Security policy: does anyone have an example or a site with examples? I need to create one and have never done it

    Question

  • The problem is this:

    I have to create a security policy for the company, but I've never done one

    and I don't have any example. Could anyone point me to one?

    Later, folks

    Wednesday, July 19, 2006 2:56 AM

Answers

All replies

  • Hey Krusst

    A security policy shouldn't be copied in the first place because each company is different from the others, and having an example would only get in the way. If you can get hold of NBR ISO 27001, that will be the best way out, since it has an annex containing only the topics needed for an ideal security policy.

    Can an example help? Yes, it can. But it can also muddle your head even more, and you end up with a security policy full of gaps!

    To start, write a global policy, with definitions for executives (presidency, board, management) and the basic security points.

    Then widen the range of policies according to your company's needs, such as:

    Access control, IT asset control, Security Incident Management, etc.

    It depends on the company's needs. If you manage to see more than usual, good for you....

    Always involve some people from senior management in approving this policy; they help to spot what is missing or excessive......

    Also never forget to carry out good awareness-raising with "everyone" in the company!

    If you need anything else, just say!

    Tiago Oliveira

    Tuesday, September 12, 2006 5:19 PM
  • Thanks Tiago

    It's just that, since I've never done one and I want to implement one here, I need a base.
    But I'll take a look at that ISO you pointed me to and see how it works...
    thanks

    Later, man

    bye

    Wednesday, September 13, 2006 11:43 AM
  • We're here, Krusst!

    If you take part in the Academy, the material for the second part of the ISO course has a brief explanation of how to write a policy.

    One tip: avoid IT jargon. The global security policy is for everyone. Also try to get the backing of your president (or someone in a similar position).

    Below, in English, are the points needed for all the policies that could fit in a company. (source:

    http://www.freeforum101.com/securitysellers/viewtopic.php?t=8&sid=f1667567269ddaf554f22aea0580f9d9&mforum=securitysellers

    )

    Each chapter would be one policy.

    Note: not all of them fit within the company's scope, so you have to assess which points would be worth addressing in your policies.

    Security Policies

    The following represents a template for a set of policies aligned with the standard. Note that these are headings, to assist with policy creation, rather than policy statements. However, similar policy sets are in use in a substantial number of organizations.

    ONE INFORMATION SECURITY ORGANIZATION
    Information Security Policy

    Information Security policy
    Senior Management Support
    Information Security Policy Review
    Inter-departmental collaboration

    Information Security Organization

    Independent Review of Information Security Policy
    Sharing Information with other Organizations



    TWO CLASSIFYING INFORMATION AND DATA

    Setting Classification Standards

    Defining Information
    Classifying Information
    Accepting Ownership for Classified Information
    Labeling Classified Information
    Storing and Handling Classified Information
    Isolating Top Secret Information
    Managing Network Security



    THREE CONTROLLING ACCESS TO INFORMATION AND SYSTEMS

    Controlling Access to Information and Systems

    Managing Access Control Standards
    Managing User Access
    Securing Unattended Workstations
    Management Duties
    Third Party Service Management
    Managing Network Access Controls
    Controlling Access to Operating System Software
    Managing Passwords
    Securing Against Unauthorized Physical Access
    Access Control Framework
    Access Policy
    Restricting Access
    Monitoring System Access and Use
    Giving Access to Files and Documents
    Managing Higher Risk System Access
    Controlling Remote User Access
    Types of Access Granted to Third Parties
    Why access is granted to third parties
    Controlled pathway
    Node authentication
    Diagnostic and Configuration Port Controls
    Granting Access to Customers
    Acceptable Usage of Information Assets
    Monitoring Third Party Services
    Third Party Service Changes



    FOUR PROCESSING INFORMATION AND DOCUMENTS

    Networks

    Configuring Networks
    Managing the Network
    Network Segregation
    Controlling Shared Networks
    Routing Controls
    Network Security
    Accessing your Network Remotely
    Defending your Network Information from Malicious Attack
    Time-out Facility
    Exploitation of Covert Channels
    Authentication of Network Connecting Equipment

