SlideShare a Scribd company logo

Security policy case study

Download as DOCX, PDF
ashu6
ashu6

The document summarizes the components, purpose, and strategies of a security policy for T.Z.A.S.P. Mandal's Pragati College. It discusses the need for security policies to protect data, networks, and computing resources. The key components outlined include access policies, privacy policies, and guidelines for acceptable use, purchasing, authentication, availability, and violation reporting. Strategies discussed are host security, user authentication, password protection, firewalls, demilitarized zones, and encryption. The purpose is to inform users of security requirements and provide a baseline for compliance.

1 of 23
T.Z.A.S.P.MANDAL’S<br />PRAGATI COLLEGE OF ARTS, COMMERCE, AND SCIENCE<br />A CASE STUDY REPORT ON<br />Security Policy<br />PRESENTED ON:28th AUGUST, 2010<br />ABLY GUIDED BY Madam Snehal Borle<br />T.Y.B.Sc. (IT)<br />SUBMITTED BY<br />Ms. Ashwini Vaykole - Roll No.04
Ms. Ashwini Godage - Roll No. 02T.Z.A.S.P.MANDAL’S<br />PRAGATI COLLEGE OF ARTS, COMMERCE, AND SCIENCE<br />T.Y.B.Sc. (IT)<br />CERTIFICATE<br />This is to certify that Ms. Ashwini Godage (Roll No.02)
Ms. Ashwini Vaykole (Roll No. 04) has completed the case study of Internet Security satisfactorily during academic year 2010-11.
Date: 28th August, 2010
Professor-in-charge
(B.SC.IT)INDEX<br />Sr. No.ContentsPage No.1.Security42.Need of security63.Security Policy74.Purpose of Security Policy85.Characteristic of Security Policy106Strategies of Security Policy117.Components of Security Policy158.Person involved in framing Security Policy189.Steps in Security Policy1910.Ethics of Security Policy22<br />Security<br />In simple words security means safety and protection. In technical terms security means the protection of data, networks and computing power. The protection of data information security is the most important. The protection of network is important to prevent loss of server resources as well as to protect the network from being used for illegal purposes.<br />Need of security<br />The internet has made a tremendous impact on security. While it has many good aspects, there are many bad things that can come of this powerful communications tool. These problems included concerns about the validity and appropriateness of the material found online .when computer application were developed to handle financial and personal data real need for security came into picture. Two typical example of security mechanism are:<br />Provide a user_id and password to every user, and use that information to authenticate a user<br />Encode information stored in the database in some fashion, so that it is not visible to users who do not have the right permission.<br />We need security for the following purpose<br />To protect our data, files or folders<br />To protect our resources example: hardware, software etc.<br />To protect e-commerce, transaction, information, user id, password, pin<br />To protect website from getting blocked any attack as DOS (Denel Of Service)<br />To protect IP address<br />To protect e-mails<br />To protect incoming packets so that no virus/worms comes in<br />To protect outgoing packets so that secrets does not leak out<br />Security policy<br />In simple words a security policy in terms of computer systems defines what is secure and what is unsecured.
OR
In technical terms a security policy is a set of formal statements of the rules by which people that are given access to organization’s technology and information must abide.OR<br />A Security policy defines the overall security and risk control objectives that an organization endorses.
OR
A security policy is a formal statement of the rules through which people are given access to an organization’s technology, system and information assets. OR<br />The security policy defines what business and security goals and objectives management desires, but not how these solutions are engineered and implemented.
A security policy should be economically feasible, understandable, realistic, consistent, procedurally tolerable, and also provide reasonable protection relative to the stated goals and objectives of management.
OR
A security policy is the primary way in which management’s expectations for security are translated into specific, measurable, and testable goals and objectives. Security Policy Goals<br />The goal of the security policy is to translate, clarify and communicate management’s position on security as defined in high-level security principles. The security policies act as a bridge between these management objectives and specific security requirements.<br />Purposes of a Security Policy<br />The primary purpose of a security policy is to inform users, staff, and managers of those essential requirements for protecting various assets including people, hardware, and software resources, and data assets. The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy. This also allows for the subsequent development of operational procedures, the establishment of access control rules and various application, system, network, and physical controls and parameters.<br />To inform all of their obligatory(mandatory) requirements for protecting technology and information assets
The policy should specify the mechanism through which these requirements can be met
To provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy.An Appropriate Use Policy (AUP) may also be part of a security policy<br />It should spell out what users shall not do on the various components of the system, including the type of traffic allowed on the networks.
The AUP should be as explicit as possible to avoid ambiguity or misunderstanding. The characteristics of good security policies are<br />They must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods.
They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
They must clearly define the areas of responsibility for the users, administrators, and management.
They must be documented, distributed, and communicated.Strategies of security policy<br />Before you can decide on how to safeguard your network, you must identify what level of security you require, i.e. whether you want a lower, medium or a very security. (For example, famous personalities will require more life security – Y level, Z level etc than a common man) once this job is done, you are ready to make your strategies to secure your network. The various strategies used further to secure the network will include the following<br />Host securityAuthentication of userChoosing good password & protecting themUsing firewall & proxy serversDMZ’sMaking use of encryption techniquesStrategies of <br />Security<br /> Policy<br />Host security
Securing the prime, host machines by logically isolating them. In most situations, the network is not the resource at risk rather; it is the endpoint of the network that is threatened.
Usually, there are bugs in the program for networks or in the administrator of the system.
It is this way with computer security; the attacker just has to trust them in some fashion. It might be therefore a major risk that the intruder can compromise the entire system.
He will now be able to attack other systems, either by taking over root, and thence the system’s identity, or by taking over some user account. This is called transitive trust.

