Security Policy (arbab)

Faham Usman

on 22 May 2014

Transcript of Security Policy (arbab)

Information Security
Security Policy
Awareness Campaign
Salim is your Cyber Security Advisor.
Aims at promoting, building and ensuring a safer & secure cyber environment and culture in the UAE.
About aeCERT
One of the initiatives of the UAE Telecommunications Regulatory Authority.
aeCERT is the United Arab Emirates Computer Emergency Response Team.
About aeCERT
Security Policy
Why Security Policy
Challenges in defining Security Policy
Types of Security Policies
Security Policy Development Process
Salim (aeCERT)
For more information
Security Policy
Security policy is a set of standards that define how an organization manages and protects its resources and information.
It is a document that identifies assets of the company with respect to their criticality and how they will be protected.
Security Policy
Security policy helps protect against external and internal threats.
External threats are addressed by making sure that no one from outside the organization accesses the company’s resources.
Internal threats are addressed by defining the roles and responsibilities of all personnel with respect to their designation.
Security Policy
Why Security Policy?
Provides directives of the management to employees
Defines roles and responsibilities of individuals with respect to their designation
Classifies assets based on their criticality
Defines role of each asset
Why Security Policy?
Secures information according to sensitivity and criticality
Acts as a base for guidelines and procedures
Becomes easy to establish accountability
Fulfills compliance and legal requirements
Challenges in Defining Security Policy
Developing a security policy is a difficult task because it is unique to every organization, depending upon its structure.
There is no common format for developing a security policy.
Making a security policy that is simple and easily understandable for everyone is vital.
Challenges in Defining Security Policy
Convincing management and getting their consensus.
Defining criticality of assets.
Analyzing implemented security against defined policy.
Implementation of security policy.
Defining punishments for violating the policy.
Reporting policy violations.
Types of Security Policies
Preventive Policy
Preventing an incident addresses both external and internal aspects.
It documents the process to add any application or device to the organization’s network or systems.
Defines a policy that would keep systems and applications updated so that it becomes difficult for anyone to find or exploit a vulnerability.
Detective Policy
In case an incident cannot be prevented, it is very important to detect it in time to prevent complete system or network failure.
The detection policy defines what information is to be collected and analyzed.
The policy for people having access to information with respect to their roles is also defined.
This policy also defines the mechanism through which the information will be collected and analyzed.
Preventive and Detective Policy
Reactive Policy
The responding policy defines the steps to be taken after an incident has occurred.
The policy defines how an incident will be reported.
This policy defines how damage caused by a particular incident can be mitigated.
The policy also prioritizes the incidents to be mitigated according to their level of criticality.
Corrective Policy
The policies documented in an organization are subject to change due to ever evolving technologies and threats.
The policies need to be modified with time to keep up with the latest trends.
Security training and awareness play a vital role in the implementation of security policies.
Policies are improved based on previous incidents and latest security threats.
Security Policy Development Process
Analyzing Current Policies
Risk Assessment
Policy Review Panel
Developing Information Security Plan
Developing Information Security Policies
Implementation of Policies
Training and Awareness Campaign
Compliance Review
Evaluate Implementation
Revision / Updating of Policy
Security Policy Designing
1. Analyzing Current Policies
Analyze currently implemented policies.
Identify the controls and determine level of control needed
Identify who should write the policies
Security Policy Designing
2. Risk Assessment
Security Policy Designing
3. Policy Review Panel
Make a policy review panel that would be involved throughout the policy designing process.
The first step of writing a security policy is to write an initial draft that contains all security-related points.
Send the initial draft to the review panel for their feedback.
Incorporate feedback in the draft and submit for approval.
Security Policy Designing
4. Developing Information Security Plan
Describe goals of the security plan.
Provide basis for information security compliance, risk assessment and audit.

Define roles and responsibilities.
Security Policy Designing
5. Developing Information Security Policy
The information security policy provides guidance for decision makers.
The information security policy defines what standards should be followed.
Security Policy Designing
6. Implementation of Policies
This is the phase where actual policies are implemented.
In this phase controls are implemented to enforce security policies.

Security Policy Designing
7. Training and Awareness Campaign
Conduct training and awareness campaign for users regarding the newly devised security policy.
Make sure users understand the criticality of implementing controls.

Security Policy Designing
Security Policy Designing
10. Revision of Policy
Information Security Policy
The information security policy is a collection of policies that help organizations safeguard their data.

The policy also ensures that the data should be segregated according to its level of criticality and it should only be accessed by authorized personnel.

The information security policy consists of policies including:
Password Policy
Email Security Policy
Mobile Policy
Dial-in Access Policy
Information Sensitivity Policy Framework
Incident Response Policy
Business Continuity and Disaster Recovery Policy
Asset Management Policy
Application Security Policy
Physical Security Policy
Email Security Policy
Following are types of email security policies that an organization should implement:
Automatically Forwarded Email Policy
This policy is defined to prevent unauthorized or unintentional disclosure of the company’s sensitive information to the outside world on behalf of the company.
E-mail Policy
This policy addresses appropriate use of email sent from a company’s email address. The purpose of this policy is to prevent all employees from sending inappropriate email using the company’s official email account.
E-mail Retention Policy
This policy is devised to help employees determine which information sent or received by email should be retained and for what period of time.
Password Policy
Password policy is designed to establish a standard to ensure creation and protection of strong passwords.

Password policy consists of the following parts:

Password creation guideline
Describes the selection and intensity of characters including uppercase, lowercase, numbers, special characters and punctuation.

Password protection guideline
This part of the policy emphasizes the measures that must be taken to protect passwords.
Mobile Policy
The purpose of the mobile policy is to safeguard the company’s data that resides on employees’ mobile devices.

This part of the policy describes how mobile devices, including laptops, cell phones, PDAs, etc., would employ full disk encryption using an approved software encryption package to protect data at rest. None of the company’s data should be stored in clear text.
The keys used for encryption and decryption must comply with the company’s complexity requirements.
Storing Data
Employees are not allowed to store any of the company’s data on their personal mobile devices unless there is a business need for doing so.
Mobile device theft or loss should be immediately reported to the company.
Policy Review Panel