    System Operations and Administration

    Appointing System Administrators
    Administrating Systems
    Controlling Data Distribution
    System Utilities
    System Use Procedures
    Internal Processing Controls
    Permitting Third Party Access
    Managing Electronic Keys
    Managing System Operations and System Administration
    Managing System Documentation
    Synchronizing System Clocks
    Monitoring Error Logs
    Scheduling Systems Operations
    Scheduling Changes to Routine Systems Operations
    Monitoring Operational Audit Logs
    Responding to System Faults
    Managing or Using Transaction / Processing Reports
    Commissioning Facilities Management - FM
    Third Party Service Delivery
    Log-on Procedures
    Corruption of Data
    Corrupt Data Controls
    Controlling On-Line Transactions

    E-mail and the Worldwide Web

    Downloading Files and Information from the Internet
    Electronic Business Communications
    Policy on Electronic Business Communications
    Using and Receiving Digital Signatures
    Sending Electronic Mail (E-mail)
    Receiving Electronic Mail (E-mail)
    Retaining or Deleting Electronic Mail
    Developing a Web Site
    Receiving Misdirected Information by E-mail
    Forwarding E-mail
    Using Internet for Work Purposes
    Giving Information when Ordering Goods on Internet
    Setting up Intranet Access
    Setting up Extranet Access
    Setting up Internet Access
    ‘Out of the Box’ Web Browser Issues
    Using Internet ‘Search Engines’
    Maintaining your Web Site
    Filtering Inappropriate Material from the Internet
    Certainty of File Origin
    Cryptographic Keys
    Key Management Procedures
    Controlling Mobile Code

    Telephones & Fax

    Making Conference Calls
    Recording of Telephone Conversations
    Receiving Misdirected Information by Fax
    Giving Information when Ordering Goods on Telephone
    Persons Giving Instructions over the Telephone
    Using Video Conferencing Facilities
    Persons Requesting Information over the Telephone
    Receiving Unsolicited Faxes

    Data Management

    Transferring and Exchanging Data
    Permitting Emergency Data Amendment
    Receiving Information on Disks
    Setting up a New Folder / Directory
    Amending Directory Structures
    Sharing Data on Project Management Systems
    Archiving Documents
    Information Retention Policy
    Setting up New Spreadsheets
    Setting up New Databases
    Linking Information between Documents and Files
    Updating Draft Reports
    Deleting Draft Reports
    Using Version Control Systems
    Updating Customer Information
    Using Meaningful File Names
    Managing Data Storage
    Managing Databases
    Using Headers and Footers
    Using and Deleting ‘Temp’ Files
    Using Customer and Other Third Party Data Files
    Saving Data / Information by Individual Users

    Backup, Recovery and Archiving

    Restarting or Recovering your System
    Archiving Information
    Backing up Data on Portable Computers
    Managing Backup and Recovery Procedures
    Archiving Electronic Files
    Recovery and Restoring of Data Files

    Document Handling

    Managing Hard Copy Printouts
    The Countersigning of Documents
    Checking Document Correctness
    Approving Documents
    Verifying Signatures
    Receiving Unsolicited Mail
    Style and Presentation of Reports
    Photocopying Confidential Information
    Filing of Documents and Information
    Transporting Sensitive Documents
    Shredding of Unwanted Hardcopy
    Using Good Document Management Practice

    Securing Data

    Using Encryption Techniques
    Sending Information to Third Parties
    Maintaining Customer Information Confidentiality
    Handling of Customer Credit Card Details
    Fire Risks to Your Information
    Sending Out Reports
    Sharing Information
    Dealing with Sensitive Financial Information
    Deleting Data Created / Owned by Others
    Protecting Documents with Passwords
    Printing of Classified Documents

