Security Policies
• An information security policy (ISP) is a
set of rules, policies and procedures
designed to ensure all end users and
networks within an organization meet
minimum IT security and data protection
security requirements.
• What is the purpose of an information
security policy?
– An information security policy aims to enact
protections and limit the distribution of data to
only those with authorized access. Organizations
create ISPs to:
• Establish a general approach to information security
• Document security measures and user access
control policies
• Detect and minimize the impact of compromised
information assets such as misuse of data, networks,
mobile devices, computers and applications
• Protect the reputation of the organization
• Comply with legal and regulatory requirements like
NIST, GDPR, HIPAA and FERPA
• Protect their customer's data, such as credit card
numbers
• Provide effective mechanisms to respond to
complaints and queries related to real or perceived
cybersecurity risks such as phishing, malware and
ransomware
• Why is an information security policy
important?
– Creating an effective information security
policy that meets all compliance requirements
is a critical step in preventing security
incidents like data leaks and data breaches.
– ISPs are important for new and established
organizations. Increasing digitalization means
every employee is generating data and a
portion of that data must be protected from
unauthorized access. Depending on your
industry, it may even be protected by laws.
– Sensitive data, personally identifiable information
(PII), and intellectual property must be protected
to a higher standard than other data.
– Whether you like it or not, information
security (InfoSec) is important at every level of
your organization, and outside of your
organization as well.
– Increased outsourcing means third-party vendors
have access to data too. This is why third-party
risk management and vendor risk management are
part of any good information security
• What are the key elements of an
information security policy?
– 1. Purpose
– 2. Audience
– 3. Information security objectives
– 4. Authority and access control policy
– 5. Data classification
– 6. Data support and operations
– 7. Security awareness training
– 8. Responsibilities and duties of employees
– 1. Purpose
• Preserve your organization's information security.
• Detect and preempt information security breaches
caused by third-party vendors, misuse of
networks, data, applications, computer systems
and mobile devices.
• Protect the organization's reputation
• Uphold ethical, legal and regulatory requirements
• Protect customer data and respond to inquiries
and complaints about non-compliance with security
requirements and data protection
– 2. Audience
• Define who the information security policy applies
to and who it does not apply to. You may be
tempted to say that third-party vendors are not
included as part of your information security policy.
– 3. Information security objectives
• Confidentiality: data and information are
protected from unauthorized access
• Integrity: Data is intact, complete and accurate
• Availability: IT systems are available when
needed
– 4. Authority and access control policy
• This part is about deciding who has the authority
to decide what data can be shared and what can't.
• Remember, this may not be always up to your
organization.
• For example, if you are the CSO at a hospital, you
likely need to comply with HIPAA and its data
protection requirements. If you store medical
records, they can't be shared with an
unauthorized party, whether in person or online.
– 5. Data classification
• An information security policy must classify data into
categories. A good way to classify the data is into five
levels that dictate an increasing need for protection:
– Level 1: Public information
– Level 2: Information your organization has chosen to keep
confidential but disclosure would not cause material harm
– Level 3: Information that carries a risk of material harm to
individuals or your organization if disclosed
– Level 4: Information that carries a high risk of serious harm
to individuals or your organization if disclosed
– Level 5: Information that will cause severe harm to individuals
or your organization if disclosed
– 6. Data support and operations
• Once data has been classified, you need to outline how data
at each level will be handled. There are generally three
components to this part of your information security policy:
– Data protection regulations:
» Personally identifiable information (PII) or sensitive data
stored by the organization must be protected according to
organizational standards, best practices, industry compliance
standards and regulation
– Data backup requirements:
» Outlines how data is backed up, what level of encryption is
used and what third-party service providers are used
– Movement of data:
» Outlines how data is communicated. Data that is deemed
classified in the above data classification should be securely
communicated with encryption and not transmitted across
public networks to avoid man-in-the-middle attacks
– 7. Security awareness training
• Security training should include:
– Social engineering:
» Teach your employees about
phishing, spearphishing and other common social
engineering cyber attacks
– Clean desk policy:
» Laptops should be taken home and documents
shouldn't be left on desks at the end of the work day
– Acceptable usage:
» What can employees use their work devices and
– 8. Responsibilities and duties of employees
• This is where you operationalize your information security
policy. This part of your information security policy needs to
outline the owners of:
– Security programs
– Acceptable use policies
– Network security
– Physical security
– Business continuity
– Access management
– Security awareness
– Risk assessments
– Incident response
– Data security
– Disaster recovery
– Incident management
Basic Terminologies in
Cryptography
• Plaintext
• Ciphertext
• Encryption
• Decryption
• Keys
• Hash
• Salt
• Symmetric and Asymmetric Algorithms
• Public and Private Keys
• HTTPS
• End-to-End Encryption
• Plaintext
– Plaintext is simple but just as important as the
other terms: it is an unencrypted, readable,
plain message that anyone can read.
• Ciphertext
– Ciphertext is the result of the encryption
process.
– The encrypted plaintext appears as
apparently random strings of characters,
rendering it useless to anyone without the key.
– A cipher is another way of referring to the
encryption algorithm that transforms the
plaintext, hence the term ciphertext.
• Encryption
– Encryption is the process of applying a
mathematical function to a file that renders its
contents unreadable and inaccessible unless
you have the decryption key.
– For instance, let's say you have a Microsoft
Word document.
– You apply a password using Microsoft
Office's inbuilt encryption function.
– The file is now unreadable and inaccessible
to anyone without the password. You can
even encrypt your entire hard drive for
• Decryption
– If encryption locks the file, then decryption
reverses the process, turning ciphertext back
to plaintext.
– Decryption requires two elements: the
correct password and the corresponding
decryption algorithm.
• Keys
– The encryption process requires
a cryptographic key that tells the algorithm
how to transform the plaintext into
ciphertext.
– Kerckhoffs's principle states that "only
secrecy of the key provides security," while
Shannon's maxim continues "the enemy
knows the system."
– These two statements influence the role of
encryption, and keys within that.
– Keeping the details of an entire encryption
algorithm secret is extremely difficult; keeping
a much smaller key secret is easier.
– The key locks and unlocks the algorithm,
allowing the encryption or decryption process
to function.
– Is a Key a Password?
• No. Well, at least not entirely. Key creation is a
result of using an algorithm, whereas a password
is usually a user choice.
• The confusion arises as we rarely specifically
interact with a cryptographic key, whereas
passwords are part of daily life.
• Passwords are at times part of the key creation
process. A user enters their super-strong
password using all manner of characters and
symbols, and the algorithm generates a key using
their input.
• Hash
– When a website stores your password, it runs
your plaintext password through a hashing
algorithm to produce a hash.
– A hash is different from encryption in that once
the data is hashed, it cannot be unhashed. Or
rather, it is extremely difficult.
– Hashing is really useful when you need to verify
something's authenticity without reading it back.
In this way, password hashing offers some
protection against brute-force attacks (where
the attacker tries every possible password
– You might have even heard of some of the
common hashing algorithms, such as MD5,
SHA, SHA-1, and SHA-2. Some are stronger
than others, while some, such as MD5, are
outright vulnerable.
– For instance, if you head to the site MD5
Online, you'll note they have
123,255,542,234 words in their MD5 hash
database.
• Salt
– When passwords are part of key creation, the
encryption process requires additional
security steps.
– One of those steps is salting the passwords.
– At a basic level, a salt adds random data to a
one-way hash function.
– There are two users with the exact same
password: hunter2.
– We run hunter2 through a SHA-256 hash
generator and receive
f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7.
– Someone hacks the password database and
checks this hash; each account with the
corresponding hash is immediately vulnerable.
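The hunter2 scenario above, and the earlier point that passwords are often turned into keys, as an added example (not part of the slides): the unsalted SHA-256 digest is identical for both users, while a random per-user salt run through PBKDF2 (a password-based key derivation function) makes each stored record unique and still verifiable. Function names and the iteration count are my choices.

```python
# Added example: unsalted hash vs. salted, stretched password record.
import hashlib
import hmac
import os


def sha256_hex(password: str) -> str:
    """Plain SHA-256 as in the slide: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Password -> 32-byte key via PBKDF2-HMAC-SHA256; the salt makes each result unique."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def make_record(password: str) -> dict:
    """What a server should store: a fresh random salt plus the salted, stretched hash."""
    salt = os.urandom(16)  # new salt per user, stored alongside the hash
    return {"salt": salt, "hash": derive_key(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = derive_key(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def same_password_collides(pw1: str, pw2: str) -> tuple:
    """Return (unsalted digests equal?, salted records equal?) for two users."""
    unsalted_equal = sha256_hex(pw1) == sha256_hex(pw2)
    salted_equal = make_record(pw1)["hash"] == make_record(pw2)["hash"]
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    print(sha256_hex("hunter2"))                       # the digest quoted on the slide
    print(same_password_collides("hunter2", "hunter2"))  # (True, False)
    rec = make_record("hunter2")
    print(verify_password("hunter2", rec), verify_password("hunter3", rec))
```

A leaked table of salted records no longer lets an attacker match one precomputed digest against every account at once; each record has to be attacked separately, and the iteration count makes each attempt slow.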
• Symmetric and Asymmetric Algorithms
– In modern computing, there are two primary
encryption algorithm types: symmetric and
asymmetric. They both encrypt data, but
function in a slightly different manner.
• Symmetric algorithm:
– Uses the same key for both encryption and decryption.
Both parties must agree on the algorithm key before
commencing communication.
• Asymmetric algorithm:
– Uses two different keys: a public key and a private key.
This enables secure encryption while communicating
without previously establishing a shared key. This
is also known as public key cryptography.
• Public and Private Keys
– An asymmetric algorithm uses two keys:
a public key and a private key.
– The public key can be sent to other people,
while the private key is only known by the
owner.
– What's the purpose of this?
• Well, anyone with the intended recipient's public
key can encrypt a private message for them, but
only someone holding the paired private key can
read the contents of that message. Check out the
below image for more
– Public and private keys also play an essential
role in digital signatures, whereby a sender
can sign their message with their private
key.
– Those with the public key can then verify the
message, safe in the knowledge that the
original message came from the holder of the
sender's private key.
– A key pair is the mathematically linked public
and private key generated by an encryption
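The asymmetric key pair, public-key encryption and private-key signing described in the last three slides, as an added teaching example (not from the slides): textbook RSA with the tiny constructed primes 61 and 53. Function names are my own; the numbers are far too small for real use, and real systems also add padding (OAEP for encryption, PSS for signatures) and use keys of 2048 bits or more.

```python
# Added example: textbook RSA key pair, encrypt/decrypt and sign/verify.
# Educational only: tiny constructed primes, no padding, not secure.
from math import gcd


def generate_keypair(p: int, q: int, e: int = 17) -> tuple:
    """Return (public_key, private_key) as ((e, n), (d, n)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: int, public_key: tuple) -> int:
    """Anyone with the public key can encrypt; message must satisfy 1 < message < n."""
    e, n = public_key
    if not 1 < message < n:
        raise ValueError("message must be an integer in (1, n)")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key: tuple) -> int:
    """Only the private-key holder recovers the plaintext."""
    d, n = private_key
    return pow(ciphertext, d, n)


def sign(message: int, private_key: tuple) -> int:
    """The sender signs with the private key (the slide's digital signature)."""
    d, n = private_key
    return pow(message, d, n)


def verify(message: int, signature: int, public_key: tuple) -> bool:
    """Anyone with the public key checks the signature; altering the message breaks it."""
    e, n = public_key
    return pow(signature, e, n) == message


if __name__ == "__main__":
    public, private = generate_keypair(61, 53)   # constructed toy primes
    c = encrypt(65, public)
    print(public, private, c, decrypt(c, private))  # (17, 3233) (2753, 3233) 2790 65
    s = sign(65, private)
    print(verify(65, s, public), verify(66, s, public))  # True False
```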
• HTTPS
– HTTPS (HTTP Secure) is a now widely
implemented security upgrade for the HTTP
application protocol that is a foundation of
the internet as we know it.
– When using an HTTPS connection, your data is
encrypted using Transport Layer Security
(TLS), protecting your data while in transit.
– HTTPS uses long-term private and public
keys, which in turn are used to establish a
short-term session key.
– The session key is a single-use symmetric
key that the connection destroys once you
leave the HTTPS site (closing the connection
and ending its encryption).
– However, when you revisit the site, you will
receive another single-use session key to
secure your communication.
– A site must completely adhere to HTTPS to
offer users complete security.
– Since 2018 the majority of sites online began
offering HTTPS connections over standard
• End-to-End Encryption
– One of the biggest encryption buzzwords is that
of end-to-end encryption.
– Social messaging platform service WhatsApp
began offering its users end-to-end encryption
(E2EE) in 2016, making sure their messages are
private at all times.
– WhatsApp isn't the first, or even the
only messaging service to offer end to end
encryption. It did, however, move the idea of
mobile message encryption further into the
mainstream---much to the ire of myriad
Encryption
(Cryptography)
- “hidden writing” (hiding the meaning of
the message)
• Basic security goals:
- privacy (secrecy, confidentiality)
• only the intended recipient can
see the communication
- authenticity (integrity)
• the communication is generated
by the alleged sender
Types of Encryption Algorithms