Ch11 - Policies and Procedures - PoliciesandProcedures P...

Info iconThis preview shows pages 1–11. Sign up to view the full content.

View Full Document Right Arrow Icon
Policies and Procedures Policies and Procedures Security+ Guide to Network Security Fundamentals  Second Edition Chapter 11
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
2 Objectives Define the security policy cycle Explain risk identification Design a security policy Define types of security policies Define compliance monitoring and evaluation
Background image of page 2
3 Understanding the Security Policy Cycle First part of the cycle is risk identification Risk identification seeks to determine the risks that an  organization faces against its information assets That information becomes the basis of developing a security  policy A security policy is a document or series of documents that  clearly defines the defense mechanisms an organization will  employ to keep information secure
Background image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
4 Understanding the Security Policy Cycle  (continued)
Background image of page 4
5 Reviewing Risk Identification First step in security policy cycle is to identify risks Involves the four steps: Inventory the assets Determine what threats exist against the assets and by  which threat agents Investigate whether vulnerabilities exist that can be  exploited Decide what to do about the risks
Background image of page 5

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
6 Reviewing Risk Identification  (continued)
Background image of page 6
7 Asset Identification An asset is any item with a positive economic value Many types of assets, classified as follows: Physical assets –  Data Software –  Hardware Personnel Along with the assets, attributes of the assets need to be compiled After an inventory of assets has been created and their attributes  identified, the next step is to determine each item’s relative value Factors to be considered in determining the relative value are listed  on pages 386 and 387 of the text
Background image of page 7

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
8 Threat Identification A threat is not limited to those from attackers, but also  includes acts of God, such as fire or severe weather Threat modeling constructs scenarios of the types of threats  that assets can face The goal of threat modeling is to better understand who the  attackers are, why they attack, and what types of attacks may  occurA valuable tool used in threat modeling is the  construction of an attack tree An attack tree provides a visual image of the attacks that may  occur against an asset
Background image of page 8
9 Threat Identification (continued)
Background image of page 9

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
10 Vulnerability Appraisal After assets have been inventoried and prioritized and the threats  have been explored, the next question becomes, what current security  weaknesses may expose the assets to these threats? Vulnerability appraisal takes a current snapshot of the security of the 
Background image of page 10
Image of page 11
This is the end of the preview. Sign up to access the rest of the document.

Page1 / 39

Ch11 - Policies and Procedures - PoliciesandProcedures P...

This preview shows document pages 1 - 11. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online