E. G. S. Pillay Engineering College, Nagapattinam Computer Science and Engineering

Transcription

1 IT Infrmatin Security 1-1 E. G. S. Pillay Engineering Cllege, Nagapattinam Cmputer Science and Engineering Elective II IT 2042 INFORMATION SECURITY VIII Sem CSE QUESTION BANK - UNIT-IV 1) What is a plicy? A plicy is A plan r curse f actin, as f a gvernment, plitical party, r business, intended t influence and determine decisins, actins, and ther matters Plicies are rganizatinal laws Standards, n the ther hand, are mre detailed statements f what must be dne t cmply with plicy Practices, prcedures, and guidelines effectively explain hw t cmply with plicy Fr a plicy t be effective it must be prperly disseminated, read, understd and agreed t by all members f the rganizatin 2) Explain hw infrmatin security plicy is implemented as prcedure? 3) What are the three types f security plicies? Explain. Types f Plicy Management defines three types f security plicy: General r security prgram plicy Issue-specific security plicies Systems-specific security plicies

2 IT Infrmatin Security 1-2 Security Prgram Plicy A security prgram plicy (SPP) is als knwn as A general security plicy IT security plicy Infrmatin security plicy Sets the strategic directin, scpe, and tne fr all security effrts within the rganizatin An executive-level dcument, usually drafted by r with, the CIO f the rganizatin and is usually 2 t 10 pages lng Issue-Specific Security Plicy (ISSP) As varius technlgies and prcesses are implemented, certain guidelines are needed t use them prperly The ISSP: addresses specific areas f technlgy requires frequent updates cntains an issue statement n the rganizatin s psitin n an issue Three appraches: Create a number f independent ISSP dcuments Create a single cmprehensive ISSP dcument Create a mdular ISSP dcument Systems-Specific Plicy (SysSP) SysSPs are frequently cdified as standards and prcedures used when cnfiguring r maintaining systems Systems-specific plicies fall int tw grups: Access cntrl lists (ACLs) cnsist f the access cntrl lists, matrices, and capability tables gverning the rights and privileges f a particular user t a particular system Cnfiguratin rules cmprise the specific cnfiguratin cdes entered int security systems t guide the executin f the system 4) What are ACL Plicies? ACL Plicies Bth Micrsft Windws NT/2000 and Nvell Netware 5.x/6.x families f systems translate ACLs int sets f cnfiguratins that administratrs use t cntrl access t their respective systems ACLs allw cnfiguratin t restrict access frm anyne and anywhere ACLs regulate: Wh can use the system What authrized users can access When authrized users can access the system Where authrized users can access the system frm Hw authrized users can access the system

3 IT Infrmatin Security 1-3 4) What is Infrmatin Security Blueprint? The Security Blue Print is the basis fr Design,Selectin and Implementatin f Security Plicies,educatin and training prgrams,and technlgy cntrls. The security blueprint is a mre detailed versin f the Security Framewrk,which is an utline f the verall infrmatin security strategy fr the rganizatin and a rad map fr the planned changes t the infrmatin security envirnment f the rganizatin. The blueprint shuld specify the tasks t be accmplished and the rder in which they are t be realized. It shuld serve as a scaleable,upgradable,and cmprehensive paln fr the infrmatin security needs fr cming years. One apprach t selecting methdlgy t develp an infrmatin security bluepring is t adapt r adpt a published mdel r framewrk fr infrmatin security. 5) Define ISO 17799/BS 7799 Standards and their drawbacks ISO 17799/BS 7799 One f the mst widely referenced and ften discussed security mdels is the Infrmatin Technlgy Cde f Practice fr Infrmatin Security Management, which was riginally published as British Standard BS 7799 This Cde f Practice was adpted as an internatinal standard by the Internatinal Organizatin fr Standardizatin (ISO) and the Internatinal Electrtechnical Cmmissin (IEC) as ISO/IEC in 2000 as a framewrk fr infrmatin security Drawbacks f ISO 17799/BS 7799 Several cuntries have nt adpted claiming there are fundamental prblems: The glbal infrmatin security cmmunity has nt defined any justificatin fr a cde f practice as identified in the ISO/IEC lacks the necessary measurement precisin f a technical standard There is n reasn t believe that is mre useful than any ther apprach currently available is nt as cmplete as ther framewrks available is perceived t have been hurriedly prepared given the tremendus impact its adptin culd have n industry infrmatin security cntrls 6) What are the bjectives f ISO 17799? Organizatinal Security Plicy is needed t prvide management directin and supprt Objectives: a. Operatinal Security Plicy b. Organizatinal Security Infrastructure c. Asset Classificatin and Cntrl d. Persnnel Security

