Software/Application Security Policy PDF
Document Details
Uploaded by barrejamesteacher
null
Tags
Related
- Chapter 5 - 03 - Learn to Design and Develop Security Policies - 07_ocred.pdf
- JTO Ph-II (DNIT) Motive Metasol Elitecore Netsweeper PDF
- Security Controls - GuidesDigest Training PDF
- Java Security Manager - Criptografía 2 PDF
- Farm to Fork LCA: Ensuring Food Security in a Changing Climate PDF
- IT Governance Summary PDF
Summary
This document outlines a software/application security policy. It covers securing in-built and purchased applications throughout their lifecycle. The policy emphasizes validating data, managing users and sessions, and implementing authorization and encryption.
Full Transcript
Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Software/Application Securit}rfi""' Securityj‘-fl' Policy RS M Policy i QQO Application security policy mandates proper measures that enhance the security of in-house and purchased applications..... ’ De...
Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Software/Application Securit}rfi""' Securityj‘-fl' Policy RS M Policy i QQO Application security policy mandates proper measures that enhance the security of in-house and purchased applications..... ’ Design Considerations Error Handling and Configuration Management Authentication Data Protectionin Storage and Transit User and Session Management Logging and Auditing Authorization Data Validation Encryption Exception Management [4: Copyright © by E iLIL All Rights Reserved. Reproductionis Strictly Prohibited. Software/Application Security Policy Application security involves securing the inbuilt and purchased applications running on the system. The security policy covers the application throughout its complete life cycle. The threat to an application is caused by software tampering, parameter manipulation, authorization, or cryptography. Drafting the guidelines for application security mandates application, further enhancing how the system works. the proper functioning of the The key factors in documenting a software/application security policy are: 1. Data validation 2. User and Session Management 3. Authentication 4. Authorization 5. Encryption 6. Logging and Auditing ry & Data Protection in Storage and Transit 8. Configuration Management 9. Error Handling and Exception Management A security professional’s role in enforcing application policies is: 1. Criteria for Data Validation: It is required to set measures to validate data flowing in and out of the application. Module 05 Page 586 Certified Cybersecurity Technician Copyright © by EG-GCouncil EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls 2. Exam 212-82 Authentication Process: Security professionals should set up an authentication policy for all systems. If a user is attempting to install a third-party application, the system will prompt for an administrator password. This will restrict users from installing such applications without administrator rights. 3. Authorization Standards: Security professionals should authorize application use for only those who need it. The authorization can also be limited to certain parts of the application’s data. 4. Encryption Policy: Security professionals can encrypt the sensitive application data, preventing users from gaining access to it. 5. Monitoring: Every employee application session should be monitored. Module 05 Page 587 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Data Backup Policy QO The backup policy helps an organization recover and safeguard information in the event of a security incident/network failure Location of data backup Name and contact of authorized personnel who can access backups Backup schedule (i [l [ I N © Design Considerations I Type of backup method used Hardware and software requirements for taking backups Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Data Backup Policy Creating a backup policy is one of the most important things you can do for your data security plan. Optimized backup policies and procedures will save your organization time and money. The backup policy helps an organization recover and safeguard information in the event of a security incident/network failure. One important reason for this policy is to bring the backup and recovery process in line with actual requirements. It will also ensure a smooth recovery process in the event of a hard drive failure, virus attack, or natural disaster. Backup policies and procedures vary according to the needs of an organization and industry. There are certain elements of a data backup and restore process that every company should identify: = Determining What Files Should Be Backed Up: Before implementing a backup policy on a system, the security professional should identify the important files for business activity. Data that help run the business should be backed up. Data that include financial, tax, or personal employee information are important and should be backed up. = Determine Who Can Access Backups: Administrators should assign privileges to access backups to only those employees who work on the data. It is important to keep track of the backup data. Keep the backup logs updated regularly. = Determine How Often to Backup: An organization backup policy should define the backup schedule employees must use. Informing employees beforehand helps them prioritize their data for this requirement. Module 05 Page 588 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 The schedule should be created by considering the business of an organization and the criticality of the