Software/Application Security Policy PDF
Document Details
Uploaded by barrejamesteacher
Summary
This document outlines a software/application security policy. It covers securing in-built and purchased applications throughout their lifecycle. The policy emphasizes validating data, managing users and sessions, and implementing authorization and encryption.
Full Transcript
Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82

Software/Application Security Policy

Application security policy mandates proper measures that enhance the security of in-house and purchased applications.

Design Considerations: Data Validation; User and Session Management; Authentication; Authorization; Encryption; Logging and Auditing; Data Protection in Storage and Transit; Configuration Management; Error Handling and Exception Management.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Software/Application Security Policy

Application security involves securing the in-built and purchased applications running on the system. The security policy covers the application throughout its complete life cycle. The threat to an application is caused by software tampering, parameter manipulation, authorization, or cryptography. Drafting the guidelines for application security mandates the proper functioning of the application, further enhancing how the system works.

The key factors in documenting a software/application security policy are:
1. Data Validation
2. User and Session Management
3. Authentication
4. Authorization
5. Encryption
6. Logging and Auditing
7. Data Protection in Storage and Transit
8. Configuration Management
9. Error Handling and Exception Management

A security professional's role in enforcing application policies is:
1. Criteria for Data Validation: It is required to set measures to validate data flowing in and out of the application.
2. Authentication Process: Security professionals should set up an authentication policy for all systems. If a user is attempting to install a third-party application, the system will prompt for an administrator password. This will restrict users from installing such applications without administrator rights.
3. Authorization Standards: Security professionals should authorize application use for only those who need it. The authorization can also be limited to certain parts of the application's data.
4. Encryption Policy: Security professionals can encrypt the sensitive application data, preventing users from gaining access to it.
5. Monitoring: Every employee application session should be monitored.

Data Backup Policy

The backup policy helps an organization recover and safeguard information in the event of a security incident/network failure.

Design Considerations: Location of data backup; Name and contact of authorized personnel who can access backups; Backup schedule; Type of backup method used; Hardware and software requirements for taking backups.

Data Backup Policy

Creating a backup policy is one of the most important things you can do for your data security plan. Optimized backup policies and procedures will save your organization time and money. The backup policy helps an organization recover and safeguard information in the event of a security incident/network failure. One important reason for this policy is to bring the backup and recovery process in line with actual requirements. It will also ensure a smooth recovery process in the event of a hard drive failure, virus attack, or natural disaster. Backup policies and procedures vary according to the needs of an organization and industry.

There are certain elements of a data backup and restore process that every company should identify:
- Determining What Files Should Be Backed Up: Before implementing a backup policy on a system, the security professional should identify the important files for business activity. Data that help run the business should be backed up. Data that include financial, tax, or personal employee information are important and should be backed up.
- Determine Who Can Access Backups: Administrators should assign privileges to access backups to only those employees who work on the data. It is important to keep track of the backup data. Keep the backup logs updated regularly.
- Determine How Often to Back Up: An organization's backup policy should define the backup schedule employees must use. Informing employees beforehand helps them prioritize their data for this requirement. The schedule should be created by considering the business of an organization and the criticality of the data on the machines. It is not necessary to run a backup on all devices simultaneously. Certain files or databases have to be backed up at a different time. The backup policy should also mention the time the backups should run. Usually an organization prefers to perform backups after business hours. Based on the backup policy, the backup process can be initiated by administrators.
- What Type of Backup is Required? While drafting the backup policies and procedures, the security professional should also determine the type of backup required. The type of backup depends on an organization's needs. The three basic types of backup include:
  o Full Backups: This includes a backup of all data. It is the simplest form of backup, but a highly time-consuming process.
  o Incremental Backups: Here, the backup is created only when the data are changed since the last full backup. It is a less time-consuming process.
  o Differential Backups: It backs up all selected files that are new and changed since the last full backup.
- Where to Back Up Data: The backup policy should mention the location of the backed-up data and where they will be stored. Administrators can store the data on a physical external device, cloud, or both.

It is important to test and evaluate all backup policies.
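The three backup types differ in how much each nightly run copies and in how many backup sets a restore depends on. The simulation below is an added example, not part of the EC-Council material; it uses the standard definitions (an incremental run copies changes since the previous run of any type, a differential run copies changes since the last full backup), and the file names and change days are constructed sample data.

```python
from typing import Dict, List

# Constructed sample data: file name -> list of days on which the file changed.
# Day 0 is the day of the initial full backup; later days are the nightly runs.
CHANGES: Dict[str, List[int]] = {
    "payroll.xlsx": [0, 2, 5],
    "tax-2023.pdf": [0],
    "employees.db": [0, 1, 2, 3, 4, 5, 6],
    "invoices.csv": [0, 3],
}

def changed_since(after_day: int, upto_day: int) -> List[str]:
    """Files that changed on any day d with after_day < d <= upto_day."""
    return sorted(f for f, days in CHANGES.items()
                  if any(after_day < d <= upto_day for d in days))

def plan(strategy: str, days: int = 7) -> Dict[int, List[str]]:
    """Per-day list of files each nightly run copies. Day 0 is always a full backup."""
    out = {0: sorted(CHANGES)}
    last_backup = 0
    for day in range(1, days):
        if strategy == "full":            # everything, every night
            out[day] = sorted(CHANGES)
        elif strategy == "incremental":   # changes since the previous run of any type
            out[day] = changed_since(last_backup, day)
            last_backup = day
        elif strategy == "differential":  # changes since the last full backup (day 0)
            out[day] = changed_since(0, day)
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return out

def restore_chain(strategy: str, day: int) -> List[int]:
    """Backup sets that must all be intact to restore the state as of `day`."""
    if strategy == "full" or day == 0:
        return [day]
    if strategy == "differential":
        return [0, day]
    return list(range(day + 1))  # incremental: the full plus every increment, in order

if __name__ == "__main__":
    for s in ("full", "incremental", "differential"):
        p = plan(s)
        copied = sum(len(v) for d, v in p.items() if d > 0)
        print(f"{s:12s} files copied on days 1-6: {copied:2d}, "
              f"sets needed to restore day 6: {len(restore_chain(s, 6))}")
```

The trade-off the policy has to weigh is visible in the output: incremental runs copy the least but a restore needs every set in the chain to be readable, while differential runs grow over the week but restore from just two sets.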
Data Retention Policy

The data retention policy is a set of rules for operating and maintaining data for operational and regulatory compliance requirements.

Design Considerations: Applicable laws, regulations, policies, rules, and acts; Types of data to be included; Name and contact of authorized personnel responsible for each data item; Record retention and deletion schedule; Hardware and software requirements for data retention.

Data Retention Policy

Every organization should develop and maintain a data retention policy to ensure that all important data are preserved. The data retention policy is a set of rules for preserving and maintaining data for operational and regulatory compliance requirements. The policy defines the required standards for storing and satisfactorily destroying data, and must satisfy all operational and regulatory compliance requirements. It also sets the retention period for different data types and for certain information in all countries.

A data retention policy applies to all directors, officers, employees, business units, processes, and systems in an organization's offices. It also applies to all contractors, consultants, advisors, agents, affiliates, or service providers who can collect, operate on, or have access to different data types. Moreover, it applies to all documents, such as emails, hard copy documents, soft copy documents, and audio and video files.

Design Considerations
- Applicable laws, regulations, policies, rules, and acts
- Types of data to be included
- Name and contact of authorized personnel responsible for each data item
- Record retention and deletion schedule
- Hardware and software requirements for data retention