More Related Content

Security policy case study

  • 1. T.Z.A.S.P.MANDAL’S<br />PRAGATI COLLEGE OF ARTS, COMMERCE, AND SCIENCE<br />A CASE STUDY REPORT ON<br />Security Policy<br />PRESENTED ON:28th AUGUST, 2010<br />ABLY GUIDED BY Madam Snehal Borle<br />T.Y.B.Sc. (IT)<br />SUBMITTED BY<br />Ms. Ashwini Vaykole - Roll No.04
  • 2. Ms. Ashwini Godage - Roll No. 02T.Z.A.S.P.MANDAL’S<br />PRAGATI COLLEGE OF ARTS, COMMERCE, AND SCIENCE<br />T.Y.B.Sc. (IT)<br />CERTIFICATE<br />This is to certify that Ms. Ashwini Godage (Roll No.02)
  • 3. Ms. Ashwini Vaykole (Roll No. 04) has completed the case study of Internet Security satisfactorily during academic year 2010-11.
  • 4. Date: 28th August, 2010
  • 6. (B.SC.IT)INDEX<br />Sr. No.ContentsPage No.1.Security42.Need of security63.Security Policy74.Purpose of Security Policy85.Characteristic of Security Policy106Strategies of Security Policy117.Components of Security Policy158.Person involved in framing Security Policy189.Steps in Security Policy1910.Ethics of Security Policy22<br />Security<br />In simple words security means safety and protection. In technical terms security means the protection of data, networks and computing power. The protection of data information security is the most important. The protection of network is important to prevent loss of server resources as well as to protect the network from being used for illegal purposes.<br />Need of security<br />The internet has made a tremendous impact on security. While it has many good aspects, there are many bad things that can come of this powerful communications tool. These problems included concerns about the validity and appropriateness of the material found online .when computer application were developed to handle financial and personal data real need for security came into picture. Two typical example of security mechanism are:<br />Provide a user_id and password to every user, and use that information to authenticate a user<br />Encode information stored in the database in some fashion, so that it is not visible to users who do not have the right permission.<br />We need security for the following purpose<br />To protect our data, files or folders<br />To protect our resources example: hardware, software etc.<br />To protect e-commerce, transaction, information, user id, password, pin<br />To protect website from getting blocked any attack as DOS (Denel Of Service)<br />To protect IP address<br />To protect e-mails<br />To protect incoming packets so that no virus/worms comes in<br />To protect outgoing packets so that secrets does not leak out<br />Security policy<br />In simple words a security policy in terms of computer systems defines what is secure and what is unsecured.
  • 7. OR
  • 8. In technical terms a security policy is a set of formal statements of the rules by which people that are given access to organization’s technology and information must abide.OR<br />A Security policy defines the overall security and risk control objectives that an organization endorses.
  • 9. OR
  • 10. A security policy is a formal statement of the rules through which people are given access to an organization’s technology, system and information assets. OR<br />The security policy defines what business and security goals and objectives management desires, but not how these solutions are engineered and implemented.
  • 11. A security policy should be economically feasible, understandable, realistic, consistent, procedurally tolerable, and also provide reasonable protection relative to the stated goals and objectives of management.
  • 12. OR
  • 13. A security policy is the primary way in which management’s expectations for security are translated into specific, measurable, and testable goals and objectives. Security Policy Goals<br />The goal of the security policy is to translate, clarify and communicate management’s position on security as defined in high-level security principles. The security policies act as a bridge between these management objectives and specific security requirements.<br />Purposes of a Security Policy<br />The primary purpose of a security policy is to inform users, staff, and managers of those essential requirements for protecting various assets including people, hardware, and software resources, and data assets. The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy. This also allows for the subsequent development of operational procedures, the establishment of access control rules and various application, system, network, and physical controls and parameters.<br />To inform all of their obligatory(mandatory) requirements for protecting technology and information assets
  • 14. The policy should specify the mechanism through which these requirements can be met
  • 15. To provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy.An Appropriate Use Policy (AUP) may also be part of a security policy<br />It should spell out what users shall not do on the various components of the system, including the type of traffic allowed on the networks.
  • 16. The AUP should be as explicit as possible to avoid ambiguity or misunderstanding. The characteristics of good security policies are<br />They must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods.
  • 17. They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
  • 18. They must clearly define the areas of responsibility for the users, administrators, and management.
