Information Security Best Practices 9 4/18/2023
Chapter 9
Information Security Best Practices
Learning Objectives
In this lesson, the students will learn about the best practices of information security. This
lesson also discusses the best practices for administrative and technical security. At the
end of the lesson, students should be able to:
Understand administrative security.
Understand technical security.
Estimated Time for Module: 4 hours
This lesson explains the best practices to be followed to provide an appropriate level of
security.
Preparing for Class
Read through the lecture outline to plan the lecture. Real-life examples should be used to
explain how best practices can be put to use in combination with risk management.
Prerequisites for Class
Ensure that the students:
Have read lesson 8.
Are familiar with how to search the Internet for information.
Class Preparation Notes
This lesson introduces the concept of information security. This lesson does not require
any extra material. However, a viewing projector will be required for the PowerPoint
slides for this lesson.
General Teaching Tips
The practices described in this chapter are a starting point for an organization. These
practices should be used in combination with risk assessment. Risk assessment helps identify ineffective
093-2 9-1
measures and suggests more effective ones. Enough time should be budgeted to cover
all concepts included in this chapter.
Key Terms
administrative security practices
architecture
backup procedures
best practices
data archival procedures
incident response procedure
policy development
research
risk
security administration
technical security measures
Lecture Outline
I. Understanding Administrative Security
A. Administrative security practices include policies and procedures, resources,
responsibility, education, and contingency plans.
B. These practices define the importance of information and information systems to
the company.
C. They are also used to explain the importance of security to employees.
D. Policies and procedures.
1. After the policies and procedures are defined, the employees are expected to
follow them.
2. The following policies are recommended as best practices.
a) Information policy: Defines the sensitivity of information within an
organization. It also defines the proper storage, transmission, marking,
and disposal requirements for that information.
b) Security policy: Defines the technical controls and security
configurations that users and administrators must implement on all
computer systems.
c) Use policy: Defines the approved uses of organization computer
systems and the penalties for misusing such systems.
d) Backup policy: Defines the frequency of information backups and the
requirements for moving the backups to off-site storage.
E. In addition to policies, procedures must also be defined to guide employees
when performing certain duties.
F. Procedures that should be defined for an organization include:
1. User management procedures: Include information as to who may authorize
access to which systems.
2. System administration procedures: Define how the security policy of the
organization is actually implemented on various systems.
3. Configuration management procedures: Define the steps for modifying
production systems.
G. Resources
Discussion Point
If the security program is treated as a project, the organization must supply
sufficient resources to balance the triangle or else extend the time or reduce the
scope. Explain this concept with suitable real-life examples.
Teaching Tip
Figure 9-1 on page 4 shows the relationship between resources, time, and scope for
a project.
1. Staff
a) Regardless of the size of the organization, some employee must be
given the tasks associated with managing the information security risk.
b) Security department staff should have the following skills:
(1) Security administration: An understanding of the day-to-day
administration of security devices.
(2) Policy development: Experience in the development and
maintenance of security policies, procedures, and plans.
(3) Architecture: An understanding of network and system
architectures and the implementation of new systems.
(4) Research: The examination of new security technologies to see
how they may affect the risk to the organization.
(5) Assessment: Experience conducting risk assessments of
organizations or departments using penetration and security
testing.
(6) Audit: Experience in conducting audits of systems or procedures.
2. Budget
a) Budgeting should be based on security project plans.
b) It depends on the scope and time frame of the security project.
c) The security budget should be divided between capital expenditures,
current operations, and cost of training.
Discussion Point
Some organizations purchase security tools without budgeting a sufficient amount for
training on these tools. Emphasize that staffing cannot be reduced even if a lot of
security tools are used. Discuss how budgeting is important for successful
completion of security project plans.
H. Responsibility
1. A specific executive-level position, such as the Chief Information Security
Officer (CISO), must be assigned security responsibility.
2. The executive position should be authorized to define the organization’s
policy and sign off on all security-related policies.
3. Metrics should be developed so that progress toward security goals can be
measured. Metrics include the number of vulnerabilities on systems,
progress against a security project plan, or progress toward best practices.
I. Education
1. Preventive measures
a) Preventative measures provide employees with detailed knowledge
about protecting an organization’s information resources.
b) In addition to informing employees why security is important,
preventive measures provide details and techniques on how they can
comply with the organization’s policy.
c) Preventive measures include awareness programs such as publicity campaigns,
employee training, and security updates sent through electronic mail.
d) Employee training programs must be conducted for administrators,
developers, and security staff.
Discussion Point
Strong preventative measures take many forms. Discuss various awareness
programs and how they will help employees, developers, and administrators
understand the concept of security.
2. Enforcement measures
a) When employees fail to follow or ignore organization policies,
organizations can use enforcement measures.
b) They act as proof that the employee knew the particulars of the organization’s
policy.
3. Incentive programs
a) Incentive programs may be introduced to increase the reporting of
security issues.
b) Employees should also be assured that they will not be held responsible
for reporting issues that fail to work out.
J. Contingency plans
1. Incident Response
a) This procedure defines the steps to be taken in the event of a
compromise or break-in.
b) It should also detail who is responsible for the organization’s response
to the incident.
c) Best practices also recommend that the incident response procedure be
tested periodically.
2. Backup and Data Archival
a) Backup procedures should be derived from the backup policy.
b) They should identify when backups are run and specify the steps to be
taken in making the backups and storing them securely.
c) Data archival procedures should specify how often backup media is to
be reused and how the media is to be disposed of.
3. Disaster Recovery
a) Disaster recovery plans should identify the needs and objectives in the
event of a disaster.
b) In addition, key infrastructure components, such as communication
lines and equipment, should also be included in disaster scenarios.
c) Disaster recovery plans should be tested periodically.
K. Security project plans
1. Improvement plans
a) After an assessment has determined risk areas, improvement plans
should be created to address these risks.
b) Improvement plans may include plans to establish policy, implement
tools or system changes, or create training programs.
2. Assessment
a) The security department should develop yearly plans for assessing the
risk to the organization.
Discussion Point
Discuss how assessment plans of small and medium-sized organizations may differ
from that of large organizations.
3. Vulnerability Assessment
a) Security departments should perform vulnerability assessments (or
scans) of the organization’s systems on a regular basis.
4. Audit
a) Audits may focus on system configurations, on backup policy
compliance, or on the protection of information in physical form.
b) When conducting audits of system configurations, a representative
sample of systems can be chosen.
c) Audits determine how well the security policies and procedures are
understood.
5. Training
a) Awareness training plans should be created in conjunction with the
human resources department.
6. Policy Evaluation
a) Every organization policy should have built-in review dates.
II. Technical Security
A. Network Connectivity
1. To protect an organization from unwanted intrusions, the following network
connections are recommended:
a) Permanent Connections: Use firewalls to connect to other organizations
or the Internet.
b) Remote Access Connections: Allow access to the organization’s internal
network only through two-factor authentication mechanisms.
Discussion Point
Ask the students to discuss how dial-in modems and dynamic passwords can be used
as authentication mechanisms.
B. Malicious Code Protection
1. Malicious code enters organizations through four primary ways:
a) Files shared between home computers and work computers.
b) Files downloaded from Internet sites.
c) Files that come into an organization as e-mail attachments.
d) Files that are inserted through vulnerabilities in systems.
2. A strong anti-virus program controls malicious code at the following points:
a) Servers and Desktops: Configure anti-virus software installed on all file
servers and desktop systems to periodically run complete virus checks
on all files.
b) E-mail systems: Configure anti-virus software to check each file
attachment before delivery to the end user.
C. Authentication
1. Authenticating users prevents unauthorized access to corporate information
systems.
2. If passwords are to be used, the following are the recommended best practices:
a) Password length: Passwords should be a minimum of eight characters long.
b) Password change frequency: Passwords should not be more than 60
days old.
c) Password history: The last ten passwords should not be reused.
d) Password content: Passwords should be made up of alphanumeric
characters.
3. Use dynamic passwords or two-factor authentication for sensitive systems
or information.
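The four password rules above can be expressed as a small policy check. This is an added example, not code from the lesson; the rule values come from the outline, and the plaintext history list and the ISO-date helper are simplifications assumed for illustration (a real system compares salted hashes).

```python
import re
from datetime import date

# Policy values taken from the outline: minimum length 8, maximum age 60 days,
# the last 10 passwords may not be reused, alphanumeric content.
MIN_LENGTH = 8
MAX_AGE_DAYS = 60
HISTORY_DEPTH = 10


def check_password_policy(candidate, history):
    """Return the list of policy rules a proposed new password violates.

    history holds previously used passwords, most recent first. In a real
    system the history is a list of salted hashes and the comparison is a
    hash check; plaintext is used here only to keep the example short.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"length {len(candidate)} < {MIN_LENGTH}")
    # "Alphanumeric" is read here as requiring at least one letter and at
    # least one digit, not merely allowing those characters.
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        violations.append("must contain both letters and digits")
    if candidate in history[:HISTORY_DEPTH]:
        violations.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return violations


def password_expired(last_changed, today):
    """True when a password set on last_changed (ISO date string) is more than
    MAX_AGE_DAYS old on the ISO date today, i.e. a change must be forced."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample history, most recent first.
    sample_history = ["Winter2023a", "Autumn2022b"]
    print(check_password_policy("Winter2023a", sample_history))  # reuse flagged
    print(check_password_policy("Spr1ngTime", sample_history))   # [] -> accepted
    print(password_expired("2023-01-15", "2023-04-18"))          # True, 93 days old
```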
D. Monitoring
1. Audit
a) Auditing is a mechanism that records actions that occur on a computer
system.
b) The audit log file contains information about the events that occurred,
who performed the action, when the action was performed, and whether
it was successful or not.
c) The following events should be recorded:
(1) Logins/logoffs.
(2) Failed login attempts.
(3) Network connection attempts.
(4) Dial-in connection attempts.
(5) Supervisor/administrator/root login.
(6) Supervisor/administrator/root privileged functions.
(7) Sensitive file access.
d) Audit logs must be reviewed on a weekly basis.
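A weekly review of the events listed above can be automated. The following is an added example, not part of the lesson: it assumes a constructed, simplified audit line format (timestamp, user, event, outcome, optional detail), an assumed threshold of three failed logins, and an assumed classification of /finance/ and /hr/ paths as sensitive.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO timestamp> <user> <event> <outcome> [detail]".
SAMPLE_LOG = """\
2023-04-11T08:02:11 alice LOGIN SUCCESS
2023-04-11T08:05:40 bob LOGIN FAILURE
2023-04-11T08:05:52 bob LOGIN FAILURE
2023-04-11T08:06:03 bob LOGIN FAILURE
2023-04-11T08:06:15 bob LOGIN SUCCESS
2023-04-12T23:14:09 root LOGIN SUCCESS
2023-04-12T23:15:30 root PRIV_FUNCTION SUCCESS useradd temp
2023-04-13T10:20:00 carol FILE_ACCESS SUCCESS /finance/payroll.xlsx
2023-04-13T10:21:00 carol LOGOFF SUCCESS
2023-04-14T02:00:00 unknown NET_CONNECT FAILURE 203.0.113.7:22
2023-03-30T09:00:00 alice LOGIN SUCCESS
"""

SENSITIVE_PREFIXES = ("/finance/", "/hr/")  # assumed, from the information policy
FAILED_LOGIN_THRESHOLD = 3                  # assumed review threshold


def parse_line(line):
    ts, user, event, outcome, *detail = line.split(maxsplit=4)
    return {"time": datetime.fromisoformat(ts), "user": user,
            "event": event, "outcome": outcome,
            "detail": detail[0] if detail else ""}


def weekly_review(log_text, review_end):
    """Count the recorded event types and list items a reviewer should look
    at, for the seven days ending at review_end (ISO timestamp)."""
    end = datetime.fromisoformat(review_end)
    start = end - timedelta(days=7)
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    in_window = [r for r in records if start <= r["time"] < end]
    counts = Counter(r["event"] for r in in_window)
    failed = Counter(r["user"] for r in in_window
                     if r["event"] == "LOGIN" and r["outcome"] == "FAILURE")
    findings = [f"{n} failed logins for {u}" for u, n in failed.items()
                if n >= FAILED_LOGIN_THRESHOLD]
    for r in in_window:
        # Root logins and root privileged functions are always worth a look.
        if r["user"] == "root" and r["event"] in ("LOGIN", "PRIV_FUNCTION"):
            findings.append(f"root {r['event'].lower()} at "
                            f"{r['time'].isoformat()} {r['detail']}".rstrip())
        if r["event"] == "FILE_ACCESS" and r["detail"].startswith(SENSITIVE_PREFIXES):
            findings.append(f"sensitive file {r['detail']} read by {r['user']}")
    return {"events": dict(counts), "findings": findings}


if __name__ == "__main__":
    report = weekly_review(SAMPLE_LOG, "2023-04-18T00:00:00")
    print(report["events"])
    for line in report["findings"]:
        print("REVIEW:", line)
```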
2. Intrusion Detection
a) Intrusion detection systems (IDS) are used to monitor networks or
systems.
b) Using host-based IDS may help with the examination of audit logs.
c) Network-based IDS is used to monitor the network for attacks or
unusual traffic on the network.
E. Encryption
1. Encryption provides a means of protecting sensitive information.
2. The algorithm used to encrypt information should have a level of assurance
that matches the sensitivity of the information being protected.
3. If a message is being sent to another organization, procedures should be
established beforehand to allow for the encryption of the message.
F. Patching Systems
1. Patches include updates to correct vulnerabilities and bugs in software.
2. They should not be installed without being tested.
3. Patches should be installed in accordance with the organization’s change
control procedures.
G. Backup and Recovery
1. Backups are performed so that the organization can recover information if a
failure occurs.
2. All backups should be periodically verified to determine if the backup
successfully copied the important files.
3. Backup files must be kept in a place where they are easily available.
4. Storing backups off-site maximizes the protection of the information.
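Point 2 above, verifying that a backup actually copied the important files, can be done by comparing per-file digests of the source and the backup copy. This is an added example, not the lesson's own material; the directory walk and the "missing/corrupted" report structure are assumptions for illustration.

```python
import hashlib
import os


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map each file path relative to root to its SHA-256 digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def compare_manifests(source, backup):
    """Report which source files a restore from this backup would lose
    (missing) or restore with wrong content (corrupted)."""
    missing = sorted(p for p in source if p not in backup)
    corrupted = sorted(p for p in source if p in backup and source[p] != backup[p])
    return {"missing": missing, "corrupted": corrupted,
            "verified": len(source) - len(missing) - len(corrupted)}


def verify_backup(source_dir, backup_dir):
    return compare_manifests(manifest(source_dir), manifest(backup_dir))


if __name__ == "__main__":
    import sys
    report = verify_backup(sys.argv[1], sys.argv[2])
    print(f"verified: {report['verified']}")
    for p in report["missing"]:
        print("MISSING  ", p)
    for p in report["corrupted"]:
        print("CORRUPTED", p)
```

Run as `python verify.py /data /mnt/backup/data`; a non-empty missing or corrupted list means the backup cannot be relied on for recovery.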
H. Physical Security
1. Physical security should be used to protect information systems in the
following four areas:
a) Physical access
b) Climate
c) Fire suppression
d) Electrical power
Project
List the reasons for implementing security policy, backup policy, and configuration
management procedure.
Project Solution
Security policy: Defines the technical controls and security configurations that the
users and administrators must implement on all computer systems.
Backup policy: Defines the frequency of information backups. It also lists the
requirements for moving the backups to off-site storage. It identifies the length of
time that backups should be stored for prior to reuse.
Configuration management procedure: Defines the steps for making changes to
production systems. Changes may include upgrading software and hardware, bringing
new systems online, and removing systems that are no longer needed.
Chapter Review
Best practices refer to a set of recommendations that provides an appropriate level of
security.
Administrative security practices include policies and procedures, resources,
responsibility, education, and contingency plans.
The security policies of an organization define the way security is supposed to be.
The minimum policies recommended as best practices are information policy,
security policy, use policy, and backup policy.
Procedures that should be defined by an organization include user management,
system administration, and configuration management procedures.
Educating employees about the need for security is a key part of managing
information security risk.
To be effective, audit logs should be reviewed on a regular basis using automated
tools.
Intrusion detection systems monitor networks or systems.
The sensitivity level of information will dictate if encryption must be used or not.
A backup policy should include backing up information on server systems daily.
Physical security should be used to protect information systems.
Assessment Quiz
The following quiz will help you gauge the level of understanding of your students.
Questions
1. What are best practices?
2. What are the recommended best practices for educating employees?
3. What do awareness programs include?
4. Why should developers receive basic training on basic security awareness?
5. Why do you need to have contingency plans?
6. ____________________ aid in terminating employees.
7. ____________________ plans should be undertaken in conjunction with the
human resources department.
8. Resources must be assigned to implement ____________________ practices.
9. Intrusion detection helps to ____________________ networks or systems.
10. ____ should be derived from the Backup policy.
A. Backup procedure
B. Recovery procedure
C. Restoration procedure
D. Disaster procedure
11. ____ should specify how often backup media is to be reused and how the media
should be disposed of.
A. Backup archival
B. Data archival
C. Information archival
D. Restoration
12. Passwords should be a minimum of ____ characters long.
A. 4
B. 8
C. 5
D. 2
13. True or False? A Trojan horse is not malicious code.
14. True or False? Passwords should never be stored in encrypted form.
15. True or False? It may not be necessary to encrypt e-mail messages.
Answers
1. Best practices refer to a set of recommendations that provides an appropriate level
of security.
2. Employees can be educated by implementing preventive, enforcement, and
incentive measures.
3. Awareness programs can include publicity campaigns, employee training, and
sending regular security updates through electronic mail.
4. Developers should receive the basic employee security awareness training so that
security issues can be included in the development process.
5. You need to have contingency plans because they ensure quick recovery and
prevent any major impact to business in case of an incident.
6. Enforcement measures aid in terminating employees.
7. Awareness training plans should be undertaken in conjunction with the human
resources department.
8. Resources must be assigned to implement security practices.
9. Intrusion detection helps to monitor networks or systems.
10. A. Backup procedure should be derived from the Backup policy.
11. B. Data archival should specify how often backup media is to be reused and
how the media should be disposed of.
12. B. Passwords should be a minimum of 8 characters long.
13. B. False. A Trojan horse is malicious code.
14. B. False. Passwords should always be stored in encrypted form.
15. A. True. It may not be necessary to encrypt e-mail messages.