Security Policies

About This Presentation

Title:

Security Policies

Description:

Inventorize human resources. Identification of Information Assets. Identify threats and risks ... Adaptation and evolution to reduce effectiveness of future attacks ... – PowerPoint PPT presentation

Number of Views:53

Avg rating:3.0/5.0

Slides: 88

Provided by: thomass155

Learn more at: https://www.cse.scu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Security Policies

1
Security Policies

COEN 250

2
Elements of Information Protection

Supports business objectives / mission of
organization
Integral part of due care
Decision makers have
Duty of Loyalty (decisions made in interest of
org)
Duty of Care (protect assets of business)
Cost-effective
Presupposes risk analysis

3
Elements of Information Protection

Makes protection responsibilities and
accountabilities explicit
Policy should identify roles and responsibilities
of all employees
Extends beyond the boundary of ones organization
E.g. access to information is given to outsiders
Protection of others assets

4
Elements of Information Protection

Requires a comprehensive and integrated approach
Needs to be part of the system development life
cycle
Needs to extend to all groups in an organization

5
Elements of Information Protection

Needs to be periodically reassessed
Constrained by the culture of organization.

6
Information Protection

Is more than just computer security
Data is stored in a variety of ways.

7
Guidelines, Standards, Policies

Title III of E-Government Act (FISMA) tasks NIST
with developing
Standards to be used by all federal agencies
Guidelines recommending
Minimum Security Requirements (FIPS 200)

8
Policies ?? Procedures

Information Security Policies
High level plans that describe the goals of
procedures
Procedures are implementation details

9
Purpose of Policies

Regulatory compliance
Assumption is that existence of policies
increases security of assets
Liability Mitigation
Policies should reflect best practices, but are
understood by the judicial system
Auditing
Insurance companies need to assess risks of
monetary damage due to break-ins
Assigns roles and responsibilities in a
systematic manner

10
Policies, Guidelines, Standards

Policy
written at a broad level
requires supporting standards, procedures,
guidelines
Standards and guidelines
specify technologies and methodologies to be used
on secure systems
Standards
mandatory activities, actions, rules, or
regulations
Guidelines
more general statements designed to achieve the
policy objective
Procedures are the detailed steps required to
accomplish a particular task or process

11
In Class Exercise

Develop for a parish organization regarding
access control to human resource files and donor
databases
A policy statement
A standard
A guideline
A procedure

12
Determination of Policy Needs
13
Policy Development

Determine goal of policies
Determine range of assets that need to be
protected
Can be developed as a collection of documents

14
Policy Development

Preliminary risk assessment / analysis
Distinguish technical risk and process risk
Use outsiders
Select based on
up-to-date knowledge of security information
knowledge of industry best practices
relevant guidelines / standards
Insiders are too much stakeholders

15
Identification of Information Assets

Map hardware / software to organizations mission
or business process.
Inventorize assets
Includes also non-computer resources
Documentation about business processes
Pre-printed forms,
Can be used to impersonate organization personnel
Inventorize human resources

16
Identification of Information Assets

Identify threats and risks
Authorized / unauthorized access to resources /
information
Unintended / unauthorized disclosure of
information
Bugs / user errors

17
Excurse Survivable Network Analysis Method

Networks are becoming an integral part of
business processes
Networks are no longer under control of
individual organizations

http//www.cert.org/archive/pdf/00tr013.pdf
18
Survivable Network Analysis Method

Survivability Capability of system to fulfill
its mission
Properties
Resistance to attacks
Strategies for repelling attacks Authentication
Access controls
Encryption
Message filtering
Survivability wrappers
System diversification
Functional isolation
Recognition of attacks and damage
Strategies for detecting attacks and evaluating
damage
Intrusion detection
Integrity checking

http//www.cert.org/archive/pdf/00tr013.pdf
19
Survivable Network Analysis Method

Properties of survivable systems (cont.)
Recovery of essential and full services after
attack
Strategies for limiting damage, restoring
compromised information or functionality,
maintaining or restoring essential services
within mission time constraints, restoring full
services
Redundant components
Data replication
System backup and restoration
Contingency planning
Adaptation and evolution to reduce effectiveness
of future attacks
Strategies for improving system survivability
based on knowledge gained from intrusions
New intrusion recognition patterns

http//www.cert.org/archive/pdf/00tr013.pdf
20
Survivable Network Analysis Method
Spiral Model for Software Development
http//www.cert.org/archive/pdf/00tr013.pdf
21
Survivable Network Analysis Method

