Assignment
Chapter 5
Security Policies, Standards, Procedures, Guidelines
Copyright © 2014 by McGraw-Hill Education.
Introduction
This chapter covers the basics of
Policies
Standards
Procedures
Guidelines
with examples to illustrate the principles
Policies, Standards, Procedures, and Guidelines
The four components of security documentation are policies, standards, procedures, and guidelines.
Policies are high-level statements of requirements.
Standards specify how to configure devices, how to install and configure software, and how to use computer systems and other organizational assets, to be compliant with the intentions of the policy.
Procedures specify the step-by-step instructions to perform various tasks in accordance with policies and standards.
Guidelines are advice about how to achieve the goals of the security policies, but they are suggestions, not rules.
Security Policies
A security policy is the essential foundation for an effective and comprehensive security program.
A good security policy should be a high-level, brief, formalized statement of management’s intentions for employees and other stakeholders to follow.
A security policy should be concise and easy to understand so that everyone can follow the guidance set forth in it.
Security Policy Development
Use a top-down approach.
Take the time to understand the organization’s regulatory landscape, business objectives, and risk management concerns, including the corporation’s general policy statements.
Incorporate industry-specific regulation.
Policy Audience
For managers, a security policy identifies the expectations of senior management about roles and responsibilities and about acceptable and unacceptable behavior.
For technical staff, a security policy clarifies which security controls should be used on the network, in the physical facilities, and on computer systems.
For all employees, a security policy describes how they should conduct themselves when using the computer systems, e-mail, phones, and voice mail.
Security Policy Essentials
Why should the policy address these particular concerns? (Purpose)
Who should the policy address? (Responsibilities)
Where should the policy be applied? (Scope)
What should the policy contain? (Content)
Phased Approach
Requirements gathering
Regulatory requirements (industry specific)
Advisory requirements (best practices)
Informative requirements (organization specific)
Project definition and proposal based on requirements
Policy development
Review and approval
Publication and distribution
Ongoing maintenance (and revision)
Security Policy Contributors
Policy development should not be the sole responsibility of the IT department
Every department that has a stake in the security policy should be involved in its development
Security Policy Audience
Employees
Contractors and temporary workers
Consultants, system integrators, and service providers
Business partners and third-party vendors
Employees of subsidiaries and affiliates
Customers who use the organization’s information resources
Policy Categories
Regulatory
Advisory
Informative
Format
Author: The policy writer
Sponsor: The executive champion
Authorizer: The executive signer with ultimate authority
Effective date: When the policy takes effect; generally when authorized
Review date: Subject to agreement by all parties; at least annually
Purpose: Why the policy exists; regulatory, advisory, or informative
Scope: Who the policy affects and where the policy is applied
Policy: What the policy is about
Exceptions: Who or what is not covered by the policy
Enforcement: How the policy will be enforced, and the consequences if it is not enforced
Definitions: Terms the reader may need to know
References: Links to other related policies and corporate documents
Frameworks – FISMA
FISMA-based approach: The Federal Information Security Management Act of 2002 imposes a mandatory set of processes that must follow a combination of Federal Information Processing Standards (FIPS) documents, the NIST Special Publications 800 series, and other legislation pertinent to federal information systems.
Frameworks – NIST 800-53
NIST Special Publication 800-53 is organized into 18 major categories:
Access Control
Awareness and Training
Audit and Accountability
Security Assessment and Authorization
Configuration Management
Contingency Planning
Identification and Authentication
Incident Response
Maintenance
Media Protection
Physical and Environmental Protection
Planning
Personnel Security
Risk Assessment
System and Services Acquisition
System and Communications Protection
System and Information Integrity
Program Management
Frameworks – HIPAA
Organizations may map NIST SP 800-53 control objectives to the HIPAA Security Rule.
HIPAA categorizes security controls (referred to as safeguards) into three major categories:
Administrative
Physical
Technical
As an example, CFR Part 164.312 section (c)(1), which requires protection against improper alteration or destruction of data, is a HIPAA required control that maps to the NIST 800-53 System and Information Integrity controls.
Frameworks – COBIT, OCTAVE, ISO
COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks.
Developing policy from a COBIT framework may take considerable collaboration with the Finance and Audit departments.
COBIT may need to be combined with ITIL (IT Infrastructure Library) to ensure that service management objectives are met.
OCTAVE framework from CERT
ISO family (27001 and 27002) from the International Standards Organization
Security Awareness
To be effective, security policies must be communicated to employees.
The first line of attack against any organization’s assets is often the trusted internal personnel, the employees who have been granted access to the internal resources.
One of the most effective strategies to combat the exposure of information by employees is education.
A good security awareness program should include communications and periodic reminders to employees about what they should and should not divulge to outside parties.
Training and education help mitigate the threats of social engineering and information leakage.
Security Awareness Plan
A plan for an effective security awareness program should include the following:
A statement of measurable goals for the awareness program
Identification and categorization of the audience
Specification of the information to be included in the program
Description of how the employees will benefit from the program
Security Awareness Topics
Specific topics that are contained in most awareness programs include
Privacy of personal, customer, and the organization’s information (including payroll, medical, and personnel records)
The scope of inherent software and hardware vulnerabilities and how the organization manages this risk
Hostile software or malicious code (for example, viruses, worms, Trojans, back doors, and spyware) and how it can damage the network and compromise the privacy of individuals, customers, and the organization
The impact of distributed attacks and distributed denial-of-service attacks and how to defend against them
The principle of shared risk in networked systems (the risk assumed by one employee is imposed on the entire network)
Typical Topics
How to report potential security events, including who should be notified and what to do during and after an incident, the timeframe for such reporting, and what to do about unauthorized or suspicious activity. Some situations may require use of verbal communication instead of e-mail, such as when another employee (especially a system administrator) is acting suspiciously, when a computer system is under attack, or when e-mail may be intercepted by the intruder.
How to use information technology systems in a secure manner.
How to create and manage passwords, safely conduct file transfers and downloads, and handle e-mail attachments.
Example Topics – Acceptable Use
Protect the organization’s intellectual property and keep it confidential.
Report any unauthorized or inappropriate use, or any security concerns.
Do not forward, provide access to, store, distribute, or process confidential information for unauthorized people or in unauthorized places, and do not post confidential information on Internet bulletin boards, chat rooms, or other electronic forums.
Do not access information resources, records, files, information, or any other data when there is no proper, authorized, job-related need.
Do not use any account and/or password that has not been assigned to you.
Do not view offensive web sites, and do not send or forward offensive e-mail.
Do not place personal files on the organization’s computing servers.
Do not connect any equipment not owned and managed by the organization to the organization’s network.
Example Topics – Data Classification
Personal: Not owned by the organization; belongs to private individuals
Public: Intended for distribution to and viewing by the general public
Confidential: For use by employees, contractors, and business partners only
Proprietary: To be handled by authorized parties only
Secret: For use only by designated individuals with a need to know
Example Topics – Accounts
Account/Password Authentication
New Account Requests
Account Changes
Two-Factor Authentication
Generic User Accounts
Inactive Screen Lock
Login Message
Failed Login Account Disabling
Password Construction
Password Expiration
Password Privacy
Password Reset
Password Reuse
Employee Account Lifetime
Contractor Account Lifetime
Business Partner Account Lifetime
Same Passwords
Generic Application Accounts
Inactive Accounts
Unattended Session Logoff
User-Constructed Passwords
User Separation
Multiple Simultaneous Logins
Example Topics – Networks
Extranet Connection Access Control
System Communication Ports
Inbound Internet Communication Ports
Outbound Internet Communication Ports
Unauthorized Internet Access Blocking
Extranet Connection Network Segmentation
Virtual Private Network
Virtual Private Network Authentication
Home System Connections
Example Topics – Data Privacy
Copyright Notice
E-mail Monitoring
Intellectual Property
Clear Text Passwords
Clear Text E-mail
Customer Information Sharing
Employee Information Sharing
Employee Communication Monitoring
Examination of Data on the Organization’s Systems
Search of Personal Property
Encryption of Data Backups
Encryption of Extranet Connection
Shredding of Private Documents
Destruction of Computer Data
Cell Phone Privacy
Confidential Information Monitoring
Unauthorized Data-Access Blocking
Data Access
Server Access
Highly Protected Networks
Example Topics – Data Integrity
Workstation Antivirus Software
Virus-Signature Updating
Central Virus-Signature Management
E-mail Virus Blocking
E-mail Subject Blocking
Virus Communications
Virus Detection, Monitoring, and Blocking
Back-out Plan
Software Testing
Division of Environments
Version Zero Software
Backup Testing
Online Backups
Onsite Backup Storage
Fireproof Backup Storage
Offsite Backup Storage
Quarter-End and Year-End Backups
Change Control Board
Minor Changes
Major Changes
Vendor-Supplied Application Patches
Vendor-Supplied Operating System Patches
Vendor-Supplied Database Patches
Disaster Recovery
System Redundancy
Network Redundancy
Example Topics – Personnel Management
Application Monitoring
Desktop System Administration
Intrusion-Detection Monitoring
Firewall Monitoring
Network Security Monitoring
System Administrator Authorization
System Administrator Account Monitoring
System Administrator Authentication
System Administrator Account Login
System Administrator Monitoring
Remote Virus-Signature Management
Remote Server Security Management
Remote Network Security Monitoring
Remote Firewall Management
Example Topics – Security Management
Employee Nondisclosure Agreements
Nondisclosure Agreements
System Activity Monitoring
Software Installation Monitoring
System Vulnerability Scanning
Security Document Lifecycle
Security Audits
Penetration Testing
Security Drills
Extranet Connection Approval
Non-employee Access to Corporate Information
New Employee Access Approval
Employee Access Change Approval
Contractor Access Approval
Employee Responsibilities
Security Personnel Responsibilities
Employee Responsibility for Security
Sensitive HR Information
Security Policy Enforcement
HR New Hire Reporting
HR Termination Reporting
Contractor Information Reporting
Background Checks
Reference Checks
Example Topics – Physical Security
Building and Campus Security:
Room Access Based on Job Function
Physical Security for Laptops
Position of Computer Monitors
Badges on the Organization’s Premises
Temporary Badges
Guards for Private Areas
Badge Checking
Tailgating
Employee Responsibility for Security
Security Policy Enforcement
Example Topics – Physical Security
Data Center Security:
Physical Security for Critical Systems
Security Zones
Non-employee Access to Corporate Systems
Asset Tags
Equipment Entrance Pass
Equipment Exit Pass
Access Authorization
Access from Inside
Employee Access Lifetime
Inactive Access Badges
New Access Requests
Production Staff Access
Access Monitoring
Access via Secure Area
Buddy System
Three-Badge Access Requirement
Biometric Authentication
Room Access Based on Job Function
Example Topics – Health and Safety
Search of Personal Property
Tailgating
Security Drills
Security Standards
Standards describe how to comply with the policy
Specify technology settings, platforms, or behaviors
Security Standard Example
SERVICES
Specific services that are required for general operation of the systems and for resident vendor applications are to be reviewed for security risks and approved by the Security Manager.
Services that are not needed are to be disabled during boot.
INITIAL PASSWORD AND LOGIN SETTINGS
The default login setting is to be set to lock out the session after three failed password login attempts.
Default password settings must enforce a minimum of eight characters.
The ability to log in directly over the network to the root account must be disabled.
SENDMAIL
The sendmail service is to be disabled on all non-mail servers unless required by an application running on the system. Applications requiring sendmail services must first be approved by the IT system operations manager.
BANNER/NOTICE
Configure the login banner with the standard warning notice.
LOGGING
Turn on logging for Internet standard services.
Turn on logging for LOG_AUTHPRIV facility.
Log connection tracing to inetd/xinetd and messages sent to AUTH facility.
Set logging for sudo activities.
Send all kernel authorization, debug, and daemon notices to a syslog server.
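A standard is only useful if compliance with it can be checked. The script below is an added example, not from the book, that audits Unix configuration files against four items of the standard above: no direct network login to root, an eight-character minimum password length, lockout after three failed logins, and forwarding of authorization logs to a syslog server. The directive names are the real sshd_config, login.defs, pam_faillock and syslog.conf/rsyslog ones; the sample files it creates are constructed for illustration, and the host name logs.example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the book): audits configuration files against four
# items of the security standard. The sample files below are constructed; to
# audit a live host, point the functions at /etc/ssh/sshd_config,
# /etc/login.defs, the PAM auth file and the syslog configuration instead.

# Value of the first uncommented "Key value" directive in a file. sshd uses
# the first value it finds for a keyword, so the check mirrors that rule.
directive() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{ print $2 }'
}

# sshd must explicitly refuse root logins over the network.
check_root_login() {
  val=$(directive "$1" PermitRootLogin | tr 'A-Z' 'a-z')
  [ "$val" = "no" ]
}

# Password policy must require at least eight characters.
check_min_length() {
  val=$(directive "$1" PASS_MIN_LEN)
  [ -n "$val" ] && [ "$val" -ge 8 ] 2>/dev/null
}

# An active pam_faillock line must lock out after at most three failures.
check_lockout() {
  n=$(grep -v '^[[:space:]]*#' "$1" | grep pam_faillock |
      sed -n 's/.*deny=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
  [ -n "$n" ] && [ "$n" -ge 1 ] && [ "$n" -le 3 ]
}

# Some active selector covering authpriv (or all facilities) must target an
# @host or @@host action, i.e. a remote syslog server.
check_remote_syslog() {
  grep -Eq '^[[:space:]]*[^#[:space:]]*(authpriv|\*)\.[^[:space:]]*[[:space:]]+@' "$1"
}

# report NAME CHECK FILE: prints PASS/FAIL for one item, returns 1 on FAIL.
report() {
  if "$2" "$3"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi
}

# Runs every check; the return value is the number of failed items.
audit_host() {
  fails=0
  report PermitRootLogin check_root_login    "$1" || fails=$((fails + 1))
  report PASS_MIN_LEN    check_min_length    "$2" || fails=$((fails + 1))
  report faillock_deny   check_lockout       "$3" || fails=$((fails + 1))
  report remote_syslog   check_remote_syslog "$4" || fails=$((fails + 1))
  return "$fails"
}

# Constructed sample files: one compliant set and one that fails every item.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/sshd_config.good" <<'EOF'
Port 22
PermitRootLogin no
EOF
cat > "$SAMPLE/sshd_config.bad" <<'EOF'
PermitRootLogin yes
EOF
cat > "$SAMPLE/login.defs.good" <<'EOF'
PASS_MAX_DAYS 90
PASS_MIN_LEN 8
EOF
cat > "$SAMPLE/login.defs.bad" <<'EOF'
PASS_MIN_LEN 5
EOF
cat > "$SAMPLE/pam.good" <<'EOF'
auth required pam_faillock.so preauth silent deny=3 unlock_time=900
EOF
cat > "$SAMPLE/pam.bad" <<'EOF'
auth required pam_faillock.so preauth silent deny=10 unlock_time=900
EOF
cat > "$SAMPLE/syslog.good" <<'EOF'
authpriv.*;kern.*;daemon.notice   @@logs.example.com:514
*.info;authpriv.none              /var/log/messages
EOF
cat > "$SAMPLE/syslog.bad" <<'EOF'
# logs stay local only
authpriv.*                        /var/log/secure
EOF

echo "== compliant host"
audit_host "$SAMPLE/sshd_config.good" "$SAMPLE/login.defs.good" "$SAMPLE/pam.good" "$SAMPLE/syslog.good"
echo "== non-compliant host"
audit_host "$SAMPLE/sshd_config.bad" "$SAMPLE/login.defs.bad" "$SAMPLE/pam.bad" "$SAMPLE/syslog.bad" ||
  echo "$? item(s) out of compliance"
```

Each check reads a single file and returns a plain exit status, so the same functions can be wired into a configuration-management or monitoring job; the failure count returned by audit_host makes a non-zero exit the signal that the host drifted from the standard.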
Security Procedures
Procedures are step-by-step instructions on performing a specific task.
Security Procedure Example
Compile and install the server software as follows:
./configure --prefix=/usr/local/apache --disable-module=all --server-uid=apache --server-gid=apache --enable-module=access --enable-module=log_config --enable-module=dir --enable-module=mime --enable-module=auth
make
su
umask 022
make install
chown -R root:sys /usr/local/apache
mknod /chroot/httpd/dev/null c 2 2
chown root:sys /chroot/httpd/dev/null
chmod 666 /chroot/httpd/dev/null
Restart the system.
Security Guidelines
Guidelines give advice.
They are not mandatory—they are just suggestions on how to follow the policy.
Guidelines are meant to make life easier.
Security Guideline Example
PASSWORD SELECTION GUIDELINES
Use as many different characters as possible including numbers, punctuation characters, and mixed upper- and lowercase letters.
Select passwords that are easy to remember, so they do not have to be written down.
Don’t use any of the following easily guessed items in your password:
Your name, the names of any family or friends, names of fictional characters
Phone number, license or Social Security numbers
Any word in the dictionary
Passwords of all the same letter or any variation on the word “password”
Simple patterns on the keyboard, such as qwerty
Any word spelled backward
Suggestions:
Use the first one or two letters of each word in a phrase, song, or poem you can easily remember. Add a punctuation mark and a number.
Or use intentionally misspelled words with a number or punctuation mark in the middle.
You can also alternate between one consonant and one or two vowels, and include a number and a punctuation mark. This provides a pronounceable nonsense word that you can remember.
Or you can choose two short words and concatenate them together with a punctuation character between them.
Or interlace two words or a word and a number (such as a year) by alternating characters.
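A guideline gives advice, but the same rules can be turned into a check that a password-change tool runs before accepting a candidate. The script below is an added example, not from the book: it rejects each "easily guessed" item the guideline lists (dictionary words forward or spelled backward, the word "password" and leet-style variations of it, keyboard patterns, a single repeated character), requires the mix of character classes the guideline recommends, and applies the eight-character minimum from the standard earlier in the chapter. The word and keyboard-pattern lists are small constructed stand-ins for a real dictionary, and the candidate passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the book): an enforceable version of the password
# selection guideline. WORDS and PATTERNS are constructed stand-ins; a real
# deployment would load a full dictionary and a longer pattern list.

WORDS="password secret welcome summer dragon monkey"
PATTERNS="qwerty asdfgh zxcvbn 123456 abcdef"

# Reverse a string without relying on rev(1), which not every system has.
reverse() {
  printf '%s' "$1" |
    awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# Lowercase and fold common substitutions (@->a, $->s, 0->o, 1->l, 3->e)
# so that "P@ssw0rd" is still recognised as a variation of "password".
normalize() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '@$013' 'asole'
}

# Prints why a candidate is rejected, or "ok"; exit status is 0 only for "ok".
check_password() {
  pw=$1
  [ "${#pw}" -ge 8 ] || { echo "too short"; return 1; }
  distinct=$(printf '%s\n' "$pw" | fold -w 1 | sort -u | wc -l | tr -d ' ')
  [ "$distinct" -gt 1 ] || { echo "single repeated character"; return 1; }
  printf '%s' "$pw" | grep -q '[[:lower:]]' || { echo "no lowercase letter"; return 1; }
  printf '%s' "$pw" | grep -q '[[:upper:]]' || { echo "no uppercase letter"; return 1; }
  printf '%s' "$pw" | grep -q '[[:digit:]]' || { echo "no digit"; return 1; }
  printf '%s' "$pw" | grep -q '[[:punct:]]' || { echo "no punctuation"; return 1; }
  lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
  norm=$(normalize "$pw")
  # Dictionary words are matched against the normalized form, forward and reversed.
  for w in $WORDS; do
    case "$norm" in
      *"$w"*)              echo "contains dictionary word '$w'"; return 1 ;;
      *"$(reverse "$w")"*) echo "contains reversed dictionary word '$w'"; return 1 ;;
    esac
  done
  # Keyboard patterns are matched against the plain lowercase form, since
  # normalization would rewrite the digits in "123456".
  for p in $PATTERNS; do
    case "$lower" in *"$p"*) echo "keyboard pattern '$p'"; return 1 ;; esac
  done
  echo ok
}

# Constructed candidates; the first follows the guideline's own suggestion
# ("to be or not to be" -> first letters, plus a punctuation mark and a number).
for candidate in 'Tbontb!7' 'P@ssw0rd!' 'Dr0wssap!9' 'Qwerty12!' 'aaaaaaaa' 'Short1!'; do
  printf '%-12s %s\n' "$candidate" "$(check_password "$candidate")"
done
```

The rejection reason is printed rather than just a yes/no so that a user sees which rule the candidate broke, which is the point of a guideline in the first place.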
Reference
Charles Cresson Wood published a comprehensive set of sample policies that can be customized:
Wood, Charles C. Information Security Policies Made Easy. Version 10. Baseline Software, 2008.
Summary
This chapter is about how to develop security policies and their associated standards, procedures, and guidelines.
A security policy forms the foundation for a productive security program. It is a statement about how to protect an organization.
Security policies should tell their audience what must be done, not how these things should be done.
A security policy provides instructions about what kinds of behavior or resource usage are required and acceptable, and about what is forbidden and unacceptable.
Every department that has a stake in the security policy should be involved in its development.
Understand the regulatory and business requirements first, select an appropriate framework or approach, and follow a phased approach to security policy development.