Policy
An effective and realistic security policy is the key to IT security. This guideline is originally based on the international ISO 17799 standard (Code of Practice for Information Security), slightly extended to reflect current practice. An IT security policy should at least make reference to each of the points below.
1 Security Policy
  1.1 IT-Security Policy
  1.2 Acceptable Use Policy

2 Security Organisation
  2.1 IT Security Organisation
  2.2 Roles and Responsibilities Policy
  2.3 External Parties
  2.4 Authorities
  2.5 Confidentiality Agreements

3 Assets Classification and Control
  3.1 Responsibilities for Objects and Systems
  3.2 Classification of Information
  3.3 Risk Assessment and Treatment

4 Personnel Security
  4.1 Security in the Human Resources Department
  4.2 Screening and Background Checks
  4.3 Awareness
  4.4 User Training
  4.5 Reaction to Human Incidents
  4.6 Return of Assets and Removal of Rights
  4.7 Social Media Usage

5 Physical and Environmental Security
  5.1 Security Zones
  5.2 Security of Devices
  5.3 Perimeter Security
  5.4 Fire, Water, Earthquakes, Tornadoes, Tsunamis, Volcanoes
  5.5 Return of Property

6 Computer and Network Security
  6.1 System Operation and Responsibilities
  6.2 Planning and Transfer of Application Systems
  6.3 Authentication and Authorization
  6.4 Protection from Malicious Software
  6.5 Operation and Backup
  6.6 Network Management and Security
  6.7 Secure Handling of Media
  6.8 Data and Software Exchange
  6.9 Internet, Email, File Sharing, Chat and Social Networks
  6.10 Remote Access and VPN
  6.11 Reaction to Network Incidents
  6.12 Segregation of Duties
  6.13 Change Management
  6.14 Auditing, Monitoring and Logging

7 System Access Control
  7.1 Business Request for System Access
  7.2 Administration of Permissions
  7.3 Responsibilities of Users
  7.4 Secure Access to the Network
  7.5 Secure Access to Computers
  7.6 Secure Access to Applications
  7.7 Auditing of System Access and Use

8 Systems Development and Maintenance
  8.1 Definition of Security Requirements
  8.2 Security of Application Systems
  8.3 Security of Application and System Files
  8.4 Security in Development and Support Environments
  8.5 Cryptographic Controls

9 Business Continuity Planning
  9.1 Procedures for Business Continuity Planning
  9.2 Disaster Recovery
  9.3 Testing

10 Compliance
  10.1 Fulfilment of Legal Obligations
  10.2 Security Checks of IT Systems
  10.3 Considerations for System Revisions
  10.4 IT Forensics

11 Lifecycle
  11.1 Systems
  11.2 Projects
  11.3 Vulnerability Management and Penetration Testing

12 Mobiles
  12.1 Smartphones
  12.2 Tablets
  12.3 Notebooks

13 Business Practice
  13.1 Code of Conduct
  13.2 Whistleblowing
Policy Process
  1) Identify the assets to protect (inventory)
  2) Identify the threats to those assets (intellectual property, privacy)
  3) Determine legal liabilities and how the policy will be enforced (logging)
  4) Write the policies
  5) Maintain the policies