Need to add Survivability as an additional
primary motivation / driver

http//www.cert.org/archive/pdf/00tr013.pdf
22
Survivable Network Analysis Method

Life Cycle Activities
Mission Definition
Analysis of mission criticality and consequences
of failure
Estimation of cost impact of denial of service
attacks
Concept of Operations
Definition of system capabilities in adverse
environments
Enumeration of critical mission functions that
must withstand attacks
Project Planning
Integration of survivability into life-cycle
activities
Identification of defensive coding techniques for
implementation
Requirements Definition
Definition of survivability requirements from
mission perspective
Definition of access requirements for critical
system assets during attacks
System Specification
Specification of essential service and intrusion
scenarios
Definition of steps that compose critical system
transactions

http//www.cert.org/archive/pdf/00tr013.pdf
23
Survivable Network Analysis Method

Life Cycle Activities
System Architecture
Integration of survivability strategies into
architecture definition
Creation of network facilities for replication of
critical data assets
System Design
Development and verification of survivability
strategies
Correctness verification of data encryption
algorithms
System Implementation
Application of survivability coding and
implementation techniques
Definition of methods to avoid buffer overflow
vulnerabilities
System Testing
Treatment of intruders as users in testing and
certification
Addition of intrusion usage to usage models for
statistical testing
System Evolution
Improvement of survivability to prevent
degradation over time
Redefinition of architecture in response to
changing threat environment

http//www.cert.org/archive/pdf/00tr013.pdf
24
Survivable Network Analysis Method

Survivable Network Analysis Method
Step 1 System Definition
Step 2 Essential Capability Definition
Step 3 Compromisable Capability Definition
Set of representative intrusions is selected
Intrusion scenarios are defined and traced
through the architecture
to identify compromisable components that
intrusions could damage
Step 4 Survivability Analysis

http//www.cert.org/archive/pdf/00tr013.pdf
25
Survivable Network Analysis Method
http//www.cert.org/archive/pdf/00tr013.pdf
26
Survivable Network Analysis Method

Key Points
Two types of network usage scenario
NUS Normal Usage Scenario
IUS Intrusion Usage Scenario

http//www.cert.org/archive/pdf/00tr013.pdf
27
Data Security Considerations

Information systems are about the flow and usage
of data.
Data handling
Policies how data is handled and how to maintain
integrity and confidentiality of data
Existence of third party data
Personal data
Personnel data
Privacy protection

28
Data Security Considerations

Information systems are about the flow and usage
of data.
Data handling
Policies how data is handled and how to maintain
integrity and confidentiality of data
Existence of third party data
Personal data
Personnel data
Privacy protection
COTS (Commercial Off-The-Shelf) software
licensing

29
Data Security Considerations

Information systems are about the flow and usage
of data.
Backups, Archival Storage, Disposal of Data
Backups
Which data to back up
Frequency of backups
Revision of backup procedures
On-site vs. Off-site storage of data

Policies Do Not Prescribe Implementation Details
30
Data Security Considerations

Information systems are about the flow and usage
of data.
Backups, Archival Storage, Disposal of Data
Archival Storage of Backups
Retention period
Readability assurance
Media life time lt retention period
Disposal of Data
Dumpster diving
Analysis of old hard drives

31
Data Security Considerations

Information systems are about the flow and usage
of data.
Intellectual Property Rights and Policies
Who owns the rights to IP
Interaction with documents under IP control
Labeling for IP enforcement
Otherwise dissemination might destroy IP
Incident Response and Forensics
Single point of contact Assignment of
responsibilities
Procedures

