ch05 HumanFactorsandPolicy

(1)

Computer Security:

Principles and Practice

First Edition First Edition

by William Stallings and Lawrie Brown by William Stallings and Lawrie Brown

Lecture slides by Lawrie Brown Lecture slides by Lawrie Brown

Chapter 14 –

(2)

Human Factors



important, broad area



consider a few key topics:

 security awareness, training, and educationsecurity awareness, training, and education

 organizational security policy organizational security policy

 personnel securitypersonnel security

(3)

Security Awareness, Training,

and Education



prominent topic in various standards



provides benefits in:

 improving employee behaviorimproving employee behavior

 increasing employee accountabilityincreasing employee accountability

 mitigating liability for employee behaviormitigating liability for employee behavior

 complying with regulations and contractual complying with regulations and contractual

(4)

(5)

Awareness



seeks to inform and focus an employee's

attention on security issues

 threats, vulnerabilities, impacts, responsibilitythreats, vulnerabilities, impacts, responsibility



must be tailored to organization’s needs



using a variety of means

 events, promo materials, briefings, policy docevents, promo materials, briefings, policy doc



should have an employee security policy

document

(6)

Training



teaches what people should do and how

they do it to securely perform IS tasks



encompasses a spectrum covering:

 general usersgeneral users

• good computer security practices_{good computer security practices}

 programmers, developers, maintainersprogrammers, developers, maintainers

• security mindset, secure code development_{security mindset, secure code development}

 managersmanagers

• tradeoffs involving security risks, costs, benefits_{tradeoffs involving security risks, costs, benefits}

 executivesexecutives

(7)

Education



most in depth



targeted at security professionals whose

jobs require expertise in security



more employee career development



often provided by outside sources

 college coursescollege courses

(8)

Organizational Security Policy



“

formal statement of rules by which people

given access to organization's technology

and information assets must abide”

(9)

Organizational Security Policy



need written security policy document



to define acceptable behavior, expected

practices, and responsibilities

 makes clear what is protected and whymakes clear what is protected and why  articulates security procedures / controlsarticulates security procedures / controls  states responsibility for protectionstates responsibility for protection

 provides basis to resolve conflicts provides basis to resolve conflicts



must reflect executive security decisions

(10)

(11)

Policy Document Responsibility



security policy needs broad support



especially from top management



should be developed by a team including:

 site security administrator, IT technical staff, site security administrator, IT technical staff,

user groups admins, security incident user groups admins, security incident

response team, user groups representatives, response team, user groups representatives,

(12)

Document Content

 what is the reason for the policy?_{what is the reason for the policy?}  who developed the policy?_{who developed the policy?}

 who approved the policy?_{who approved the policy?}

 _{whose authority sustains the policy?}_{whose authority sustains the policy?}  which laws / regulations is it based on?_{which laws / regulations is it based on?}  who will enforce the policy?_{who will enforce the policy?}

 how will the policy be enforced?_{how will the policy be enforced?}  whom does the policy affect?_{whom does the policy affect?}

 _{what information assets must be protected?}_{what information assets must be protected?}  _{what are users actually required to do?}_{what are users actually required to do?}

 how should security breaches be reported?_{how should security breaches be reported?}

(13)

Security Policy Topics

 principles_principles

 organizational reporting structure_{organizational reporting structure}  _{physical security}_{physical security}

 _{hiring, management, and firing}_{hiring, management, and firing}

 _{data protection}_{data protection}

 communications security_{communications security}  _hardware_hardware

 _software_software

(14)

Security Policy Topics cont.

 technical support_{technical support}  privacy_privacy

 access_access

 accountability_{accountability}  authentication_{authentication}  availability_availability

 maintenance_maintenance

 violations reporting_{violations reporting}  business continuity_{business continuity}

(15)

Resources



ISO 17799

 popular international standardpopular international standard

 has a comprehensive set of controls has a comprehensive set of controls

 a convenient framework for policy authorsa convenient framework for policy authors



