Systems Assurance Seminar

by: David Mayert

Systems Assurance Seminar CSE 583



These 17 pages of class notes were uploaded by David Mayert on Wednesday, October 21, 2015. The notes belong to CSE 583 at Syracuse University, taught by Staff in Fall. Since upload, they have received 38 views.


Date Created: 10/21/15
Security Policy (CIS/CSE 583)

What is a Security Policy?
- A document or documents outlining rules about who can do what to whom
  - entities (actors, objects)
  - allowed actions/relations
  - security configurations/precautions
  - practices (protection, detection, response)

How To Define a Policy
- Identify what you are trying to protect
- Determine what you are trying to protect it from
- Determine how likely the threats are
- Implement measures which will protect your assets in a cost-effective manner
- Review the process continuously and make improvements each time a weakness is found
Source: M. Fites et al., Control and Security of Computer Information Systems, Computer Science Press, 1989

What Are You Trying to Protect?
- Your private company financial or research data
  - basis of competitive advantage
- The integrity of your web server
  - critical to your business
- Your users (from outsiders and from each other)
  - real-life example: elementary school children

What Are You Protecting From?
- What, or whom?
  - Vandalism/defacement (special case of integrity)
  - Theft
  - Inadvertent revelation
  - Hackers, terrorists, industrial espionage
  - Denial of service
  - Integrity
- Hey, those are just variations on confidentiality, integrity and availability!

Determine How Likely the Threats Are
- Risk assessment, attack trees
- Consider the cost of a security breach
  - direct cost of data damaged/stolen
  - cost to repair
  - cost in reputation, customer trust, etc.
  - cost depends on the use of the system
- Prioritize risks by likelihood and cost

Implement Cost-Effective Measures
- Don't pay more for defense than it would cost you to fix it afterwards
  - Sometimes this can't be defined easily
- This is the majority of what the document focuses on
  - but may or may not take the majority of the time in developing the policy
- Specify P, D, R (protection, detection, response) measures

Review the Process
- Are your initial definitions still correct?
- Do the relationships between subjects and objects still hold?
- Is the security policy being implemented properly? (audit)
- If a breach occurs, review it and modify either the set of allowed actions or the security measures

Notes on Policy
- One document or many?
- A single large document holds everything, but is cumbersome
- Multiple small documents are easier to update and use, but must be kept consistent

Policy Can Also Be Formally Specified
- Define sets: subjects S, objects O, actions A
- Write down formal rules about when subjects are allowed to act on objects
  - e.g. for all s in S, o in O, a in A: allows(s, o, a) iff true (no security)
  - allows(s, o, a) iff owns(s, o) (ownership)
  - could include temporal relationships, etc.
- The problem comes in the implementation

Why Is Policy Important?
- Without it you have no framework to judge the security of the system
  - If the policy accurately reflects what you want,
  - and the system faithfully implements the policy,
  - then you're as secure as you want to be
- Without a written policy you will not be secure
- Security starts with policy definition

Real-life Example
- Organization acted as ISP for 40 school systems
- Also maintained computers within the systems (SW & HW)
- No desire to specify policy
- Wanted to make things secure
- Thought that they could wave a magic wand:
  - firewall
  - virus filter
  - all done
- Security?
- We walked away

Example Policy Types
- Acceptable Encryption Policy
- Acceptable Use
- Analog/ISDN Lines
- Anti-Virus Process
- Audit Policy
- Dial-in Access Policy
- DMZ Policy
- Email forwarding/handling policy
- Desktop security standards
- Server security standards
- Wireless network policy

Qualities of a Good Policy
- Implementable, enforceable
- Easy to understand, concise
- Balanced between production and protection
- Explains why the policy is needed
- Defines subjects, objects, relationships, actions
- Defines how violations will be handled

The Most Common Policy: AUP
- A contract between the users of the system and the owners/providers
- Says what the users are allowed to use the system for, and what they're not
- Outlines rights of / protections provided to the users
- Describes the penalty for violation
- Did you know you signed one?

Procedures
- Directions on how to comply with policy
- E.g. the policy might state that all desktop machines must use a standard configuration specified in a sub-document
- The standard specifies the configuration
- The procedure tells how to configure and test the system before installing
- See handout for an example audit policy; note that it says nothing about procedure

Network vs. System Policies
- Most security policies do not explicitly separate the two
- Network policies: firewall configuration, DMZ rules, running services, protocols supported
- System policies: password changing, software installation/configuration, backup policy
- AUP covers both
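The "formally specified" slide and the "review the process (audit)" slide fit together naturally: once allows(s, o, a) is written as a predicate over the sets S, O and A, the same predicate can be run over an access log to find actions the policy does not permit. The code below is an added example, not part of the course notes; the subjects, objects and log entries are constructed, and the three rules implement the no-security, ownership, and ownership-plus-temporal variants mentioned in the slide.

```python
from dataclasses import dataclass
from datetime import datetime

# Subjects S, objects O and actions A are plain sets; a policy is the predicate
# allows(s, o, a).  Every name and log entry below is constructed for this
# example, not taken from the course notes.

@dataclass(frozen=True)
class Obj:
    name: str
    owner: str                     # the subject that owns the object

class Policy:
    def __init__(self, subjects, objects, actions, rule):
        self.subjects, self.objects, self.actions, self.rule = subjects, objects, actions, rule

    def allows(self, s, o, a, when):
        # Anything outside S, O or A is denied before the rule is consulted.
        if s not in self.subjects or o not in self.objects or a not in self.actions:
            return False
        return self.rule(s, self.objects[o], a, when)

def no_security(s, o, a, when):
    return True                    # allows(s, o, a) iff true

def ownership(s, o, a, when):
    return o.owner == s            # allows(s, o, a) iff owns(s, o)

def ownership_office_hours(s, o, a, when):
    # Ownership plus a temporal relationship: writes only between 09:00 and 17:59.
    return o.owner == s and (a == "read" or 9 <= when.hour < 18)

def audit(policy, log):
    # The review step: logged (s, o, a, time) tuples the policy does not allow.
    return [entry for entry in log if not policy.allows(*entry)]

OBJECTS = {"payroll.xls": Obj("payroll.xls", "alice"),
           "www-root": Obj("www-root", "bob")}
POLICY = Policy({"alice", "bob"}, OBJECTS, {"read", "write"}, ownership_office_hours)
LOG = [  # constructed access log; three of the four entries violate POLICY
    ("alice", "payroll.xls", "read", datetime(2015, 10, 21, 10, 0)),
    ("bob", "payroll.xls", "read", datetime(2015, 10, 21, 11, 0)),   # not the owner
    ("bob", "www-root", "write", datetime(2015, 10, 21, 23, 30)),    # owner, but after hours
    ("mallory", "www-root", "read", datetime(2015, 10, 21, 12, 0)),  # not in S
]

if __name__ == "__main__":
    for s, o, a, when in audit(POLICY, LOG):
        print(f"violation: {s} {a} {o} at {when:%H:%M}")
```

Swapping the rule changes the audit result without touching the log or the sets, which is the point of separating the policy statement from its implementation.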