32
Information SecurityMission Statement
33
Why a Mission Statement

Mission statements establish scope of
responsibility for each department
Explain function of Information Assurance within
the organization
Pressures that push towards information assurance
regulations and laws
fear of litigation
risks and costs
ISO 17799 Section 4 Organization Security

34
Business Goals vs. Security Goals

Information Security is never a fundamental goal
of any organization
Business objectives are obtained from
Agencies
Law, constitution
Business
Report to stockholders
Organizational charts
Strategic planning information
Annual corporate budget proposals
Interviews with staff members

35
Computer Security Objectives

Before writing mission statement, explore
elements of a comprehensive information security
program
Ensure accuracy and integrity of data
Protect classified data
Protect against unauthorized access,
modification, destruction, or disclosure of data
Ensure ability to survive the loss of computing
capacity
Ensure management support for development and
implementation of security policies
Protect management from charges of imprudence in
the event of a compromise
Protect against errors and omissions in data

36
Format

Brief paragraph Overall goals of CompuSec
program
List of responsibilities

37
ISO 17999-4.1.3

Responsibilities for carrying out specific
security processes shall be clearly defined.
Might establish role of information security
manager.
Typically, responsibility for implementing
controls remains with individual managers
Common practice
Appoint an owner for each information asset

38
NIST SP 800-55 Chapter 2

Specifies responsibilities for
Agency head
Chief Information Officer (CIO)
Senior Agency Information Security Officer
Program Manager / Information System Owner
Information System Security Officer (ISSO)

39
Sample Mission Statement
40
Example

To provide the Corporation with the highest level
of visibility and support for the philosophy of
protection and to provide the organization with a
focal point for solving information protection
problems.
Information Protection Group Responsibilities
Keep information protection policies and
practices current.
Prepare, publish, and maintain ISO guidelines and
standards for information protection
Answer all inquiries on compliance and
interpretation of corporate policies and ISO
practices
Develop, implement, and maintain the Corporate
Information Protection Awareness Program

41
Example

Assist the Corporate Organization Information
Protection Coordinators (OIPCs) to develop,
implement, and maintain their local information
protection programs.
Develop, implement, and maintain standard risk
assessment tools for use in determining critical
corporate resources.
Ensure the criteria for determining sensitive
information and critical applications and systems
are current and appropriate to the needs of the
Corporation.
Coordinate the development, testing, and
maintenance of a data center Business Continuity
Plan (BCP).
Assist OIPCs in the development of their
organization BCPs.

42
Example
Peltier Information Security Policies,
Procedures, and Standards, Auerbach, 2002

10. Review new system access and information
protection products and make recommendations on
these products to ensure they meet minimum
corporate requirements.
Provide account administration across all
platforms.
Provide consulting support for all application
development projects.
Act as a audit liaison for all information and
computer security related matters.
Assist in the investigation and reporting of
computer thefts, intrusions, viruses, and
breaches of information protection controls.
Assist in the development of effective monitoring
programs to ensure that corporate information is
protected as required.

43
Support for Mission Statement

Needs approval by
head of agency
Chairman of the Board
CEO, CFO, CIO

44
Creating Standards
45
Success Criteria for Standards

There must be a commitment to the standard
Standards must be
Reasonable
Flexible
Current
Reviewed regularly

46
Standard Commitment

Commitment must start with senior management
Pass down to line management

47
Policies, Standards, Procedures

Policy
States a goal in general terms
Standards
Define what is to be accomplished in specific
terms
Procedures
How to meet the standards

48
What belongs into a standard

Sources and Examples
ISO 17799 BS 7799
NIST SP and FIPS
Standards require compliance
Not following self-set standards can have legal
consequences
Do not over-specify standards
Standards need to be up-to-date, but changing
standards is costly
Should be used judiciously
Standards need to be substantial enough

49
Writing Procedures
50
Procedure Contents

Level of Specificity varies from organization to
organization
How to
Establish need for procedure
Identify target audience
Describe task that procedure will cover
Make the intent known to users
Describe procedure

51
Procedure Checklist

Title
Intent
Scope
Responsibilities
Sequence of events
Approvals
Prerequisites
Definitions
Equipment required
Warnings
Precautions
Procedure body
This lists the actual steps to be performed in
the execution of the procedure

