Pages

CCNA Security Chapter 9 - Managing a Secure Network

The first step in establishing the security needs of an organization is to identify likely threats and perform a risk analysis. The results of the risk analysis are used to establish the security hardware and software implementations, mitigation policies, and network design.

Network design: The Cisco SecureX architecture is a comprehensive, end-to-end solution for network security that includes solutions to secure the network, email, web, access, mobile users and data center resources. Cisco Security Manager and CCP provide network management options for Cisco SecureX solutions.

After network was designed: After the network is designed, operations security entails the day-to-day practices necessary to first deploy and later maintain the secure system.

After a secure network is implemented and continuity plans are established, those plans and documents must be continuously updated based on the changing needs of the organization.

A network security system cannot completely prevent assets from being vulnerable to threats.

Labs: Security Policy Development and Implementation, Configure a Network for Secure Operation

Secure Network
Mitigating network attacks requires a comprehensive, end-to-end approach:
 - Secure network devices with AAA, SSH, role-based CLI, syslog, SNMP, and NTP.
 - Secure services using AutoSecure and CCP one-step lockdown.
 - Protect network endpoints (such as workstations and servers) against viruses, Trojan Horses, and worms, with Cisco NAC and Cisco IronPort.
 - Use Cisco IOS Firewall and accompanying ACLs to secure resources internally while protecting those resources from outside attacks.
 - Supplement Cisco IOS Firewall with Cisco IPS technology to evaluate traffic using an attack signature database.
 - Protect the LAN by following Layer 2 and VLAN recommended practices and by using a variety of technologies, including BPDU guard, root guard, PortFast, and SPAN.

The security policy developed in your organization drives all the steps taken to secure network resources.
To create an effective security policy, it is necessary to do:
- a risk analysis, which will be used to maximize the effectiveness of the policy and procedures that will be put in place,
- everyone should be aware of the policy; otherwise, it is doomed to fail.
All design guidelines and principles, and the resulting security architecture, should be aimed at managing risk. Risk is, or should be, the building block of information security.

An important part of implementing a secure network is creating and maintaining security policies to mitigate existing, as well as new kinds of attacks.

There are guidelines to help you avoid making wrong assumptions:
 - Expect that any aspect of a security system might fail. When designing a system, perform what-if analysis for failures of every element, assess the probability of failure, and analyze all possible consequences of a failure, taking into account cascading failures of other elements.
 - Identify any elements that fail-open. Fail-open occurs when a failure results in a complete bypass of the security function. Ideally, any security element should be fail-safe. If the element fails, it should default to a secure state, such as blocking all traffic.
 - Try to identify all attack possibilities. One way to accomplish this is with a top-down analysis of possible system failures, which involves evaluating the simplicity and probability of every attack on a system. This type of analysis is commonly referred to as an attack tree analysis.
 - Evaluate the probability of exploitation. Focus on the resources that are needed to create an attack, not the obscurity of a particular vulnerability. Be sure to account for technological advances.
 - Assume that people make mistakes. For example, end users might use a system improperly, compromising its security unintentionally.
 - Attackers might not use common and well-established techniques to compromise a system. Instead, they might hammer the system with seemingly random attacks, looking for possible information on how the system behaves under unexpected conditions.
 - Check all assumptions with other people. They might have a fresh perspective on potential threats and their probability. The more people that question the assumptions, the more likely a wrong assumption will be identified.
 Threat identification provides an organization with a list of threats that a system is subject to in a particular environment.
Risk analysis is the systematic study of uncertainties and risks.The first step in developing a risk analysis is to evaluate each threat to determine its severity and probability.
 There are two types of risk analysis in information security, quantitative and qualitative:
- Quantitative risk analysis uses a mathematical model that assigns a monetary figure to the value of assets, the cost of threats being realized, and the cost of security implementations.
Single Loss Expectancy = Asset Value * Exposure Factor
ARO (Annualized Rate of Occurrence) represents the estimated frequency that a threat is expected to occur.
ALE Annualized Loss Expectancy
Flood threat
SLE is US$10,000,000 * .60 = US$6,000,000 = Exposure Factor is 60 percent * AV of the enterprise is US$10,000,000
ARO is .01
ALE is US$6,000,000 * .01 = US$60,000

