
Unit – III

Planning for Security: Security policy, Standards and Practices,
Security Blue Print, Security Education, Continuity strategies.
Security Technology: Firewalls and VPNs: Physical Design, Firewalls,
Protecting Remote connections.

Introduction to Information Security

Information security involves protecting data, systems, and
networks from unauthorized access, attacks, and disruptions. It ensures
confidentiality, integrity, and availability of information. The field
has evolved from physical security to advanced cybersecurity
measures to combat modern threats like hacking, malware, and
phishing. Key concepts include risk management, security models,
and balancing security with usability.

Information Security Planning and Governance

Planning and governance in information security focus on establishing
policies, strategies, and oversight mechanisms to protect an
organization's digital assets. This includes:
- Defining security policies at enterprise and system levels.
- Following frameworks like ISO 27000 and NIST models for best practices.
- Assigning roles to security teams and top management (CISO).
- Ensuring compliance with legal and regulatory requirements.

Planning for Security:

Planning provides a foundation for identifying risks, establishing policies,
and implementing measures to protect organizational assets. It aligns
security objectives with business goals and ensures a proactive approach
to mitigating threats. This chapter covers key aspects of security
planning, including policies, standards, education, and continuity
strategies.
Security Policy, Standards and Practices:

Policy: A policy is a directive from senior management that outlines
acceptable and unacceptable behavior, acting as organizational "laws"
with defined penalties and appeal processes.

Standards: Detailed statements on how to comply with policies, either
informal or formal.

Practices, Procedures, and Guidelines: Explain how to implement and
adhere to policies and standards.

Security policies are a formal set of rules issued by an organization to
ensure that users who are authorized to access company technology and
information assets comply with the rules and guidelines related to the
security of information. A security policy is a written document within
the organization that sets out how to protect the organization from
threats and how to handle them when they occur. A security policy is also
considered a "living document", meaning that it is never finished but is
continuously updated as the requirements of the technology and the
employees change.

Key Components of a Security Policy:

1. Purpose and Scope: Explains why the policy exists and the areas it
covers.
2. Roles and Responsibilities: Defines who is responsible for
implementing and enforcing the policy.
3. Acceptable Use Policy (AUP): Outlines acceptable behavior for
using organizational resources.
4. Access Control Policy: Specifies rules for granting and revoking
access to systems.
5. Incident Response: Guidelines for detecting, reporting, and
mitigating security breaches.

Management should define three types of security policy, according to the
National Institute of Standards and Technology's Special Publication
800-14. They are:

1. Enterprise Information Security Policy (EISP), also known as a
general security policy, organizational security policy, IT security policy,
or information security policy.
An Enterprise Information Security Policy (EISP) is a high-level framework
that defines an organization's approach to protecting its information
assets. It outlines the principles, roles, responsibilities, and guidelines to
ensure the confidentiality, integrity, and availability of data. The EISP sets
the foundation for compliance with legal, regulatory, and organizational
requirements, addressing areas such as access control, risk management,
incident response, and data protection. It serves as a guide for developing
specific security policies and procedures across the organization.

2. Issue-Specific Security Policy (ISSP) focuses on addressing specific
areas of information security within an organization, such as acceptable
use of IT resources, email usage, or mobile device management. It
provides detailed rules, responsibilities, and procedures tailored to the
particular issue, ensuring compliance and mitigating risks. ISSPs are
narrower in scope than enterprise policies and are updated as technology
and threats evolve.

3. Systems-Specific Policy (SysSP) is a detailed document that
outlines security requirements and procedures for specific systems or
devices within an organization. It includes technical configurations,
operational guidelines, and user responsibilities tailored to a particular
system, such as a database, server, or application. SysSPs ensure
consistent security controls and compliance for the system's effective
operation.
Enterprise Information Security Policy (EISP):
- High-level, organization-wide framework for information security.
- Defines overall security goals, roles, and responsibilities.
- Provides a foundation for compliance and governance.
- Broad in scope, addressing general security principles.

Issue-Specific Security Policy (ISSP):
- Focuses on specific security issues, like email usage or mobile device policies.
- Provides detailed rules and guidelines for handling particular concerns.
- Updated regularly to address evolving threats and technologies.
- Narrower in scope than EISP.

System-Specific Security Policy (SysSP):
- Used when configuring or maintaining systems.
- Tailored for individual systems or devices (e.g., databases, servers).
- Includes technical configurations and operational guidelines.
- Ensures security controls are applied consistently.
- Detailed and technical, focused on specific system needs.

Policy Management
Policy management in information security involves developing,
implementing, enforcing, and updating security policies to protect an
organization's data and IT systems. It ensures that security guidelines
align with business objectives, compliance regulations, and risk
management strategies.

Key aspects include:
- Creating policies (e.g., Enterprise Security Policies, Issue-Specific
Policies, and System-Specific Policies).
- Regular updates to adapt to new threats and technologies.
- Employee training and enforcement to ensure compliance.
- Monitoring and auditing for effectiveness.
Effective policy management helps organizations maintain a secure
and compliant IT environment while reducing risks.

Security Blueprint:
An Information Security Blueprint is a detailed plan that outlines the
implementation of an organization's information security strategy. It
serves as a guide to develop and deploy security measures aligned with
business goals and compliance requirements. Key aspects of an
information security blueprint include:
- Framework: Establishes the structure for security controls and
policies, often based on industry standards like ISO 27001 or NIST.
- Risk Assessment: Identifies potential threats, vulnerabilities, and
risks to the organization's information assets.
- Security Architecture: Defines the technologies, processes, and
practices to protect data, systems, and networks.
- Roles and Responsibilities: Specifies who is responsible for
implementing and managing security measures.
- Compliance and Governance: Ensures adherence to legal and
regulatory requirements.
- Continuous Improvement: Incorporates mechanisms for regular
evaluation and updates to adapt to evolving threats and business
changes.
An effective blueprint provides a clear, actionable roadmap for building a
secure and resilient IT environment.

Security Education:
Security education, training, and awareness (SETA) program:
1. Security Education:
- Focuses on building awareness and understanding of information
security.
- Formal education (e.g., university courses) is not required for all
employees but can be pursued through programs like NSA Centers of
Excellence.
- Local and online resources offer information security programs.

2. Security Training:
- Provides detailed, hands-on instruction tailored to specific job roles.
- Can be in-house or outsourced to agencies like SANS, (ISC)², ISSA, or
CSI.
- Focused on preparing employees to perform tasks securely, often for
IT professionals.

3. Security Awareness:
- Keeps security at the forefront of employees' minds using
newsletters, posters, videos, flyers, or branded trinkets.
- Cost-effective and easy to implement, with newsletters being the
most common method.
- Aims to promote a security-conscious culture and reduce risks
caused by employee negligence.

Contingency Planning in Information Security

Contingency planning involves preparing an organization to respond
effectively to unexpected events that may disrupt its operations or
compromise information security. It ensures business continuity and
minimizes losses during incidents like cyberattacks, system failures, or
natural disasters.
Key components include:
- Business Impact Analysis (BIA): Identifies critical systems and
their potential risks.
- Incident Response Plan (IRP): Details steps to detect, respond,
and recover from security incidents.
- Disaster Recovery Plan (DRP): Focuses on restoring IT systems
and infrastructure.
- Crisis Management
Effective contingency planning requires regular testing, updates, and
employee training to adapt to evolving threats and organizational
changes.

Firewall:
Firewalls are the first line of defense for your network security. A firewall is
a type of cybersecurity tool used to monitor and filter incoming and
outgoing network traffic – from external sources, internal sources, and
even specific applications. The primary goal of a firewall is to block
malicious traffic requests and data packets while letting through
legitimate traffic.

A firewall matches network traffic against the rule set defined in its rule
table. Once a rule is matched, the associated action is applied to the
traffic. For example, one rule may state that no employee from the Human
Resources department can access data on the code server, while another
rule states that a system administrator can access data from both the
Human Resources and technical departments. Rules are defined on the
firewall according to the needs and security policies of the organization.
From the perspective of a server, network traffic is either outgoing or
incoming.

Types of Firewalls:
1. Packet Filtering Firewall
A packet filtering firewall controls network access by monitoring
outgoing and incoming packets and allowing or blocking them based on
source and destination IP address, protocol, and port. It analyses traffic
at the transport layer (but mainly uses the first three layers). Packet
filtering firewalls treat each packet in isolation: they have no ability to
tell whether a packet is part of an existing stream of traffic, so they can
only allow or deny a packet based on its headers. A packet filtering
firewall maintains a filtering table that decides whether each packet is
forwarded or discarded. From the given filtering table, packets are
filtered according to the following rules:

2. Stateful Inspection Firewall

Stateful firewalls (which perform stateful packet inspection) are able to
determine the connection state of a packet, unlike packet filtering
firewalls, which makes them more efficient. A stateful firewall keeps track
of the state of the network connections travelling across it, such as TCP
streams, so filtering decisions are based not only on the defined rules but
also on the packet's history in the state table.
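The difference between the two firewall types above is easiest to see in code. The following Python model is an added example, not part of the original notes: it builds a rule table for the Human Resources / system administrator scenario described earlier, runs the same packets through a stateless packet filter and a stateful firewall, and shows why the stateless filter needs a standing "source port 443" rule to let HTTPS replies back in while the stateful one admits them from its state table. All subnets, hosts, ports and rules are constructed for illustration.

```python
"""Toy packet-filtering (stateless) vs. stateful inspection firewall.

Added example, not taken from the original notes. Addresses, subnets and
rules are constructed to mirror the HR / administrator scenario in the text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag: set on the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # source network
    dst: str = "0.0.0.0/0"         # destination network
    proto: Optional[str] = None    # None = any protocol
    sport: Optional[int] = None    # None = any source port
    dport: Optional[int] = None    # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class PacketFilter:
    """Stateless filter: each packet is judged on its headers alone.
    The first matching rule wins; unmatched packets are denied."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFirewall(PacketFilter):
    """Stateful inspection: remembers approved connections in a state table,
    so reply packets are admitted because of history, not a standing rule."""
    def __init__(self, rules):
        super().__init__(rules)
        self.state = set()   # 5-tuples of connections already allowed

    def decide(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if forward in self.state or reverse in self.state:
            return "allow"                 # belongs to an approved connection
        if p.proto == "tcp" and not p.syn:
            return "deny"                  # mid-stream packet with no known connection
        action = super().decide(p)         # new connection: consult the rule table
        if action == "allow":
            self.state.add(forward)
        return action


# Constructed networks: HR subnet, admin subnet, the whole internal range, the code server.
HR_NET, ADMIN_NET, INTERNAL, CODE_SERVER = "10.1.0.0/24", "10.2.0.0/24", "10.0.0.0/8", "10.9.0.5/32"

RULES = [
    Rule("deny", src=HR_NET, dst=CODE_SERVER),             # HR may not reach the code server
    Rule("allow", src=ADMIN_NET, dst=INTERNAL),            # administrators reach any internal host
    Rule("allow", src=INTERNAL, proto="tcp", dport=443),   # outbound HTTPS from inside
]
# A stateless filter needs a standing rule to let HTTPS replies back in;
# that rule admits any packet whose source port happens to be 443.
STATELESS_RULES = RULES + [Rule("allow", dst=INTERNAL, proto="tcp", sport=443)]


def run_scenario():
    """Decide a few constructed packets with both firewalls.
    Returns {name: (stateless_decision, stateful_decision)}."""
    stateless, stateful = PacketFilter(STATELESS_RULES), StatefulFirewall(RULES)
    packets = [
        ("hr_to_code_server", Packet("tcp", "10.1.0.7", 40000, "10.9.0.5", 22, syn=True)),
        ("admin_to_code_server", Packet("tcp", "10.2.0.3", 40001, "10.9.0.5", 22, syn=True)),
        ("https_request", Packet("tcp", "10.1.0.7", 51000, "203.0.113.10", 443, syn=True)),
        ("https_reply", Packet("tcp", "203.0.113.10", 443, "10.1.0.7", 51000)),
        ("unsolicited_from_port_443", Packet("tcp", "203.0.113.66", 443, "10.1.0.7", 3389, syn=True)),
    ]
    # Packets are evaluated in order, so the reply is seen after its request.
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (a, b) in run_scenario().items():
        print(f"{name:28s} stateless={a:5s} stateful={b}")
```

Rule order matters in both firewalls: the HR deny rule sits before the general HTTPS allow, so an HR host cannot reach the code server even on port 443. The last scenario packet is the point of the comparison: an unsolicited inbound connection whose source port is 443 is accepted by the stateless filter because its headers satisfy the reply rule, while the stateful firewall rejects it because no matching connection was ever approved.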

3. Software Firewall
A software firewall is any firewall that is set up locally or on a cloud
server. When it comes to controlling the inflow and outflow of data
packets and limiting the number of networks that can be linked to a single
device, they may be the most advantageous. The drawback of software
firewalls is that they are time-consuming.

4. Hardware Firewall
Hardware firewalls also go by the name "firewalls based on physical
appliances." A hardware firewall ensures that malicious data is halted
before it reaches the network endpoint that is in danger.
Virtual Private Network (VPN)
A Virtual Private Network (VPN) is a technology that creates a secure,
encrypted connection over a public or private network, enabling users to
transmit data safely. It is commonly used to ensure privacy,
confidentiality, and secure remote access.
Key Features:
- Encryption: Protects data in transit by encrypting it, ensuring it
cannot be intercepted or read by unauthorized parties.
- Secure Remote Access: Enables employees to connect to a
corporate network securely from remote locations.
- Anonymity: Masks the user's IP address, enhancing online privacy.
- Data Integrity: Prevents unauthorized modifications to data during
transmission.
Types of VPNs:
1. Remote Access VPN:
  - Allows individual users to securely connect to a private network
from remote locations.
  - Commonly used by remote workers.
2. Site-to-Site VPN:
  - Connects multiple networks (e.g., between different office
locations) securely over the internet.
  - Used for inter-branch communication.

VPN Protocols:
- IPSec (Internet Protocol Security): Secures IP communication
with encryption and authentication.
- SSL/TLS (Secure Sockets Layer/Transport Layer Security):
Used for browser-based VPNs to secure web traffic.
- OpenVPN: Open-source protocol offering strong encryption and
reliability.
- L2TP (Layer 2 Tunneling Protocol): Often combined with IPSec
for added security.

Protecting Remote Connections

With increasing remote work and distributed networks, securing remote
connections is essential. Two key methods are:
1. Remote Access
  - Allows users to connect to a private network from a remote
location.
  - Uses authentication and encryption to ensure security.
  - Common methods: Remote Desktop Protocol (RDP), Secure
Shell (SSH).
2. Virtual Private Networks (VPNs)
  - Creates a secure, encrypted tunnel between a remote device
and the internal network.
  - Prevents data interception and enhances privacy.
  - Types: Site-to-Site VPN, Remote Access VPN.
Both methods help protect data and ensure secure remote
communication.
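Remote access services such as SSH rely on authentication, and the authentication log is where an administrator sees whether that control is holding up. The following Python script is an added example, not part of the original notes: it parses constructed sshd log lines, flags source addresses that produce many failed password attempts inside a short window (a password-guessing pattern), and lists logins that succeeded with a password rather than a key, which matters when the organization's policy requires key-based authentication. The host name, addresses, user names and timestamps are all made up for illustration.

```python
"""Spotting password-guessing and password logins in sshd authentication logs.

Added example, not taken from the original notes. The log lines, host,
addresses and user names are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format, which carries no year).
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Mar  3 10:01:05 bastion sshd[2213]: Failed password for root from 198.51.100.23 port 40130 ssh2
Mar  3 10:01:09 bastion sshd[2215]: Failed password for root from 198.51.100.23 port 40138 ssh2
Mar  3 10:01:14 bastion sshd[2217]: Failed password for invalid user oracle from 198.51.100.23 port 40144 ssh2
Mar  3 10:01:20 bastion sshd[2219]: Failed password for invalid user test from 198.51.100.23 port 40150 ssh2
Mar  3 10:02:10 bastion sshd[2250]: Accepted publickey for alice from 10.0.0.5 port 52000 ssh2
Mar  3 10:15:31 bastion sshd[2301]: Failed password for bob from 10.0.0.9 port 53100 ssh2
Mar  3 10:15:40 bastion sshd[2303]: Accepted password for bob from 10.0.0.9 port 53104 ssh2
"""

# Matches the "Accepted <method> for <user>" / "Failed <method> for <user>" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Parse sshd authentication lines into dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # No year in syslog timestamps; strptime defaults to 1900, which is
        # fine for computing differences within one log file.
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Return source IPs with at least `threshold` failed logins inside any
    sliding window of length `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1            # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def password_logins(events):
    """Return (user, ip) pairs that authenticated with a password rather than a key."""
    return {(ev["user"], ev["ip"]) for ev in events
            if ev["result"] == "Accepted" and ev["method"] == "password"}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("possible password guessing from:", sorted(brute_force_sources(evs)))
    print("password (non-key) logins:", sorted(password_logins(evs)))
```

The threshold and window are tuning knobs, not fixed values: five failures in a minute from one address is a conservative starting point for a bastion host. On a real system the same logic would read the authentication log continuously, and a flagged address would typically be rate-limited or blocked at the firewall while the password login would be reviewed against the access control policy.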
