1. Security 4
2. Need for Security 6
3. Security Policy 7
4. Purpose of Security Policy 8
5. Characteristics of Security Policy 10
6. Strategies of Security Policy 11
7. Components of Security Policy 15
8. Persons involved in framing Security Policy 18
9. Steps in Security Policy 19
10. Ethics of Security Policy 22
- Securing the prime host machines by logically isolating them. In most situations, the network is not the resource at risk; rather, it is the endpoints of the network that are threatened.
- Usually, there are bugs in the programs running on the network or in the administration of the system.
- It is this way with computer security: a host only has to trust another host in some fashion. It is therefore a major risk that an intruder who compromises one trusted host can compromise the entire system.
- He will now be able to attack other systems, either by taking over root, and thence the system's identity, or by taking over some user account. This is called transitive trust.
- (DMZ's)
  - Some servers are difficult to trust because of the size and the complexity of the code they run. Web servers, for example. If we place a web server inside the firewall, then a compromise
- Purchasing guidelines
- Privacy policy
- Access policy
- Accounting policy
- Authentication policy
- Availability policy
- Information technology and network maintenance policy
- Violation reporting policy
- Supporting information
- Purchasing guidelines, which specify required or preferred security features. These should supplement existing purchasing policies and guidelines.

- Privacy policy, which defines
- Access policy, which defines access rights and privileges to protect assets from loss or disclosure by specifying acceptable use guidelines for users, operations staff, and management. It should provide guidelines for external connections, data communication, connecting devices to a network, and adding new software to systems. It should also specify any required notification messages (e.g., connect messages should provide warnings about authorized usage and line monitoring, and not simply say "Welcome").

- Accounting policy, which defines the responsibilities of users, operations staff, and management. It should specify an audit capability and provide incident handling guidelines (i.e., what to do and who to contact if a possible intrusion is detected).

- Authentication policy, which establishes trust through an effective password policy and by setting guidelines for remote location authentication and the use of authentication devices (e.g., one-time passwords and the devices that generate them).

- Availability statement, which sets users' expectations for the availability of resources. It should address redundancy and recovery issues, as well as specify operating hours and
- Information technology and network maintenance policy, which describes how both internal and external maintenance people are allowed to handle and access technology. One important topic to be addressed here is whether remote maintenance is allowed and how such access is controlled. Another area for consideration here is outsourcing and how it is managed.

- Violation reporting policy, which indicates which types of violations (e.g., privacy and security, internal and external) must be reported and to whom the reports are made. A non-threatening atmosphere and the possibility of anonymous reporting will result in a greater probability that a violation will be reported if it is detected.

- Supporting information, which provides users, staff, and management with contact information for each type of policy violation; guidelines on how to handle outside queries about a security incident, or information which may be considered confidential or proprietary; and cross-references to security procedures and related information, such as company policies and governmental laws and regulations.
- Outsiders as well as insiders may from the collective answers here.
- What kind of security must be provided therefore depends on the type of attacker you are planning against.
- Just as anyone has "the right to protect", others also have "the right to protect" themselves. The way you have the right to protect your own assets, the other people around you too have the same right. Thus, while demanding computer security for yourself, the foremost point is that one should not deprive others of their rights.