Standards, Policies, Procedures, and Guidelines - PowerPoint PPT Presentation

Provided by: facultyBu1

1
Standards, Policies, Procedures, and Guidelines
  • Lesson 20

2
Some Definitions (from Information Security Policies, Procedures and Standards)
  • Policy: a high-level statement of an organization's beliefs, goals, and objectives and the general means for their attainment for a specified subject area.
  • Standards: mandatory activities, actions, rules or regulations designed to provide policies with a support structure and specific direction.
  • Guidelines: more general statements that provide a framework within which to implement procedures. Guidelines are recommendations.
  • Procedures: outline the specifics of how policies, standards and guidelines will actually be implemented in the operating environment.

3
Put another way:
  • Policies state a goal in general terms.
  • Standards define what is to be accomplished in specific terms.
  • Procedures tell how to meet the standards.

4
Example: Access to Company information is restricted.
  • Policy: Access to and use of company information systems is restricted to authorized users.
  • Standard: Users are required to have unique userids and passwords.
  • Guideline: Passwords should be from 5 to 8 characters in length and contain both alpha and numeric characters.
  • Procedure: Requests for userids and passwords must include the signature of the authorized information owner. Approval signatures will be verified against the company authorized signature verification list.

5
Security Policy (from Active Policy Management: The Cornerstone of Security)
  • Often cited as the first, most critical component of any information security program.
  • Can describe anything from acceptable use of an email system to privacy expectations of computer users.
  • To serve their purpose by communicating management intent, they must be read and understood.
  • Problems and issues, or just plain indifference, are almost foregone conclusions.
  • Best practices for policies include:
    • Being realistic
    • Being concise yet thorough
    • Managing the policy life cycle
    • Educating and testing

6
Key Elements of a Policy
  • Be easy to understand
  • Be applicable
  • Be doable and enforceable
  • Be phased in
  • Be proactive (state what has to be done; don't make "thou shalt not" pronouncements).
  • Meet organizational objectives
  • Never, ever use absolutes (OK, avoid them): you might get backed into a corner you don't want to be in.
  • Don't state "violators of the password policy will have their employment terminated" unless you are willing to live with the consequences.

7
Security Operational Process
  • Security Posture Assessment
  • Users
  • System Admin
  • Security Operations
  • Technology Deployment
  • Security Design Review
  • Security Integration
  • 24x7 Monitoring

8
Security Operational Process
9
Policy Management Life Cycle
10
Types of Policies (from Information Security Policies, Procedures and Standards)
  • Program policies
    • Used to create the overall security vision for the organization.
  • Topic-specific policies
    • Address specific issues.
    • e.g. email policy, Internet usage, physical security
  • Application-specific policies
    • Designed to protect specific applications or systems.
    • e.g. controls established for the payroll system

11
Program Policies
  • A high-level policy issued by senior management.
  • Defines the intent of the security program and its scope within the organization.
  • Should include:
    • Topic and scope
    • Responsibilities
    • Compliance issues

12
Program Policy Example (from Information Security Policies, Procedures and Standards)
The Company relies on various kinds of information resources in its daily operations. These resources include data-processing systems, electronic mail, voice-mail, telephones, copiers, facsimile machines, and other information-generation and exchange methods. It is very important for users to recognize that these resources are made available to them to help the company meet short- and long-term goals, objectives and competitive challenges. Any improper use of any resource is not acceptable and will not be permitted.
13
Program Policy Example (cont.)
The company policies listed here form the basis for the Information Resources Protection Policy (IRPP):
1. Data and information about the company and its employees are collected and retained to satisfy legitimate business purposes or as required by law.
2. Protecting company information is every employee's responsibility. Company people share a common interest in ensuring information is not intentionally, accidentally, or improperly disclosed, lost, or misused.
3. Positive steps must be taken to prevent improper disclosure of company information and unauthorized access to company information resources.
4. Data, information, and resources are company assets that may be used only for management-approved company business and not for personal use or gain.
5. As with any other company asset, the company reserves the right to inspect information resources and their use at any time.
6. Company records and information are available to individuals only on a need-to-know basis. Access or attempted access to information and resources outside one's authority is prohibited.
7. Protective measures must be provided to control access and to protect the integrity of all information systems that process information.

