Professional Documents
Culture Documents
Trust Models Security Policy Basics Policy Design Process Key Security Policies Key Security Procedures
Section 3 - Page 1
Without security policies, you have no general security framework. Policies define what behavior is and is not allowed. Policies will often set the stage in terms of what tools and procedures are needed for the organization. Policies communicate consensus among a group of governing people. Computer security is now a global issue and computing sites are expected to follow the good neighbor philosophy.
Section 3 - Page 2
Trust is a major principle underlying the development of security policies. Initial step is to determine who gets access.
use principle of least access
How much should you trust resources? How much should you trust people?
Section 3 - Page 3
Section 3 - Page 4
Trust Models Security Policy Basics Policy Design Process Key Security Policies Key Security Procedures
Section 3 - Page 5
People have different views about the need for security controls. People fear policies will be difficult to follow and implement. Policies affect everyone within the organization
most people resist measures which impede productivity some people strongly resist change some people strongly resist the big brother syndrome some people just like to rock the boat
Section 3 - Page 6
Users - policies will affect them the most. System support personnel - they will be required to implement and support the policies. Managers - concerned about protection of data and the associated cost of the policy. Business lawyers and auditors - are concerned about company reputation, responsibility to clients/customers.
Section 3 - Page 7
Trust Models Security Policy Basics Policy Design Process Key Security Policies Key Security Procedures
Section 3 - Page 8
Choose the policy development team. Designate a person or body to serve as the official policy interpreter. Decide on the scope and goals of the policy.
scope should be a statement about who is covered by the policy.
Section 3 - Page 9
All people affected by the policy should be provided an opportunity to review and comment on the policy before it becomes official.
very unrealistic for large organizations often difficult to get the information out and ensure people read it.
Incorporate policy awareness as a part of employee orientation. Provide refresher overview course on policies once or twice a year.
Section 3 - Page 10
Basic Requirements
Policies must:
be implementable and enforceable be concise and easy to understand balance protection with productivity be updated regularly to reflect the evolution of the organization
Policies should:
state reasons why policy is needed describe what is covered by the policies - whom, what, and where define contacts and responsibilities to outside agencies discuss how violations will be handled
Section 3 - Page 11
Security needs and culture play major role. Security policies MUST balance level of control with level of productivity. If policies are too restrictive, people will find ways to circumvent controls. Technical controls are not always possible. Must have management commitment on level of control.
Section 3 - Page 12
Dependent on company size and goals. One large document or several small ones?
smaller documents are easier to maintain and update
Some policies appropriate for every site, others are specific to certain environments. Some key policies:
Acceptable Use User Account Remote Access Information Protection
Section 3 - Page 13
Trust Models Security Policy Basics Policy Design Process Key Security Policies Key Security Procedures
Section 3 - Page 14
Discusses and defines the appropriate use of the computing resources. Users should be required to read and sign AU policy as part of the account request process. Many examples of AU policies can be found on:
http://www.eff.org/pub/CAF/policies/
Section 3 - Page 15
Should state responsibility of users in terms of protecting information stored on their accounts. Should state if users can read and copy files that are not their own, but are accessible to them. Should state if users can modify files that are not their own, but for which they have write access. Should state if users are allowed to make copies of systems configuration files (e.g., /etc/passwd) for /etc/passwd) their personal use, or to provide to other people.
Section 3 - Page 16
Should state if users are allowed to use .rhosts files and what types of entries are acceptable. Should state if users can share accounts. Should state if users can make copies of copyrighted software? Should state level of acceptable usage for electronic mail, Internet news and web access.
Section 3 - Page 17
Outlines the requirements for requesting and maintaining an account on the systems. Very important for large sites where users typically have accounts on many systems. Some sites have users read and sign an Account Policy as part of the account request process. Example User Account Policies are also available on the CAF archive along with the Acceptable Use Policies.
http://www.eff.org/pub/CAF/policies/
Section 3 - Page 18
Should state who has the authority to approve account requests. Should state who is allowed to use the resources (e.g., employees or students only) Should state any citizenship/resident requirements. Should state if users are allowed to share accounts or if users are allowed to have multiple accounts on a single host. Should state the users rights and responsibilities.
Section 3 - Page 19
Should state when the account should be disabled and archived. Should state how long the account can remain inactive before it is disabled. Should state password construction and aging rules.