    Other Information Handling and Processing

    Using Dual Input Controls
    Loading Personal Screen Savers
    Speaking to the Media
    Speaking to Customers
    Need for Dual Control / Segregation of Duties
    Using Clear Desk Policy
    Misaddressing Communications to Third Parties
    Using External Disposal Firms
    Using Photocopier for Personal Use
    Verifying Correctness of Information
    Traveling on Business
    Checking Customer Credit Limits



    FIVE PURCHASING AND MAINTAINING COMMERCIAL SOFTWARE

    Purchasing and Installing Software

    Specifying User Requirements for Software
    Implementing New / Upgraded Software
    Selecting Business Software Packages
    Selecting Office Software Packages
    Using Licensed Software
    Technical Vulnerability Management

    Software Maintenance & Upgrade

    Applying ‘Patches’ to Software
    Responding to Vendor Recommended Upgrades to Software
    Interfacing Applications Software / Systems
    Supporting Application Software
    Operating System Software Upgrades
    Upgrading Software
    Support for Operating Systems
    Recording and Reporting Software Faults

    Other Software Issues

    Disposing of Software



    SIX SECURING HARDWARE, PERIPHERALS AND OTHER EQUIPMENT

    Purchasing and Installing Hardware

    Specifying Information Security Requirements for New Hardware
    Specifying Detailed Functional Needs for New Hardware
    Installing New Hardware
    Testing Systems and Equipment

    Cabling, UPS, Printers and Modems

    Supplying Continuous Power to Critical Equipment
    Using Centralized, Networked or Stand-Alone Printers
    Managing and Maintaining Backup Power Generators
    Using Fax Machines / Fax Modems
    Using Modems / ISDN / DSL connections
    Installing and Maintaining Network Cabling

    Consumables

    Controlling IT Consumables
    Using Removable Storage Media including Diskettes and CDs

    Working Off Premises or Using Outsourced Processing

    Contracting or Using Outsourced Processing
    Using Mobile Phones
    Using Business Centre Facilities
    Issuing Laptop / Portable Computers to Personnel
    Using Laptop/Portable Computers
    Working from Home or Other Off-Site Location (Tele-working)
    Moving Hardware from One Location to Another
    Day to Day Use of Laptop / Portable Computers

    Using Secure Storage

    Using Lockable Storage Cupboards
    Using Lockable Filing Cabinets
    Using Fire Protected Storage Cabinets
    Using a Safe

    Documenting Hardware

    Managing and Using Hardware Documentation
    Maintaining a Hardware Inventory or Register

    Other Hardware Issues

    Disposing of Obsolete Equipment
    Recording and Reporting Hardware Faults
    Clear Screen Policy
    Logon and Logoff from your Computer
    Dealing with Answering Machines / Voice Mail
    Taking Equipment off the Premises
    Maintaining Hardware (On-site or Off-site Support)
    Using Speed Dialing Telephone Options
    Cleaning of Keyboards and Screens
    Damage to Equipment
    Insuring Hardware
    Insuring Laptops / Portables for use Domestically or Abroad



    SEVEN COMBATING CYBER CRIME

    Combating Cyber Crime

    Defending Against Premeditated Cyber Crime Attacks
    Minimizing the Impact of Cyber Attacks
    Collecting Evidence for Cyber Crime Prosecution
    Defending Against Premeditated Internal Attacks
    Defending Against Opportunistic Cyber Crime Attacks
    Safeguarding Against Malicious Denial of Service Attack
    Defending Against Hackers, Stealth-and Techno-Vandalism
    Handling Hoax Virus Warnings
    Defending Against Virus Attacks
    Responding to Virus Incidents
    Collecting Evidence for Cyber Crime Prosecution
    Installing Virus Scanning Software



    EIGHT CONTROLLING E-COMMERCE INFORMATION SECURITY

    E-Commerce Issues

    Structuring E-Commerce Systems including Web Sites
    Securing E-Commerce Networks
    Configuring E-Commerce Web Sites
    Using External Service Providers for E-Commerce



