TOPIC 6: PRINCIPLES OF SECURE DESIGN - Coggle Diagram
SECURITY POLICIES
1. What is a policy?
A security policy is a document that defines how an organization will deal with some aspect of security.
Security policies can also be created to deal with regulatory requirements. These types of policies direct members of the organization as to how to comply with certain regulations.
There can be policies regarding end-user behavior, IT response to incidents, or policies for specific issues and incidents.
For example, a policy might advise users that emailing from a smartphone over a Wi-Fi hotspot can be insecure, but not forbid it.
2. Defining User Policies
An organization should have a policy for every foreseeable situation.
The misuse of systems is a major problem for many organizations.
A large part of the problem comes from the difficulty in defining exactly what counts as misuse, including password sharing, copying data, leaving accounts logged on while employees go to lunch, etc.
Several areas that effective user policies must cover:
a) Password
A good password is at least eight characters long, uses numbers and special characters and has no obvious relevance to the end user.
Keeping passwords secure is critical.
b) Internet use
Most organizations provide their users with some sort of internet access. There are several reasons for this; the most obvious reason is email.
c) Email Usage
Email security is a significant issue for any network administrator.
d) Installing / Uninstalling Software
End users should not be allowed to install anything on their machines.
e) Instant Messaging
Instant messaging is also widely used and abused by employees in companies and organizations, although it can be used for legitimate business purposes.
f) Desktop Configuration
Many users like to reconfigure their desktop (changing the background, screensaver, font size, resolution, etc.).
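The password rules in item (a) above (at least eight characters, a digit, a special character, nothing obviously tied to the user) are easy to state but are usually enforced by code at account creation time. The checker below is an added example, not part of the original diagram; it treats "no obvious relevance to the end user" as "does not contain the username or any part of the user's name", which is an assumption made here to make the rule testable. The sample users and passwords are constructed.

```python
import re


def check_password(password, username="", full_name=""):
    """Return a list of policy violations; an empty list means the password passes.

    Rules (from the policy note):
      - at least eight characters
      - at least one digit
      - at least one special (non-alphanumeric) character
      - no obvious relevance to the user, interpreted here (assumption) as not
        containing the username or any word of the user's name, case-insensitively
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    lowered = password.lower()
    # Compare against the username and each word of the full name; very short
    # tokens (under three characters) are skipped to avoid meaningless matches.
    seen = set()
    for token in [username] + full_name.split():
        token = token.lower()
        if len(token) >= 3 and token not in seen and token in lowered:
            problems.append(f"contains user-related token {token!r}")
            seen.add(token)
    return problems


def demo():
    # Constructed sample user; returns the violation list per candidate password.
    candidates = ["Smith2024!", "password!", "Tr0ub4dor&3"]
    return {p: check_password(p, username="jsmith", full_name="Jane Smith")
            for p in candidates}


if __name__ == "__main__":
    for pw, issues in demo().items():
        print(f"{pw!r}: {'OK' if not issues else ', '.join(issues)}")
```

A policy check like this belongs wherever passwords are set (the identity provider or the application's account service), not only in a written document; the written policy tells users what is expected, and the check makes sure the expectation is met.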
3. Defining System Administration Policies
a) New Employees
When a new employee is hired, the system administration policy must define specific steps to safeguard company security.
New employees must be given access to the resources and applications their job function requires. The granting of that access must be documented (possibly in a log).
b) Departing Employees
When an employee leaves, it is critical to make sure all of his logins
c) Change Requests
d) Security Breaches
i. Virus Infection
ii. Denial of Service Attacks
iii. Intrusion by a Hacker
4. Defining Access Control
An important area of security policies that usually generates some controversy in any organization is access control.
There is always a conflict between users' desire for unconstrained access to any data or resources on the network and the security administrator's desire to protect that data and those resources.
This means that extremes in policy are not practical.
The core of access control is the least privilege concept: each person is given the minimum privileges necessary to do his or her job.
Implicit deny
means that all users are implicitly denied access to network resources until an administrator explicitly grants them access.
Separation of duty
means that no one person can perform critical tasks alone; at least two individuals are needed.
This prevents one person from accidentally, or intentionally, causing a security breach through inappropriate use of critical functions.
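The three access-control ideas above (least privilege, implicit deny, separation of duty) can be shown together in a small authorization model. The code below is an added example written for this page, not code from the original diagram: grants are held per user as explicit (resource, action) pairs so that anything not granted is denied by default, every grant and revocation is written to an audit log (the documentation of access that the new-employee and departing-employee sections call for), and actions listed as dual-control require approval by a second, distinct, authorized person. The users, resources and actions are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class AccessControl:
    # Explicit grants only: {user: {(resource, action), ...}}.
    # Implicit deny: any (user, resource, action) not present here is refused.
    grants: dict = field(default_factory=dict)
    # (resource, action) pairs that need a second person (separation of duty).
    dual_control: set = field(default_factory=set)
    # Record of grants, revocations and decisions, as the policy requires.
    audit_log: list = field(default_factory=list)

    def grant(self, admin, user, resource, action):
        # Least privilege: a grant covers one action on one resource, never "everything".
        self.grants.setdefault(user, set()).add((resource, action))
        self.audit_log.append(f"GRANT by={admin} user={user} resource={resource} action={action}")

    def revoke_all(self, admin, user):
        # Departing employee: remove every grant at once and log how many were removed.
        removed = len(self.grants.pop(user, set()))
        self.audit_log.append(f"REVOKE_ALL by={admin} user={user} count={removed}")
        return removed

    def is_allowed(self, user, resource, action):
        # Implicit deny: an unknown user or an ungranted pair simply returns False.
        return (resource, action) in self.grants.get(user, set())

    def perform(self, user, resource, action, approver=None):
        """Decide whether `user` may carry out `action` on `resource` right now."""
        if not self.is_allowed(user, resource, action):
            self.audit_log.append(f"DENY user={user} resource={resource} action={action}")
            return False
        if (resource, action) in self.dual_control:
            # Separation of duty: the approver must exist, must be a different
            # person, and must themselves hold the same privilege.
            if (approver is None or approver == user
                    or not self.is_allowed(approver, resource, action)):
                self.audit_log.append(
                    f"DENY_SOD user={user} approver={approver} resource={resource} action={action}")
                return False
        self.audit_log.append(
            f"ALLOW user={user} approver={approver} resource={resource} action={action}")
        return True


def demo():
    """Walk through the constructed scenario and return the decisions made."""
    ac = AccessControl(dual_control={("payroll", "approve_transfer")})
    ac.grant("admin", "alice", "payroll", "approve_transfer")
    ac.grant("admin", "bob", "payroll", "approve_transfer")
    ac.grant("admin", "alice", "hr_db", "read")
    results = {
        "alice reads hr_db": ac.perform("alice", "hr_db", "read"),
        "alice writes hr_db (never granted)": ac.perform("alice", "hr_db", "write"),
        "carol reads hr_db (unknown user)": ac.perform("carol", "hr_db", "read"),
        "alice transfers alone": ac.perform("alice", "payroll", "approve_transfer"),
        "alice approves herself": ac.perform("alice", "payroll", "approve_transfer", approver="alice"),
        "alice with unauthorized approver": ac.perform("alice", "payroll", "approve_transfer", approver="carol"),
        "alice with bob approving": ac.perform("alice", "payroll", "approve_transfer", approver="bob"),
    }
    results["grants removed when alice leaves"] = ac.revoke_all("admin", "alice")
    results["alice reads hr_db after leaving"] = ac.is_allowed("alice", "hr_db", "read")
    return results, ac.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for k, v in decisions.items():
        print(f"{k}: {v}")
    print("\n".join(log))
```

Two points in the model matter in practice: the deny path never consults a "deny list" (there is nothing to keep up to date, because absence of a grant is the denial), and the audit log records the refusals as well as the grants, which is what lets an administrator review whether the policy is being exercised as written.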
By Nurulain Binti Adinan Nasir(065489)