IS Unit - III

Uploaded by Sruthi R

Unit 3

Policies, standards, practices and business continuity

Introduction – information security policy – standards and practices – the information security blueprint: ISO 17799/BS 7799, ISO 27001 and its controls – NIST security models – design of security architecture – security architecture – security education – training and awareness program – continuity strategies.
OBJECTIVES:
• To understand the basics of Information Security.
• To identify the legal, ethical and professional issues in Information Security.
• To understand the aspects of risk management.
• To become aware of various standards in information security.
• To review the technological aspects of Information Security.
COURSE OUTCOMES:
Upon completion of the course, the students will be able to:
1. Identify and analyze security threats and attacks.
2. Outline risk management and information security.
3. Apply and devise suitable security policies and standards.
4. Experiment with intrusion detection and prevention systems to ensure information security.
5. Discuss the various matching and enrollment processes in biometrics.
INSTITUTE VISION AND MISSION
VISION OF THE INSTITUTE:
To achieve a prominent position among the top technical institutions.

MISSION OF THE INSTITUTE:
M1: To bestow standard technical education par excellence through state-of-the-art infrastructure, competent faculty and high ethical standards.
M2: To nurture research and entrepreneurial skills among students in cutting-edge technologies.
M3: To provide education for developing high-quality professionals to transform society.
DEPARTMENT VISION AND MISSION
VISION OF THE DEPARTMENT:
To create eminent professionals of Computer Science and
Engineering by imparting quality education.

MISSION OF THE DEPARTMENT:


M1: To provide technical exposure in the field of Computer
Science and Engineering through state of the art infrastructure and
ethical standards.
M2: To engage the students in research and development activities
in the field of Computer Science and Engineering.
M3: To empower the learners to engage in industrial and multidisciplinary projects for addressing societal needs.
PROGRAM EDUCATIONAL OBJECTIVES (PEOs):
Our graduates shall
PEO1: Analyse, design and create innovative products for
addressing social needs.
PEO2: Equip themselves for employability, higher studies and
research.
PEO3: Nurture the leadership qualities and entrepreneurial skills for their successful career.

PROGRAM SPECIFIC OUTCOMES (PSOs):
Students will be able to
PSO1: Apply basic and advanced knowledge in developing software, hardware and firmware solutions addressing real-life problems.
PSO2: Design, develop, test and implement product-based solutions for their career enhancement.
PROGRAM OUTCOMES:
PO1 Engineering knowledge
PO2 Problem analysis
PO3 Design/development of solutions
PO4 Conduct investigations of complex problems
PO5 Modern tool usage
PO6 The engineer and society
PO7 Environment and sustainability
PO8 Ethics
PO9 Individual and team work
PO10 Communication
PO11 Project management and finance
PO12 Life-long learning
Introduction
• Begins with the creation or review of an organization's information security policies, standards and practices.
• Followed by the selection or creation of an information security architecture.
• Development of an information security blueprint, which creates a plan for future success.
• Without this, the organization cannot meet its information security needs.
Information security planning and governance
Strategic planning
Planning levels.
The executive team is sometimes called the organization's C-level, as in:
• CEO
• COO
• CFO
• CIO
• CISO
IS governance:
• The set of responsibilities and practices exercised in governing the organization.
• Goal – provide strategic direction and ensure that objectives are achieved.
• Ensure that risks are managed appropriately.
• Verify that the enterprise's resources are used responsibly.
According to the Corporate Governance Task Force (CGTF):
• Conduct an annual InfoSec evaluation
• Conduct periodic risk assessments of information assets
• Implement policies and procedures based on risk assessments
• Develop plans and initiate actions
• Provide InfoSec awareness, training and education
• Conduct periodic testing and evaluation
• Create and execute a plan for remedial action
According to the Information Technology Governance Institute (ITGI), governance covers:
• Strategic direction
• Establishment of objectives
• Measurement of progress towards those
objectives
• Verification of risk management
• Validation of organization’s assets
5 Governance processes:
• Evaluate
• Direct
• Monitor
• Communicate
• Assure
Information security planning and governance
Outcomes (5 goals):
• Strategic alignment
• Risk management
• Resource management
• Performance measures
• Value delivery
• Governance framework
Information security policy, standards
and practices
Important terminologies:
• Policy
• Standards
• Vision
• Mission
• Strategic planning
• Security policy
• Information Security policy
Information security policy, standards and practices
Policy – a set of guidelines or instructions issued by an organization's management for preparing and performing different activities; policies are also called organizational laws.

Standards – more detailed statements of what must be done to comply with policy. Practices that are slowly adopted by everyone are converted into standards once everyone starts following them.

Practices, procedures and guidelines – explain how to effectively comply with policy.

Components of security policy:
1. Dissemination / distribution
2. Review / reading
3. Comprehension / understanding
4. Compliance / agreement
5. Uniform enforcement
Types of security policy:
NIST standards define three types of security policy:
• Enterprise Information Security Policy
• Issue-specific security policies
• Systems-specific security policies
Enterprise Information Security Policy (EISP)
• Also known as a general security policy, IT security policy, or information security policy.
• Sets the strategic direction, scope and tone for all security efforts within the organization.
• Drafted by or with a committee for the CIO of the organization.
• Addresses two areas:
  – Ensuring that requirements are met.
  – Use of specific penalties and disciplinary action.
• This policy is usually 2 to 10 pages long and shapes the philosophy of security in the IT environment.
• The EISP guides the development, implementation, and management of the security program.
• Sets the requirements for the IS blueprint.
• Finally, it addresses legal compliance.
EISP elements
• Overview of the corporate philosophy on security.
• Information on the structure of the security organization and the individuals who fulfil security roles.
• Fully articulated responsibilities for security – employees, contractors, consultants, partners and visitors.
• Responsibilities are unique to each role in the organization.
Issue-Specific Security Policy (ISSP)
• An issue-specific security policy, or ISSP for short, is developed by an organization to outline the guidelines that govern the use of individual technologies in that organization.
• The issue-specific security policy is a security policy that provides detailed, targeted guidance to instruct employees in the proper use of a resource, such as an information asset or technology.
3. Systems-Specific Policy (SysSP)
• SysSPs are frequently codified as standards and procedures to be used when configuring or maintaining systems.
Systems-specific policies fall into two groups:
• Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system.
• Configuration rules comprise the specific configuration codes entered into security systems to guide the execution of the system.
ACL:
• An ACL regulates the details of who may access the system, when, from where and how.
• Common restrictions include: read, write, modify, create, delete, compare and copy.
• ACLs allow a configuration to restrict access from anyone and anywhere.
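The four ACL questions above (who, when, from where, how) and the restriction vocabulary (read, write, modify, create, delete, compare, copy) can be turned into a small evaluator. The following is an added illustration, not code from the slides or from any real access-control product; the entry format, user names, resource names, office hours and source networks are constructed for the example. Access is default-deny: a request is granted only when some entry explicitly matches all four constraints, and a capability table for one subject is just the row of the access matrix built from the same entries.

```python
"""Evaluating a systems-specific access control list (ACL).

Added illustration of the who / when / where / how checks described above;
this is not code from the slides or from any real access-control product.
The entry format, user names, resource names, hours and networks are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# The restriction vocabulary named on the slide.
PERMISSIONS = frozenset(
    {"read", "write", "modify", "create", "delete", "compare", "copy"})


@dataclass(frozen=True)
class AclEntry:
    subject: str                          # who
    resource: str                         # which system or object
    rights: frozenset                     # how: a subset of PERMISSIONS
    hours: tuple = (time.min, time.max)   # when: (earliest, latest) local time
    networks: tuple = ("0.0.0.0/0",)      # where: source CIDRs allowed

    def __post_init__(self):
        unknown = set(self.rights) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")


def _as_datetime(when):
    """Accept a datetime or an ISO-8601 string such as '2024-03-04T10:30'."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def entry_permits(entry, subject, resource, action, when, src_ip):
    """True when this single entry grants `action` under all four constraints."""
    if entry.subject != subject or entry.resource != resource:
        return False
    if action not in entry.rights:
        return False
    earliest, latest = entry.hours
    if not earliest <= _as_datetime(when).time() <= latest:
        return False
    return any(ip_address(src_ip) in ip_network(net) for net in entry.networks)


def is_allowed(acl, subject, resource, action, when, src_ip):
    """Default deny: access is granted only if some entry explicitly permits it."""
    return any(entry_permits(e, subject, resource, action, when, src_ip)
               for e in acl)


def capability_table(acl, subject):
    """One row of the access matrix: resource -> sorted rights for `subject`."""
    table = {}
    for e in acl:
        if e.subject == subject:
            table.setdefault(e.resource, set()).update(e.rights)
    return {res: sorted(rights) for res, rights in table.items()}


# Constructed sample ACL: alice may read and modify payroll data, but only
# during office hours and only from the internal 10/8 network; bob may read
# it from one subnet at any time; the handbook is readable by alice anywhere.
SAMPLE_ACL = [
    AclEntry("alice", "payroll.db", frozenset({"read", "modify"}),
             hours=(time(8, 0), time(18, 0)), networks=("10.0.0.0/8",)),
    AclEntry("alice", "handbook.pdf", frozenset({"read", "copy"})),
    AclEntry("bob", "payroll.db", frozenset({"read"}),
             networks=("10.0.5.0/24",)),
]

if __name__ == "__main__":
    for args in [("alice", "payroll.db", "modify", "2024-03-04T10:30", "10.0.5.7"),
                 ("alice", "payroll.db", "modify", "2024-03-04T22:00", "10.0.5.7"),
                 ("alice", "payroll.db", "delete", "2024-03-04T10:30", "10.0.5.7"),
                 ("bob", "payroll.db", "read", "2024-03-04T03:00", "10.0.6.7")]:
        print(args, "->", "allow" if is_allowed(SAMPLE_ACL, *args) else "deny")
```

Note that the second and fourth requests in the demo are refused even though the subject holds the right in question: the first falls outside alice's permitted hours, the second comes from a subnet bob is not allowed to use. Rejecting unknown permission names at construction time keeps a typo in an entry from silently becoming a deny.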
Information Security Blueprint
• It is the basis for the design, selection, and implementation of all security policies, education and training programs, and technological controls.
• It is a more detailed version of the security framework, which is an outline of the overall information security strategy for the organization and a road map for planned changes to the information security environment of the organization.
STANDARD AND PRACTICE - SECURITY MODELS - ISO 17799 / BS 7799
• One of the most widely referenced and often discussed security models is the Information Technology – Code of Practice for Information Security Management, which was originally published as British Standard BS 7799.
• In 2000, this Code of Practice was adopted as an international standard framework for information security by the International Standard Organization (ISO) and the International Electro-technical Commission (IEC) as ISO/IEC 17799.
The Plan-Do-Check-Act (PDCA) cycle used by ISO 27001:
PLAN:
• Select control objectives
• Prepare the statement of applicability
• Identify and assess risks
DO:
• Formulate a risk mitigation plan
• Implement the previously selected controls in order to meet the objectives
CHECK:
• Perform monitoring procedures
• Conduct periodic reviews
• Review the levels of acceptable and residual risk
• Periodically conduct audits
ACT:
• Take appropriate corrective and preventive actions
• Maintain communications with all stakeholders
• Validate improvements
Drawbacks of ISO 17799/BS 7799
Several countries have not adopted 17799, claiming there are fundamental problems:
• The global information security community has not defined any justification for a code of practice as identified in ISO/IEC 17799.
• 17799 lacks "the necessary measurement precision of a technical standard".
• There is no reason to believe that 17799 is more useful than any other approach currently available.
• 17799 is not as complete as other frameworks available.
NIST SECURITY MODELS
• The publications of the National Institute of Standards and Technology (NIST) are a primary alternative to BS 7799.
• These documents are freely available.
• The following are its publications:
1. NIST SP 800-12
2. NIST SP 800-14
3. NIST SP 800-16
4. NIST SP 800-18
5. NIST SP 800-23, etc.
Design of security architecture
Security architecture is a strategy for designing and building a company's security infrastructure.

Types of security architecture:
• Architecture of network security
• Architecture of application security
• Architecture of cloud security
• Architecture of enterprise information security
• Architecture of wireless security
• Endpoint security architecture
Design of security architecture
Sphere of Use
• The spheres of security are the foundation of the security framework.
• Left side: explains the ways in which people access information.
• Right side: a layer of protection to prevent access to the inner layer from the outer layer.
Sphere of Protection
• The "sphere of protection" overlays each of the levels of the "sphere of use" with a layer of security, protecting that layer from direct or indirect use through the next layer.
• The people must become a layer of security, a human firewall that protects the information from unauthorized access and use.

3 levels of control:
• Management control
• Operational control
• Technical control
Management controls
• They address the design and implementation of the security planning process and security program management.
• They provide guidelines regarding planning strategy.
• They describe the necessity and scope of legal compliance and the maintenance of certifications and accreditations across the entire security life cycle.

Operational controls:
• They deal with the operational functionality of security in organizations.
• They also address personnel security, physical security, and the protection of production inputs and outputs.
• They play a major role in training, education and awareness.

Technical controls
• They address the tactical and technical issues related to designing and implementing security in the organization.
• Technical controls include logical access controls, such as identification, authentication, authorization, and accountability.
• They also deploy the use of cryptography.
• They focus on selecting appropriate technologies to be used in the organization.
Security Architecture Components
Defense in Depth
• "It is a strategy that leverages multiple security measures to protect an organization's assets."
• One of the basic foundations of security architecture is the implementation of security in layers. This layered approach is called defense in depth.
• Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls.
• Implementing multiple types of technology, and thereby preventing the failure of one system from compromising the security of the information, is referred to as redundancy.
Security Perimeter
• A security perimeter is the first level of security that protects all internal systems from outside threats.
• It segregates the protected information from those who would attack it.
Major Technologies that provide security
1. Firewall
• A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
• Firewalls can be packet filtering, stateful packet filtering, proxy, or application level.
• A firewall can be a single device or a firewall subnet, which consists of multiple firewalls creating a buffer between the outside and inside networks.
• Used to prevent unauthorized internet access.
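The packet-filtering behaviour just described, an ordered rule set where the first matching rule decides and anything not explicitly allowed is dropped, is shown below as an added Python example. It is not code from the slides or from any real firewall; the rule set, addresses, ports and packets are constructed. Beyond plain evaluation it includes a check every firewall administrator wants: finding rules that an earlier, broader rule shadows, since such a rule is never consulted and the protection it appears to promise does not exist.

```python
"""A minimal packet-filtering firewall: ordered rules, first match wins,
default deny.

Added example illustrating the packet-filtering firewall described above;
it is not code from the slides or from any real firewall. The rule set,
addresses, ports and packets are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp", "icmp" or "any"
    src: str           # source CIDR
    dst: str           # destination CIDR
    dport: int = None  # destination port; None means any port

    def matches(self, pkt):
        """Does this rule apply to one packet (a dict with proto/src/dst/dport)?"""
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

    def covers(self, other):
        """Does every packet matched by `other` also match this rule?"""
        return ((self.proto == "any" or self.proto == other.proto)
                and ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and (self.dport is None or self.dport == other.dport))


def filter_packet(rules, pkt):
    """Return (action, index of the deciding rule); ("deny", None) if nothing matches."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them.

    A shadowed rule is a policy bug: the administrator believes it is
    enforced, but first-match evaluation never reaches it.
    """
    return [j for j in range(len(rules))
            if any(rules[i].covers(rules[j]) for i in range(j))]


# Constructed rule set for a perimeter firewall in front of 10.0.0.0/8,
# with a public web server at 203.0.113.10.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),  # public HTTPS
    Rule("allow", "tcp", "10.0.0.0/8", "10.0.20.5/32", 22),     # internal admin SSH
    Rule("deny", "any", "0.0.0.0/0", "10.0.0.0/8"),             # nothing else inbound
    Rule("allow", "tcp", "10.0.1.0/24", "10.0.20.5/32", 22),    # never reached: rule 1 covers it
]

# Constructed packets.
PACKETS = {
    "web": {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
    "ssh_inside": {"proto": "tcp", "src": "10.0.1.4", "dst": "10.0.20.5", "dport": 22},
    "ssh_outside": {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.20.5", "dport": 22},
    "dns_to_web": {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 53},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, "->", filter_packet(RULES, pkt))
    print("shadowed rule indices:", shadowed_rules(RULES))
```

The last packet is dropped by the implicit default rather than by any written rule; a stateless filter like this one cannot tell a reply from a new connection, which is the gap the stateful and application-level firewalls named in the slide close.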
DMZ (demilitarized zone)
• A computer host or small network inserted as a buffer between a company's private network and the outside public network.
• Acts as a buffer against outside attacks.
• Prevents outside users from getting direct access to a server that holds company data.
Proxy Server
• An alternative approach to the strategies of using a firewall subnet or a DMZ is to use a proxy server, or proxy firewall.
• Configured to look like a web server.
• Assigned the domain name.
• Retrieves and transmits data.
• Can act as a cache server.
• Proxies intercept all messages entering and leaving the network.
• Hides the true network address.
Intrusion Detection Systems (IDSs):
• To detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement Intrusion Detection Systems (IDSs).
• IDSs come in two versions:
  – Host-based IDSs
  – Network-based IDSs
Host-based IDSs are usually installed on the particular machines they protect to monitor the status of various files stored on those machines (e.g. analysing traffic and logging malicious activities).

Network-based IDSs look at patterns of network traffic and attempt to detect unusual activity based on previous baselines.
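Both detection styles above rest on a baseline: a host-based IDS records the state of files and reports deviations, and a network-based IDS records normal traffic volume and reports departures from it. The following added Python example shows one simple form of each; it is not code from the slides or from any real IDS. The directory contents, host addresses and connection counts are constructed for the example, and the file-integrity demo builds its own throwaway directory so it runs offline.

```python
"""Two detection checks of the kinds described above: a host-based file
integrity baseline and a network-based traffic baseline.

Added example; it is not code from the slides or from any real IDS. The
directory contents, host addresses and connection counts are constructed
for the example.
"""
import hashlib
import statistics
import tempfile
from pathlib import Path


def file_baseline(root):
    """Host-based check: SHA-256 of every regular file under `root`, keyed by
    relative path. In practice the result is stored where the monitored host
    cannot alter it, otherwise an intruder simply rewrites the baseline."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baselines(old, new):
    """Report files whose hash changed, and files that appeared or vanished."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def traffic_anomalies(history, observed, k=3.0):
    """Network-based check: flag hosts whose current connection count exceeds
    mean + k * population standard deviation of their own history.
    Returns host -> (observed count, threshold)."""
    flagged = {}
    for host, counts in history.items():
        threshold = statistics.mean(counts) + k * statistics.pstdev(counts)
        if observed.get(host, 0) > threshold:
            flagged[host] = (observed[host], round(threshold, 1))
    return flagged


def demo_file_monitor():
    """Create a throwaway tree, baseline it, change it, and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("Authorized use only.\n")
        before = file_baseline(root)

        # Constructed changes between two scans: one edit, one deletion, one new file.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.9 intranet\n")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /usr/local/bin/backup\n")
        after = file_baseline(root)
        return compare_baselines(before, after)


# Constructed history: connections per hour from two internal hosts over five
# previous hours, and the counts seen in the hour being examined.
HISTORY = {"10.0.1.4": [40, 45, 38, 50, 42], "10.0.1.9": [5, 7, 6, 4, 8]}
OBSERVED = {"10.0.1.4": 48, "10.0.1.9": 90}

if __name__ == "__main__":
    print(demo_file_monitor())
    print(traffic_anomalies(HISTORY, OBSERVED))
```

The traffic check deliberately keeps a per-host baseline: 48 connections is unremarkable for the first host and would be a large excursion for the second, so a single global threshold would either miss the second host or drown the first in false alarms. The multiplier `k` is the knob that trades detection sensitivity against false positives.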

Internet Protocol (IP) spoofing is a type of malicious attack where the threat actor hides the true source of IP packets to make it difficult to know where they came from.
Security education, training and awareness (SETA) program
• Security education and training build the general knowledge of employees regarding their jobs by familiarizing them with the way to do their jobs securely.

The SETA program consists of three elements:
• Security education
• Security training
• Security awareness
APPLICATIONS:
• DDoS security
• Web firewall
• Bots
• Antivirus and antimalware
• Threat management systems
• Critical systems
• Rules and regulations
REFERENCES:
1. Michael E. Whitman and Herbert J. Mattord, "Principles of Information Security", Course Technology, New Delhi, Fourth Edition, 2012.
2. Nina Godbole, "Information Systems Security: Security Management, Metrics, Frameworks and Best Practices", Wiley India Pvt. Ltd., New Delhi, First Edition, 2009.

ONLINE REFERENCES:
1. https://nptel.ac.in/courses/106/106/106106129/
2. https://nptel.ac.in/courses/106/106/106106178/
3. https://nptel.ac.in/courses/106/106/106106157/