Data entry error
SLE is US$1,000,000 * 0.00001 = US$10 = Exposure Factor is .001 percent * AV of data and databases is US$1,000,000
ARO is 125,000
ALE is US$10 * 125,000 = US$1,250,000
It is a justifiable decision to spend US$50,000 to enhance the security of database applications, in order to significantly reduce data entry errors. It is equally justifiable to reject a proposal to spend US$3,000,000, to enhance the defenses against a possible flood.

- There are various ways of conducting qualitative risk analysis. It focuses mostly on the understanding of why risk is present and how various solutions work to resolve the risk.

Risk management - This method deploys protection mechanisms to reduce risks to acceptable levels. Risk management is perhaps the most basic and the most difficult aspect of building secure systems, because it requires a good knowledge of risks, risk environments, and mitigation methods.
Risk avoidance - This method eliminates risk by avoiding the threats altogether, which is usually not an option in the commercial world, where controlled, or managed, risk enables profits.

Disaster Recovery and Business Continuity Planning  
Disasters do occur, and if such occurs to a data network, the results can prove devastatng, both financially and functionally. Examples include tornadoes, earthquakes, large scale physical attacks, and so on. Part of an overall policy that addresses availability should be the ability to recover from a disaster and keep the business moving. This is often referred to as disaster recovery (DR) and business continuity (BC) .
Companies that can afford no downtime might have two completely operational fault-tolerant sites in geographically different locations. If one site goes down, the other site is seamlessly used. The downside of this is that it is expensive. Other options include having sites that are ready to bring up, that could be fully functional within 24 hours or 48 hours or some other period of time.
In planning this, decisions would be made about the cost of the fault tolerance or backup site compared to the risk (financial loss) of not having a solution in place.
Some of the BC factors are:
 - MTD (maximum tolerable downtime)
 - RTO (recovery time objective) - is the number of hours or days set as the objective for resuming the business process in the event of a disaster
 - RPO (recovery point objective) - refers to the state at which the data is being restored. For example, an RPO of 4 hours restores data to the point where it was 4 hours earlier than the incident that triggered the RPO.

Cisco SecureX Architecture
Traditional network security consisted of two major components:
1) a heavy endpoint protection suite (i.e., antivirus, personal firewall, etc.),
2) perimeter-based network-scanning devices (i.e., firewalls, web proxies, and email gateways, etc.).
This architecture worked well in a world of high-powered PCs that were mainly on the LAN and behind the firewall.

In this new Borderless Network, access to resources can be initiated by users from many locations, on many types of endpoint devices, using various connectivity methods. To address these very issues, Cisco has outlined a security architecture called Cisco SecureX.

The SecureX security architecture for the Borderless Network relies on a lightweight, pervasive endpoint. Its role is not to scan content or run signatures. Instead, its sole focus is making sure every connection coming on or off the endpoint is pointed at a network scanning element somewhere in a Cisco security cloud.

This new security architecture uses a high-level policy language that can describe the full context of a situation, including who, what, where, when and how. 
With highly distributed security policy enforcement, security is pushed closer to where the end user is working, anywhere on the planet. 

This architecture is comprised of five major components:
 - Scanning engines: These are the foundation of security enforcement and can be viewed as the workhorses of policy enforcement (the proxies or network-level devices that examine content), can be a firewall/IPS, a proxy, or a fusion of the two) .
 - Delivery mechanisms: traditional network appliance, a module in a switch or a router, or an image in a Cisco security cloud.
 - Security intelligence operations (SIO): These distinguish good traffic from bad (identifying and stopping malicious traffic).
 - Policy management consoles: single point of policy definition that spans multiple enforcement points such as email, instant messaging, and the Web.
 - The next-generation endpoint: The role is not to scan content or run signatures, but rather to guarantee every connection coming on or off the endpoint.