  • 19. They must be documented, distributed, and communicated.Strategies of security policy<br />Before you can decide on how to safeguard your network, you must identify what level of security you require, i.e. whether you want a lower, medium or a very security. (For example, famous personalities will require more life security – Y level, Z level etc than a common man) once this job is done, you are ready to make your strategies to secure your network. The various strategies used further to secure the network will include the following<br />Host securityAuthentication of userChoosing good password & protecting themUsing firewall & proxy serversDMZ’sMaking use of encryption techniquesStrategies of <br />Security<br /> Policy<br />Host security
  • 20. Securing the prime, host machines by logically isolating them. In most situations, the network is not the resource at risk rather; it is the endpoint of the network that is threatened.
  • 21. Usually, there are bugs in the program for networks or in the administrator of the system.
  • 22. It is this way with computer security; the attacker just has to trust them in some fashion. It might be therefore a major risk that the intruder can compromise the entire system.
  • 23. He will now be able to attack other systems, either by taking over root, and thence the system’s identity, or by taking over some user account. This is called transitive trust.
  • 25. It provides checking the identity of valid users keeping the unauthorized user away.
  • 26. Choosing good password & protecting them
  • 27. A good password should be developed using various criteria and safeguarding it as well. Also making sure it is not reuse and change frequently.
  • 28. Using firewall & proxy servers
  • 29. These firewall and proxy servers are act like a logical security guard to monitor traffic in and out of your local network and the internet.
  • 30. A firewall is a collection of components placed between two networks that have the following properties
  • 31. All traffic from inside to outside and from outside to inside must passed through firewall
  • 32. Only authorized traffic refund by local security policy will be allow to pass
  • 33. For firewall login NIS (Network Interface System) not necessary
  • 34. It gives protection administration
  • 35. It helps in security without disturbing a population of users
  • 36. A proxy server is known as virtual directories to share the dataDemilitiarzed Zone (DMZ’S)<br />Some servers are difficult to trust because of the size and the complexity of the code they run. Web server for an example. If we place web server inside the firewall then a compromise creates a launch point for further attacks on inside machines. If you place it outside, then you make it even easier to attack. The common approach is therefore to create a demilitarized zone (DMZ) between two firewalls.
  • 37. A DMZ is an example of general philosophy of defense in depth. That is multiple layers of security always provide better shield. If an attacker penetrates past the first firewall he or she gains access to the DMZ, but not necessarily to the internal network. Without the DMZ, the first successful penetration could result in a more serious compromise.
  • 38. Making use of encryption techniques
  • 39. It is used to encrypt the sensitive information to be sent out making it harder to crack if intercepted
  • 40. Encryption is often consider as the ultimate weapon in the computer security
  • 41. Encryption is based to safe guard file transmission if a key is generated from a type password
  • 42. There are various encryption techniques like symmetric and asymmetric
  • 43. Asymmetric encryptions technique use the public or private key conceptComponents of security policy<br />Components of Security PolicyPurchasing guideline Privacy policyAccess policyAccounting policyAuthentication policyAvailability policyInformation technology and network maintenance policyViolation reporting policySupporting information
  • 44. Computer Technology Purchasing Guidelines, which specify required, or preferred security features. Theses should supplement existing purchasing policies and guidelines.
  • 45. A Privacy Policy, which defines reasonable expectations of privacy regarding such issues as monitoring of electronic mail, logging of keystrokes, and access to users files.
  • 46. An Access policy, which defines access rights and privileges to protect assets from loss or disclosure by specifying acceptable use guidelines for external connections, operation staff, and management. It should provide guidelines for external connections, data communication, connecting devices to a network, and adding new software to systems. It should also specify any required notification messages (e.g., connect messages should provide warnings about authorized usage and line monitoring, and adding simply say “Welcome”).
  • 47. An Accountability Policy, which defines the responsibilities of users, operation staff, and management. It should specify an audit capability, and provide incident handling guidelines (i.e., what to do and who to contact if a possible intrusion is detected).
  • 48. An Authentication Policy establishes trust through an effective password policy, and by setting guidelines for remote location authentication and the use of authentication devices (e.g., one-time password and devices that generate them).
  • 49. An Availability statement which sets users expectations for the availability of resources. It should address redundancy and recovery issues, as well as specify operating hours and maintenance downtime periods. It should also include contact information for reporting system and network failures.
