policies and procedures around the implementation and management of information security controls.
*Security framework is a collective term given to guidance on topics related to:
information systems security
predominantly regarding the planning
Implementing
Managing and auditing of overall information security practices
Two of the most widely used frameworks are:
Information Technology and Security Framework by NIST
Information Security Management System by ISO
NIST Functions
Founded in 1901
Non-regulatory federal agency
Its mission is to develop and promote measurement, standards and
technology to enhance productivity, facilitate trade, and improve quality of
life
NIST defines information security as:
The protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification, or
destruction in order to provide CIA.
Published more than 300 information security-related documents including:
*Federal Information Processing Standards.
*Special Publication 800 series.
*ITL bulletins.
NIST Functions
The Computer Security Division (CSD) is one of eight divisions within
NIST’s Information Technology Laboratory
The mission of NIST’s CSD is to improve information systems security as
follows:
1. By raising awareness of IT risks, vulnerabilities, and protection
requirements, particularly for new and emerging technologies.
2. By researching, studying, and advising agencies of IT vulnerabilities
and devising techniques for the cost-effective security and privacy of
sensitive federal systems.
3. By developing standards, metrics, tests, and validation programs
4. By developing guidance to increase secure IT planning,
implementation, management, and operation.
ISO Functions
A network of national standards institutes of 146 countries
Nongovernmental organization that has developed more than
13,000 international standards.
The ISO/IEC 27000 series represents information security standards published by ISO and the International Electrotechnical Commission (IEC).
ISO 27002:2013 series (Code of Practice)
Comprehensive set of information security recommendations on best practices in
information security.
ISO 27002:2013 is organized in the following domains:
1. Information security policies (Section 5) – This domain focuses on
information security policy requirements and the need to align policy with
organizational objectives.
2. Organization of Information Security (Section 6) – This domain focuses on
establishing and supporting a management structure to implement and manage
information security within, across, and outside the organization.
3. Human Resources Security Management (Section 7) – This domain focuses
on integrating security into the employee lifecycle, agreements, and training.
Human nature is to be trusting.
4. Asset Management (Section 8) – This domain focuses on developing
classification schema, assigning classification levels, and maintaining accurate
inventories of data and devices.
ISO 27002:2013 series (Code of Practice)
5. Access Control (Section 9) – This domain focuses on managing authorized
access and preventing unauthorized access to information systems and extends
to remote locations, home offices, and mobile access
6. Cryptography (Section 10) – This domain was added in the 2013 update and it
focuses on proper and effective use of cryptography to protect the CIA of
information.
7. Physical and Environmental Security (Section 11) – This domain focuses on
designing and maintaining a secure physical environment to prevent
unauthorized access, damage, and interference to business premises.
8. Operations Security (Section 12) – This domain focuses on data centre
operations, integrity of operations, vulnerability management, protection against
data loss, and evidence-based logging.
ISO 27002:2013 series (Code of Practice)
9. Communications Security (Section 13) – This domain focuses on the protection
of information in transit
10. Information Systems Acquisition, Development, and Maintenance (Section 14)
– This domain focuses on the security requirements of information systems,
applications, and code from conception to destruction.
11. Supplier Relationships (Section 15) – This domain was added in the 2013
update. The domain focuses on service delivery, third-party security requirements,
contractual obligations, and oversight.
12. Information Security Incident Management (Section 16) – This domain focuses
on a consistent and effective approach to the management of information security
incidents, including detection, reporting, response, escalation, and forensic
practices
ISO 27002:2013 series (Code of Practice)
13. Business Continuity (Section 17) – This domain focuses on availability and the secure provision of essential services during a disruption of normal operating conditions.
14. Compliance Management (Section 18) – This domain focuses on conformance with internal policy; local, national, and international criminal and civil laws; regulatory or contractual obligations; intellectual property rights (IPR); and copyrights.
Summary
• The CIA triad is the blueprint of what assets need to be protected in order to protect the organization.
• Protecting the organization’s information security can seem vague and too conceptual. Protecting the confidentiality, integrity, and availability of the data is a concrete way of saying the same thing.
• Standards such as ISO 27002 exist to help organizations better define appropriate ways to protect their information assets.
Thank You
Chapter 4: Governance and Risk Management
Objectives
Explain the importance of strategic alignment
Know how to manage information security policies
Describe information security-related roles and responsibilities
Identify the components of risk management
Create policies related to information security policy,
governance, and risk management
Understanding Information Security Policies
The goal of the information security policies is to protect the
organization from harm:
Policies should be written.
Policies should be supported by management.
Policies should help companies align security with business
requirements and relevant laws and regulations.
ISO 27002:2013 can provide a framework for developing
security policies.
What Is Meant by Strategic Alignment?
Treating security functions as a business enabler that adds value:
• It requires recognizing the value of information security, investing in
people and processes, and treating security in the same fashion as
every other business requirement.
• Recognizing that the true value of information security is protecting the
business from harm and achieving organizational objectives.
Two approaches to information security:
Parallel approach
Assigns responsibility for being secure to the IT department, views
compliance as optional, and has little or no organizational
accountability.
Integrated approach
Recognizes that security and success are intertwined.
User Versions of Information Security Policies
Policies can serve as teaching documents to influence
behavior.
Document and corresponding agreement should be developed
specifically for distribution to the user community.
Acceptable Use Policy:
Users need to acknowledge that they understand their
responsibilities and confirm their individual commitment.
Vendor Versions of Information Security Policies
Vendors (often referred to as “third parties”) are outside organizations that store,
process, transmit, or access information assets.
Companies should create vendor versions of information security policies.
Vendors should be required to have controls that meet or, in some cases,
exceed organizational requirements.
*Policies should be authorized by executive management.
*Policies should be updated on a regular basis.
One of the most efficient ways to evaluate vendor security is to provide them
with a vendor version of organizational security policies and require them to
attest to their compliance.
*The vendor version should only contain policies that are applicable to third
parties and should be sanitized so as not to disclose any confidential
information.
Client Synopsis of Information Security Policies
Client refers to companies to which the organization provides services.
A synopsis of the information security policy should be available
upon request to clients.
The synopsis could be expanded to incorporate:
Incident response and business continuity procedures
Notifications
Regulatory cross-references
The synopsis should not disclose confidential business information
unless the recipients are required to sign a non-disclosure agreement.
Evaluating Information Security Policies
*As applicable, standards, guidelines, plans, and procedures must be
developed to support the implementation of policy objectives and
requirements.
Policies can be evaluated internally or by independent third parties.
Objective of evaluating information security policy:
Measure the effectiveness of a security policy.
Estimate adherence to policy directives.
Measure the maturity of the information security program.
*Any information security policy distributed outside the organization must
be sanitized.
*All documentation will be retained for a period of six years from the last
effective date.
Evaluating Information Security Policies, cont.
Examples of standardized methodologies to evaluate security policy:
Audit:
Systematic, evidence-based evaluation.
Includes interviews, observation, tracing documents to management
policies, review of practices, review of documents, and tracing data
to source documents.
An audit report containing the formal opinion and findings of the audit
team is generated at the end of the audit.
Capability Maturity Model (CMM):
Used to evaluate and document process maturity for a given area.
Capability Maturity Model Scale
Level 0 – Non-Existent: The organization is unaware of the need for policies and processes.
Level 1 – Ad-hoc: There are no documented policies or processes; there is sporadic activity.
Level 2 – Repeatable: Policies and processes are not fully documented; however, the activities occur on a regular basis.
Level 3 – Defined Process: Policies and processes are documented and standardized; there is an active commitment to implementation.
Level 4 – Managed: Policies and processes are well defined, implemented, measured, and tested.
Level 5 – Optimized: Policies and processes are well understood and have been fully integrated into the organizational culture.
Who Authorizes Information Security Policy?
A policy is a reflection of the organization’s commitment, direction, and
approach.
Information security policies should be authorized by executive management.
Executive authorization of policy has four essential practices:
1. Place information security on the Board’s agenda.
2. Identify information security leaders, hold them accountable/responsible,
and ensure support for them.
3. Ensure the effectiveness of the corporation’s information security policy
through review and approval.
4. Assign information security to a key committee and ensure adequate
support for that committee.
Revising Information Security Policies:
Change Drivers
Organizations change over time; policies need to be revisited
Change drivers are events that modify how a company does business; they
can be:
1. Demographic
2. Economic
3. Technological, regulatory, or personnel related
Examples: company acquisition, new products, services or technology,
regulatory updates, entering into a contractual obligation, and entering a
new market.
Why revise:
Change can introduce new vulnerabilities and risk.
Changes trigger internal assessment.
Information Security Governance
The process of managing, directing, controlling, and influencing
organizational decisions, actions, and behaviors.
The Board of Directors is usually responsible for overseeing policy
development.
Effective security requires a distributed governance model with the active
involvement of stakeholders, decision makers, and users.
Distributed Governance Model
The foundation of a distributed governance model is the principle that
stewardship is an organizational responsibility.
Effective security requires the active involvement, cooperation, and
collaboration of stakeholders, decision makers, and the user community.
Elements of a distributed governance model:
1. Chief information security officer (CISO)
2. Information security steering committee
3. Compliance officer
4. Privacy officer
5. Internal audit
6. Incident response team
7. Data owners
8. Data custodians
9. Data users
Chief information security officer (CISO)
The CISO coordinates and manages security efforts across the company,
including IT, human resources (HR), communications, legal, facilities
management, and other groups.
The Chief Operating Officer (COO) will appoint the CISO.
The CISO will report directly to the COO.
At the COO’s discretion, the CISO may communicate directly with
members of the Board of Directors.
The CISO will chair the Information Security Steering Committee.
Information Security Steering Committee
The Information Security Steering Committee (ISC) is tasked with
supporting the information security program:
Serves in an advisory capacity.
Provides an open forum to discuss business initiatives and
security requirements.
Standing membership will include the CISO (Chair), the COO, the
Director of Information Technology, the Risk Officer, the
Compliance Officer, and business unit representatives.
Will meet on a monthly basis.
Organizational Roles and Responsibilities
In addition to the CISO and the Information Security Steering Committee, there are a
variety of roles that have information security–related responsibilities:
Compliance Officer – Responsible for identifying all applicable information
security–related statutory, regulatory, and contractual requirements.
Privacy Officer – Responsible for the handling and disclosure of data
as it relates to state, federal, and international law and customs.
Internal audit – Responsible for measuring compliance with Board-approved policies and ensuring that controls are functioning as intended.
Incident response team – Responsible for responding to and managing
security-related incidents.
Organizational Roles and Responsibilities
Data owners – Responsible for defining protection requirements for the
data based on classification, business need, legal, and regulatory
requirements; *reviewing the access controls; and monitoring and enforcing
compliance with policies and standards
Data custodians – Responsible for implementing, managing, and
monitoring the protection mechanisms *defined by data owners and
notifying the appropriate party of any suspected or known policy violations
or potential endangerments.
Data users – *Are expected to act as agents of the security
program by taking reasonable and prudent steps to protect the systems and
data they have access to.
These responsibilities should be documented in policies, job descriptions, or
employee manuals.
Information Security Risk
Three factors influence information security decision making and policy creation:
Guiding principles.
Regulatory requirements.
Risk associated with achieving business objectives.
Risk: The potential for an undesirable or unfavorable outcome from a given action.
Risk tolerance: How much undesirable outcome the risk taker is willing to accept.
Risk tolerance levels can be qualitative (for example, low, elevated, severe) or
quantitative (for example, dollar loss, number of customers impacted, hours of
downtime).
Risk appetite: The amount of risk an entity is willing to accept in pursuit of its
mission and objectives.
Risk Assessment
An objective of a risk assessment is to evaluate what could go wrong,
the likelihood of such an event occurring, and the harm if it did.
Risk assessment involves:
1. Identifying the inherent risk based on relevant threats, threat sources, and
related vulnerabilities.
2. Determining the impact of a threat if it occurs.
3. Calculating the likelihood of occurrence.
4. Determining residual risk.
Risk Assessment cont.
Inherent risk:
The level of risk before security measures are applied.
Residual risk:
The level of risk after security measures are applied.
Threat:
A natural, environmental, or human event that could cause harm.
*Information security focuses on the threats to:
confidentiality (unauthorized use or disclosure),
integrity (unauthorized or accidental modification), and
availability (damage or destruction).
Vulnerability:
A weakness that could be exploited by a threat.
Impact:
The magnitude of the harm.
A threat source is either:
an intent and method targeted at the intentional exploitation of a vulnerability, such as criminal
groups, terrorists, and disgruntled employees,
or a situation and method that may accidentally trigger a vulnerability, such as a severe
storm or accidental/unintentional behavior.
Business Risk Categories
In a business context, risk is further classified by category:
Strategic risk relates to adverse business decisions.
Financial (or investment) risk relates to monetary loss.
Reputational risk relates to negative public opinion.
Operational risk relates to loss resulting from inadequate or failed
processes or systems.
Personnel risk relates to issues that affect morale, productivity,
hiring, and retention.
Regulatory/compliance risk relates to violations of laws, rules,
regulations, or policy.
*Risk Assessment Methodologies
Components of a risk assessment methodology include:
Defined process
Assessment approach
Standardized analysis
Three well-known information security risk assessment
methodologies:
Operationally Critical Threat, Asset, and Vulnerability Evaluation
(OCTAVE)
Factor Analysis of Information Risk (FAIR)
NIST Risk Management Framework (RMF)
Risk Management
The process of determining an acceptable level of risk,
calculating the current risk level, accepting the level of risk, or
taking steps to reduce it to an acceptable level
Risk Management Components:
Risk acceptance
Risk mitigation
Risk reduction
Risk transfer
Risk sharing
Risk avoidance
Risk Management Components
Risk Acceptance: Risk acceptance indicates that the organization is willing
to accept the level of risk associated with a given activity or process.
Risk Mitigation: The process of reducing, sharing, transferring or avoiding
risk.
Risk Reduction: The process of applying controls to lower the residual risk.
Offensive control: reducing or eliminating vulnerabilities, e.g., by enhanced
training or applying security patches.
Defensive control: responding to a threat source, e.g., a sensor sending an alert or
detecting an intruder.
Risk Transfer: shifts the entire risk responsibility or liability from one
organization to another organization. This is often accomplished by
purchasing insurance.
Risk sharing: shifts a portion of risk responsibility or liability to other
organizations.
Risk avoidance: involves taking specific actions to eliminate or
significantly modify the process or activities that are the basis for the risk.
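Worked example, added here and not part of the course slides or Greene's book: a small Python risk register that carries the four risk assessment steps (threat and vulnerability, impact, likelihood, residual risk) through to the risk management decision. It scores inherent risk from likelihood and impact, applies offensive and defensive controls to obtain residual risk, and then accepts the risk or calls for further mitigation against a stated risk tolerance. The 1 to 3 qualitative scale, the rating thresholds, the Control and RiskItem classes, and the register entries are assumptions made for illustration.

```python
"""Qualitative risk assessment and treatment decision.

Added example, not from the slides or the book. The 1..3 likelihood and
impact scale, the rating thresholds, and the sample risk register are
assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Assumed qualitative scale for both likelihood and impact.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}
# Risk tolerance levels use the slide's wording: low, elevated, severe.
RATINGS = ["low", "elevated", "severe"]


@dataclass
class Control:
    name: str
    kind: str        # "offensive" (removes the vulnerability) or "defensive" (responds to the threat)
    reduces: str     # which factor the control lowers: "likelihood" or "impact"
    by: int = 1      # how many levels it lowers that factor (assumption)


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # low / moderate / high
    impact: str      # low / moderate / high
    controls: list = field(default_factory=list)


def score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact on the assumed 1..3 scale (range 1..9)."""
    return LEVELS[likelihood] * LEVELS[impact]


def rating(score_value: int) -> str:
    """Map a 1..9 score to a qualitative rating (assumed thresholds)."""
    if score_value <= 2:
        return "low"
    if score_value <= 4:
        return "elevated"
    return "severe"


def lower_level(level: str, by: int) -> str:
    """Lower a qualitative level by `by` steps, never below 'low'."""
    return LEVEL_NAMES[max(1, LEVELS[level] - by)]


def inherent_risk(item: RiskItem) -> int:
    """Steps 1 to 3: risk before any security measures are applied."""
    return score(item.likelihood, item.impact)


def residual_risk(item: RiskItem) -> int:
    """Step 4: risk after the item's controls lower likelihood and/or impact."""
    likelihood, impact = item.likelihood, item.impact
    for control in item.controls:
        if control.reduces == "likelihood":
            likelihood = lower_level(likelihood, control.by)
        else:
            impact = lower_level(impact, control.by)
    return score(likelihood, impact)


def treatment(item: RiskItem, tolerance: str) -> str:
    """Accept if the residual rating is within tolerance, otherwise mitigate further."""
    residual = rating(residual_risk(item))
    return "accept" if RATINGS.index(residual) <= RATINGS.index(tolerance) else "mitigate"


def sample_register() -> list:
    """Constructed register entries used for the demonstration."""
    db = RiskItem(
        asset="customer database", threat="criminal group",
        vulnerability="unpatched database server", likelihood="high", impact="high",
        controls=[
            Control("monthly patching", "offensive", "likelihood"),
            Control("IDS alerting to the SOC", "defensive", "impact"),
        ],
    )
    web = RiskItem(
        asset="public web server", threat="severe storm",
        vulnerability="no backup power", likelihood="low", impact="moderate",
    )
    return [db, web]


if __name__ == "__main__":
    for item in sample_register():
        print(f"{item.asset:20} inherent={inherent_risk(item)} ({rating(inherent_risk(item))})"
              f" residual={residual_risk(item)} ({rating(residual_risk(item))})"
              f" -> {treatment(item, 'elevated')}")
```

Running the block prints both register entries: the customer database drops from a severe inherent rating (9) to an elevated residual rating (4), which an organization with an elevated tolerance accepts and one with a low tolerance must mitigate further; the storm risk is already within tolerance and is accepted as-is.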
Information Security Risk Management
Oversight Policy Example
Summary
Information security policies should be reviewed at least annually
to ensure they are relevant and accurate
Information security audits should be conducted to ensure
policies are accepted and integrated
Governance is the process of managing, directing, controlling,
and influencing organizational decisions, actions, and behaviors
Risk management is the process of determining an acceptable
level of risk, calculating the current risk level, accepting the level
of risk, or taking steps to reduce it to an acceptable level
Thank You

Security Program and Policies: Principles and Practices, by Sari Stern Greene, Updated 02/2018
Week 5
Chapter 5: Asset Management
Contents
1. Information Assets and Systems
2. Information Classification
3. Labeling and Handling Standards
4. Information Systems Inventory
Objectives
Assign information ownership responsibilities
Develop and use information classification guidelines
Understand information handling and labeling procedures
Identify and inventory information systems
Create and implement asset classification policies
Information Assets and Systems
What is an information asset?
An information asset is a definable piece of information, stored in any
manner, and recognized as having value to the organization
It includes raw, mined, developed, and purchased data
*The information is used by the company (regardless of size) to fulfill its
mission or goal
Could be any information, such as customer and employee data,
research and proprietary data, intellectual property data, and operational
plans and procedures that have value to the company.
If the information is damaged, compromised, or stolen, the consequences
could include embarrassment, legal liability, financial ruin, and even loss of life.
Information Assets and Systems cont.
Information Systems
Provide a way and a place to process, store, transmit, and
communicate the information
Information systems are usually a combination of both hardware
and software assets.
Can be off-the-shelf or customized systems
Example of Information Assets and Systems
1. Data stores or warehouses of information about customers,
personnel, production, sales, marketing, or finances.
2. Intellectual property (IP) such as drawings, patents, music
scores, or other publications that have commercial value
3. Operational plans and procedures that have value to the
company
4. Research documentation
5. Strategic and operational plans and procedures that define
the organization
Who Is Responsible for Information Assets? Role of
Data/Information Owner (Information Ownership)
1. Defining the asset
2. Assigning value to the asset
3. Defining the level of protection required
4. Deciding who should have access to the asset
5. Delegating day-to-day security and operational tasks
Data/Information Owner is NOT the one who will be tasked with
implementing security controls
The Information Security Officer (ISO) is accountable for the protection
of the organization. Compare this with:
The information owner is responsible for the information he owns
The information custodian is responsible for implementing the
actual controls that protect the information assets
*The ISO is the central repository of security information
Role of Information Security Officer (ISO)
1. Accountable for the protection of the information asset.
2. Managing the day-to-day controls
3. Provide direction and guidance as to the appropriate controls
and to ensure that controls are applied consistently
throughout the organization.
4. Responsible for the security of the entire organization.
5. *ISO central repository of security information
6. Publishes the classification criteria, maintains the information
systems inventories, and implements broad strategic and
tactical security initiatives
Information Ownership Policy Statement
All information assets and systems must have an assigned owner.
The Office of Information Security (ISO) will maintain an inventory of information
ownership.
Owners are required to classify information and information systems in accordance
with the organizational classification guidelines.
Owners are responsible for determining the required level of protection.
Owners must authorize internal information and information system access rights
and permissions. Access rights and permissions must be reviewed and approved
annually.
Owners must authorize third-party access to information or information systems.
This includes information provided to a third party.
Implementation and maintenance of controls is the responsibility of the Office of
Information Security (ISO); however, accountability will remain with the owner of the
asset.
Information Classification
Objective of an information classification system is to
differentiate data types.
Definitions:
Information Classification
Information classification is the organization of information assets
according to their sensitivity to disclosure.
Classification Systems
Classification systems are labels that we assign to identify the
sensitivity levels (public, internal use, confidential, unclassified)
Information Classification Lifecycle Process
Assignment of classification ends with declassification/release.
The information owner is responsible for managing this process,
which is as follows:
1. Document the information asset and the supporting information systems.
2. Assign a classification level.
3. Apply the appropriate labeling.
4. Document “special” handling procedures (if different from organizational
standards).
5. Conduct periodic classification reviews.
6. Declassify information when (and if) appropriate.
Classification Systems
Federal Information Processing Standard 199 (FIPS-199) is
Standards for Security Categorization of Federal Information
and Information Systems.
Classification systems are now used in:
1. Government and military
*Based on executive order, according to who is handling the data
2. Commercial
*As per the organization’s hierarchy, decided by the
information owner
Information Classification
FIPS-199 requires information owners to classify information and information
systems based on CIA criteria as:
Low potential impact
The loss of CIA could be expected to have a limited adverse effect on organizational
operations, organizational assets, or individuals.
Moderate potential impact
The loss of CIA could be expected to have a serious adverse effect on organizational
operations, organizational assets, or individuals.
High potential impact
The loss of CIA could be expected to have a severe or catastrophic adverse effect on
organizational operations, organizational assets, or individuals.
The generalized format for expressing the security category (SC) of an
information type is as follows (next slide is an example):
SC of information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are low, moderate, high, or not applicable.
Examples of FIPS-199 classification
An organization managing public information on its web server
determines that:
There is no potential impact from a loss of confidentiality (that
is, confidentiality requirements are not applicable),
A moderate potential impact from a loss of integrity, and
A moderate potential impact from a loss of availability
The resulting Security Category (SC) of this information type is
expressed as follows:
SC = {(confidentiality, n/a), (integrity, moderate), (availability, moderate)}
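The FIPS-199 notation above, carried through as an added Python example (not from the slides or from the FIPS-199 text): security_category validates the three potential-impact values, format_sc renders the SC in the slide's notation, and system_category goes one step beyond the slide by combining several information types into the category of the information system that holds them, using the FIPS-199 high water mark rule (highest impact per objective, and never "not applicable" for a system). The function names and the second sample information type (visitor logs) are assumptions for illustration.

```python
"""FIPS-199 security categorization of information types and a system.

Added example, not from the slides or the FIPS-199 text. The function
names and the sample information types are assumptions for illustration.
"""
IMPACT_VALUES = ("low", "moderate", "high", "n/a")
OBJECTIVES = ("confidentiality", "integrity", "availability")
ORDER = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}

# Potential-impact definitions as stated on the slide.
IMPACT_DESCRIPTION = {
    "low": "limited adverse effect",
    "moderate": "serious adverse effect",
    "high": "severe or catastrophic adverse effect",
    "n/a": "not applicable",
}


def security_category(confidentiality: str, integrity: str, availability: str) -> dict:
    """Build the SC of one information type, validating each impact value."""
    sc = {}
    for objective, value in zip(OBJECTIVES, (confidentiality, integrity, availability)):
        value = value.strip().lower()
        if value == "not applicable":
            value = "n/a"
        if value not in IMPACT_VALUES:
            raise ValueError(f"{objective}: {value!r} is not one of {IMPACT_VALUES}")
        sc[objective] = value
    return sc


def format_sc(sc: dict) -> str:
    """Render in the slide's notation, e.g. SC = {(confidentiality, n/a), ...}."""
    body = ", ".join(f"({objective}, {sc[objective]})" for objective in OBJECTIVES)
    return "SC = {" + body + "}"


def system_category(info_types: list) -> dict:
    """SC of an information system that processes several information types.

    FIPS-199 (section on information systems) gives the system the highest
    impact per objective across its information types (the high water mark),
    and does not allow 'n/a' for a system, so the floor is 'low'.
    This rule is not on the slide.
    """
    result = {}
    for objective in OBJECTIVES:
        highest = max((sc[objective] for sc in info_types), key=ORDER.__getitem__)
        result[objective] = "low" if highest == "n/a" else highest
    return result


if __name__ == "__main__":
    # Constructed sample: the public web content from the slide, plus a
    # second information type (visitor logs) on the same server.
    public_web = security_category("n/a", "moderate", "moderate")
    visitor_logs = security_category("moderate", "low", "low")
    print(format_sc(public_web))
    print(format_sc(system_category([public_web, visitor_logs])))
    # -> SC = {(confidentiality, moderate), (integrity, moderate), (availability, moderate)}
```

The first line printed reproduces the slide's example exactly; the second shows why a web server that also keeps visitor logs ends up with a moderate confidentiality requirement even though the public content itself has none.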
Information Classification Cont.
Government & Military Classification Systems:
Top Secret (TS)
Applied to “any information or material the unauthorized disclosure of which reasonably could
be expected to cause exceptionally grave damage to the national security”, e.g., war
breaking out.
Secret (S)
Applied to “any information or material the unauthorized disclosure of which reasonably could
be expected to cause serious damage to the national security”, e.g., disruption of foreign
relations.
Confidential (C)
Applied to “any information or material the unauthorized disclosure of which reasonably could
be expected to cause damage to the national security”, e.g., strength of ground, air, and
marine forces.
Unclassified (U)
Applied to “any information that can generally be distributed to the public without any threat
to national interest”.
Sensitive But Unclassified (SBU)
Applied to “any information of which the loss, misuse or unauthorized access to, or
modification of might adversely affect U.S. National Interests”, e.g., For
Official Use Only / Internal Use Only.
Information Classification Cont.
Commercial classification systems:
No standard: Each company can choose its own system that
matches its culture and needs
Usually less complex than the government system
*The more regulated a company, the more complex the
classification system it adopts
Most systems revolve around these four classification
levels: (next slide example)
1. Protected
2. Confidential
3. Internal Use
4. Public
Information Classification Cont.
Commercial classification systems
Protected
Data protected by law, regulation, memorandum of agreement, contractual obligation,
or management choice
Examples: Social Security numbers, personal health information, financial
information
Confidential
Data essential to the mission of an organization
Only available to a small circle of authorized individuals
Disclosure would cause significant financial loss, reputation loss and/or legal liability
Internal Use:
Data necessary for conducting ordinary company business
Loss, disclosure, and corruption may impair the business and lead to business,
financial, or legal loss
Public:
Information that does not require protection
Information that is specifically intended for the public
Information Classification Policy Example
Reclassification/Declassification
The need to protect information may change
With that change, the label assigned to that information may
change as well
The process of downgrading sensitivity levels is called
declassification
The process of upgrading sensitivity levels is called reclassification
Labeling and Handling Standards
Information labeling:
Labeling is the vehicle for communicating the assigned classification to
information custodians and users
Labels must be clear and self-explanatory
In electronic form, the label should be made part of the filename, e.g., Transaction
History–PROTECTED
In printed form, the label should be clearly visible on the outside and in the
header and/or footer
Information handling:
Information must be handled in accordance with its classification.
Handling standards inform custodians and users how to treat the information
they use and the systems they interact with.
Handling standards generally include storage, transmission, communication,
access, retention/release, destruction, and disposal, and may extend to incident
management and breach notification
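Added Python example (not from the slides or the book) that ties the labeling standard above to the reclassification/declassification slide: it reads the classification label from an electronic file name in the form the slide gives (Transaction History–PROTECTED), lists files that carry no label, and when a label is changed reports whether the information was declassified (sensitivity downgraded), reclassified (upgraded), or classified for the first time. The dash delimiter, the ordering Public < Internal Use < Confidential < Protected, and the sample file names are assumptions.

```python
"""Classification labels in electronic file names, with reclassification.

Added example, not from the slides or the book. The label delimiter,
the ordering of the four commercial levels and the sample file names are
assumptions for illustration.
"""
import re

# Commercial levels from least to most sensitive (ordering assumed from the
# slide's definitions: Public < Internal Use < Confidential < Protected).
LEVELS = ["PUBLIC", "INTERNAL USE", "CONFIDENTIAL", "PROTECTED"]

# The label sits at the end of the file name, after a dash and before the
# extension, as in the slide's "Transaction History–PROTECTED".
_LABEL_RE = re.compile(
    r"\s*[–-]\s*(PUBLIC|INTERNAL USE|CONFIDENTIAL|PROTECTED)(\.[A-Za-z0-9]+)?$"
)


def split_name(filename: str):
    """Return (base name, label or None, extension)."""
    match = _LABEL_RE.search(filename)
    if match:
        return filename[:match.start()], match.group(1), match.group(2) or ""
    stem, dot, ext = filename.rpartition(".")
    if dot and stem:
        return stem, None, "." + ext
    return filename, None, ""


def read_label(filename: str):
    """The classification carried in the file name, or None when unlabeled."""
    return split_name(filename)[1]


def unlabeled(filenames):
    """Files that violate the 'label in the filename' standard."""
    return [f for f in filenames if read_label(f) is None]


def relabel(filename: str, new_level: str):
    """Apply a new label and report the kind of change.

    Returns (new file name, action) where action is 'declassified' for a
    downgrade, 'reclassified' for an upgrade, 'classified' for a previously
    unlabeled file, or 'unchanged'.
    """
    new_level = new_level.strip().upper()
    if new_level not in LEVELS:
        raise ValueError(f"unknown classification level: {new_level!r}")
    base, old_level, ext = split_name(filename)
    if old_level is None:
        action = "classified"
    elif LEVELS.index(new_level) < LEVELS.index(old_level):
        action = "declassified"
    elif LEVELS.index(new_level) > LEVELS.index(old_level):
        action = "reclassified"
    else:
        action = "unchanged"
    return f"{base}–{new_level}{ext}", action


if __name__ == "__main__":
    # Constructed sample listing of a file share.
    files = ["Transaction History–PROTECTED.xlsx", "Q3 Plan.docx", "memo–INTERNAL USE.txt"]
    print("unlabeled:", unlabeled(files))
    print(relabel("Transaction History–PROTECTED.xlsx", "internal use"))
    print(relabel("Q3 Plan.docx", "confidential"))
```

The unlabeled check is the one a custodian would run over a share before applying handling standards, since a file with no label cannot be handled according to its classification; relabel records the direction of each change so that declassification decisions by the information owner are visible in the file history.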
Information Classification Handling and Labeling
Requirements Policy Example
Information Systems Inventory
*Many organizations don’t have an up-to-date inventory
*Creating a comprehensive inventory of information systems is
a major task
Both hardware and software assets should be inventoried
Each asset should have a unique identifier and a description
Company assets should be accounted for at all times
An asset management procedure should exist for moving and
destroying assets
Information Systems Inventory cont.
Hardware assets include (but are not limited to): visible and tangible pieces
of equipment and media, such as:
1. Computer equipment
2. Printers
3. Communication and network equipment
4. Storage media
5. Infrastructure equipment (Power supplies, air conditioners)
Software assets include (but are not limited to): programs or code that
provide the interface between the hardware, the users, and the data.
Generally, fall into three categories:
1. Operating system software
2. Productivity software (Microsoft Word, Excel, Publisher, and PowerPoint, Adobe Reader)
3. Application software (Complex machinery, Process bank transactions, or manage lab equipment)
Inventory of Information System Assets
Policy Example
Summary
A company cannot defend its information assets unless it knows
what it is and where it is. Furthermore, the company must also
identify how critical these assets are to the business process.
FISMA requires federal agencies to classify their information and
information systems as low, moderate, or high security based on
criteria identified in FIPS-199.
Companies need an inventory of their assets and a classification
system for those assets.
Thank You

Security Program and Policies: Principles and Practices, by Sari Stern Greene, Updated 02/2018
Chapter 6: Human Resources Security
Objectives
Define the relationship between information security and
personnel practices
Recognize the stages of the employee lifecycle
Describe the purpose of confidentiality and acceptable use
agreements
Understand appropriate security education, training, and
awareness programs
*Create personnel-related security policies and procedures
Introduction
Employees need access to information and information systems.
Thus, we must know our employees’ background, education, and weaknesses.
Before employees are given access to information and information
systems:
• They must understand organizational expectations, policies, handling
standards, and consequences of noncompliance.
• This information is generally codified into two agreements:
1. A confidentiality agreement
2. An acceptable use agreement
The Employee Lifecycle
Represents stages in the employee’s career
Lifecycle models can vary but most include the following stages:
1. Recruitment
2. Onboarding
3. User provisioning
4. Orientation
5. Career development
6. Termination
The Employee Lifecycle (Cont.)
1. Recruitment:
It includes all the processes leading up to and including the hiring of a new employee.
2. Onboarding:
The employee is added to the organization’s payroll and benefits systems.
3. User provisioning:
The employee is assigned equipment as well as physical and technical access permissions.
• *It is also invoked whenever there is a change in the employee’s position, level of access required, or
termination.
4. Orientation:
The employee settles into the job, integrates with the corporate culture, familiarizes himself
with coworkers/colleagues and management, and establishes his role within the organization.
5. Career development:
The employee matures in his role in the organization. *Professional development frequently
means a change in roles and responsibilities.
6. Termination:
The employee leaves the organization.
• Processes are somewhat dependent on whether the departure is the result of resignation, firing, or
retirement.
• Tasks include removing the employee from the payroll and benefits system, recovering information
assets such as his smartphone, and deleting or disabling user accounts and access permissions.
What Does Recruitment Have to Do with Security?
Risks and rewards of posting online employment ads:
A company can reach a wider audience
A company can publish an ad that gives too much information:
About the network infrastructure and therefore allow a hacker to footprint
the internal network easily and stealthily
About the company itself, inviting social engineering attacks
Job Postings
Job descriptions are supposed to:
Convey the mission of the organization
Describe the position in general terms
Outline the responsibilities attached to said position
Outline the company’s commitment to security via the use of such terms
as non-disclosure agreement
Job descriptions are NOT supposed to:
Include information about specific systems, software versions, security
configurations, or access controls
It’s harder to attack a network if one doesn’t know what hardware and
software are in use
If the above information is deemed necessary, two versions of the position
can be created. The second, more detailed version should be posted
internally and shared with candidates that have made the “first cut”
Candidate Application Data
Companies are responsible for protecting the data and
privacy of the job seeker
Non-public personal information (NPPI) should not be
collected if possible.
Such as social security number, driver’s license, bank account, payment
card information (PCI) and personal health information (PHI).
The Interview
Job Interview:
The interviewer should be concerned about revealing too much about
the company during the interview.
For example, an interviewer might reveal that the organization is about to
launch a new mobile app and that they know little about how to secure it!
Job candidates should never gain access to secured areas.
Do not give tours inside the organization.
A job interview is a perfect foot-printing opportunity for hackers and social
engineers.
Screening Prospective Employees
An organization should protect itself by running extensive
background checks on potential employees at all levels of the
hierarchy (criminal record)
Some higher-level positions may require even more in-depth
checks
Many U.S. government jobs require prospective employees
have the requisite clearance level
Types of Background Checks
*The company should have a basic background check level to
which all employees are subjected.
Not all potential employees need to undergo the same level of
inspection
Information owners may require more in-depth checks for
specific roles.
Types of Background Checks
Rules that need to be considered when conducting background checks:
1. Workers’ right to privacy:
Not all information is fair game to gather.
Workers have a right to privacy in certain personal matters.
Only information relevant to the actual work they perform.
2. Getting consent:
Companies should seek consent ( )ﻣواﻓﻘﺔfrom employees before launching a
background check.
Consent request needs to be included on the application forms and
requires the applicant to agree in writing.
3. Using social media:
Social media sites are increasingly being used to “learn more” about a
candidate.
In some countries, the law prohibits the use of this information in hiring decisions
Types of Background Checks Cont.
What Happens in the Onboarding Phase?
The new hire is added to the organization’s payroll and
benefit systems
New employees must provide:
1. Proof of identity
2. Work authorization
3. Tax identification (There is no individual income tax scheme in Saudi
Arabia.)
What Is User Provisioning?
The process of:
Creating user accounts and group memberships
Providing company identification
Assigning access rights and permissions
Assigning access devices such as tokens and/or smartcards
The user should be provided with and acknowledge the terms
and conditions of the Acceptable Use Agreement before being
granted access.
What Should an Employee Learn During Orientation?
Their responsibilities
Information handling standards and privacy protocols
Ask questions
Why Is Termination Considered the Most
Dangerous Phase?
The terminated employee may seek revenge, create havoc,
or take information with them.
Don’t assume that a termination is friendly even if the
employee resigns for personal reasons or is retiring.
How to handle termination properly:
• Disable access to the network, internal and web-based
applications, email, and company-owned social media.
The Importance of Employee Agreements
It is common practice to require employees, contractors, and outsourcers to sign two
basic agreements:
Confidentiality or non-disclosure agreements
Agreement between employees and organization
Defines what information may not be disclosed by employees
Goal: To protect sensitive information
Especially important in these situations:
When an employee is terminated or leaves
When a third-party contractor was employed
Acceptable Use Agreement
A policy contract between the company and information systems users
Components of an Acceptable Use Agreement:
Introduction
Data classifications
Applicable policy statement
Handling standards
Contacts
Sanctions for violations
Acknowledgment
The Importance of Employee Agreements cont.
Components of an Acceptable Use Agreement
1. Introduction: sets the tone for the agreement and emphasizes the commitment of the
leadership of the organization.
2. Data classifications: define (and include examples of) the classification schema adopted by the
organization.
3. Applicable policy statements: include Authentication & Password Controls, Application
Security, Messaging Security (including email, instant message, text, and video conferencing),
Internet Access Security, Remote Access Security, Mobile Device Security, Physical Access
Security, Social Media, Incidental Use of Information Resources, Expectation of Privacy, and
Termination.
4. Handling standards: ordered by classification level, specify how information must be stored,
transmitted, communicated, accessed, retained, and destroyed.
5. Contacts: should include to whom to address questions, report suspected security incidents,
and report security violations.
6. Sanctions for Violations: details the internal process for handling violations as well as
applicable civil and criminal penalties for which the employee could be liable.
7. Acknowledgment: states that the user has read the agreement, understands the
agreement and the consequences of violation, and agrees to abide by the policies presented.
The agreement should be dated, signed, and included in the employee’s permanent record.
The Importance of Security Education and Training
Training employees
According to NIST: “Federal agencies […] cannot protect […] information […]
without ensuring that all people involved […]:
Understand their role and responsibilities related to the organization’s mission
Understand the organization’s IT security policy, procedures and practices
Have at least adequate knowledge of the various management, operational and
technical controls required and available to protect the IT resources for which
they are responsible”
Hackers adapt: if it is easier to use social engineering – i.e., targeting users –
than to hack a network device, that is the road they will take
Securing only network devices and neglecting to train users on information
security topics ignores half of the threats against the company
What Is the SETA Model?
What is SETA?
A general term for three different programs: Security Education, Training and Awareness.
1. Awareness:
It is not training; it focuses the attention of employees on security topics to change
their behavior.
Intended to allow individuals to recognize IT security concerns and respond accordingly.
Security awareness programs are designed to remind the user of appropriate behaviors.
A poster reminding employees to check and make sure the door is shut completely is an
example of an awareness program.
2. Security training:
“Seeks to teach skills” (per NIST).
Examples:
Training a firewall administrator how to close ports.
Training an auditor how to read logs.
Training a system administrator how to create user accounts
Security training should NOT be dispensed only to the technical staff but to all
employees.
What Is the SETA Model?
3. Security Education
Per NIST: The ‘Education’ level integrates all of the security skills and
competencies/capabilities of the various functional specialties into a
common body of knowledge, adds a multidisciplinary study of concepts,
issues, and principles (technological and social), and strives to produce
IT security specialists and professionals capable of vision and pro-active
response.
Education is generally targeted to those who are involved in:
The decision-making process.
Classifying information.
Choosing controls.
Evaluating and reevaluating security strategies
Employee Agreements Policy Example:
Summary
A security policy that does not include personnel as a
permanent threat to the data owned by the company is
incomplete. Social engineering is more virulent than ever.
Failing to train users on security topics is a bad mistake and
may result in a lack of compliance for some federal mandates.
All users should sign the Acceptable Use Agreement before
receiving access to the company’s systems and equipment.
Thank You
Saudi Electronic University
Bachelor of Science in Information Technology
IT476
IT Security and Policies
26/12/2021
Security Program and Policies
Principles and Practices
by Sari Stern Greene
Updated 02/2018
Chapter 7: Physical & Environmental Security
Objectives
Define the concept of physical security and how it relates to information
security
Evaluate the security requirements of facilities, offices, and equipment
Understand the environmental risks posed to physical structures, areas
within those structures, and equipment
Enumerate the vulnerabilities related to reusing and disposing of
equipment
Recognize the risk posed by the loss or theft of mobile devices and media
Develop policies designed to ensure the physical and environmental
security of information, information systems, and information processing
and storage facilities
Introduction
ISO 27002:2013 encompasses both physical and environmental
security.
Environmental security refers to the workplace environment, which
includes the design and construction of the facilities, how and where
people move, where equipment is stored, how the equipment is
secured, and protection from natural and man-made disasters.
A physical security expert may question the location, the topography,
and even the traffic patterns of walkers, automobiles, and airplanes.
Introduction
Creating and maintaining physical and environmental security is a
team effort.
Security professionals often focus on technical controls and can
overlook the importance of physical controls
Early Computer Age (easy system protection):
Locked labs, heavy computers, and only a few people were granted access to
information
Today:
Transportable computers, cloud environments, many employees/workers,
and limited privacy
Understanding the Secure Facility Layered Defense Model
In the layered defense model, if an intruder bypasses one layer of
controls, the next layer should provide additional defense and
detection capabilities
Controls can be both physical and psychological
The appearance of security is itself a deterrent
E.g., medieval castles:
Built of stone, on a high hill, with guards, and one entry way
All designed to ward off intruders.
How to Secure the Site
Physical protection is required for information-processing facilities.
Information-processing facilities range from:
1. A closet with one server, to
2. A complex of buildings with thousands of computers
In addressing site physical security, we must think of:
1. Theft
2. Malicious activity
3. Accidental damage
4. Damage that results from natural disasters
The design of a secure site starts with the location
Evaluating location-based threats:
1. Political stability
2. Susceptibility to terrorism
3. Crime rate in the area
4. Roadways and flight paths
5. Utility stability
6. Vulnerability to natural disasters
How to Secure the Site (Cont…)
Critical information processing facilities should be inconspicuous and
unremarkable
They should not have signage relating to their purpose, nor should their outward
appearance hint at what may be inside.
The physical perimeter can be protected using:
1. Obstacles:
Berms, fences, gates, and bollards
Illuminated entrances, exits, pathways, and parking areas
2. Detection systems:
Cameras, closed-circuit TV, alarms, motion sensors, and security guards
3. Response systems:
Locking gates and doors, personnel notification, and direct communication with
police.
How Is Physical Access Controlled?
The next area to consider is physical entry and exit controls,
which can be selected from:
1. Authorizing Entry (building access)
2. Securing Offices, Rooms, and Facilities (within the building)
3. Working in Secure Areas
4. Ensuring clear desks and screens
Access control rules should be designed for:
Employees
Third-party (contractors/partners/vendors)
Visitors
Physical entry/access controls (rules):
Users should be authorized prior to gaining access to a protected area
Visitors should be identified, labeled, and authorized prior to gaining access to protected area
Visitors should be required to wear identification that can be evaluated from a distance, such as
a badge
Identification should start as soon as a person attempts to gain entry
Physical Entry Controls Policy Example
Securing Offices, Rooms, and Facilities
Workspaces should be classified based on the level of protection required
Some internal rooms and offices as well as parts of individual rooms (cabinets
and closets) may also require different levels of protection
Classification system should address
1. Personnel security
2. Information system security
3. Documents security
Secure design controls for spaces within a building include (but are not
limited to) the following:
Structural protection such as full-height walls, fireproof ceilings, and restricted
vent access
Alarmed solid, fireproof, lockable, and observable doors
Alarmed locking, unbreakable windows
Monitored and recorded entry controls (keypad, biometric, card swipe)
Monitored and recorded activity
Working in Secure Areas
It is not enough to just physically secure an area; close
attention should also be paid to
Who is allowed to access the area
What they are allowed to do
The area should be
Continually monitored
Access control lists should be reviewed frequently
Based on the circumstances, devices are restricted from
entering certain areas
Cameras, smartphones, tablets, and USB drives
Ensuring Clear Desks and Screens
Companies have a responsibility to protect physical and digital information (during
the workday and non-business hours)
Protected or confidential documents should never be viewable to unauthorized
personnel
1. Documents should be locked in file rooms, desk drawers, and cabinets when not in use
2. Copiers, scanners, and fax machines should be located in nonpublic areas and
require the use of codes
Unauthorized access can be the result of viewing a document left unattended
Also protect documents or screens from Shoulder Surfing
Shoulder surfing is the act of looking over someone’s shoulder to see what is
displayed on a monitor or device.
Password-protected screen savers should be configured to engage automatically.
Users should be trained to lock their screens when leaving devices unattended.
Physical security expectations and requirements should be included in organizational
acceptable use agreements.
Clear Desk and Clear Screen Policy Example
Protecting Equipment (Energy Consumption)
No power, no processing—it’s that simple
All information systems rely on clean, consistent, and abundant supplies of electrical
power.
Portable devices that run on battery power require electricity for replenishment.
Power is not free.
Power can be very expensive, and excessive use has an environmental and geopolitical
impact
After lighting, computers and monitors have the highest energy consumption in office
environments.
As power consumption and costs rise, saving energy is becoming a significant issue
Universities and Fortune 500 organizations have been leaders in the sustainable
“green” computing movement.
The goals of sustainable computing are to
1. Reduce the use of hazardous materials,
2. Maximize energy efficiency during the product’s lifetime,
3. Promote the recyclability or biodegradability of defunct products and factory
waste.
Protecting Equipment
Both company and employee-owned equipment should be protected
To function properly, systems need consistent power delivered at the correct
voltage level.
Systems need to be protected from power loss, power degradation, and
even from too much power, all of which can damage equipment.
Common causes of voltage variation include:
1. Lightning; damage to overhead lines from storms, trees, birds, or
animals
2. Vehicles striking poles or equipment
3. Load changes or equipment failure on the network.
4. Heat waves can also contribute to power interruptions as the demand for
electricity
Protecting Equipment
Hardware assets must be protected from:
1. Power surges: Prolonged increase in voltage
2. Power spikes: momentary increase in voltage
3. Brownout: Prolonged period of low voltage
4. Sag: Momentary periods of low voltage
5. Blackouts: Prolonged periods of power loss
6. Fault: Momentary loss of power
Protective devices can be installed to help protect the area and assets such as
1. Voltage regulators
2. Isolation transformers
3. Line filters
No power, No processing
Reduce power consumption, for example by purchasing Energy Star certified
devices
How Dangerous Is Fire?
Three elements of fire protection:
1. Fire prevention controls
These are the first line of defense.
Fire prevention controls include:
Hazard assessments and inspections,
Adhering to building and construction codes,
Using flame-retardant/nonflammable materials, and
Proper handling and storage procedures for flammable/combustible materials.
2. Fire detection
It is recognizing that there is a fire.
Fire detection devices can be
Smoke activated,
Heat activated, or
Flame activated.
3. Fire containment and suppression
It involves actually responding to the fire.
Containment and suppression equipment is specific to fire classification.
How Dangerous Is Fire (Fire Classification)
Responding to the fire based on its specific classification
Class A: Fire with combustible materials as its fuel source,
such as wood, cloth, paper, rubber, and many plastics
Class B: Fire in flammable liquids, oils, greases, tars, oil-based paints,
lacquers, and flammable gases
Class C: Fire that involves electrical equipment
Class D: Fire that involves combustible metals
Facilities must comply with standards that require fire-extinguishing
methods to be tested annually to validate full functionality.
The best-case scenario is that data centers and other critical locations are
protected by an automatic fire-fighting system that spans multiple classes.
In any emergency, human life always takes precedence. All personnel should
know how to quickly and safely evacuate an area.
What About Disposal?
What do servers, workstations, laptops, tablets,
smartphones, firewalls, routers, copiers, scanners, printers,
memory cards, cameras, and flash drives have in
common?
They all store data that should be permanently removed
before handing down, recycling, or discarding.
What About Disposal (Data Files)?
The data can be apparent, hidden, temporary, cached, browser based, or metadata.
1. Apparent data files are files that authorized users can view and access.
2. Hidden files are files that the operating system by design does not display.
3. Temporary files are created to hold information temporarily while a file is being created.
4. A web cache is the temporary storage of web documents, such as HTML pages,
images, and downloads.
5. A data cache is the temporary storage of data that has recently been read and, in some
cases, adjacent data areas that are likely to be accessed next.
6. Browser-based data includes the following items:
1. Browsing history, which is the list of sites visited
2. Download history, which is the list of files downloaded
3. Form history, which includes the items entered into web page forms
4. Search bar history, which includes items entered into the search engines
5. Cookies, which store information about websites visited, such as site preferences
and login status
7. Metadata is details about a file that describes or identifies it, such as title, date, author
name, subject, and keywords that identify the document’s topic or contents.
Data Destruction Standard
NIST Special Publication 800-88 defines data destruction as
“the result of actions taken to ensure that media cannot be
reused as originally intended and that information is virtually
impossible to recover or prohibitively expensive.”
What About Disposal?
Removing data from drives
Formatting a hard drive or deleting files does not mean that the data located
on that drive cannot be retrieved
Two methods for permanently removing data from drives before their
disposal:
Disk wiping (overwriting every sector of the hard drive with 0s and 1s)
Degaussing (exposing the hard drive to a strong magnetic field)
What About Disposal?
Disk wiping
The process overwrites the master boot record (MBR), partition table, and every
sector of the hard drive with patterns of 0s and 1s several times. Then the drive is
formatted.
The more times the disk is overwritten and formatted, the more secure the disk wipe is.
Disk wiping does not work reliably on solid-state media: USB thumb drives, compact
flash, and MMC/SD cards.
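The overwrite-then-verify cycle described above, as an added example (not code from the slides or the book): it builds a constructed disk-image file with a fake MBR and marker data, overwrites every sector with alternating 0x00/0xFF passes, and reads the image back to confirm nothing recognisable remains. The 512-byte sector size, the pass pattern and the marker string are assumptions made for this demo, and the "drive" is a temporary file, never a real device.

```python
"""Simulated multi-pass disk wipe (added example, not from the slides).

The "drive" here is an ordinary temporary file standing in for a disk image,
never a real block device, so the example is safe to run anywhere.
Assumptions made for this demo: a 512-byte sector size, a 512-byte "MBR"
in sector 0, and alternating all-zero / all-one overwrite passes.
"""
import os
import tempfile

SECTOR = 512  # assumed sector size for the simulated drive


def make_fake_disk(path: str, sectors: int = 16) -> bytes:
    """Write a constructed disk image: sector 0 mimics an MBR (boot-code-like
    bytes plus the 0x55AA signature) and every other sector carries a
    recognisable marker string.  Returns the marker so it can be checked
    later.  All content is constructed sample data."""
    marker = b"CONFIDENTIAL-PAYROLL-SAMPLE"
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"   # typical jump-instruction prologue
    mbr[510:512] = b"\x55\xaa"   # MBR boot signature
    with open(path, "wb") as f:
        f.write(mbr)
        for _ in range(sectors - 1):
            sector = bytearray(SECTOR)
            sector[: len(marker)] = marker
            f.write(sector)
    return marker


def wipe_image(path: str, passes: int = 3) -> int:
    """Overwrite the whole image 'passes' times: MBR, partition-table area
    and data sectors alike.  Even passes write 0x00, odd passes write 0xFF,
    and each pass is flushed to the OS before the next starts.
    Returns the number of sectors covered by each pass."""
    size = os.path.getsize(path)
    for p in range(passes):
        pattern = b"\x00" if p % 2 == 0 else b"\xff"
        with open(path, "r+b") as f:
            remaining = size
            while remaining > 0:
                chunk = min(SECTOR, remaining)
                f.write(pattern * chunk)
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    return (size + SECTOR - 1) // SECTOR


def verify_wiped(path: str, marker: bytes, passes: int) -> bool:
    """Read the image back and confirm the marker and the MBR signature are
    gone and every byte equals the final pass's pattern.  Reading back through
    the same interface is the only check a wipe tool has; on flash media
    wear-levelling can keep old blocks the host can no longer address, which
    is why the slides say wiping is unreliable on solid-state media."""
    last = 0x00 if (passes - 1) % 2 == 0 else 0xFF
    with open(path, "rb") as f:
        data = f.read()
    if marker in data or data[510:512] == b"\x55\xaa":
        return False
    return all(b == last for b in data)


def demo(sectors: int = 16, passes: int = 3) -> dict:
    """Run build -> wipe -> verify on a temporary file and report the outcome."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        marker = make_fake_disk(path, sectors)
        with open(path, "rb") as f:
            before = f.read()
        present_before = marker in before and before[510:512] == b"\x55\xaa"
        covered = wipe_image(path, passes)
        return {
            "sectors": covered,
            "marker_present_before": present_before,
            "wiped": verify_wiped(path, marker, passes),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```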
Degaussing
The process wherein a magnetic object, such as a computer tape, hard disk drive, or
CRT monitor, is exposed to a magnetic field of greater, fluctuating intensity.
As applied to magnetic media, such as video, audio, computer tape, or hard drives, the
movement of magnetic media through the degaussing field realigns the particles,
resetting the magnetic field of the media to a near-zero state, erasing all the data written
to the tape or hard drive.
In many instances, degaussing resets the media to a like-new state so that it can be
reused and recycled.
What About Disposal?
Destroying materials
The objective of physical destruction is to render the device and/or the media
unreadable and unusable.
Devices and media can be crushed, shredded, or, in the case of hard drives,
drilled in several locations perpendicular to the platters and penetrating clear
through from top to bottom.
Cross-cut shredding technology, which reduces material to fine, confetti-like
pieces, can be used on all media, ranging from paper to hard
drives.
What About Disposal?
Outsource the destruction process
Companies that offer destruction services often have specialized equipment
and are aware of environmental and regulatory requirements.
The downside is that the organization is transferring responsibility for
protecting information.
The media may be transported to off-site locations, and the data is handled
by non-employees over whom the originating organization has no control.
Selecting a destruction service is serious business, and thorough due
diligence/care is in order.
Stop, Thief! (Statistics)
According to the Federal Bureau of Investigation (FBI), on average:
1 in 10 individuals will have their laptop stolen at some point.
97% of laptops stolen will never be returned to their rightful owners.
The cost of lost and stolen devices is significant:
The most obvious loss is the device itself.
What costs more is the cost of detection, investigation, notification, after-the-fact
response, and the economic impact of lost customer trust and
confidence, especially if the device contained legally protected
information.
Summary
The physical perimeter of the company must be secured.
Some internal rooms and offices must be identified as needing
more security controls than others. These controls must be
deployed.
Environmental threats such as power loss or a fire must be taken
into account and the proper hardware must be placed.
A clean screen and desk policy is important to protect the
confidentiality of company-owned data.
It is important to permanently remove data before recycling or
disposing of a device.
Thank You
Chapter 8: Communications and Operations Security
Objectives
Author useful standard operating procedures
Implement change control processes
Understand the importance of patch management
Protect information systems against malware
Consider data backup and replication strategies
Recognize the security requirements of email and email systems
Appreciate the value of log data and analysis
Evaluate service provider relationships
Write policies and procedures to support operational and
communications security
Introduction
Communication and operations security focuses on Information technology (IT)
and Security functions:
1. Standard operating procedures
2. Change management
3. Malware protection
4. Data replication
5. Secure management
6. Activity monitoring
These functions are carried out by IT and information security data custodians
(e.g., network administrators, security engineers)
Standard Operating Procedures (SOPs)
SOPs are detailed explanations of how to perform a task
SOPs provide standardized direction, improved communication,
reduced training time, and improved work consistency
Effective SOPs include:
1. Who performs the task
2. What materials are necessary
3. Where the task takes place
4. When the task will be performed
5. How the person will execute the task
SOPs Documentation
SOPs should be properly documented to protect the company
If a critical task or business process is known only to one employee and is not
documented, and that employee becomes unavailable, the organization could be
seriously harmed
Documented SOPs standardize the target process and provide
sufficient information
Someone with limited experience can successfully perform the procedure
unsupervised
SOPs should be written in detail by someone with sufficient
experience of the targeted process
Authorizing SOP Documentation
Documented procedure must be:
Reviewed
The reviewer should check the SOP for clarity and reliability
Verified
The verifier should test the procedure and ensure the steps are correct
and none are missing
Authorized (before publication)
The process owner is responsible for authorization, publication and
distribution of the document
Protecting SOP Documentation
The integrity of the SOP document should be protected through:
Access controls
Should be applied to protect the procedure document from any
tampering/altering
Version controls
Employees should use the latest revision of the procedure
Developing SOPs
SOPs should be:
Concise & clear
Logical step-by-step order
Plain language format
Exceptions are noted and explained
Warnings are clear and stand out
Choosing the format of an SOP is based on:
How many decisions the user will make
How many steps are in the procedure
Developing SOPs
There are four common SOP formats:
1. Simple step
Procedure contains fewer than 10 steps
Does not involve many decisions
2. Hierarchical / 3. Graphic
Procedure contains more than 10 steps
Does not involve many decisions
4. Flowchart
Procedure can contain any number of steps
Involves many decisions
Developing SOPs Methods
SOPs Documentation Policy Example
Operational Change Control
Change control:
An internal procedure in which authorized changes are made to software,
hardware, network access privileges, or business processes.
Managing change allows organizations to be productive and spend less
time in crisis mode.
Example: an operating system that is neither completely updated to the new version nor
still at its original version results in an unstable platform that hinders the productivity
of the entire company.
The change control process:
1. Submitting a Request For Change (RFC)
2. Developing a change control plan
3. Communicating change
4. Implementing & monitoring change
Submitting a Request for Change
The first phase of the change control process is an RFC submission
The RFC should include:
1. Description of the proposed change
2. Justification why the change should be implemented
3. Impact of not implementing the change
4. Alternatives
5. Cost
6. Resource requirements and timeframe
The change is then evaluated and if approved, it will be implemented
Developing a Change Control Plan
Once the change is approved, the next step is to develop a change
control plan
The change control plan should include:
1. Security reviews to ensure no new vulnerabilities are introduced
2. Implementation instructions
3. Rollback and/or recovery options
4. Post-implementation monitoring
*The complexity of the change and its risk to the organization will
influence the level of detail within the change control plan.
Communicating Change
Change must be communicated to all relevant parties (employees, managers)
There are two main categories of messages that are communicated:
1. Messages about the change, which should include:
Current situation
The need for change
What the change is, how things will change, and when
2. Messages about how the change will impact employees
Impact on the day-to-day activities of employees
Implications for job security
Implementing & Monitoring Change
Change can be unpredictable
If possible, change should be applied to a test environment to check and
monitor its impact.
A plan must be in place to roll back or recover from failed implementation
All actions and steps taken to implement the change should be recorded and
documented
Change should be continuously monitored for any flaws and unexpected impacts
Patching
A patch is software or code designed to fix a problem
Applying security patches is the primary method of fixing security vulnerabilities in
software
Patches need to be applied quickly to prevent attackers from exploiting code and
information
Patch Management
The process of scheduling, testing, approving, and applying security patches
Patching can be unpredictable and disruptive
Users should be notified of potential downtime due to patch installation
Malware Protection
Malware (malicious software) is designed to:
1. Disrupt computer operation
2. Gather sensitive information
3. Gain unauthorized access to computer systems and mobile devices
Malware can infect a system by being bundled with other programs
or by self-replicating
Most malware typically requires user interaction such as:
1. Clicking an email attachment
2. Downloading a file from the Internet
Different Types of Malware
Malware can be categorized as:
Viruses: malicious code that attaches to become part of another program
Worm: a piece of code that spreads from one computer to another without
requiring a host file
Trojans: malicious code that masquerades as a legitimate application
Bots: Snippets of code designed to automate tasks and respond to
instructions
Ransomware: a type of malware that takes a computer or its data hostage
Rootkits: a set of software tools that hides its presence on the computer,
using some of the lower layers of the operating system or the device basic
input/output system (BIOS) with privileged access permissions.
Spyware/adware: general term describing software that tracks Internet
activity and searches without user knowledge
How Is Malware Controlled?
Prevention controls
Stop an attack before it occurs
Disable remote desktop connections
Configure the firewall to restrict access
Disallow users from installing software on company devices
Detection controls
Identify the presence of malware, alert the user, and prevent the
malware from carrying out its mission
Detection controls include the following:
Real-time firewall detection of suspicious file downloads.
Real-time firewall detection of suspicious network connections.
What Is Antivirus Software?
Antivirus software is used to detect, contain, and in some cases
el…