Cisco SecureX Architecture

The architecture is built upon three foundational principles:
  - Context-aware policy uses a simplified descriptive business language to define security policies based on five parameters: the person’s identity, the application in use, the type of device being used for access, and the location and time of access. These security policies more closely align with business policies and are simpler to administer across an organization.
  - Context-aware security enforcement uses network and global intelligence to make enforcement decisions across the network and to deliver consistent and pervasive security anywhere in the organization. Flexible deployment options, such as integrated security services, standalone appliances, or cloud-based security services bring protection closer to the user, reducing network load and increasing protection.
  - Network and global intelligence provides deep insight into network activity and the global threat landscape for fast, accurate, and granular protection and policy enforcement:
     - Local intelligence from the Cisco network infrastructure takes context such as identity, device, posture, location, and behavior to enforce access and data integrity policies.
     - Global intelligence from Cisco Security Intelligence Operations (SIO) provides full, up-to-date threat context and behavior to enable real-time, accurate protection.

Benefits of The Cisco SecureX Architecture:
 •  Enables organizations to embrace mobility and cloud technology while protecting critical business assets,
 •  Delivers granular visibility and control, down to the user and device level, across the entire organization,
 •  Provides faster, more accurate protection from threats with always-on security and integrated global intelligence,
 •  Increases operational efficiency with simplified policies, integrated security options, and automatic security enforcement,
 •  Provides full security coverage with the industry’s most comprehensive security solutions and services.

The context-aware scanning architecture uses local network context from Cisco TrustSec technology.
This is a packet tagging technology that allows security elements to share information gathered from the scanning elements as well as the endpoint client. It is all governed by real-time global threat intelligence from Cisco Security Intelligence Operations (SIO), which helps distinguish good traffic from bad traffic.

Cisco SIO is the world's largest cloud-based security ecosystem, using almost a million live data feeds from deployed Cisco email, web, firewall, and IPS solutions. Cisco SIO weighs and processes the data, automatically categorizing threats and creating rules using more than 200 parameters.

The Cisco SecureX architecture refers to five product families: secure edge and branch, secure email and web, secure access, secure mobility, and secure data center and virtualization.

Secure Edge and Branch
 - deploy devices and systems to detect and block attacks and exploits, and prevent intruder access.
 - Cisco ASA 5500 Series: Combines industry-leading firewall, VPN, and intrusion prevention in a unified platform
 - Cisco Intrusion Prevention System:Identifies, classifies, and stops malicious traffic, including worms, spyware, adware, viruses, and application abuse
 - Cisco Integrated Services Router Generation 2: Delivers suite of built-in capabilities, including firewall, intrusion prevention, VPN, and cloud-based web security
 - Cisco Security Manager: Provides a comprehensive management solution for Cisco network and security devices, Enables consistent policy enforcement, quick troubleshooting of security events, and summarized reports across the deployment.

Secure Email and Web
 - Cisco IronPort Email Security Appliances: Fights spam, viruses, and blended threats for organizations of all sizes, Deployed by more than 40 percent of the world's largest enterprises
 - Cisco IronPort Web Security Appliances: Integrates web-usage controls, data security, reputation and malware filtering, Applies Cisco Security Intelligence Operations and global threat technology
 - Cisco ScanSafe Cloud Web Security: Analyzes web requests for malicious, inappropriate, or acceptable content, Offers granular control over open and encrypted web content

Secure Access
 - Cisco Identity Services Engine: Apply policy-based access control
 - Network Admission Control Appliance (NAC): Recognize users, their devices, and their roles in the network, Enforce security policies by blocking, isolating, and repairing noncompliant machines
 - Cisco Secure Access Control System: Controls network access based on dynamic conditions and attributes
 - Cisco Virtual Office: Extends highly secure, and manageable network services to remote employees, Delivers full IP phone, wireless, data, and video services.