4 IT Infrmatin Security 1-4 e. Physical and Envirnmental Security f. Cmmunicatins and Operatins Management g. System Access Cntrl h. System Develpment and Maintenance i. Business Cntinuity Planning j. Cmpliance 7) What is the alternate Security Mdels available ther than ISO 17799/BS 7799? Anther apprach available is described in the many dcuments available frm the Cmputer Security Resurce Center f the Natinal Institute fr Standards and Technlgy (csrc.nist.gv) Including: NIST SP The Cmputer Security Handbk NIST SP Generally Accepted Principles and Practices fr Securing IT Systems NIST SP The Guide fr Develping Security Plans fr IT Systems 8) Explain NIST SP Generally accepted Principles and practices fr Security Inf Tech Sys Prvides best practices and security principles that can direct the security team in the develpment f Security Blue Print.as given belw: Security Supprts the Missin f the Organizatin Security is an Integral Element f Sund Management Security Shuld Be Cst-Effective Systems Owners Have Security Respnsibilities Outside Their Own Organizatins Security Respnsibilities and Accuntability Shuld Be Made Explicit Security Requires a Cmprehensive and Integrated Apprach Security Shuld Be Peridically Reassessed Security is Cnstrained by Scietal Factrs 33 Principles enumerated 9) Explain NIST SP It serves as a Security Self Assesment Guide cmprising f Management Cntrls Risk Management Review f Security Cntrls Life Cycle Maintenance Authrizatin f Prcessing (Certificatin and Accreditatin) System Security Plan Operatinal Cntrls Persnnel Security Physical Security Prductin, Input/Output Cntrls Cntingency Planning

5 IT Infrmatin Security 1-5 Hardware and Systems Sftware Data Integrity Dcumentatin Security Awareness, Training, and Educatin Incident Respnse Capability Technical Cntrls Identificatin and Authenticatin Lgical Access Cntrls Audit Trails 10) What is Sphere f prtectin? Sphere f Prtectin The sphere f prtectin verlays each f the levels f the sphere f use with a layer f security, prtecting that layer frm direct r indirect use thrugh the next layer The peple must becme a layer f security, a human firewall that prtects the infrmatin frm unauthrized access and use Infrmatin security is therefre designed and implemented in three layers plicies peple (educatin, training, and awareness prgrams) technlgy

6 IT Infrmatin Security ) What is Defense in Depth? Defense in Depth a. One f the fundatins f security architectures is the requirement t implement security in layers b. Defense in depth requires that the rganizatin establish sufficient security cntrls and safeguards, s that an intruder faces multiple layers f cntrls 12) What is Security perimeter? Security Perimeter The pint at which an rganizatin s security prtectin ends, and the utside wrld begins Referred t as the security perimeter Unfrtunately the perimeter des nt apply t internal attacks frm emplyee threats, r n-site physical threats

7 IT Infrmatin Security ) What are the key technlgical cmpnents used fr security implementatin? Key Technlgy Cmpnents Other key technlgy cmpnents A firewall is a device that selectively discriminates against infrmatin flwing int r ut f the rganizatin The DMZ (demilitarized zne) is a n-man s land, between the inside and utside netwrks, where sme rganizatins place Web servers In an effrt t detect unauthrized activity within the inner netwrk, r n individual machines, an rganizatin may wish t implement Intrusin Detectin Systems r IDS

8 IT Infrmatin Security 1-8

9 IT Infrmatin Security 1-9