Section 3 - Page 20
Outlines and defines acceptable methods of remotely connecting to the internal network. Essential in large organization where networks are geographically dispersed and even extend into the homes. Should cover all available methods to remotely access internal resources:
dialdial-in (SLIP, PPP) ISDN/Frame Relay telnet access from Internet Cable modem
Section 3 - Page 21
Should define who is allowed to have remote access capabilities. Should define what methods are allowed for remote access. Should discuss if dial-out modems are allowed. dialShould discuss who is allowed to have high-speed highremote access such as ISDN, Frame Relay or cable modem.
what extra requirements are there? can other members of household use network?
Section 3 - Page 22
Should discuss any restrictions on data that can be accessed remotely. If partners connections are commonplace, should discuss requirements and methods.
Section 3 - Page 23
Provides guidelines to users on the processing, storage and transmission of sensitive information. Main goal is to ensure information is appropriately protected from modification or disclosure. May be appropriate to have new employees sign policy as part of their initial orientation. Should define sensitivity levels of information.
Section 3 - Page 24
Should define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc). Should define on which systems sensitive information can be stored. Should discuss what levels of sensitive information can be printed on physically insecure printers.
Section 3 - Page 25
Should define how sensitive information is removed from systems and storage devices.
degaussing of storage media scrubbing of hard drives shredding of hardcopy output
Should discuss any default file and directory permissions defined in system-wide configuration systemfiles.
Section 3 - Page 26
Describes how firewall hardware and software is managed and how changes are requested and approved. Should discuss who can obtain privileged access to firewall systems. Should discuss the procedure to request a firewall configuration change and how the request is approved. Should discuss who is allowed to obtain information regarding the firewall configuration and access lists. Should discuss review cycles for firewall system configurations.
Section 3 - Page 27
Defines requirements for requesting and using special systems accounts (root, bkup,). Should discuss how users can obtain special access. Should discuss how special access accounts are audited. Should discuss how passwords for special access accounts are set and how often they are changed. Should discuss reasons why special access is revoked.
Section 3 - Page 28
Defines requirements for adding new devices to the network. Well suited for sites with multiple support teams. Important for sites which are not behind a firewall. Should discuss:
who can install new resources on network what approval and notification must be done how changes are documented what are the security requirements how unsecured devices are treated
Section 3 - Page 29
Policy which addresses forwarding of email to offsite addresses. Policy which addresses wireless networks. Policy which addresses baseline lab security standards. Policy which addresses baseline router configuration parameters.
Section 3 - Page 30
Trust Models Security Policy Basics Policy Design Process Key Security Policies Key Security Procedures
Section 3 - Page 31
Security Procedures
Policies only define "what" is to be protected. Procedures define "how" to protect resources and are the mechanisms to enforce policy. Procedures define detailed actions to take for specific incidents. Procedures provide a quick reference in times of crisis. Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis).
Section 3 - Page 32
Defines how new hardware/software is tested and installed. Defines how hardware/software changes are documented. Defines who must be informed when hardware and software changes occur. Defines who has authority to make hardware and software configuration changes.
Section 3 - Page 33
Defines which file systems are backed up. Defines how often backups are performed. Defines how often storage media is rotated. Defines how often backups are stored off-site. offDefines how storage media is labeled and documented.
Section 3 - Page 34
A "cookbook" procedure for frontline support personnel. Defines who to call and when. Defines initial steps to take. Defines initial information to record.
Section 3 - Page 35
Defines how to handle intruder attacks. Defines areas of responsibilities for members of the response team. Defines what information to record and track. Defines who to notify and when. Defines who can release information and the procedure for releasing the information. Defines how a follow-up analysis should be followperformed and who will participate.
Section 3 - Page 36
Main goal of plan is to outline tasks to keep critical resources running and to minimize impact of disaster. Ensure critical information needed for disaster response is kept off-site and easily accessible after offthe onset of a disaster.
Section 3 - Page 37
Plan should outline several operating modes based on level of damage to resources. Determine the need for hot or cold sites. Disaster preparedness drills should be conducted several times a year.
Section 3 - Page 38
Section 3 - Page 39
Ensure policies and procedures are provided to managers, users and support staff. Ensure polices are in line with the security philosophy and any regulations the organization is required to follow. Ensure policies are reviewed on a regular basis and are updated as necessary. Ensure sufficient training is provided on a regular basis.
Section 3 - Page 40
Section 3 - Page 41
Section 3 - Page 42
Section 3 - Page 43