Secure Mobility 
 - VPN Services for Cisco ASA Series: Provides remote access for up to 10,000 SSL or true IPsec
Supports functionality unavailable to a clientless, browser-based VPN connection
 - Cisco Adaptive Wireless IPS Software: Provides automated wireless vulnerability and performance monitoring, Automatically monitors and identifies unauthorized access and RF attacks
 - Cisco AnyConnect Secure Mobility Solutions: Provides comprehensive remote-access connectivity
Enforces context-aware policy, and protection from malware.

Secure Data Center and Virtualization
 - Cisco ASA 5585-X: Combines a proven firewall, comprehensive intrusion prevention, and VPN
 - Cisco Catalyst 6500 ASA Services Module: Combines full-featured switching with best-in-class security, provides up to 16 Gbps multiprotocol throughput for 300,000 connections per second
 - Cisco Virtual Security Gateway (VSG): Delivers security policy enforcement and visibility at a virtual machine level
 - Cisco ASA 1000V Cloud Firewall: Spans and helps to secure multiple VMware ESX hosts
Enables consistency across physical, virtual, and cloud infrastructures

Cisco Self-Defending Network
Principles of Secure Network Design
 - Ensuring a Network is Secure (Developing Security Policies, Guidelines)
 - Threat Identification and Risk Analysis (Risk Analysis, Quantitative Analysis, Annualized Rate of Occurrence)
 - Risk Management and Risk Avoidance

The Cisco Self-Defending Network is a strategic systems approach to security that uses the network to identify, prevent, and adapt to threats from internal and external sources.
1) Secure Network Platform
  The secure network platform is a strong, secure, flexible base from which you build your own Self-Defending Network. At Cisco, security is considered an integral and fundamental network feature. Capabilities that were traditionally provided only by point solution overlays are now a fundamental feature of the network infrastructure.
  Many traditional security point solutions such as firewalls, access control systems, network antivirus protection, intrusion prevention systems (IPSs), IP Security (IPSec) virtual private networks (VPNs), and Secure Sockets Layer (SSL) VPNs are now fully integrated and embedded in secure network platforms built with Cisco technology.

2) Cisco Threat Control and Containment Solutions
Cisco’s threat control and containment solution consists of innovative, advanced technologies that go beyond simply defending against threats—they proactively and collaboratively control and contain them. 
 - Threat control for endpoints: This element defends against threats most commonly introduced by Internet use, such as viruses, spyware, and other malicious content.
- Threat control for infrastructure: This element safeguards the server and application infrastructure against attacks and intrusions. It also defends against internal and external attempts to penetrate or attack servers and information resources through application and operating system vulnerabilities.
 - Threat control for e-mail: This element protects business productivity, resource availability, and confidential information by stopping e-mail initiated threats.

Examples of the advanced technologies used to achieve these benefits include behavioral-based endpoint protection, distributed denial-of-service (DDoS) attack mitigation, intrusion prevention, network antivirus protection, policy enforcement, and proactive response. 

2) Secure Communications (Confidential Communications)
Cisco’s confidential communications solution enables your organization to take advantage of and enjoy the positive business benefits of data, voice, video, and wireless communications, while ensuring the privacy and integrity of critical business communications over these media.
Benefits to implementing a secure communication structure:
 - Improve business productivity and efficiency
 - Enable new business applications
 - Help comply with information privacy regulations

3) Secure Transaction
Today’s agile organizations rely on application-to-application transactions for business and customer-facing transactions. In many cases, the transactional information resides on highly vulnerable custom or homegrown applications. Hackers can exploit security holes in the custom code of these vulnerable applications and steal, intercept, change, or destroy critical application data. Cisco’s secure transactions solution helps ensure the security and availability of vulnerable applications and the privacy of the most sensitive information residing on them. The solution inspects and protects application transactions using Layer 4–7 inspection, encryption, policy enforcement, and application control.

