Computer Security (Chapter-7)

The document discusses administering security through a combination of technical, administrative and physical controls. It covers topics like security planning, policies, risk analysis, and physical security. Ethics and education are also discussed as ways to promote proper security behavior.

Uploaded by

Naoly Get

Chapter Seven

Administering security
Overview
• So far we have learned how to achieve security, protecting programs,
operating systems, databases, and networks, using technology
(technical controls)
• While this is essential, not all security and privacy issues are
addressed by technology
• Security controls are a combination of
  o Technical controls
  o Administrative controls
  o Physical controls

04/20/2024 Compiled by: Naol G. (MSc.) 2


Security planning
• Every organization using computing resources should perform
thorough and effective security planning
• A security plan is a document that describes how an organization
will address its security needs, specifying its security goals, and
how to achieve them
• The plan should be reviewed and revised periodically

[Figure: the security planning process. Requirements and security policies (constraints) are inputs to the security planning process; security techniques and controls (mechanisms) are the means; the output is the security plan.]
Contents of a Security Plan
• A security plan identifies and organizes the security activities for a
computing system
• The plan is both a description of the current situation and a plan for
improvement
• Every security plan must address seven issues:
  o Policy: A security policy is a high-level statement of purpose and
intent, specifying goals, responsibility, and commitment
  o Current state: describing the status of security at the time of the
plan, e.g., current assets, vulnerabilities, responsibilities.
  o Requirements: specifying the needs that the organization has,
e.g., who is allowed/not allowed, what logs should be kept, etc.



Contents of a Security Plan /Cont…
  o Recommended controls: mapping controls to the vulnerabilities
identified in the current state and requirements in the light of the
security policy
  o Accountability: describing who is responsible for each security
activity in the case of failure, e.g., specifying responsibilities for
desktop users, DB admins, network admins, CSO, CIO, etc.
  o Timetable: identifying when different security functions are to be
done, e.g., procurement of HW, installation, operations, and
maintenance, etc.
  o Continuing attention: specifying a structure for periodically updating
the security plan, as the state of the world, technology, and
vulnerabilities are not static!



Risk Analysis
• A risk is a potential problem that the system or its users may experience
• Risk analysis is the process of examining a system and its operational
context to determine possible exposures and the potential harm they
can cause
• Three strategies for dealing with risk
  o Risk avoidance: by changing requirements for security or other
system characteristics
  o Risk transference: by allocating the risk to other systems, people,
organizations, or assets; or by buying insurance to cover any
financial loss should the risk become a reality
  o Risk acceptance: by accepting it, controlling it with available
resources, and preparing to deal with the loss if it occurs



Risk Analysis /Cont…
Risk analysis usually comprises the following steps:
• Identify assets
  o what we need to protect
• Determine vulnerabilities
  o predict what damage might occur to the assets and from what sources
• Estimate likelihood of exploitation
  o how often each exposure is likely to be exploited
• Compute expected loss
  o determine the likely loss if the exploitation does indeed occur
• Survey applicable controls
  o see which controls address the risks identified in previous steps
• Project savings due to control
  o determine whether the costs outweigh the benefits of preventing or mitigating the
risks
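The six steps above carried through on a small constructed example (added here, not part of the original slides): each exposure's annual expected loss is likelihood times loss per event, and a control's projected savings is the expected loss it avoids minus its own annual cost. The assets, likelihoods, loss figures and control effects are all invented for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Exposure:
    asset: str            # step 1: what we need to protect
    vulnerability: str    # step 2: what damage might occur, and from what source
    likelihood: float     # step 3: expected exploitations per year (constructed)
    loss: float           # step 4: loss per successful exploitation (constructed)

    def expected_loss(self) -> float:
        """Annual expected loss for this exposure = likelihood x loss per event."""
        return self.likelihood * self.loss


@dataclass
class Control:
    name: str
    annual_cost: float
    # step 5: which vulnerabilities this control addresses, and the fraction of
    # their likelihood it removes (0.0 = no effect, 1.0 = eliminates the exposure)
    reduces: dict = field(default_factory=dict)


def total_expected_loss(exposures: list) -> float:
    """Sum of annual expected losses with no extra controls in place."""
    return sum(e.expected_loss() for e in exposures)


def project_savings(exposures: list, control: Control) -> float:
    """Step 6: expected loss the control avoids, minus what the control costs.
    A negative value means the control costs more than the risk it removes."""
    avoided = sum(e.expected_loss() * control.reduces.get(e.vulnerability, 0.0)
                  for e in exposures)
    return avoided - control.annual_cost


def rank_controls(exposures: list, controls: list) -> list:
    """Controls ordered by projected net savings, best first."""
    return sorted(((c.name, project_savings(exposures, c)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample data: three exposures and three candidate controls.
EXPOSURES = [
    Exposure("customer DB", "SQL injection", likelihood=0.5, loss=100_000.0),
    Exposure("customer DB", "ransomware", likelihood=0.2, loss=250_000.0),
    Exposure("web server", "DDoS", likelihood=2.0, loss=5_000.0),
]
CONTROLS = [
    Control("WAF", 15_000.0, {"SQL injection": 0.8, "DDoS": 0.5}),
    Control("Offline backups", 8_000.0, {"ransomware": 0.9}),
    Control("DDoS scrubbing", 20_000.0, {"DDoS": 0.95}),
]
```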



Security Policies
• A security policy is a high-level management document to inform all
users of the goals of and constraints on using a system
• A security policy must answer three questions: who can access which
resources in what manner?
• Characteristics of a good security policy
  o Coverage: a security policy must be comprehensive, and general
enough to apply to new cases
  o Durability: a security policy must grow and adapt well
  o Realism: it must be possible to implement the stated security
requirements with existing technology
  o Usefulness: it must be clear, direct, and understood



Security Policies /Cont…
Examples
• "Each security officer shall . . . perform a risk assessment to identify and
document specific . . . assets, . . . threats, . . . and vulnerability . . ."
• "Vendors and system developers are responsible for providing systems
which are sound and which embody adequate security controls"



Physical Security
• There are many threats to security that involve human or natural disasters
• Humans:
  o Thieves, vandals, etc.
• Natural:
  o Fire, flood, hurricanes, storms, etc.
• Physical security is the term used to describe protection needed outside
the computer system
• Typical physical security controls include guards, locks, CCTVs, backups,
and fences to deter direct attacks
• The primary physical controls are strength and duplication
  o Strength means overlapping controls implementing a defense-in-depth
approach so that if one control fails, the next one will protect
  o Duplication means having redundant copies of data, spare hardware
components, etc.



Ethics and Information Security
• Ethics: define socially acceptable behaviour
• Many professional groups have explicit rules governing ethical
behavior in the workplace
• Professional associations and certification agencies work to establish
codes of ethics
  o Can prescribe ethical conduct (Code of conduct and Code of
practice)
  o Do not always have the ability to ban violators from practice in the
field



Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and what is
not ethical
• Difficulties arise when one nationality's ethical behavior conflicts with the
ethics of another national group
• Scenarios are grouped into
  o Software License Infringement
  o Illicit (illegal) Use
  o Misuse of Corporate Resources
• Cultures have different views on the scenarios



Ethics and Education
• The overriding factor in levelling ethical perceptions within a
population is education
• Employees must be trained in the expected behaviors of an ethical
employee, especially in areas of information security
• Proper ethical training is vital to creating informed, well-prepared,
and low-risk system users



Deterring Unethical and Illegal Behavior
• Three general causes of unethical and illegal behavior:
ignorance, accident, intent
• Deterrence: best method for preventing an illegal or unethical
activity; e.g., laws, policies, technical controls
• Laws and policies only deter if three conditions are present
  o Fear of penalty
  o Probability of being caught
  o Probability of penalty being administered



End of Chapter-7
Questions?
Read More...
