Monday, December 29, 2014

What is security Policy?

o   Set of decisions
o   Rules & regulations
o   Written or verbally understood
o   Which collectively determine an organisation's posture towards security
o   Delimits the boundaries
o   Acceptable & non-acceptable behaviours
o   What is ethical and what is non-ethical?
o   What is the degree of seriousness of the offence?
o   Or is it an offence at all?
o   What if it is violated?

§  A share broker
§  A corporate body
§  A household appliance wholesaler
§  A student
§  A teacher
etc. will have
o   Different requirements
o   Different priorities
o   Different needs
o   Different missions / targets / goals

Organisations differ in their:
o   Culture
o   Structures
o   Strategy
And thus Security Policy will also differ from organisation to organisation.

Security Policy will decide:
o   What legal course of action will you follow if attacked?
o   What will be considered a cognizable crime?
o   Can anyone be sued?
o   Infringing on someone else’s rights?

To devise a security policy you must ask yourself several questions:
1.    What resources are you trying to protect?
2.    Who would be interested in attacking you?
3.    How much security can you afford?

Never underestimate your own assets!
The database is the most important asset in e-commerce!

1.3 What is Security Policy? - Definition

§  A security policy is the set of decisions that collectively determines an organization's attitude toward security.

§  A security policy defines the boundaries of acceptable behaviour and what the response to violations should be.

Naturally, security policies will differ from organization to organization.
Your security policy may determine what legal course you have to take if you are ever attacked.

You must first decide what is and is not permitted. To some extent, this process is driven by the business or structural needs of the organization. Thus, some companies may issue a verdict that bars the personal use of corporate computers.

Some companies wish to restrict outgoing traffic, to guard against employees exporting valuable data. Other policies may be driven by technological considerations.

In general, computer security means keeping anyone from doing anything unwanted or undesired with computers & peripherals. It is the way of protecting your precious assets, whether information or resources.

1.4 Picking a security policy

A 'Security Policy' describes your plan and methodology for safeguarding your assets, i.e. what measures / precautions you take (or do not take) in order to keep your assets secure. A security policy differs from organization to organization. All later decisions are then based on this formulated policy.

The first step here is to perform a Risk Analysis. It is the process of examining all your risks & then finding a cost-effective way of dealing with them.

A few important steps in this are:

1.      Finding out what resources you wish to protect: Resources may include: Physical resources like printers, monitors, keyboards, drives, modems etc. & Logical resources like source & object programs, data, utilities, operating system, applications etc.

What resources are you trying to protect? The answer to this will dictate the host-specific measures that are needed. Machines with sensitive files may require extra security measures: stronger authentication, keystroke logging and strict auditing, or even file encryption. If the target of interest is the outgoing connectivity, the administrator may choose to require certain privileges for access to the network. Perhaps all such access should go through a proxy that performs extra logging.

2.      Find out who can disrupt them & in what ways: The threats to your assets may include

  • Physical threats to the resources such as theft or malfunctioning devices
  • Logical threats such as unauthorized access to data, information, resources
  • Unintended disclosure of your information.

3.      Who is interested in attacking you?
  • Outsiders as well as insiders may form the collective answer here.
  • What kind of security therefore must be provided differs from the type of attacker you are planning against.

4. How much security can you afford?
Part of the cost of security is direct financial expenditure, such as the extra routers, firewalls, software packages, and so on. Often the administrative costs are overlooked. There is another cost, however: a cost in convenience, productivity, and even morale. Too much security can hurt as surely as too little can. Annoyed by increases in security, people get frustrated. Finding the proper balance is therefore essential.

What stance do you take?
The stance is the attitude of the designer. It is determined by the cost of failure and the designer's estimate of its likelihood. It is also based on the designer's opinion of their own abilities. At one end of the scale is the philosophy of correcting a mistake only after it happens; at the other end is taking preventive measures so that no mistake occurs.


Experiment in Picking a Security Policy

What policy should I have while surfing?
Let us do a practical experiment:

1.    Open Internet Explorer
2.    Click on "Tools"
3.    Click on "Internet Options"
4.    Click on "Security"
5.    Click on "Custom Level"
6.    Look at "Reset to" / "Default level"

Study the following levels.
1.    High
2.    Medium
3.    Medium-low and
4.    Low


High:
The safest way to browse, but also the least functional.
Less secure features are disabled.
Appropriate policy for sites that might have harmful content.

Medium:
Safe browsing & still functional.
Prompts before downloading potentially unsafe content.
Unsigned ActiveX controls will be downloaded.
Appropriate for most Internet sites.

Medium-Low:
Same as Medium but with prompts.
Most content will run without prompts.
Unsigned ActiveX controls will be downloaded.
Appropriate for sites on the local network (intranets).

Low:
Minimum safeguards and warning prompts provided.
Most content is downloaded and run without prompts.
All active content can run.
Appropriate for sites that you absolutely trust.

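To audit the same Internet-zone settings without clicking through the dialog, here is an added PowerShell example (not part of the original post); it assumes the per-user zone key and the value names documented in Microsoft KB 182569, where `Zones\3` is the Internet zone and 1001/1004/1201 are the ActiveX download and scripting actions.

```powershell
# Added example (not from the original post): read the Internet zone level and its
# ActiveX actions from the registry instead of the "Custom Level" dialog.
# Assumption: key path and value names as in Microsoft KB 182569 (Zones\3 = Internet).
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# CurrentLevel values that correspond to the named default levels in the dialog.
$levelNames = @{
    0x12000 = 'High'
    0x11500 = 'Medium-high'
    0x11000 = 'Medium'
    0x10500 = 'Medium-low'
    0x10000 = 'Low'
}
# Each per-action value is 0 = Enable, 1 = Prompt, 3 = Disable.
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}

function Get-InternetZoneAudit {
    $zone  = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    $level = $zone.CurrentLevel
    $result = [ordered]@{}
    $result['Level'] = if ($null -ne $level -and $levelNames.ContainsKey([int]$level)) {
        $levelNames[[int]$level]
    } else { 'Custom or not set ({0})' -f $level }

    foreach ($id in $actions.Keys) {
        $raw = $zone.$id
        $result[$actions[$id]] = if ($null -eq $raw) { 'Not set' }
            elseif ($actionNames.ContainsKey([int]$raw)) { $actionNames[[int]$raw] }
            else { "Unknown ($raw)" }
    }
    # Findings: unsigned or unsafe ActiveX running with no prompt is the Low-level
    # behaviour described above and is what a Medium-or-stricter policy should not allow.
    $result['Findings'] = @(
        foreach ($id in '1004', '1201') {
            if ($null -ne $zone.$id -and [int]$zone.$id -eq 0) {
                "$($actions[$id]) is Enabled (no prompt)"
            }
        }
    )
    [pscustomobject]$result
}

Get-InternetZoneAudit | Format-List
```

Run it as the user whose browsing policy you are checking; an empty Findings list means neither risky ActiveX action is set to Enable for the Internet zone.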
1.5 What kind of security?

a. Host Based Security:
If a host is connected to a network, it ought to be up to the host to protect itself from network-borne abuses. It is possible to tighten up a host to a fair degree of security. The hosts that tend to be safer include commercial firewalls, which are built with security as their primary goal. SSL (Secure Socket Layer) provides reasonably easy access to encrypted connections, and numerous similar attempts are evolving.

b. Perimeter Security:
If you have tremendous security at the door, attackers will always prefer to go around it and get into the system another way. This is why perimeter security is needed. The perimeter approach is not effective if the network is too large. The network boundaries should not have holes or secret entrances that allow the attacker to get in.

Such attackers are commonly called hackers. A hacker is an individual who finds ways of exploiting your systems, looks for known loopholes (vulnerabilities) & may then disclose them or use them for personal gain.

A hacker is technically sound, not satisfied with just running programs, but needs to understand how it works. A hacker may also be an individual who is employed as a security consultant. Many companies do that. (Thieves know their own ways & methods. So, why not use a thief to track another?)



1.6 Distinguish between a Hacker and a cracker.

§  Qualities of a Hacker: Lots of Knowledge & Experience. Good Guy. Strong Ethics. Never Indulges in Crime. Catches Computer Criminals. (Mnemonics: H for Hacker, H for Heck of it!)

§  Qualities of a Cracker: Lots of Knowledge & Experience. Bad Guy. Low Ethics. Mostly Indulges in Crime. Is a Computer Criminal himself. (Mnemonics: C for cracker, C for Criminal)

Once you know why you require security, what resources you have to protect & from whom you need to protect them, you are ready to form your policy. A good security policy should have the following characteristics:

  • Should define a clear set of security goals.
  • Accurately define each issue discussed in the policy.
  • Define under what circumstances each issue is applicable.
  • Should be enforceable with security tools wherever appropriate.
  • Should clearly define the areas of responsibility for users, administrators & management.
  • Should have acceptance within the organization.

Hence, a security policy is a document, which describes the acceptable network activity as well as the penalties for misuse of it.