4) Operational Control and Policy Management (with Cisco Security Manager and MARS)
Cisco’s operational management and policy control solution is a framework of integrated, collaborative, and adaptive security management tools.
Cisco’s powerful monitoring, analysis, and response technology simplifies security management and provides end-to-end visibility into the information used for compliance reporting and the auditing process.
The Cisco Security Management Suite provides a number of benefits:
  - Increases speed and accuracy of policy deployment
- Improves visibility to monitor end-to-end security
  - Provides more rapid response to threats
  - Enforces corporate policy compliance
  - Enhances proper workflow management

Operations Security
Operations security is concerned with the day-to-day practices necessary to first deploy and later maintain a secure system.
The operations team usually has the objectives of preventing reoccurring problems, reducing hardware failures to an acceptable level, and reducing the impact of hardware failure or disruption. They should investigate any unusual or unexplained occurrences, unscheduled initial program loads, deviations from standards, and other abnormal conditions occurring on the network.

To ensure a secure working environment within the operations department, certain core principles should be integrated into the day-to-day activities:
 - Separation of duties (SoD)
   SoD states that no single individual has control over two or more phases of a transaction or operation. Instead, responsibilities are assigned in a way that incorporates checks and balances. 
 - Rotation of duties
Rotation of duties, or job rotation, is a security measure in which individuals are given a specific assignment for a certain amount of time before moving to a new assignment.
 - Trusted recovery
The most common way to prepare for failure is to back up data on a regular basis.
 - Change and configuration controls
 A change should be approved by management, be cost effective, and be an enhancement to business processes with a minimum of risk to the IT infrastructure and security.

Network Security Testing
Network security testing is performed on a network to ensure all security implementations are operating as expected. Typically, network security testing is conducted during the implementation and operational stages, after the system has been developed, installed, and integrated.
Security Test and Evaluation (ST&E).
Tests should be repeated periodically and whenever a change is made to the system.
After a network is operational, it is important to ascertain its security status. Many tests can be conducted to assess the operational status of the system:
 * Network scanning
 * Vulnerability scanning
 * Password cracking
 * Log review
 * Integrity checkers
 * Virus detection
 * Wardialing
 * Wardriving (802.11 or wireless LAN testing)
 * Penetration testing
Tools:
 - Nmap (open source) - s a security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
 - GFI LANGuard (commercial) - network and security scanner which detects vulnerabilities.
 - Tripwire (commercial) - assesses and validates IT configuration against internal policies , security best practices.
 - Nessus - Vulnerability scanning software, focusing on remote access, misconfigured passwords, and DoS against the TCP/IP stack. This proprietary scanning program is free of charge for personal use in a non-enterprise network.  For full support and functionality in an enterprise network, commercial organizations must purchase a license.
 - L0phtcrack (commercial) - password auditing and recovery tool.
 - Metasploit (open source) -  is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
 - SuperScan (open source) - connect-based port scanning software designed to detect open TCP and UDP ports on a target computer, determine which services are running on those ports, and run queries such as whois, ping, ICMP traceroute, and Hostname lookups.

SecTools.Org: Top 125 Network Security Tools http://sectools.org/

Planning and Disaster Recovery
Disaster recovery is the process of regaining access to the data, hardware, and software necessary to resume critical business operations after a natural or human-induced disaster.
When planning for disaster recovery and business continuity, the first step is identifying the possible types of disasters and disruptions.

The only way to deal with destruction is redundancy.

On a much larger scale, an organization might require a redundant facility if some catastrophic event results in facility destruction. Redundant facilities are referred to as hot, warm, and cold sites.
Each type of facility is available for a different price with different resulting downtimes:
 -  hot sites, a completely redundant facility is required with almost identical equipment. The copying of data to this redundant facility is part of normal operations, so in the case of a catastrophe, only the latest data changes must be applied to restore full operations.
 - warm sites are physically redundant facilities, but software and data are not stored and updated on the equipment. Depending on how much software and data is involved, it can take days before operations are ready to resume.
 - cold site is usually an empty data center with racks, power, WAN links, and heating, ventilation, and air conditioning (HVAC) already present, but no equipment. In this instance, an organization must first acquire routers, switches, firewalls, servers, and other equipment to rebuild everything. This option is the least expensive in terms of money spent annually, but usually requires weeks to resume operations.

