
Introduction to Trusted Systems and Security Policies

The document outlines a course on Security and Data Privacy Laws and Standards, focusing on trusted systems, security policies, and data classification. It emphasizes the importance of securing systems against intrusions and protecting personal data within organizations. The course aims to equip students with knowledge on securing corrupted systems and understanding personal data protection and secured networking.

Uploaded by

Mrinal Bhatt
Copyright © All Rights Reserved

UNIVERSITY INSTITUTE OF ENGINEERING

DEPARTMENT OF AIT - CSE


Bachelor of Engineering (CSE)
Security and Data Privacy Laws and Standards (21CSF-433)
By: Ms. Kirti(E16189)
Assistant Professor
AIT CSE

Lecture 1


Introduction to Trusted System

Chapter Course Objectives

● Exhibit knowledge to secure corrupted systems, protect personal data, and secure computer networks in an organization.

Chapter Course Outcomes

After completion of this course, the student will be able to:
● Know how to secure corrupted systems.
● Be aware of personal data protection and secured networking.

Contents

1.1 Designing Trusted Operating Systems

• What is a Trusted system?

• Security Policies Methods of security

What is a Trusted System?
• A trusted system is a system used to enhance the ability to defend against intruders and malicious programs,
based on the security level.

• A trusted system indicates that system hardware and software are running as designed. The prerequisite for a
trusted system is that the system software integrity is high and free of intrusion or unauthorized modification.

Purpose of a Trusted System
• Global communications service providers, enterprises, and government networks depend
on the running of communications networks. The integrity of data and IT infrastructure is
the basis for maintaining these networks and users' trust. In addition, the threat
environment is changing. Protecting networks from intrusion, forgery, and tampering
becomes critical.

• A communication device is composed of multiple embedded computer systems. The
software of a device may be attacked by viruses, or may be tampered with or attacked by
Trojan horses by means of vulnerabilities. Once untrusted devices access the network, the
security of the entire network may be compromised. A network can be trustworthy only
when it can be accessed only by trusted devices. With trusted boot, secure boot, and
remote attestation, users can ensure that all devices accessing the network are trusted.

Benefits of TS
• A trusted system consists of trusted startup, secure startup, and remote attestation (RA),
and offers the following benefits:
• Use the device hardware capability and initial startup code to
establish trustworthiness on the trusted startup platform.
• Trusted startup provides software integrity measurement, trusted
status query, and trusted status warning.
• Secure startup allows only trusted devices to start.
• RA allows users to remotely check device trustworthiness.
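
The three functions listed above, as an added example that is not part of the original slides: trusted startup measures and logs every stage, secure startup refuses to continue past a stage that is not allowed, and RA lets a verifier check the result remotely. Assumptions: measurement is modeled as a TPM-style SHA-256 hash extend, secure startup as a digest allowlist, and the attestation quote as an HMAC under a shared key; the stage names, key and nonce are constructed.

```python
import hashlib
import hmac
from functools import reduce

def measure(image):
    return hashlib.sha256(image).digest()

def extend(register, digest):
    # TPM-style extend: new = H(old || digest), so order matters and it cannot be undone
    return hashlib.sha256(register + digest).digest()

def replay(log):
    # Fold the logged digests into one register value, starting from all zeros
    return reduce(extend, (digest for _, digest in log), bytes(32))

def trusted_startup(stages):
    """Measure every stage, log it and keep booting (report, do not block)."""
    log = [(name, measure(image)) for name, image in stages]
    return replay(log), log

def secure_startup(stages, allowed):
    """Return the stage at which boot halts (digest not allowed), or None."""
    for name, image in stages:
        if measure(image) != allowed.get(name):
            return name
    return None

def quote(key, nonce, register):
    # Stand-in for a signed quote; a shared-key HMAC is an assumption of this sketch
    return hmac.new(key, nonce + register, hashlib.sha256).digest()

def verify_attestation(key, nonce, register, log, tag, golden):
    """Verifier side of RA: check quote, replay log, compare with golden digests."""
    if not hmac.compare_digest(tag, quote(key, nonce, register)):
        return "quote invalid"
    if replay(log) != register:
        return "log does not match register"
    bad = [name for name, digest in log if golden.get(name) != digest]
    return "untrusted: " + ", ".join(bad) if bad else "trusted"

# Constructed sample boot chain, reference ("golden") digests, key and nonce
GOOD = [("bootloader", b"bl-v1"), ("kernel", b"kernel-v1"), ("app", b"app-v1")]
GOLDEN = {name: measure(image) for name, image in GOOD}
TAMPERED = [GOOD[0], ("kernel", b"kernel-v1-modified"), GOOD[2]]
KEY, NONCE = b"constructed-device-key", b"verifier-nonce-01"

def attest(stages, nonce=NONCE):
    register, log = trusted_startup(stages)
    return verify_attestation(KEY, nonce, register, log, quote(KEY, nonce, register), GOLDEN)
```

`attest(TAMPERED)` reports the modified kernel stage after the device has booted, while `secure_startup(TAMPERED, GOLDEN)` stops the boot at that stage; the nonce keeps an old quote from being replayed to the verifier.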

Difference Between Trust, Privacy & Security

Difference Between Trust & Security
Trust vs. Security

Here we discuss the term "trust" and specify why we prefer the term to something such as "security".

• Security is not a quality that can be quantified easily.

• Either a system is secure or it is not secure. It should be able to resist all attacks. Therefore, a security claim
has to be treated as all-or-nothing: either one accepts the claim or one does not.
• Trust is something that can be quantified.

• A system is called trusted if it meets the intended security requirements; thus, one can assign a level of trust to
a system depending on the degree to which it meets a specific set of requirements.

Importance of Security Policy
• Information security policies can have the following benefits for an organization:
• Facilitates data integrity, availability, and confidentiality — Effective information security policies
standardize rules and processes that protect against vectors threatening data integrity, availability, and
confidentiality.
• Protects sensitive data — Information security policies prioritize the protection of intellectual property
and sensitive data such as personally identifiable information (PII).
• Minimizes the risk of security incidents — An information security policy helps organizations define
procedures for identifying and mitigating vulnerabilities and risks. It also details quick responses to
minimize damage during a security incident.
• Executes security programs across the organization — Information security policies provide the
framework for operationalizing procedures.
• Provides a clear security statement to third parties — Information security policies summarize the
organization’s security posture and explain how the organization protects IT resources and assets. They
facilitate quick response to third-party requests for information by customers, partners, and auditors.
• Helps comply with regulatory requirements — Creating an information security policy can help
organizations identify security gaps related to regulatory requirements and address them.
Security Policies
• A security policy is a statement of the security that is enforced on the
system. Thus, a system can be characterized as trusted only insofar as it satisfies a security
policy.

Types of Policies
• Information Policy
• Security Policy
• Computer Use Policy
• Internet Use Policy
• E-Mail Use Policy
• User Management Procedures
• System Management Procedures
• Incident Response Procedures
• Configuration Management Policy


Key Requirements for Policy
A policy must have the following four sections:

• Purpose: Why has the policy been created, and how does the company benefit?
• Scope: What section of the company is affected by this policy?
• Responsibility: Who is accountable for the proper implementation of the policy?
• Authority: A statement of who issued the policy and how that person has the authority to define and enforce it.

Data Classification in Security Policies

As shown in the figure, the data is classified into five different
categories. Policies are enforced based on the category.

A Data Classification Policy
• A data classification policy should contain the following sections:
1. Purpose: At a high level, a data classification policy exists to provide a framework for protecting
the data that is created, stored, processed or transmitted within the organization. It’s the
foundation for formulating specific policies, procedures, and controls necessary for protecting
confidential data.
2. Scope: The scope explains whether this policy applies to all information systems within an
organization or whether there are certain exceptions.
3. Roles and responsibilities: This outlines the key people in the organization who will be
involved in creating the policy, educating stakeholders about security best practices, identifying
risks to information, implementing controls, keeping controls up-to-date, and ensuring
compliance with the data classification policy.
4. Data classification categories: This details the categories of data that all data will be classified
into (e.g. Confidential vs. Public) and lists out what specific types of data fall into each category.
For instance, for a state government agency, confidential data includes the criminal justice
information the police departments within the state collected (e.g. criminal history record
information). Public information includes any data that may be released to the public such as
reports on the performance of a governmental function. The section should outline how
confidential information should be handled, moved or processed.
Cont…

• Data classification, security policy, and risk analysis are related functions that an
organization deploys together to enhance security:
• A data classification policy expresses an organization’s tolerance for risk
• A security policy outlines how an organization wants to approach information
security to detect and forestall the compromise of information through the
misuse of data, networks, computer systems, and applications
• A risk analysis helps an organization determine how to best protect
organizational assets (including valuable information) while balancing
business objectives and resource constraints.

What are the types of data classification?

• Classifications can be unique to an organization but always define data sensitivity level. For
example, one company might use public, controlled, restricted, and confidential terms while
another uses classified, sensitive, and critical. Effective policies govern how each
classification of data may be handled, stored, and used in addition to availability and access
restrictions.

• Data classification policies should play a large role in your overall security policy and
reflect your organization’s risk tolerance. Keep in mind that an effective data classification
policy will help your team keep pace with compliance requirements, industry best practices,
and customer expectations.

Why Have a Data Classification Policy?
• Below are some notable benefits provided by a detailed data classification
policy:
• Creates and communicates a defined framework of rules, processes, and
procedures for protecting data
• Provides an effective system to maintain data integrity and meet regulatory
requirements
• Helps unify data governance strategy and drive a culture of compliance
• Guides investment in security controls based on the identification of
sensitive data

Best practices for data classification policy
• By now you can probably see the impact that a defined data classification policy can have on your organization’s
infosec and data management plan, including keeping you out of trouble with regulators, saving you money,
and allowing your brand to shine in your customers’ eyes.
• So, what are the best practices for creating a healthy data classification policy?
• Base classifications on your organization’s specific criteria and privacy requirements after conducting a
thorough regulatory assessment.
• Use automation technology to simplify classification by rapidly analyzing and grouping data based on
established guidelines.
• Identify and understand your data profile. Some questions your policy should answer would include
where and by whom the information was collected, where it’s stored, who’s responsible for confirming
data accuracy and who’s responsible for managing data within the organization.
• Set clear, definable goals for what your policy will cover and accomplish in alignment with your
company’s purpose and ideology.
• Establish ownership to delegate responsibilities and ensure accountability.
• Keep the policy simple with as few classifications as possible.
• Review your policy at least annually to stay current with internal and external changes.
Summary
• Studied trusted and secure systems

• Importance of security policies, data classifications and its types/methods of security policies

Home Work
Q1. List down and explain the types of security policies.

Q2. Why do we require a trusted system, and how does trust differ from security? Give an example.