    NINE DEVELOPING AND MAINTAINING IN-HOUSE SOFTWARE

    Controlling Software Code

    Managing Operational Program Libraries
    Controlling Software Code during Software Development
    Controlling Program Listings
    Controlling Program Source Libraries
    Controlling Old Versions of Programs
    Managing Program Source Libraries

    Software Development

    Software Development
    Establishing ownership for System Enhancements
    Justifying New System Development
    Managing Change Control Procedures
    Making Emergency Amendments to Software
    Separating Systems Development and Operations

    Testing & Training

    Controlling Test Environments
    Using Live Data for Testing
    Testing Software before Transferring to a Live Environment
    Capacity Planning and Testing of New Systems
    Parallel Running
    Training in New Systems

    Documentation

    Documenting New and Enhanced Systems

    Other Software Development

    Acquiring Vendor Developed Software



    TEN DEALING WITH PREMISES RELATED CONSIDERATIONS

    Premises Security

    Preparing Premises to Site Computers
    Securing Physical Protection of Computer Premises
    Challenging Strangers on the Premises
    High Security Locations
    Delivery and loading areas
    Duress Alarm
    Ensuring Suitable Environmental Conditions
    Physical Access Control to Secure Areas
    Environmental and other external threats

    Data Stores

    Managing On-Site Data Stores
    Managing Remote Data Stores

    Other Premises Issues

    Electronic Eavesdropping
    Cabling Security
    Disaster Recovery Plan



    ELEVEN ADDRESSING PERSONNEL ISSUES RELATING TO SECURITY

    Contractual Documentation

    Preparing Terms and Conditions of Employment
    Using Non Disclosure Agreements (Staff and Third Party)
    Misuse of Organization Stationery
    Lending Keys to Secure Areas to Others
    Lending Money to Work Colleagues
    Complying with Information Security Policy
    Establishing Ownership of Intellectual Property Rights
    Employing / Contracting New Staff
    Contracting with External Suppliers / other Service Providers
    Employees' Responsibility to Protect Confidentiality of Data

    Confidential Personnel Data

    Respecting Privacy in the Workplace
    Handling Confidential Employee Information
    Giving References on Staff
    Checking Staff Security Clearance
    Sharing Employee Information with Other Employees
    Sharing Personal Salary Information

    Personnel Information Security Responsibilities

    Using the Internet in an Acceptable Way
    Keeping Passwords / PIN Numbers Confidential
    Sharing Organization Information with Other Employees
    Signing for the Delivery of Goods
    Signing for Work done by Third Parties
    Ordering Goods and Services
    Verifying Financial Claims and Invoices
    Approving and Authorization of Expenditure
    Responding to Telephone Enquiries
    Sharing Confidential Information with Family Members
    Gossiping and Disclosing Information
    Spreading Information through the Office ‘Grape Vine’
    Using E-Mail and Postal Mail Facilities for Personal Reasons
    Using Telephone Systems for Personal Reasons
    Using the Organization’s Mobile Phones for Personal Use
    Using Organization Credit Cards
    Playing Games on Office Computers
    Using Office Computers for Personal Use

    HR Management

    Dealing with Disaffected Staff
    Taking Official Notes of Employee Meetings

    Staff Leaving Employment

    Handling Staff Resignations
    Completing Procedures for Terminating Staff or Contractors
    Obligations of Staff Transferring to Competitors

    HR Issues Other

    Recommending Professional Advisors



    TWELVE DELIVERING TRAINING AND STAFF AWARENESS

    Awareness

    Delivering Awareness Programmes to Permanent Staff
    Drafting Top Management Security Communications to Staff
    Third Party Contractor : Awareness Programmes
    Delivering Awareness Programmes to Temporary Staff
    Providing Regular Information Updates to Staff

    Training

    Information Security Training on New Systems
    Information Security Officer : Training
    User : Information Security Training
    Technical Staff : Information Security Training
    Training New Recruits in Information Security



    THIRTEEN COMPLYING WITH LEGAL AND POLICY REQUIREMENTS

    Complying with Legal Obligations

    Being Aware of Legal Obligations
    Complying with Copyright and Software Licensing Legislation
    Complying with the Data Protection Act or Equivalent
    Complying with General Copyright Legislation
    Complying with Database Copyright Legislation
    Legal Safeguards against Computer Misuse

