
Page 1: 09309a

Information Security Best Practices 9 4/18/2023

Chapter 9

Information Security Best Practices

Learning Objectives

In this lesson, the students will learn about the best practices of information security. This lesson also discusses the best practices for administrative and technical security. At the end of the lesson, students should be able to:

Understand administrative security.
Understand technical security.

Estimated Time for Module: 4 hours

This lesson explains the best practices to be followed to provide an appropriate level of security.

Preparing for Class

Read through the lecture outline to plan the lecture. Real-life examples should be used to explain how best practices can be put to use in combination with risk management.

Prerequisites for Class

Ensure that the students:

Have read lesson 8.
Are familiar with how to search the Internet for information.

Class Preparation Notes

This lesson introduces the concept of information security. This lesson does not require any extra material. However, a viewing projector will be required for the PowerPoint slides for this lesson.

General Teaching Tips

The practices described in this chapter are a starting point for an organization. These practices should be used in combination with risk assessment, which helps identify ineffective measures and suggests more effective ones. Enough time should be budgeted to cover all concepts included in this chapter.

Key Terms

administrative security practices
architecture
backup procedures
best practices
data archival procedures
incident response procedure
policy development
research
risk
security administration
technical security measures

Lecture Outline

I. Understanding Administrative Security

A. Administrative security practices include policies and procedures, resources, responsibility, education, and contingency plans.

B. These practices define the importance of information and information systems to the company.

C. They are also used to explain the importance of security to employees.

D. Policies and procedures.

1. After the policies and procedures are defined, the employees are expected to follow them.

2. The following policies are recommended as best practices.

a) Information policy: Defines the sensitivity of information within an organization. It also defines the proper storage, transmission, marking, and disposal requirements for that information.

b) Security policy: Defines the technical controls and security configurations that users and administrators must implement on all computer systems.

c) Use policy: Defines the approved uses of organization computer systems and the penalties for misusing such systems.

d) Backup policy: Defines the frequency of information backups and the requirements for moving the backups to off-site storage.

E. In addition to policies, procedures must also be defined to guide employees when performing certain duties.

F. Procedures that should be defined for an organization include:

1. User management procedures: Include information as to who may authorize access to which systems.

2. System administration procedures: Define how the security policy of the organization is actually implemented on various systems.

3. Configuration management procedures: Define the steps for modifying production systems.

G. Resources

Discussion Point

If the security program is treated as a project, the organization must supply sufficient resources to balance the triangle or else extend the time or reduce the scope. Explain this concept with suitable real-life examples.

Teaching Tip

Figure 9-1 on page 4 shows the relationship between resources, time, and scope for a project.

1. Staff

a) Regardless of the size of the organization, some employee must be given the tasks associated with managing the information security risk.

b) Security department staff should have the following skills:

(1) Security administration: An understanding of the day-to-day administration of security devices.

(2) Policy development: Experience in the development and maintenance of security policies, procedures, and plans.

(3) Architecture: An understanding of network and system architectures and the implementation of new systems.

(4) Research: The examination of new security technologies to see how they may affect the risk to the organization.

(5) Assessment: Experience conducting risk assessments of organizations or departments using penetration and security testing.

(6) Audit: Experience in conducting audits of systems or procedures.

2. Budget

a) Budgeting should be based on security project plans.

b) It depends on the scope and time frame of the security project.

c) The security budget should be divided between capital expenditures, current operations, and the cost of training.

Discussion Point

Some organizations purchase security tools without budgeting a sufficient amount for training on these tools. Emphasize that staffing cannot be reduced even if a lot of security tools are used. Discuss how budgeting is important for successful completion of security project plans.

H. Responsibility

1. A specific executive-level position, such as the Chief Information Security Officer (CISO), must be assigned security responsibility.

2. The executive position should be authorized to define the organization’s policy and sign off on all security-related policies.

3. Metrics should be developed so that progress toward security goals can be measured. The metrics include the number of vulnerabilities on systems, progress against a security project plan, or progress toward best practices.

I. Education

1. Preventive measures

a) Preventive measures provide employees with detailed knowledge about protecting an organization’s information resources.

b) In addition to informing employees why security is important, preventive measures provide details and techniques on how they can comply with the organization’s policy.

c) They include awareness programs that include publicity campaigns, employee training, and sending updates through electronic mail.

d) Employee training programs must be conducted for administrators, developers, and security staff.

Discussion Point

Strong preventive measures take many forms. Discuss various awareness programs and how they will help employees, developers, and administrators understand the concept of security.

2. Enforcement measures

a) When employees fail to follow or ignore organization policies, organizations can use enforcement measures.

b) They act as proof that the employee knew the particulars of organization policy.

3. Incentive programs

a) Incentive programs may be introduced to increase the reporting of security issues.

b) Employees should also be assured that they will not be held responsible for reporting issues that fail to work out.

J. Contingency plans

1. Incident Response

a) This procedure defines the steps to be taken in the event of a compromise or break-in.

b) It should also detail who is responsible for the organization’s response to the incident.

c) Best practices also recommend that the incident response procedure be tested periodically.

2. Backup and Data Archival

a) Backup procedures should be derived from the backup policy.

b) They should identify when backups are run and specify the steps to be taken in making the backups and storing them securely.

c) Data archival procedures should specify how often backup media is to be reused and how the media is to be disposed of.

3. Disaster Recovery

a) Disaster recovery plans should identify the needs and objectives in the event of a disaster.

b) In addition, key infrastructure components, such as communication lines and equipment, should also be included in disaster scenarios.

c) Disaster recovery plans should be tested periodically.

K. Security project plans

1. Improvement plans

a) After an assessment has determined risk areas, improvement plans should be created to address these risks.

b) Improvement plans may include plans to establish policy, implement tools or system changes, or create training programs.

2. Assessment

a) The security department should develop yearly plans for assessing the risk to the organization.

Discussion Point

Discuss how assessment plans of small and medium-sized organizations may differ from those of large organizations.

3. Vulnerability Assessment

a) Security departments should perform vulnerability assessments (or scans) of the organization’s systems on a regular basis.

4. Audit

a) Audits may focus on system configurations, on backup policy compliance, or on the protection of information in physical form.

b) When conducting audits of system configurations, a representative sample of systems can be chosen.

c) Audits determine how well the security policies and procedures are understood.

5. Training

a) Awareness training plans should be created in conjunction with the human resources department.

6. Policy Evaluation

a) Every organization policy should have built-in review dates.

II. Technical Security

A. Network Connectivity

1. To protect an organization from unwanted intrusions, the following network connections are recommended:

a) Permanent Connections: Use firewalls to connect to other organizations or the Internet.

b) Remote Access Connections: Allow access to the organization’s internal network using two-factor authentication mechanisms.

Discussion Point

Ask the students to discuss how dial-in modems and dynamic passwords can be used as authentication mechanisms.

B. Malicious Code Protection

1. Malicious code enters organizations through four primary ways:

a) Files shared between home computers and work computers.
b) Files downloaded from Internet sites.
c) Files that come into an organization as e-mail attachments.
d) Files that are inserted through vulnerabilities in systems.

2. A strong anti-virus program controls malicious code at the following points:

a) Servers and Desktops: Configure anti-virus software installed on all file servers and desktop systems to periodically run complete virus checks on all files.

b) E-mail systems: Configure anti-virus software to check each file attachment before delivery to the end user.

C. Authentication

1. Authenticating users prevents unauthorized access to corporate information systems.

2. If passwords are to be used, the following are the recommended best practices:

a) Password length: Passwords should be at least eight characters long.

b) Password change frequency: Passwords should not be more than 60 days old.

c) Password history: The last ten passwords should not be reused.

d) Password content: Passwords should be made up of alphanumeric characters.

3. Use dynamic passwords or two-factor authentication for sensitive systems or information.

D. Monitoring

1. Audit

a) Auditing is a mechanism that records actions that occur on a computer system.

b) The audit log file contains information about the events that occurred, who performed the action, when the action was performed, and whether or not it was successful.

c) The following events should be recorded:

(1) Logins/logoffs.
(2) Failed login attempts.
(3) Network connection attempts.
(4) Dial-in connection attempts.
(5) Supervisor/administrator/root login.
(6) Supervisor/administrator/root privileged functions.
(7) Sensitive file access.

d) Audit logs must be reviewed on a weekly basis.

2. Intrusion Detection

a) Intrusion detection systems (IDS) are used to monitor networks or systems.

b) Using a host-based IDS may help with the examination of audit logs.

c) A network-based IDS is used to monitor the network for attacks or unusual traffic on the network.
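The Audit subsection lists seven event types to record and says the logs must be reviewed weekly; the Chapter Review adds that the review should use automated tools. The following added example (not from the lecture outline, and not tied to any real product's log format) shows what such a tool looks like at its simplest: it parses a constructed key=value audit format, maps each record onto the outline's seven event types, and produces a weekly summary that flags accounts with repeated failed logins and lists every privileged login, privileged function, and sensitive file access for a reviewer to look at. The record format, the event names, the five-failure threshold, and the sample records are all this example's own assumptions.

```python
"""Added example: classify audit records into the outline's event types (D.1.c)
and produce a weekly review summary (D.1.d). Log format and sample lines are
constructed for the example; they are not a real product's logs."""

import re
from collections import Counter

# Event types the outline says must be recorded (D.1.c), as this example names them.
EVENT_TYPES = {
    "LOGIN", "LOGOFF", "LOGIN_FAILED", "NET_CONNECT", "DIALIN_CONNECT",
    "ADMIN_LOGIN", "ADMIN_PRIV", "SENSITIVE_FILE",
}
PRIVILEGED_ACCOUNTS = {"root", "administrator", "supervisor"}
FAILED_LOGIN_THRESHOLD = 5   # review threshold chosen for the example

# Constructed record layout: "<ISO timestamp> <host> <EVENT> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+T\S+) (?P<host>\S+) (?P<event>[A-Z_]+) ?(?P<fields>.*)$")


def parse_line(line):
    """Parse one record into a dict, or return None if it is not an audit record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for key, value in re.findall(r"(\w+)=(\S+)", m["fields"]):
        rec[key] = value
    return rec


def classify(rec):
    """Map a record onto the outline's event list. A failed login is reported as
    LOGIN_FAILED whoever attempted it; a successful login by a privileged account
    is reported as ADMIN_LOGIN even if the source logged it as a plain LOGIN."""
    event = rec["event"]
    if event == "LOGIN" and rec.get("result") == "failure":
        return "LOGIN_FAILED"
    if event == "LOGIN" and rec.get("user") in PRIVILEGED_ACCOUNTS:
        return "ADMIN_LOGIN"
    return event if event in EVENT_TYPES else "UNCLASSIFIED"


def weekly_review(lines):
    """Summarize a week of records: counts per event type, failed logins per user
    (users at or over the threshold flagged), and every record a reviewer should see."""
    counts = Counter()
    failed_by_user = Counter()
    attention = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # a line that is not a record is itself worth noting
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "LOGIN_FAILED":
            failed_by_user[rec.get("user", "?")] += 1
        if kind in ("ADMIN_LOGIN", "ADMIN_PRIV", "SENSITIVE_FILE"):
            attention.append((rec["ts"], rec["host"], kind, rec.get("user", "?")))
    flagged = sorted(u for u, n in failed_by_user.items() if n >= FAILED_LOGIN_THRESHOLD)
    return {
        "counts": dict(counts),
        "failed_by_user": dict(failed_by_user),
        "flagged_users": flagged,
        "attention": attention,
        "unparsed": unparsed,
    }


# Constructed sample week of audit records (not real logs).
SAMPLE_LOG = """\
2023-04-10T08:01:02 fs01 LOGIN user=alice src=10.0.0.5 result=success
2023-04-10T08:02:10 fs01 LOGIN user=bob src=10.0.0.9 result=failure
2023-04-10T08:02:31 fs01 LOGIN user=bob src=10.0.0.9 result=failure
2023-04-10T08:02:55 fs01 LOGIN user=bob src=10.0.0.9 result=failure
2023-04-10T08:03:20 fs01 LOGIN user=bob src=10.0.0.9 result=failure
2023-04-10T08:03:44 fs01 LOGIN user=bob src=10.0.0.9 result=failure
2023-04-10T09:15:00 fs01 NET_CONNECT src=10.0.0.22 dst_port=445
2023-04-11T22:40:12 fs01 LOGIN user=root src=10.0.0.5 result=success
2023-04-11T22:41:03 fs01 ADMIN_PRIV user=root action=useradd target=svc_backup
2023-04-12T10:00:00 dial01 DIALIN_CONNECT user=carol result=success
2023-04-13T14:20:45 fs01 SENSITIVE_FILE user=alice path=/srv/hr/payroll.xlsx op=read
2023-04-13T17:30:00 fs01 LOGOFF user=alice
this line is not an audit record
"""

if __name__ == "__main__":
    report = weekly_review(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The point of the "attention" list is that privileged logins, privileged functions and sensitive file reads are low-volume, high-value events: a weekly reviewer should read every one of them rather than a count, while high-volume events such as failed logins are better summarized per account against a threshold.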

E. Encryption

1. Encryption provides a means of protecting sensitive information.

2. The algorithm used to encrypt information should have a level of assurance that matches the sensitivity of the information being protected.

3. If a message is being sent to another organization, procedures should be established beforehand to allow for the encryption of the message.

F. Patching Systems

1. Patches include updates to correct vulnerabilities and bugs in software.

2. They should not be installed without being tested.

3. Patches should be installed in accordance with the organization’s change control procedures.

G. Backup and Recovery

1. Backups are performed so that the organization can recover information if a failure occurs.

2. All backups should be periodically verified to determine whether the backup successfully copied the important files.

3. Backup files must be kept in a place where they are easily available.

4. Storing backups off-site maximizes the protection of the information.
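G.2 says backups must be verified, not just taken. One concrete form of that verification is to hash every file under the source tree and compare it with the copy in the backup, reporting files that are missing or whose content differs. The following is an added example (not from the lecture outline, and not a real backup product) that does exactly that; it constructs a small source tree and a deliberately imperfect backup inside a temporary directory so it runs offline, and the file names and contents are this example's own constructed data.

```python
"""Added example: verify a backup by comparing SHA-256 digests of every file in
the source tree against the copy in the backup tree (one way to do G.2).
The trees are constructed in a temporary directory; nothing here is real data."""

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare every regular file under `source` with its counterpart under `backup`.
    Returns the relative paths that are missing from the backup, that differ in
    content, and that verified; the backup passes only if the first two are empty."""
    missing, mismatched, verified = [], [], []
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        dst_file = backup / rel
        if not dst_file.is_file():
            missing.append(rel.as_posix())
        elif sha256_of(src_file) != sha256_of(dst_file):
            mismatched.append(rel.as_posix())
        else:
            verified.append(rel.as_posix())
    return {
        "ok": not missing and not mismatched,
        "missing": missing,
        "mismatched": mismatched,
        "verified": verified,
    }


def build_demo_trees(root: Path):
    """Construct a source tree and a deliberately imperfect backup of it."""
    source, backup = root / "source", root / "backup"
    (source / "hr").mkdir(parents=True)
    (source / "finance").mkdir()
    (source / "hr" / "payroll.csv").write_text("id,amount\n1,100\n")
    (source / "finance" / "ledger.txt").write_text("opening balance 500\n")
    (source / "readme.txt").write_text("constructed sample data\n")
    shutil.copytree(source, backup)
    # Simulate two backup failures: a truncated copy and a file that was never copied.
    (backup / "finance" / "ledger.txt").write_text("opening bal")
    (backup / "hr" / "payroll.csv").unlink()
    return source, backup


def run_demo() -> dict:
    """Build the constructed trees in a temp dir, verify the backup, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = build_demo_trees(Path(tmp))
        return verify_backup(source, backup)


if __name__ == "__main__":
    report = run_demo()
    print("backup ok" if report["ok"] else "backup FAILED verification")
    for key in ("missing", "mismatched", "verified"):
        print(f"  {key}: {report[key]}")
```

Comparing digests rather than file sizes or timestamps catches the truncated-copy case shown above, which a size-only check would miss whenever the copy is the right length but wrong content. In practice the same comparison is what a restore test performs end to end: restore to scratch storage, then run this check against the original.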

H. Physical Security

1. Physical security should be used to protect information systems in the following four areas:

a) Physical access
b) Climate
c) Fire suppression
d) Electrical power

Project

List the reasons for implementing security policy, backup policy, and configuration management procedure.

Project Solution

Security policy: Defines the technical controls and security configurations that the users and administrators must implement on all computer systems.

Backup policy: Defines the frequency of information backups. It also lists the requirements for moving the backups to off-site storage. It identifies the length of time that backups should be stored for prior to reuse.

Configuration management procedure: Defines the steps for making changes to production systems. Changes may include upgrading software and hardware, bringing new systems online, and removing systems that are no longer needed.

Chapter Review

Best practices refer to a set of recommendations that provides an appropriate level of security.

Administrative security practices include policies and procedures, resources, responsibility, education, and contingency plans.

The security policies of an organization define the way security is supposed to be.

The minimum policies recommended as best practices are information policy, security policy, use policy, and backup policy.

Procedures that should be defined by an organization include user management, system administration, and configuration management procedures.

Educating employees about the need for security is a key part of managing information security risk.

To be effective, audit logs should be reviewed on a regular basis using automated tools.

Intrusion detection systems monitor networks or systems.

The sensitivity level of information will dictate whether or not encryption must be used.

A backup policy should include backing up information on server systems daily.

Physical security should be used to protect information systems.

Assessment Quiz

The following quiz will help you gauge the level of understanding of your students.

Questions

1. What are best practices?
2. What are the recommended best practices for educating employees?
3. What do awareness programs include?
4. Why should developers receive basic training on security awareness?
5. Why do you need to have contingency plans?
6. ____________________ aid in terminating employees.
7. ____________________ plans should be undertaken in conjunction with the human resources department.
8. Resources must be assigned to implement ____________________ practices.
9. Intrusion detection helps to ____________________ networks or systems.
10. ____ should be derived from the Backup policy.
A. Backup procedure
B. Recovery procedure
C. Restoration procedure
D. Disaster procedure
11. ____ should specify how often backup media is to be reused and how the media should be disposed of.
A. Backup archival
B. Data archival
C. Information archival
D. Restoration
12. Passwords should be a minimum of ____ characters long.
A. 4
B. 8
C. 5
D. 2
13. True or False? A Trojan horse is not malicious code.
14. True or False? Passwords should never be stored in encrypted form.
15. True or False? It may not be necessary to encrypt e-mail messages.

Answers

1. Best practices refer to a set of recommendations that provides an appropriate level of security.
2. Employees can be educated by implementing preventive, enforcement, and incentive measures.
3. Awareness programs can include publicity campaigns, employee training, and sending regular security updates through electronic mail.
4. Developers should receive the basic employee security awareness training so that security issues can be included in the development process.
5. You need to have contingency plans because they ensure quick recovery and prevent any major impact to business in case of an incident.
6. Enforcement measures aid in terminating employees.
7. Awareness training plans should be undertaken in conjunction with the human resources department.
8. Resources must be assigned to implement security practices.
9. Intrusion detection helps to monitor networks or systems.
10. A. Backup procedure should be derived from the Backup policy.
11. B. Data archival should specify how often backup media is to be reused and how the media should be disposed of.
12. B. Passwords should be a minimum of 8 characters long.
13. B. False. A Trojan horse is malicious code.
14. B. False. Passwords should always be stored in encrypted form.
15. A. True. It may not be necessary to encrypt e-mail messages.