
Section Three: Policies and Procedures

    

- Trust Models
- Security Policy Basics
- Policy Design Process
- Key Security Policies
- Key Security Procedures

How To Build A Successful Security Infrastructure

Section 3 - Page 1

Security Policies - Why use them?




- Without security policies, you have no general security framework.
- Policies define what behavior is and is not allowed.
- Policies will often set the stage in terms of what tools and procedures are needed for the organization.
- Policies communicate consensus among a group of governing people.
- Computer security is now a global issue and computing sites are expected to follow the good neighbor philosophy.

Who and What to Trust




- Trust is a major principle underlying the development of security policies.
- Initial step is to determine who gets access.
  - use principle of least access
- Deciding on level of trust is a delicate balancing act.
  - too much -> eventual security problems
  - too little -> difficult to find and keep satisfied employees
- How much should you trust resources?
- How much should you trust people?


Possible Trust Models




- Trust everyone all of the time
  - easiest to enforce, but impractical
  - one bad apple can ruin the whole barrel
- Trust no one at no time
  - most restrictive, but also impractical
  - impossible to find employees to work under such conditions
- Trust some people some of the time
  - exercise caution in amount of trust placed in employees
  - access is given out as needed
  - technical controls are needed to ensure trust is not violated


Why the Political Turmoil?




- People view policies as:
  - an impediment to productivity
  - measures to control behavior
- People have different views about the need for security controls.
- People fear policies will be difficult to follow and implement.
- Policies affect everyone within the organization
  - most people resist measures which impede productivity
  - some people strongly resist change
  - some people strongly resist the big brother syndrome
  - some people just like to rock the boat


Who Should be Concerned?


 

- Users - policies will affect them the most.
- System support personnel - they will be required to implement and support the policies.
- Managers - concerned about protection of data and the associated cost of the policy.
- Business lawyers and auditors - are concerned about company reputation, responsibility to clients/customers.


The Policy Design Process


 

- Choose the policy development team.
- Designate a person or body to serve as the official policy interpreter.
- Decide on the scope and goals of the policy.
  - scope should be a statement about who is covered by the policy.
- Decide on how specific to make the policy
  - not a detailed implementation plan
  - don't include facts which change frequently


The Policy Design Process




- All people affected by the policy should be provided an opportunity to review and comment on the policy before it becomes official.
  - very unrealistic for large organizations
  - often difficult to get the information out and ensure people read it.
- Incorporate policy awareness as a part of employee orientation.
- Provide refresher overview course on policies once or twice a year.


Basic Requirements


- Policies must:
  - be implementable and enforceable
  - be concise and easy to understand
  - balance protection with productivity
  - be updated regularly to reflect the evolution of the organization
- Policies should:
  - state reasons why policy is needed
  - describe what is covered by the policies - whom, what, and where
  - define contacts and responsibilities to outside agencies
  - discuss how violations will be handled


Determining Level of Control


 

- Security needs and culture play major role.
- Security policies MUST balance level of control with level of productivity.
- If policies are too restrictive, people will find ways to circumvent controls.
- Technical controls are not always possible.
- Must have management commitment on level of control.

 


Choosing A Policy Structure


 

- Dependent on company size and goals.
- One large document or several small ones?
  - smaller documents are easier to maintain and update
- Some policies appropriate for every site, others are specific to certain environments.
- Some key policies:
  - Acceptable Use
  - User Account
  - Remote Access
  - Information Protection


The Acceptable Use Policy




- Discusses and defines the appropriate use of the computing resources.
- Users should be required to read and sign AU policy as part of the account request process.
- Many examples of AU policies can be found on:
  - http://www.eff.org/pub/CAF/policies/


Some Elements of the Acceptable Use Policy




- Should state responsibility of users in terms of protecting information stored on their accounts.
- Should state if users can read and copy files that are not their own, but are accessible to them.
- Should state if users can modify files that are not their own, but for which they have write access.
- Should state if users are allowed to make copies of systems configuration files (e.g., /etc/passwd) for their personal use, or to provide to other people.


Acceptable Use Policy




- Should state if users are allowed to use .rhosts files and what types of entries are acceptable.
- Should state if users can share accounts.
- Should state if users can make copies of copyrighted software.
- Should state level of acceptable usage for electronic mail, Internet news and web access.

 


User Account Policy




- Outlines the requirements for requesting and maintaining an account on the systems.
- Very important for large sites where users typically have accounts on many systems.
- Some sites have users read and sign an Account Policy as part of the account request process.
- Example User Account Policies are also available on the CAF archive along with the Acceptable Use Policies.
  - http://www.eff.org/pub/CAF/policies/


Elements of a User Account Policy




- Should state who has the authority to approve account requests.
- Should state who is allowed to use the resources (e.g., employees or students only).
- Should state any citizenship/resident requirements.
- Should state if users are allowed to share accounts or if users are allowed to have multiple accounts on a single host.
- Should state the users' rights and responsibilities.

 


Elements of User Account Policy




- Should state when the account should be disabled and archived.
- Should state how long the account can remain inactive before it is disabled.
- Should state password construction and aging rules.


Remote Access Policy




- Outlines and defines acceptable methods of remotely connecting to the internal network.
- Essential in large organization where networks are geographically dispersed and even extend into the homes.
- Should cover all available methods to remotely access internal resources:
  - dial-in (SLIP, PPP)
  - ISDN/Frame Relay
  - telnet access from Internet
  - Cable modem


Elements of Remote Access Policy




- Should define who is allowed to have remote access capabilities.
- Should define what methods are allowed for remote access.
- Should discuss if dial-out modems are allowed.
- Should discuss who is allowed to have high-speed remote access such as ISDN, Frame Relay or cable modem.
  - what extra requirements are there?
  - can other members of household use network?