14
Program Policy Example (cont.)
8. Established corporate and unit procedures are to be used for budgeting, approval, and acquisition of information-processing facilities, equipment, software, and support services.
9. Appropriate safeguards must be built into information-processing facilities. These safeguards should minimize the extent of loss of information or processing support that could result from such hazards as fire, water, or other natural disasters while maintaining operational effectiveness. Business recovery plans must provide for continuation of vital business functions if loss or failure should occur.
10. Independent reviews to ensure that program objectives are being met are an integral part of this effort. These reviews may be conducted by Corporate Auditing, the internal audit staff of a unit, or external auditors.
11. Deliberate unauthorized acts against Company or customer information system(s) or facilities, including but not limited to misuse, misappropriation, destruction of information or system resources, the deliberate and unauthorized disclosure of information, or the use of unauthorized software/hardware, will result in disciplinary action as deemed appropriate by management.
15
Topic-Specific Policies
  • Unlike program policies, topic-specific policies narrow the focus to one issue at a time.
  • Basic components include:
    • Thesis statement
      • Goals and objectives of this policy
    • Relevance
      • To whom does this policy apply?
    • Responsibilities
      • Establishment of roles by position or job title
    • Compliance
      • Describe unacceptable behavior and consequences
    • (additional information)

16
Topic-Specific Policy Example (from Information Security Policies, Procedures and Standards)
Telecommuting Policy
The Company allows telecommuting where there are opportunities for improved employee performance, reduced commuting miles, and/or potential for savings for the Company or business unit.
Provisions
Business units may implement telecommuting as a work option for certain employees based upon specific criteria and procedures consistently applied throughout the agency.
  • Consideration may be given to employees who have demonstrated work habits and performance well suited to successful telecommuting.
  • Telecommuting criteria and procedures shall be evaluated to ensure their benefits and effectiveness. The telecommuter's conditions of employment shall remain the same as for non-telecommuting employees.
  • Business visits, meetings with Your Company customers, or regularly scheduled meetings with co-workers shall not be held at the home.
  • Telecommuting employees shall not act as primary caregivers for dependents nor perform other personal business during hours agreed upon as work hours.
17
Topic-Specific Example (cont.)
The Company shall provide tele-workers' office supplies. Equipment and software, if provided by the business unit for use at the tele-worksite, shall be for the purpose of conducting Company business.
Responsibilities
The employee shall sign and abide by a telecommuting agreement between the employee and the supervisor.
  • Telecommuting shall be voluntary.
  • The agreement shall specify individual work schedules.
Compliance
Company management has the responsibility to manage corporate information, personnel, and physical property relevant to business operations, as well as the right to monitor the actual utilization of all corporate assets. Employees who fail to comply with the policies will be considered to be in violation of Your Company's Employee Standards of Conduct and will be subject to appropriate corrective action.
18
Application-Specific Policies
  • Focus on one specific system or application.
  • As the construction of the security architecture for a site takes place, the program and topic-specific policies need to be translated to specific applications and systems.
  • To develop a comprehensive series of policies:
    • Define the business objectives, then establish which security tools will support those objectives.
    • Establish the rules for operating the system or application. Determine who has access to what resources and when.
    • Determine what automated tools may help with this policy.

19
Application-Specific Policy Example (from Information Security Policies, Procedures and Standards)
Dial-In Access Policy
All incoming dial-up connections (via PSTN or ISDN) should use a strong one-time password authentication system (such as SecurID). Dial-in access to the corporate network should only be allowed where necessary and where the following conditions are met:
  • Assurance. The dial-in server configuration shall be accurately documented. It shall be subjected to yearly audits.
  • Identification and Authentication. All incoming dial-up connections shall use a strong authentication system: one-time passwords, challenge-response, etc. Administrator log-in shall not send passwords in clear text. The call-back or "closed user group" features should be used where possible.
  • Access Control. Dial-up servers shall not share file or printer resources with other internal machines; that is, they shall not be file or printer servers. Only administrative personnel shall be allowed to log on locally. Dial-up servers shall be installed in a physically secured/locked room.
20
Some Other Policies You Should Think About Having
  • Internet use policy
    • What can you do, where can you go (e.g. pornography, online brokerage, online gaming, online auctions)
  • Email use policy
    • What is not acceptable (e.g. threats, harassment, spam)
  • Acceptable use policy
    • What else can the systems be used for (e.g. running your own home business, downloading and storing music/videos, games)

21
The Definitions Again
  • Policies state a goal in general terms.
  • Standards define what is to be accomplished in specific terms.
  • Procedures tell how to meet the standards.