  • 50. An Information Technology System and Network Maintenance Policy which describes how both internal and external maintenance people are allowed to handle and access technology. One important topic to be addressed here is whether remote maintenance is allowed and how such access is controlled. Another area for consideration here is outsourcing and how it is managed.
  • 51. A Violation Reporting Policy that indicates which types of violations (e.g., privacy and security, internal and external) must be reported and to whom the reports are made. A non-treating atmosphere and the possibility of anonymous reporting will result in a greater probability that a violation will be reported if it is detected.
  • 52. Supporting Information which provides users, staff, and management with contact information for each type of policy violation; guidelines on how to handle outside queries about a security incident, or information which may be considered confidential or proprietary, and cross-references to security procedures and related information, such as company policies and governmental laws and regulations.Persons involved while forming security policy<br />Site security administrator
  • 53. Department within the university etc.)
  • 55. Representative of the user groups affected by the security policy
  • 58. Information technology staff(e.g., business divisions, computer science Steps of picking security policy<br />A security policy is the set of decision that collectively, determines an organizations attitude towards security. A security policy defines boundaries of acceptable behaviors and what response to the violations should be. Security policies differ from organization to organization. Every organization should have security policy. In a security policy one must decide what is permitted and what is not permitted. This depends on the business or structural needs of organization. a security policy. In a security policy one must decide what is permitted and what is not permitted. This depends on the business or structural needs of organization.
  • 59. Before a security policy is set up the following points should be considered
  • 60. Finding out what resources you want to protect
  • 61. The resources you want to protect may include Physical resources like printers, monitors, keyboards, drives, modems etc. and Logical resources include source and object program, data utilities, operating system, application etc.
  • 62. What resources you are trying to protect
  • 63. The answer to this is will dictate the host specific measures that are needed. Machines with sensitive files may require extra security measures. Stronger the authentication, keystrokes logging and strict auditing, or even file encryption. If the target of interest is the outgoing connectivity, the administrator may choose to require certain privileges for access to the network.
  • 64. Find out who can disrupt them and in what ways
  • 65. Physical threats to the resources such as stealing, malfunctioning devices.
  • 66. Logical threats such as unauthorized access to data, information, resources.
  • 67. Unintended disclosure of your information.
  • 68. Who is interested in attacking you
  • 69. Outsiders as well as insiders may from the collective answers here.
  • 70. What kind of security therefore must be provided differs from the type of attacker you are planning against.
  • 71. How much security can you afford
  • 72. Part of cost of security is directed financial expenditures, such as extra routes, firewalls, software packages, and so on. Often, the administrative costs are overlooked. There is another cost, however a cost in convenience and productivity, and even moderate. Too much security, people get frustrated. Finding the proper balance therefore essential.
  • 73. What stance do you stake?
  • 74. The stance is altitude of the designer. It determined by the cost of failure and the designer’s estimate of that likelihood. It is also based on the designer’s opinions of the own abilities. At the one end of the scale is a philosophy to correct it only when mistaking happen end. The other one is taking preventive measures so that no mistake occurs.Ethics of computer security<br />The way anyone has “the right to protect “they also have “the right to protect them”. The way you have the right to protect your own assets the other people around you too, have the same right. Thus while demanding Computer Security for yourself; the foremost point is that one should not deprive others from having their rights.
  • 75. In a technological era, Computer Security is fundamental to individual privacy. A great deal of personal information is stored on computer. If these computers are not safe prying eyes, neither is the data they hold. Worse yet, some of the most sensitive data-credit histories, bank balances, and the like-lives on machines attached to very large networks.
  • 76. It is a fair school of thought that “I have a right to attack others because someone else has attack me!” No it is not ethical to do so! How can you take the law in your hands? This cannot be treated as “self defense”. Can it be?
  • 77. Computer Security is a matter of good manners. If people want to be left alone, they should be.
  • 78. More and more modem society depends on computers, and on the integrity of the programs and data they contain. These range from obvious (finance industry) to the telephone industry controlled by bugs in such systems can be divesting.
  • 79. The administrator may gain some knowledge, some information about the users, about the organization, by the virtue of his position. Using such information for personal gain is not ethical.