 


Elements of Remote Access Policy




- Should discuss any restrictions on data that can be accessed remotely.
- If partner connections are commonplace, should discuss requirements and methods.


Information Protection Policy




- Provides guidelines to users on the processing, storage and transmission of sensitive information.
- Main goal is to ensure information is appropriately protected from modification or disclosure.
- May be appropriate to have new employees sign policy as part of their initial orientation.
- Should define sensitivity levels of information.


Key Elements of Information Protection Policy




- Should define who can have access to sensitive information.
  - special circumstances
  - non-disclosure agreements
- Should define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc).
- Should define on which systems sensitive information can be stored.
- Should discuss what levels of sensitive information can be printed on physically insecure printers.

Key Elements of Information Protection Policy




- Should define how sensitive information is removed from systems and storage devices.
  - degaussing of storage media
  - scrubbing of hard drives
  - shredding of hardcopy output
- Should discuss any default file and directory permissions defined in system-wide configuration files.


Firewall Management Policy




- Describes how firewall hardware and software are managed and how changes are requested and approved.
- Should discuss who can obtain privileged access to firewall systems.
- Should discuss the procedure to request a firewall configuration change and how the request is approved.
- Should discuss who is allowed to obtain information regarding the firewall configuration and access lists.
- Should discuss review cycles for firewall system configurations.

Special Access Policy




- Defines requirements for requesting and using special systems accounts (root, bkup,).
- Should discuss how users can obtain special access.
- Should discuss how special access accounts are audited.
- Should discuss how passwords for special access accounts are set and how often they are changed.
- Should discuss reasons why special access is revoked.

 


Network Connection Policy




- Defines requirements for adding new devices to the network.
- Well suited for sites with multiple support teams.
- Important for sites which are not behind a firewall.
- Should discuss:
  - who can install new resources on network
  - what approval and notification must be done
  - how changes are documented
  - what are the security requirements
  - how unsecured devices are treated

  


Other Important Policies




- Policy which addresses forwarding of email to offsite addresses.
- Policy which addresses wireless networks.
- Policy which addresses baseline lab security standards.
- Policy which addresses baseline router configuration parameters.

 


Security Procedures


- Policies only define "what" is to be protected.
- Procedures define "how" to protect resources and are the mechanisms to enforce policy.
- Procedures define detailed actions to take for specific incidents.
- Procedures provide a quick reference in times of crisis.
- Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis).


Configuration Management Procedure




- Defines how new hardware/software is tested and installed.
- Defines how hardware/software changes are documented.
- Defines who must be informed when hardware and software changes occur.
- Defines who has authority to make hardware and software configuration changes.


Data Backup and Off-site Storage Procedures

- Defines which file systems are backed up.
- Defines how often backups are performed.
- Defines how often storage media is rotated.
- Defines how often backups are stored off-site.
- Defines how storage media is labeled and documented.


Security Incident Escalation Procedure




- A "cookbook" procedure for frontline support personnel.
- Defines who to call and when.
- Defines initial steps to take.
- Defines initial information to record.

  


Incident Handling Procedure


 

- Defines how to handle intruder attacks.
- Defines areas of responsibilities for members of the response team.
- Defines what information to record and track.
- Defines who to notify and when.
- Defines who can release information and the procedure for releasing the information.
- Defines how a follow-up analysis should be performed and who will participate.

  


Disaster Planning and Response




- A disaster is a large scale event which affects major portions of an organization.
  - a major earthquake, flood, hurricane, or tornado
  - a major power outage lasting > 48 hours
  - destruction of building structures
- Main goal of plan is to outline tasks to keep critical resources running and to minimize impact of disaster.
- Ensure critical information needed for disaster response is kept off-site and easily accessible after the onset of a disaster.


Disaster Planning and Response




- Plan should outline several operating modes based on level of damage to resources.
- Determine the need for hot or cold sites.
- Disaster preparedness drills should be conducted several times a year.

 


Resources For Security Policies and Procedures




- RFC2196 - The Site Security Procedures Handbook
  - obsoletes rfc1244 as of 9/97.
  - http://ds.internic.net/rfc/rfc2196.txt
- Some useful Web sites:
  - http://www.gatech.edu/itis/policy/usage/contents.html
  - http://csrc.ncsl.nist.gov/secplcy/


Section Three Recap




- Ensure policies and procedures are provided to managers, users and support staff.
- Ensure policies are in line with the security philosophy and any regulations the organization is required to follow.
- Ensure policies are reviewed on a regular basis and are updated as necessary.
- Ensure sufficient training is provided on a regular basis.


Section Three Recap




- Important policies every site should have:
  - Acceptable Use Policy
  - Remote Access Policy
  - Information Protection Policy
  - Firewall Management Policy
- Important Procedures every site should have:
  - Configuration Management Procedure
  - Data Backup and Off-site Storage
  - Incident Handling Procedure
  - Disaster Recovery Procedure


End of Section Three

Class Exercise & Questions


Class Exercise Three:




- What is the trust model in use at your company?
  - How long does someone have to wait to get root or enable level access?
- Describe your policy design process.
  - How many people are involved?
  - What is the approval process?
- What are the key policies in use at your site?
  - Which key policies don't you have that you would like to have?
- How do you inform the user community about a new policy?
  - Do you feel users read and understand the policies?