22
Standards
  • Policies alone do not offer the guidance required to actually implement a security program.
  • Standards are mandatory rules, activities, actions, or regulations designed to provide policies with the details needed to be effective.

23
An Example
  • Policy: It is Company policy that all orders will be processed as quickly as possible.
  • Standard: Each order must be processed within six working days of receipt.
  • Procedure: The following steps will be followed to process orders:
    • Day 1: Set up file for correspondence
    • Day 2: Enter order data into the system
    • Day 3: Verify order is in stock and process credit card
    • Day 4: Retrieve order and send to shipping
    • Day 5: Package order for shipment
    • Day 6: Mail order and receipt

24
A Word on Standards
  • Be aware of legislative and regulatory requirements, risks, protective measures, and practices that are relevant to your specific area of responsibility or business.
  • Two examples of international standards are:
    • BS 7799 (British Standard)
    • ISO 17799 (based on BS 7799)

25
Original BS 7799
  • Organized into 10 major sections:
    • Business continuity planning
    • System access control
    • System development and maintenance
    • Physical and environmental security
    • Compliance
    • Personnel security
    • Security organization
    • Computer and network management
    • Asset classification and control
    • Security policy

26
The Definitions Again
  • Policies state a goal in general terms.
  • Standards define what is to be accomplished in specific terms.
  • Procedures tell how to meet the standards.

27
Procedures
  • Procedures spell out the steps of how the policy and its supporting standards and guidelines will actually be implemented in the organization's environment.
  • Procedures are a description of tasks that must be accomplished in a specified order.

28
Some Items to Consider for Procedures (from Information Security Policies, Procedures, and Standards)
  • Title
  • Intent
  • Scope
  • Responsibilities
  • Sequence of events
  • Approvals
  • Prerequisites
  • Definitions
  • Equipment required
  • Warnings
  • Precautions
  • Procedure body (the steps)

29
Authorship of Policies, Standards,
  • The task of actually writing the policies and their supporting standards, guidelines, and procedures would typically be handled by personnel in the computer security office.
  • Support from IS/IT personnel is helpful.
  • External consultants can also be useful.
  • The final draft should be submitted to management for approval.

30
Policy Checklist (from Computer Security Handbook, 3rd ed., John Wiley Press)
31
And a Word on Writing (from Information Security Policies, Procedures, and Standards)
  • Avoid alliteration. Always.
  • Prepositions are not words to end sentences with.
  • Avoid clichés like the plague. (They are old hat.)
  • Employ the vernacular.
  • Eschew ampersands & abbreviations, etc.
  • Parenthetical remarks (however relevant) are unnecessary.
  • It is wrong to ever split an infinitive.
  • Contractions aren't necessary.
  • Foreign words and phrases are not apropos.
  • One should never generalize.
  • Comparisons are as bad as clichés.
  • Even if a mixed metaphor sings, it should be derailed.
  • Eliminate quotations. As Ralph Waldo Emerson once said, "I hate quotations. Tell me what you know."
  • Do not be redundant; do not use more words than necessary; it is highly superfluous.
  • Profanity sucks.
  • Be more or less specific.
  • Understatement is always best.
  • Exaggeration is a billion times worse than understatement.
  • One-word sentences? Eliminate.
  • Analogies in writing are like feathers on a snake.
  • The passive voice is to be avoided.
  • Go around the barn at high noon to avoid colloquialisms.
  • Who needs rhetorical questions?

32
Summary
  • What is the importance and significance of this material?
  • How does this topic fit into the subject of Voice and Data Security?