52
Involving Local Experts

Local experts employees who will handle
procedure
Possibilities
Let local experts write procedure
Typically, will be delayed since it adds to the
workload
Typically, procedure not well written and
over-technical
Conduct interviews with local experts and use
documentation expert
Needs to be verified by local experts
Create review panel
Ascertain that procedures described are in place
(or almost in place)

53
Procedure Styles

Headline Styles
Title lines placed above text
Captions
Words appear in left margin of text
Matrix
Narrative
Flowchart
Playscript

54
Examples
55
Physical Security
56
Problems

Sometimes, security depends on physical security
Access to logs
Access to consoles
Computer equipment needs to be protected against
mishaps
Server room in basement subject to flooding when
water main breaks
Pollution even less tolerated by computers
Air vent for emergency generators next to air
conditioning intake for computer room

57
Physical Security

Faculty requirements
Locks and barriers
Access Control
Environmental support
Air conditioning
Power
Humidity

58
Example Policy

Computing facilities shall be off sufficient size
and not be located on the ground floor, with
multiple entry doors and more than one fire exit.
The area reserved for servers should have
sufficient environmental controls for temperature
and humidity.
Each server facility shall have an automated
access control that includes procedures to add
and remove the access rights of people. The
procedures should be auditable. Furthermore,
access to server facilities should be logged.
Visitors shall be required to provide
identification before entering any server
facility and shall be escorted during their
presence on the premises.

59
Physical Security

Policy does not (yet) address
Contingency planning
Disaster recovery
Intrusion recovery
System Maintenance
Audits
Staffing

60
Authentication and Network Setup
61
Networking Layout Concerns

DHCP
DNS
Addressing
Expanding networks, creating subnets
Non-routable addressing
Plan ahead for merging networks
Use addresses not likely to be duplicated after
merger
E.g. Use 10.29.100.X instead of 10.0.0.X
Address assignation
Static
Dynamic
Mixed

62
Network Access Policy Topics

Gateways
Dial In / Dial Out access
Wireless access points
Internet connections
Virtual Private Networks

63
Network Access Policy Topics

Login Security
Login Requirements and Procedures
Account Creation and Management
Guest accounts
Dormant accounts
Employee termination procedures
Login banners
Login controls
Login reporting

64
Network Access Policy Topics

Session Restrictions
Users accessing sensitive information should use
additional cautions
Special Privileges
Some uses require special privileges
Root access to computers
Running dangerous applications
Sniffers, Intrusion Detection,
Absence of anti-virus tools

65
Password Policies

Password Strength
Password Storage
Default Passwords

66
Telecommuting / Remote Access

Employee Equipment
What can be used?
How is it protected?
Employee Responsibilities

67
Internet Connection Policy(Firewalls etc.)
68
Firewall Policies

Policies for
incoming traffic
out-going traffic
Establishment of a DMZ
Services located in DMZ
Protection of services in DMZ
Resulting policies for users
No usenet postings
Because usenet postings allow network
recognizance

69
HTTP WWW Policies

Web Browser Settings
Running and Downloading Mobile Code
Active X
Javascript
Cross Scripting Attacks
Java
Content Filtering
Privacy Expectations

70
E-mail Related Policies
71
Email

Establish right to monitor email
Handling, scanning, archiving email
Use of email for confidential data
Digital Signing Email

72
Virus Protection
73
Virus Protection Policies

All users shall have anti-virus protection
software installed before or when connecting the
system to the network.
Users shall participate in keeping the anti-virus
protection software updated and shall not disable
its facilities.
When software installation requires the disabling
of the anti-virus tool, users shall scan the
system immediately after installation.

74
System Integrity Checking

Give criteria when system shall be trip-wired

75
Software Updates and Installations

Rules for handling third party software

76
Encryption
77
Legal Issues

Use of encryption can be restricted by law
(Export Controls)
Some countries forbid the use of encryption in
communication without giving keys to a government
agency.
Warrants affecting encrypted data
Key recovery

78
Crypto-Issues