The primary goal of disaster recovery is to restore the network to a fully functional state.
Two of the most critical components of a functional network are the router configuration and the router image files. The secure copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files.
Because SCP relies on SSH for secure transport, before enabling SCP, you must correctly configure SSH, and the router must have an RSA key pair.
!
username SCPadmin privilege 15 password 0 scpPa55w0rd
ip domain-name scp.mycompany.com
crypto key generate rsa general-keys modulus 1024
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip scp server enable
! for troubleshooting
 debug ip scp
SDLC
Business continuity and disaster recovery plans are ever-changing documents. They must be adjusted to changes in environment, equipment, and business needs.
System development life cycle (SDLC) includes five phases:
1. Initiation
     - Security categorization (low, moderate, high),
     - Preliminary risk assessment (Initial description of the basic security needs of the system).
2. Acquisition and development
     - Risk assessment
     - Security assurance requirements
     - Security cost considerations and reporting
     - Security planning (Complete document of the agreed-upon security controls )
     - Developmental security test and evaluation
3. Implementation
     - Inspection and acceptance
     - System integration
     - Security certification
     - Security accreditation
4. Operation and maintenance
     - Configuration management and control (stablishing an initial baseline of hardware, software, and firmware components )
     - Continuous monitoring
5. Disposition
     - Information preservation (Retain information as necessary to conform to legal requirements and accommodate future technology changes)
     - Media sanitization (Ensure that data is deleted, erased, and written over, as necessary)
     - Hardware and software disposal (Dispose of hardware and software as directed by the information system security officer)
At each phase of the system development life cycle a minimum set of security requirements  should be addressed.

Security Policy
A security policy is a set of security objectives for a company, rules of behavior for users and administrators, and system requirements.
Much like a continuity plan, a security policy is a constantly evolving document based on changes in technology, business, and employee requirements.

Security policies are used to inform users, staff, and managers of an organization's requirements for protecting technology and information assets.

One of the most common security policy components is an acceptable use policy (AUP) (or appropriate) .
This component defines what users are allowed and not allowed to do on the various system components. This includes the type of traffic that is allowed on the network. For example, an AUP might list specific websites, newsgroups, or bandwidth intensive applications that are prohibited from being accessed by company computers or from the company network.

The audience for the security policy is anyone who has access to the network.
 - The internal audience includes various personnel, such as managers and executives, departments and business units, technical staff, and employees.
 - The external audience is also a varied group that includes partners, customers, suppliers, consultants, and contractors.

Most corporations use a suite of policy documents to meet their wide and varied needs. These documents are often broken into a hierarchical structure:
 - Governing policy - High-level treatment of the security guidelines that are important to the entire company. Managers and technical staff are the intended audience. The governing policy controls all security-related interactions among business units and supporting departments in the company.
 -- Technical policy - Used by security staff members as they carry out security responsibilities for the system. These policies are more detailed than the governing policy and are system-specific or issue-specific. For example, access control and physical security issues are described in a technical policy.
   General |  Email   |   Remote-access    |   Telephony   |   Application usage   |   Network usage   |   Wireless communication
 -- End user policy - Covers all security topics that are important to end users. End users can include employees, customers, and any other individual user of the network.

The security policy documents are high-level overview documents. The security staff uses detailed documents to implement the security policies.
These include the standards, guidelines, and procedures documents:
 - Standards Documents
Standards documents include the technologies that are required for specific uses, hardware and software versioning requirements, program requirements, and any other organizational criteria that must be followed. For example, if an organization supports 100 routers, it is important that all 100 routers are configured using the established standards. Device configuration standards are defined in the technical section of an organization's security policy.
 - Guideline Documents
Guidelines provide a list of suggestions on how to do things better. They are similar to standards, but are more flexible and are not usually mandatory. Some of the most helpful guidelines are found in organizational repositories called best practices.
 - Procedure Documents
Procedure documents are longer and more detailed than standards and guidelines. Procedure documents include implementation details, usually with step-by-step instructions and graphics. Procedure documents are extremely important for large organizations to have the consistency of deployment that is necessary for a secure environment.