COBIT

 business-oriented set of standardsbusiness-oriented set of standards

 includes IT security and control practicesincludes IT security and control practices



Standard of Good Practice for Information

Security

(16)

Personnel Security

 hiring, training, monitoring behavior, and _{hiring, training, monitoring behavior, and}

handling departure handling departure

 employees security violations occur:_{employees security violations occur:}

 unwittingly aiding commission of violationunwittingly aiding commission of violation  knowingly violating controls or proceduresknowingly violating controls or procedures

 threats include:_{threats include:}

 gaining unauthorized access, altering data,gaining unauthorized access, altering data, deleting deleting

production and back up data,

production and back up data, crashing systems,crashing systems, destroying systems,

destroying systems, misusing systems ,misusing systems , holding data holding data hostage,

hostage, stealing strategic or customer data for stealing strategic or customer data for corporate espionage or fraud schemes

(17)

Security in Hiring Process



objective:

 ““to ensure that employees, contractors and third to ensure that employees, contractors and third party users understand their responsibilities, and

party users understand their responsibilities, and

are suitable for the roles they are considered for,

and to reduce the risk of theft, fraud or misuse of

facilities”



need appropriate background checks,

screening, and employment agreements

(18)

Background Checks & Screening

 issues:_issues:

 inflated resumesinflated resumes

 reticence of former employers to give good or bad reticence of former employers to give good or bad

references due to fear of lawsuits

 _{employers do need to make significant effort to}_{employers do need to make significant effort to}

do background checks / screening do background checks / screening

 get detailed employment / education historyget detailed employment / education history  reasonable checks on accuracy of detailsreasonable checks on accuracy of details  have experienced staff members interviewhave experienced staff members interview

 for some sensitive positions, additional intensive _{for some sensitive positions, additional intensive}

(19)

Employment Agreements



employees should agree to and sign the

terms and conditions of their employment

contract, which should include:

 information on their and the organization’s information on their and the organization’s

security responsibilities security responsibilities

 confidentiality and non-disclosure agreementconfidentiality and non-disclosure agreement

 agreement to abide by organization's security agreement to abide by organization's security

(20)

During Employment



current employee security objectives:

• ensure employees, contractors, third party users _{ensure employees, contractors, third party users} are aware of info security threats & concerns

are aware of info security threats & concerns • know their responsibilities and liabilities_{know their responsibilities and liabilities}

• are equipped to support organizational security _{are equipped to support organizational security} policy in their work, and reduce human error risks policy in their work, and reduce human error risks



need security policy and training



security principles:

 least privilegeleast privilege

 separation of dutiesseparation of duties

(21)

Termination of Employment

 termination security objectives: _{termination security objectives:}

• ensure employees, contractors, third party users _{ensure employees, contractors, third party users}

exit organization or change employment in an

orderly manner

• that the return of all equipment and the removal of _{that the return of all equipment and the removal of}

all access rights are completed

 critical actions:_{critical actions:}

 remove name from authorized access listremove name from authorized access list

 inform guards that general access not allowedinform guards that general access not allowed  remove personal access codes, change lock remove personal access codes, change lock

combinations, reprogram access card systems, etc

(22)

Email & Internet Use Policies



E-mail & Internet access for employees is

common in office and some factories



increasingly have e-mail and Internet use

policies in organization's security policy



due to concerns regarding

 work time lostwork time lost

 computer / comms resources consumedcomputer / comms resources consumed  risk of importing malwarerisk of importing malware

(23)

Suggested Policies

 business use only_{business use only}  policy scope_{policy scope}

 content ownership_{content ownership}  _privacy_privacy

 standard of conduct_{standard of conduct}

 reasonable personal use_{reasonable personal use}  unlawful activity prohibited_{unlawful activity prohibited}  security policy_{security policy}

(24)

Example

(25)

Summary



introduced some important topics relating

to human factors



security awareness, training & education



organizational security policy



personnel security