CMPS 319 Blueprint For Security, Chapter 6: Begin with the end in mind -- Stephen Covey

Upload: tristan-whisler

Post on 22-Jan-2016

TRANSCRIPT

Page 1: CMPS 319 Blueprint For Security, Chapter 6

Begin with the end in mind -- Stephen Covey

Page 2: Learning Objectives

Principles of Information Security - Chapter 6, Slide # 2

Upon completion of this material you should be able to:

Understand management’s responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.

Understand the differences between the organization’s general information security policy and the needs and objectives of the various issue-specific and system-specific policies the organization will create.

Know what an information security blueprint is and what its major components are.

Understand how an organization institutionalizes its policies, standards, and practices using education, training and awareness programs.

Become familiar with what a viable information security architecture is, what it includes, and how it is used.

Page 3: Introduction

The creation of an information security program begins with an information security blueprint, and before we can discuss the creation and development of a blueprint, it is important to look at management’s responsibility in shaping policy.

It is prudent for information security professionals to know the information security policies and how these policies contribute to the overall objectives of the organization.

Page 4: Information Security Policy, Standards and Practices

Management from all communities of interest must consider policies as the basis for all information security efforts

Policies direct how issues should be addressed and technologies used

Security policies are the least expensive control to execute, but the most difficult to implement

Shaping policy is difficult because policy must:
Never conflict with laws
Stand up in court, if challenged
Be properly administered

Page 5: Definitions

A policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters

Policies are organizational laws

Standards, on the other hand, are more detailed statements of what must be done to comply with policy

Practices, procedures and guidelines effectively explain how to comply with policy

For a policy to be effective it must be properly disseminated, read, understood and agreed to by all members of the organization

Page 6: Types of Policy

Management defines three types of security policy:

General or security program policy

Issue-specific security policies

Systems-specific security policies

Page 7: Policies, Standards & Practices

Page 8: Security Program Policy

A security program policy (SPP) is also known as a general security policy, IT security policy, or information security policy

Sets the strategic direction, scope, and tone for all security efforts within the organization

An executive-level document, usually drafted by or with the CIO of the organization, and usually 2 to 10 pages long

Page 9: Issue-Specific Security Policy (ISSP)

As various technologies and processes are implemented, certain guidelines are needed to use them properly

The ISSP:
addresses specific areas of technology
requires frequent updates
contains an issue statement on the organization’s position on an issue

Three approaches:
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document

Page 10: Example ISSP Structure

Statement of Policy

Authorized Access and Usage of Equipment

Prohibited Usage of Equipment

Systems Management

Violations of Policy

Policy Review and Modification

Limitations of Liability

Page 11: Example Policy

Page 12: Systems-Specific Policy

While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems

Systems-specific policies fall into two groups:

Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system

Configuration rules comprise the specific configuration codes entered into security systems to guide the execution of the system

Page 13: ACL Policies

Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of systems translate ACLs into sets of configurations that administrators use to control access to their respective systems

ACLs allow configuration to restrict access from anyone and anywhere

ACLs regulate:
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system
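The five dimensions on this slide, codified as a systems-specific policy and evaluated deny-by-default, as an added example that is not from the textbook or the deck; the user directory, group names, resource name, networks, time windows and access methods are all constructed for illustration.

```python
"""ACL as a systems-specific policy: who / what / when / where / how.

Added example; not the textbook's or the deck's own code.  Every
principal, group, network and time window below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# WHO: constructed user directory mapping each user to their groups.
GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"it-admins", "staff"},
    "mallory": {"contractor"},
}


@dataclass
class AclEntry:
    """One configuration rule: which principal may do what, when, from where, how."""
    principal: str                 # user name, or "group:<name>"
    resource: str                  # WHAT: the system or resource
    rights: frozenset              # WHAT: operations this entry permits
    start: time = time(0, 0)       # WHEN: window start (inclusive)
    end: time = time(23, 59, 59)   # WHEN: window end (inclusive)
    source: str = "0.0.0.0/0"      # WHERE: source network the request must come from
    methods: frozenset = frozenset({"console", "lan", "vpn"})  # HOW: access path


@dataclass
class Request:
    user: str
    resource: str
    right: str
    at: datetime
    src_ip: str
    method: str


def _principal_matches(entry: AclEntry, user: str) -> bool:
    if entry.principal.startswith("group:"):
        return entry.principal[len("group:"):] in GROUPS.get(user, set())
    return entry.principal == user


def evaluate(acl, req: Request):
    """Deny by default: allow only if one entry matches on all five dimensions.

    Returns (decision, reason) so a caller can log why access was refused."""
    for entry in acl:
        if not _principal_matches(entry, req.user):                 # WHO
            continue
        if entry.resource != req.resource or req.right not in entry.rights:  # WHAT
            continue
        if not (entry.start <= req.at.time() <= entry.end):         # WHEN
            continue
        if ip_address(req.src_ip) not in ip_network(entry.source):  # WHERE
            continue
        if req.method not in entry.methods:                         # HOW
            continue
        return "ALLOW", f"matched entry for {entry.principal} on {entry.resource}"
    return "DENY", "no entry matched on who/what/when/where/how"


# Constructed policy: finance may read/write the ledger during business hours
# from the office LAN only; IT admins may administer it at any time, but only
# from the management network over the LAN or the VPN.
LEDGER_ACL = [
    AclEntry("group:finance", "ledger-db", frozenset({"read", "write"}),
             start=time(8, 0), end=time(18, 0), source="10.1.0.0/16",
             methods=frozenset({"lan"})),
    AclEntry("group:it-admins", "ledger-db", frozenset({"read", "admin"}),
             source="10.9.0.0/24", methods=frozenset({"lan", "vpn"})),
]


def demo():
    """Evaluate a set of constructed requests; each fails on a different dimension."""
    day = datetime(2016, 1, 22, 10, 30)
    night = datetime(2016, 1, 22, 22, 0)
    requests = {
        "alice_office_hours": Request("alice", "ledger-db", "write", day, "10.1.4.7", "lan"),
        "alice_after_hours":  Request("alice", "ledger-db", "write", night, "10.1.4.7", "lan"),  # WHEN
        "alice_from_vpn":     Request("alice", "ledger-db", "read", day, "10.1.4.7", "vpn"),     # HOW
        "alice_admin_right":  Request("alice", "ledger-db", "admin", day, "10.1.4.7", "lan"),    # WHAT
        "bob_mgmt_net":       Request("bob", "ledger-db", "admin", night, "10.9.0.12", "vpn"),
        "bob_wrong_net":      Request("bob", "ledger-db", "admin", night, "10.1.4.7", "vpn"),    # WHERE
        "mallory":            Request("mallory", "ledger-db", "read", day, "10.1.4.7", "lan"),   # WHO
    }
    return {name: evaluate(LEDGER_ACL, r)[0] for name, r in requests.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} {decision}")
```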

Page 14: Figure 6-3 – Novell Example ACL

Page 15: Windows Example ACL

Page 16: Rule Policies

Rule policies are more specific to the operation of a system than ACLs

Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process

Page 17: Checkpoint Example

Page 18: IDS Rules

Page 19: IDS Rules

Page 20: Policy Management

Policies are living documents that must be managed and nurtured, and are constantly changing and growing

Documents must be properly managed

Special considerations should be made for organizations undergoing mergers, takeovers and partnerships

In order to remain viable, policies must have:
an individual responsible for reviews
a schedule of reviews
a method for making recommendations for reviews
an indication of effective and revision date

Page 21: Automated Policy Management

There is an emergence of a new category of software for managing information security policies

In recent years, this category has emerged in response to needs articulated by information security practitioners

While there have been many software products that meet specific technical control needs, there is now a need for software to automate some of the administration of policy

Page 22: Information Classification

The classification of information is an important aspect of policy

The same protection scheme created to prevent production data from accidental release to the wrong party should be applied to policies in order to keep them freely available, but only within the organization

In today’s open office environments, it may be beneficial to implement a clean desk policy

A clean desk policy stipulates that at the end of the business day, all classified information must be properly stored and secured

Page 23: Not A Clean Desk

Page 24: Systems Design

At this point in the Security SDLC, the analysis phase is complete and the design phase begins – many work products have been created

Designing a plan for security begins by creating or validating a security blueprint

Then use the blueprint to plan the tasks to be accomplished and the order in which to proceed

Setting priorities can follow the recommendations of published sources, or published standards provided by government agencies or private consultants

Page 25: The SecSDLC

Page 26: Information Security Blueprints

One approach is to adapt or adopt a published model or framework for information security

A framework is the basic skeletal structure within which additional detailed planning of the blueprint can be placed as it is developed or refined

Experience teaches us that what works well for one organization may not precisely fit another

Page 27: ISO 17799/BS 7799

One of the most widely referenced and often discussed security models is the Information Technology – Code of Practice for Information Security Management, which was originally published as British Standard 7799

This Code of Practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information security

Page 28: BS7799-2

Page 29: ISO 17799 / BS 7799

Several countries have not adopted 17799, claiming there are fundamental problems:

The global information security community has not defined any justification for a code of practice as identified in the ISO/IEC 17799

17799 lacks “the necessary measurement precision of a technical standard”

There is no reason to believe that 17799 is more useful than any other approach currently available

17799 is not as complete as other frameworks available

17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls

Page 30: ISO/IEC 17799

Organizational Security Policy is needed to provide management direction and support

Objectives:
Operational Security Policy
Organizational Security Infrastructure
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
System Access Control
System Development and Maintenance
Business Continuity Planning
Compliance

Page 31: NIST Security Models

Another approach available is described in the many documents available from the Computer Security Resource Center of the National Institute of Standards and Technology (csrc.nist.gov), including:

NIST SP 800-12 - The Computer Security Handbook

NIST SP 800-14 - Generally Accepted Principles and Practices for Securing IT Systems

NIST SP 800-18 - The Guide for Developing Security Plans for IT Systems

Page 32: NIST SP 800-14

Security Supports the Mission of the Organization

Security is an Integral Element of Sound Mgmt

Security Should Be Cost-Effective

Systems Owners Have Security Responsibilities Outside Their Own Organizations

Security Responsibilities and Accountability Should Be Made Explicit

Security Requires a Comprehensive and Integrated Approach

Security Should Be Periodically Reassessed

Security is Constrained by Societal Factors

33 Principles enumerated

Page 33: IETF Security Architecture

While no specific architecture is promoted through the Internet Engineering Task Force, the Security Area Working Group acts as an advisory board for the protocols and areas developed and promoted through the Internet Society

RFC 2196: Site Security Handbook provides an overview of five basic areas of security with detailed discussions on development and implementation

There are chapters on such important topics as security policies, security technical architecture, security services, and security incident handling

Page 34: Visa Model

Visa International promotes strong security measures and has security guidelines

Developed two important documents that improve and regulate its information systems:
“Security Assessment Process”
“Agreed Upon Procedures”

Using the two documents, a security team can develop a sound strategy for the design of good security architecture

The only downside to this approach is the very specific focus on systems that can or do integrate with VISA’s systems

Page 35: Baselining and Best Practices

Baselining and best practices are solid methods for collecting security practices, but can have the drawback of providing less detail than would a complete methodology

It is possible to gain information by baselining and using best practices and thus work backwards to an effective design

The Federal Agency Security Practices Site (fasp.csrc.nist.gov) is designed to provide best practices for public agencies and adapted easily to private organizations

Page 36: Professional Membership

It may be worth the information security professional’s time and money to join professional societies that provide information on best practices to their members

Many organizations have seminars and classes on best practices for implementing security

Finding information on security design is the easy part; sorting through the collected mass of information, documents, and publications can take a substantial investment in time and human resources

Page 37: Hybrid Framework

The framework proposed here is the result of a detailed analysis of the components of all the documents, standards, and Web-based information described in the previous sections

It is offered to the student as a balanced introductory blueprint for learning the blueprint development process

Page 38: NIST SP 800-26

Management Controls:
Risk Management
Review of Security Controls
Life Cycle Maintenance
Authorization of Processing (Certification and Accreditation)
System Security Plan

Operational Controls:
Personnel Security
Physical Security
Production, Input/Output Controls
Contingency Planning
Hardware and Systems Software
Data Integrity
Documentation
Security Awareness, Training, and Education
Incident Response Capability

Technical Controls:
Identification and Authentication
Logical Access Controls
Audit Trails

Slide 39: Spheres of Security

Slide 40: Sphere of Use

Generally speaking, the concept of the sphere is to represent the 360 degrees of security necessary to protect information at all times
The first component is the “sphere of use”
Information, at the core of the sphere, is available for access by members of the organization and other computer-based systems:

  To gain access to the computer systems, one must either directly access the computer systems or go through a network connection
  To gain access to the network, one must either directly access the network or go through an Internet connection

Slide 41: Sphere of Protection

The “sphere of protection” overlays each of the levels of the “sphere of use” with a layer of security, protecting that layer from direct or indirect use through the next layer
The people must become a layer of security, a human firewall that protects the information from unauthorized access and use
Information security is therefore designed and implemented in three layers:

  policies
  people (education, training and awareness programs)
  technology

Slide 42: Controls

Management Controls cover security processes that are designed by the strategic planners and performed by security administration of the organization
Operational Controls deal with the operational functionality of security in the organization
Operational controls also address personnel security, physical security and the protection of production inputs and outputs
Technical Controls address those tactical and technical issues related to designing and implementing security in the organization

Slide 43: The Framework

Management Controls
  Program Management
  System Security Plan
  Life Cycle Maintenance
  Risk Management
  Review of Security Controls
  Legal Compliance

Operational Controls
  Contingency Planning
  Security ETA
  Personnel Security
  Physical Security
  Production Inputs and Outputs
  Hardware & Software Systems Maintenance
  Data Integrity

Technical Controls
  Logical Access Controls
  Identification, Authentication, Authorization and Accountability
  Audit Trails
  Asset Classification and Control
  Cryptography

Slide 44: SETA

As soon as the policies exist, policies to implement security education, training and awareness (SETA) should follow
SETA is a control measure designed to reduce accidental security breaches
SETA supplements the general education and training programs already in place to educate staff on information security
Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely

Slide 45: SETA Elements

The SETA program consists of three elements:
  security education
  security training
  security awareness

The organization may not be capable or willing to undertake all three of these elements but may outsource them
The purpose of SETA is to enhance security by:

  Improving awareness of the need to protect system resources
  Developing skills and knowledge so computer users can perform their jobs more securely
  Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

Slide 46: SETA

Slide 47: Security Education

Everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security
When formal education in security is needed for appropriate individuals, an employee can identify curriculum available from local institutions of higher learning or continuing education
A number of universities have formal coursework in information security (see for example http://infosec.kennesaw.edu)

Slide 48: Security Training

Security training involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely

Management of information security can develop customized in-house training or outsource the training program

Slide 49: Security Awareness

One of the least frequently implemented, but most beneficial, programs is the security awareness program
Designed to keep information security at the forefront of the users’ minds
Need not be complicated or expensive
If the program is not actively implemented, employees begin to ‘tune out’, and the risk of employee accidents and failures increases

Slide 50: Awareness at KSU

Slide 51: Comments

Defense in Depth
  One of the foundations of security architectures is the requirement to implement security in layers
  Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls

Security Perimeter
  The point at which an organization’s security protection ends, and the outside world begins
  Referred to as the security perimeter
  Unfortunately the perimeter does not apply to internal attacks from employee threats, or on-site physical threats

Slide 52: Defense in Depth

Slide 53: Perimeters and Domains

Slide 54: Key Technology Components

Other key technology components:

  A firewall is a device that selectively discriminates against information flowing into or out of the organization

  The DMZ (demilitarized zone) is a no-man’s land, between the inside and outside networks, where some organizations place Web servers

  In an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement Intrusion Detection Systems or IDS
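The following Python model is an added illustration of the ideas on slides 51 and 54 (defense in depth, the security perimeter, firewall, DMZ and IDS); it is not code from the slides or the textbook. A flow is inspected only by the controls that sit between its source zone and its destination zone, so a perimeter firewall says nothing about traffic that stays inside the organization, which is exactly the gap the slides note for internal threats, and only a host-based detector on the inside sees it. The zone names, rule sets, host names, addresses and the port-count threshold are all constructed for this example.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass

# Constructed example: zones ordered from least to most trusted. A control inspects
# a flow only when it crosses that control's boundary, so the perimeter firewall
# never sees traffic that stays inside the organization.
ZONE_TRUST = {"outside": 0, "dmz": 1, "inside": 2}

Flow = namedtuple("Flow", "src_zone src dst_zone dst port")


@dataclass(frozen=True)
class Rule:
    src_zone: str      # "*" matches any zone
    dst_zone: str
    ports: frozenset   # empty set matches any port
    action: str        # "allow" or "deny"

    def matches(self, flow):
        return (self.src_zone in ("*", flow.src_zone)
                and self.dst_zone in ("*", flow.dst_zone)
                and (not self.ports or flow.port in self.ports))


class Firewall:
    """First-match rule set with default deny (hypothetical device, not a product)."""

    def __init__(self, name, rules, boundary):
        self.name, self.rules = name, rules
        self.boundary = boundary  # trust level of the side this device protects

    def on_path(self, flow):
        # Only flows whose endpoints lie on different sides of the boundary cross it.
        lo, hi = sorted((ZONE_TRUST[flow.src_zone], ZONE_TRUST[flow.dst_zone]))
        return lo < self.boundary <= hi

    def decide(self, flow):
        return next((r.action for r in self.rules if r.matches(flow)), "deny")


class HostIDS:
    """Host-based detector on inside hosts: alerts once one source has touched
    more than max_ports distinct ports on a host (constructed threshold)."""

    def __init__(self, max_ports=3):
        self.max_ports, self.seen = max_ports, defaultdict(set)

    def observe(self, flow):
        if flow.dst_zone != "inside":
            return None
        ports = self.seen[(flow.src, flow.dst)]
        ports.add(flow.port)
        if len(ports) > self.max_ports:
            return f"ALERT {flow.src} touched {len(ports)} ports on {flow.dst}"
        return None


def build_layers():
    # Perimeter firewall between outside and DMZ; internal firewall between DMZ
    # and the inside network. Both rule sets are constructed for the example.
    perimeter = Firewall("perimeter-fw", [
        Rule("outside", "dmz", frozenset({80, 443}), "allow"),  # public web tier
    ], boundary=1)
    internal = Firewall("internal-fw", [
        Rule("dmz", "inside", frozenset({3306}), "allow"),      # web tier to DB only
    ], boundary=2)
    return [perimeter, internal]


def evaluate(flow, layers, ids):
    """Return (trail, outcome): each traversed control's verdict, then blocked/delivered."""
    trail = []
    for fw in layers:
        if fw.on_path(flow):
            verdict = fw.decide(flow)
            trail.append((fw.name, verdict))
            if verdict == "deny":
                return trail, "blocked"
    alert = ids.observe(flow)
    if alert:
        trail.append(("host-ids", alert))
    return trail, "delivered"


# Constructed traffic: a public web request, a direct hit on the database from the
# Internet, the web tier's database query, and a workstation walking four ports on
# an internal file server that no firewall sits in front of.
SAMPLE_FLOWS = [
    Flow("outside", "203.0.113.7", "dmz", "web1", 443),
    Flow("outside", "203.0.113.7", "inside", "db1", 3306),
    Flow("dmz", "web1", "inside", "db1", 3306),
] + [Flow("inside", "ws17", "inside", "files1", p) for p in (22, 135, 445, 3389)]


def run_scenario(flows=SAMPLE_FLOWS):
    layers, ids = build_layers(), HostIDS(max_ports=3)
    return [evaluate(flow, layers, ids) for flow in flows]
```

Calling run_scenario() returns one (trail, outcome) pair per sample flow: the public web request is allowed at the perimeter and reaches the DMZ, the direct database connection from the Internet is denied at the perimeter, the web tier's query passes only the internal firewall, and the workstation's inside-to-inside connections traverse no firewall at all, so the first three go unnoticed and only the host IDS raises an alert on the fourth port. That last trail is the point of the "perimeter does not apply to internal attacks" remark: the layer that catches it is one placed inside the perimeter.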

Slide 55: Key Components

Slide 56: IDS