    Complying with Policies

    Managing Media Storage and Record Retention
    Complying with Information Security Policy

    Avoiding Litigation

    Safeguarding against Libel and Slander
    Using Copyrighted Information from the Internet
    Sending Copyrighted Information Electronically
    Using Text directly from Reports, Books or Documents
    Infringement of Copyright

    Other Legal Issues

    Recording Evidence of Incidents (Information Security)
    Reviewing System Compliance Levels
    Renewing Domain Name Licenses – Web Sites
    Insuring Risks
    Recording Telephone Conversations
    Admissibility of Evidence
    Adequacy of Evidence
    Collection of Evidence



    FOURTEEN DETECTING AND RESPONDING TO IS INCIDENTS

    Reporting Information Security Incidents

    Reporting Information Security Incidents
    Reporting IS Incidents to Outside Authorities
    Reporting Information Security Breaches
    Software Errors and Weaknesses
    Notifying Information Security Weaknesses
    Witnessing an Information Security Breach
    Being Alert for Fraudulent Activities
    When and How to Notify Authorities

    Investigating Information Security Incidents

    Investigating the Cause and Impact of IS Incidents
    Collecting Evidence of an Information Security Breach
    Recording Information Security Breaches
    Responding to Information Security Incidents

    Corrective Activity

    Establishing Remedies to Information Security Breaches

    Other Information Security Incident Issues

    Ensuring the Integrity of IS Incident Investigations
    Analyzing IS Incidents Resulting from System Failures
    Monitoring Confidentiality of Information Security Incidents
    Breaching Confidentiality
    Establishing Dual Control / Segregation of Duties
    Using Information Security Incident Check Lists
    Detecting Electronic Eavesdropping and Espionage Activities
    Risks in System Usage
    Reviewing System Usage



    FIFTEEN PLANNING FOR BUSINESS CONTINUITY

    Business Continuity Management

    Initiating the Business Continuity Project
    Assessing the Business Continuity Security Risk
    Developing the Business Continuity Plan
    Testing the Business Continuity Plan
    Training and Staff Awareness on Business Continuity
    Maintaining and Updating the Business Continuity Plan
    Realistic Testing Environment for Business Continuity Plans
    Impact of the Pace of change on the Business Continuity Plan


    Friday, September 15, 2006 1:41 PM
  • Krusst,

    To begin drafting a security policy, it is very important to have your current environment and the expected model in mind.

    Where I work, we drafted a policy after discussions with the managers and the superintendency. We decided to incorporate a commitment agreement into each employee's employment contract and distributed copies of the policy to the whole company.

    One of the topics of our policy is that it will be constantly reviewed and may be changed, and that employees must always be attentive to the changes, which are published via the intranet, internal mail, etc.

    Well, in short, I think the important thing is to start. Establish the culture of using a security policy and that will be a good start. After that it is just a matter of reviewing it on each request from the board or need of the IT department.

    Regards,

    Thomas

    Monday, September 25, 2006 1:19 PM
  • Krusst,

    Here is a site with an example:

    http://icp-brasil.certisign.com.br/repositorio/AC_CertiSign.htm

    Regards,

    Adriano

    Friday, October 27, 2006 7:20 PM
  • Krusst

    Here are some points that should be addressed when building the policy:

    - Objectives and requirements of the security policy
    - Definition of authorities, responsibilities and security audits
    - Set of rules and procedures for each of the security aspects
    - Implementation planning
    - Monitoring, evaluation and periodic internal and external auditing

    As Thomas mentioned earlier, the security policy must be seen as a cyclical process and not as a project (beginning/middle/end), basically taking the following shape:

    +--> audit --> Risk --> Policy --> Implementation --> Administration --+
    |                                                                      |
    +<---------------------------------------------------------------------+

    Thursday, November 09, 2006 5:47 PM