data on the machines. It is not necessary to run a backup on all devices simultaneously. Certain files or databases have to be backed at a different time. The backup policy should also mention the time the backups should run. Usually an organization prefers to perform backups after business hours. Based on the backup policy, the backup process can be initiated by administrators. What Type of Backup is Required? While drafting the backup policies and procedures, the security professional should also determine the type of backup required. The type of backup depends on an organization’s needs. The three basic types of backup include: o Full Backups: This includes a backup of all data. It is the simplest form of backup, but a highly time-consuming process. o Incremental Backups: Here, the backup is created only when the data are changed since the last full backup. It is a less time-consuming process. o Differential Backups: It backs up all selected files that are new and changed since the last full backup. Where to Back Up Data: The backup policy should mention the location of the backed-up data and where they will be stored. Administrators can store the data on a physical external device, cloud, or both. Design Considerations Location of data backup Name and contact of authorized personnel who can access backups Backup schedule Type of backup method used Hardware and software requirements for taking backups It is important to test and evaluate all backup policies. Module 05 Page 589 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. nician y Tech rsecuritTec Certified Cybeecu hnician ers rityCont rati ied Cyb trolsrols — Administ ConCont Certif rols ve ve ati Network Secutyrity trols = Administr Con uri Sec k Networ " cycy olili onn PPo tiio ennt ette a RRe atta pDDa es sforfor a setof ofrulrule icy cyis isa set The data retentio ion npolpoli lomlnalor or The data retent eratatio for op data tain main g data for oper nganand inining ervi ta pres in ma d ng vi eser 4 Ny pr nts uir ents ememe quir ce erereq regulatory compli ananc regulatory compli EI E tio nsns Design Considera atio Design Consider % » and actacts s ies, rulrules es, ,and regulations, polices, Applicable lawlaws, regulations, polici s, e abl lic App v incl ed » Types of data tobebe inc lududed » Types of data to » personnel of authoriz contact izeded personnel Name and con tact of authoritem and Name onsi ble for each data m resp le for each data ite responsib 9 A YY sche dele le and del edudule on sch etition Record retention and Record retention data for dat ents a irem requ ts for and software re emen quir % Hardware re and software rdwa Ha n retentio retention. r NS ? NI ~ cy licy Poli ta is t da rtan Data Retention Po poort im data is att all ant th imp ré all su en tha Data Retention to ure ens cy li policy ionn po ntio retteent taining dattaa re d ma devveelo ngg an lop a da shoouuld ervi maiinntaining esser zattiion pr and ld de orggaani r fo vin sh Everyy or s pre le on ru for es of za rul ni t set quired cy is @a se Ever polliicy ionn po the re retteent ntio ness the dattaa re Thee da defiine.. Th required red cy def sto liicy ly po ori e act Th sattiisf ed pol or ts st The en. em ly nts ireme requuir yingg royin sa sfactori ancee req desttro lianc for des comppli reg rds for dards toryy com all or lator stannda ion guula rat re m ope or mu sta dattaa for na m mu io e ni at th mi er ts the se s for op alsoo set da and als s, and typees, fer dif dataa typ ss for ent dat iod erent per ff di ion r fo retteent od ri pe re ntion ies tries coun all cou n information. cerrttai n. emss inin all st ntr sy d an s, tem se sys ce ain informatio es and proc cesses, s, pro unitts, ss uni ees, ness oyees ine busi empl all bus lie ors, ctors isis app re , iedd toto all di icy pl pol loy , ap rs emp ion ce , ent fi ret of ect cy a dir li ‘s po A dat rs, on ice n zati nizat ion's off ga ani or t, org ec an an ll to to co A data retentio d d lie n ie app ca is pl It ap o es. wh can collect, rat ope. It is ers who ion es zat id at ani ov er pr op e ree anan org on ic ers wheer ti vid rv za pro se organi rs, oror service as sors, iso advi such wh ts, s, adv nts suc sul tant con ments ultan rs, cto docu cons tra all doc h as con s, to es, or liat d ct ume ie ra , affi pl nt ap all co agents to is , d it es lie er, it is app over, eov More es.s. Mor agents, affiliat a typ type data fer tot0o dif ent dat etc. erent ess ff acc di e files, orof hav s, ss ces vide ce s, etc. prooc ac and vid eoo file have audi ioo and aud s, , nts nt ume me pr ess, doc cu y do cop t sof py , soft co nts, d copy documents ilsls,, har emaai hard copy docume em ign Dessi De gn == == =« «= = = siderations Con Considerations acsts and act les, and rues, es, rul licies, ns,s, pol poici ulalatio reg on s, ti law e gu abl re lic App , ws la Applicable cludeded data to be inc inlud Typ itmem pesooff datato pbe daata ite Tyes eahch dat for eac e for bl si on le sp sib re pon res l ne nel on son rs pe izded per thorize auhor me Na ntact t ofof aut cotac and con me and Na lele hedu onon sch scedu leti deeti retention and d del Rec cord retention an Reord ion tent ion reent daata ret eme ents forfor dat uir emnts req ir re qu twa re sof and re wa re ft dwa so Har Hardware and Page 590 590 Module 05 05 Page ule ge-council yright © byEc-C n Cop ciaCopy ouncil hnian y Tec right © Strbyictly ecurit ersurit nici prohibited. cVb Tech y ied tif rsec is Cer Cybe d ifie ion Cert uct ed. rod ibit Rep Proh tly ed. Stric is erv rved. Reproduction ReseRes ts hts RighRig All All