Roles and Responsibilities
Some of the more common executive titles include:
 - CEO (Chief Executive Officer) - Is ultimately responsible for the success of an organization. All executive positions report to the CEO.
 - CTO (Chief Technology Officer) - Identifies and evaluates new technologies and drives new technology development to meet organization objectives. Maintains and enhances the current enterprise systems, while providing direction in all technology-related issues in support of operations.
 - CIO (Chief Information Officer) - Responsible for the information technology and computer systems that support enterprise goals, including successful deployment of new technologies and work processes. Small- to medium-sized organizations typically combine the responsibilities of CTO and CIO into a single position that can use either title. When an organization has both a CTO and CIO, the CIO is generally responsible for processes and practices supporting the flow of information, and the CTO is responsible for technology infrastructure.
- CSO (Chief Security Officer) - Develops, implements, and manages the organization's security strategy, programs, and processes associated with all aspects of business operation, including intellectual property. A major aspect of this position is to limit exposure to liability in all areas of financial, physical, and personal risk.
 - CISO (Chief Information Security Officer) - Similar to the CSO, except that this position has a specific focus on IT security. One of the major responsibilities of the CISO is developing and implementing the security policy. The CISO might choose to be the primary author of the security policy or to delegate some or all of the authoring. In either case, the CISO is responsible and accountable for security policy content.

Security Awareness and Training
Technical, administrative, and physical security is easily breached if the end user community is not purposefully abiding security policies. To help ensure the enforcement of the security policy, a security awareness program must be put in place. Leadership must develop a program that keeps everyone aware of security issues and educates staff on how to work together to maintain the security of their data.

A security awareness program usually has two major components:
 - Awareness campaigns,
 - Training and education.

a) Awareness Campaigns
There are several methods of increasing security awareness:
 - Lectures, videos
 - Posters, newsletter articles, and bulletins
 - Awards for good security practices
 - Reminders, such as login banners, mouse pads, coffee cups, and notepads

b) Training and Education
An effective security training course requires proper planning, implementation, maintenance, and periodic evaluation. The life cycle of a security training course includes several steps:
Step 1. Identify course scope, goals, and objectives.
The scope of the course provides training to all types of people who interact with IT systems. Because users need training that relates directly to their use of particular systems, it is necessary to supplement a large organization-wide program by more system-specific courses.

Step 2. Identify and educate training staff. 
It is important that trainers have sufficient knowledge of computer security issues, principles, and techniques. It is also vital that they know how to communicate information and ideas effectively.

Step 3. Identify target audiences. 
Not everyone needs the same degree or type of computer security information to perform an assigned job. Security training courses that present only the information that is needed by the particular audience and omit irrelevant information have the best results.

Step 4. Motivate management and employees. 
Consider using motivational techniques to show management and employees how their participation in a training course benefits the organization.

Step 5. Administer the courses. 
Important considerations for administering the course include selecting appropriate training methods, topics, materials, and presentation techniques.

Step 6. Maintain the courses. 
Stay informed of changes in computer technology and security requirements. Training courses that meet the needs of an organization today can become ineffective when the organization starts to use a new application or changes its environment, such as the deployment of VoIP.

Step 7. Evaluate the courses.
An evaluation seeks to ascertain how much information is retained, to what extent computer security procedures are being followed, and the general attitude toward computer security.

Laws and Ethics

Laws
For many businesses today, one of the biggest considerations for setting security policies and implementing awareness programs is compliance with the law. Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals

Ethics
Ethics is a standard that is higher than the law. 
It is a set of moral principles that govern civil behavior. Ethical principles are often the foundation of many of the laws currently in place. These principles are frequently formalized into codes of ethics. Individuals that violate the code of ethics can face consequences such as loss of certification, loss of employment, and even prosecution by criminal or civil court. The information security profession has a number of formalized codes:
 - International Information Systems Security Certification Consortium, Inc (ISC)2 Code of Ethics
 - Computer Ethics Institute (CEI)
 - Internet Activities Board (IAB)
 - Generally Accepted System Security Principles (GASSP)