Title: Security Policies
1 Security Policies
2 Elements of Information Protection
- Supports the business objectives / mission of the organization
  - Integral part of due care
  - Decision makers have a
    - Duty of loyalty (decisions are made in the interest of the organization)
    - Duty of care (protect the assets of the business)
- Cost-effective
  - Presupposes a risk analysis
3 Elements of Information Protection
- Makes protection responsibilities and accountabilities explicit
  - The policy should identify the roles and responsibilities of all employees
- Extends beyond the boundary of one's own organization
  - E.g. access to information is given to outsiders
  - Protection of others' assets
4 Elements of Information Protection
- Requires a comprehensive and integrated approach
  - Needs to be part of the system development life cycle
  - Needs to extend to all groups in the organization
5 Elements of Information Protection
- Needs to be periodically reassessed
- Constrained by the culture of the organization
6 Information Protection
- Is more than just computer security
- Data is stored in a variety of ways, not only on computers
7 Guidelines, Standards, Policies
- Title III of the E-Government Act of 2002 (FISMA) tasks NIST with developing
  - Standards (FIPS) that are mandatory for all federal agencies
  - Guidelines (NIST Special Publications) recommending how to meet them
  - Minimum security requirements for federal information and information systems (FIPS 200)
8 Policies vs. Procedures
- Information security policies
  - High-level plans that describe the goals the procedures are to achieve
- Procedures are the implementation details
9 Purpose of Policies
- Regulatory compliance
  - The assumption is that the existence of policies increases the security of assets
- Liability mitigation
  - Policies should reflect best practices that are understood by the judicial system
- Auditing
  - Insurance companies need to assess the risk of monetary damage due to break-ins
- Assigns roles and responsibilities in a systematic manner
10 Policies, Guidelines, Standards
- Policy
  - Written at a broad level
  - Requires supporting standards, procedures, and guidelines
- Standards and guidelines
  - Specify the technologies and methodologies to be used on secure systems
- Standards
  - Mandatory activities, actions, rules, or regulations
- Guidelines
  - More general statements designed to achieve the policy objective
- Procedures are the detailed steps required to accomplish a particular task or process
11 In-Class Exercise
- Develop, for a parish organization, the following regarding access control to human resource files and donor databases:
  - A policy statement
  - A standard
  - A guideline
  - A procedure
12 Determination of Policy Needs
13 Policy Development
- Determine the goal of the policies
- Determine the range of assets that need to be protected
- Policies can be developed as a collection of documents
14 Policy Development
- Preliminary risk assessment / analysis
  - Distinguish technical risk from process risk
- Use outsiders
  - Select them based on
    - Up-to-date knowledge of security information
    - Knowledge of industry best practices
    - Relevant guidelines / standards
  - Insiders have too much at stake in the outcome to assess it impartially
15 Identification of Information Assets
- Map hardware / software to the organization's mission or business processes
- Inventory assets
  - Also includes non-computer resources
    - Documentation about business processes
    - Pre-printed forms
      - Can be used to impersonate organization personnel
- Inventory human resources
16 Identification of Information Assets
- Identify threats and risks
  - Authorized / unauthorized access to resources / information
  - Unintended / unauthorized disclosure of information
  - Bugs / user errors
17 Excursus: Survivable Network Analysis Method
- Networks are becoming an integral part of business processes
- Networks are no longer under the control of individual organizations
Source for slides 17-26: http://www.cert.org/archive/pdf/00tr013.pdf
18 Survivable Network Analysis Method
- Survivability: the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents
- Properties of survivable systems
  - Resistance to attacks
    - Strategies for repelling attacks
      - Authentication
      - Access controls
      - Encryption
      - Message filtering
      - Survivability wrappers
      - System diversification
      - Functional isolation
  - Recognition of attacks and damage
    - Strategies for detecting attacks and evaluating damage
      - Intrusion detection
      - Integrity checking
19 Survivable Network Analysis Method
- Properties of survivable systems (cont.)
  - Recovery of essential and full services after an attack
    - Strategies for limiting damage, restoring compromised information or functionality, maintaining or restoring essential services within mission time constraints, and restoring full services
      - Redundant components
      - Data replication
      - System backup and restoration
      - Contingency planning
  - Adaptation and evolution to reduce the effectiveness of future attacks
    - Strategies for improving system survivability based on knowledge gained from intrusions
      - New intrusion recognition patterns
20 Survivable Network Analysis Method
(figure: spiral model for software development, not reproduced)
21 Survivable Network Analysis Method
- Survivability needs to be added to the spiral model as an additional primary motivation / driver
22 Survivable Network Analysis Method
- Life cycle activities
  - Mission definition
    - Analysis of mission criticality and consequences of failure
    - Estimation of the cost impact of denial-of-service attacks
  - Concept of operations
    - Definition of system capabilities in adverse environments
    - Enumeration of critical mission functions that must withstand attacks
  - Project planning
    - Integration of survivability into life-cycle activities
    - Identification of defensive coding techniques for implementation
  - Requirements definition
    - Definition of survivability requirements from the mission perspective
    - Definition of access requirements for critical system assets during attacks
  - System specification
    - Specification of essential-service and intrusion scenarios
    - Definition of the steps that compose critical system transactions
23 Survivable Network Analysis Method
- Life cycle activities (cont.)
  - System architecture
    - Integration of survivability strategies into the architecture definition
    - Creation of network facilities for replication of critical data assets
  - System design
    - Development and verification of survivability strategies
    - Correctness verification of data encryption algorithms
  - System implementation
    - Application of survivability coding and implementation techniques
    - Definition of methods to avoid buffer overflow vulnerabilities
  - System testing
    - Treatment of intruders as users in testing and certification
    - Addition of intrusion usage to usage models for statistical testing
  - System evolution
    - Improvement of survivability to prevent degradation over time
    - Redefinition of the architecture in response to the changing threat environment
24 Survivable Network Analysis Method
- The Survivable Network Analysis (SNA) method
  - Step 1: System definition
  - Step 2: Essential capability definition
  - Step 3: Compromisable capability definition
    - A set of representative intrusions is selected
    - Intrusion scenarios are defined and traced through the architecture to identify the compromisable components that intrusions could damage
  - Step 4: Survivability analysis
25 Survivable Network Analysis Method
(figure: overview of the four SNA steps, not reproduced)
26 Survivable Network Analysis Method
- Key points
  - Two types of network usage scenario
    - NUS: Normal Usage Scenario
    - IUS: Intrusion Usage Scenario
27-28 Data Security Considerations
- Information systems are about the flow and usage of data
- Data handling
  - Policies for how data is handled and how the integrity and confidentiality of data are maintained
  - Existence of third-party data
  - Personal data
  - Personnel data
  - Privacy protection
  - COTS (Commercial Off-The-Shelf) software licensing
29-30 Data Security Considerations
- Backups, archival storage, disposal of data
  - Backups
    - Which data to back up
    - Frequency of backups
    - Revision of backup procedures
    - On-site vs. off-site storage of data
  - Archival storage of backups
    - Retention period
    - Readability assurance
      - Media lifetime may be shorter than the retention period, so plan for migration to fresh media and for keeping equipment that can still read the old media
  - Disposal of data
    - Dumpster diving
    - Analysis of old hard drives (deleted files remain recoverable unless the media are wiped or physically destroyed)
Policies Do Not Prescribe Implementation Details
31 Data Security Considerations
- Intellectual property rights and policies
  - Who owns the rights to IP
  - Interaction with documents under IP control
  - Labeling for IP enforcement
    - Otherwise dissemination might destroy the IP (e.g. a trade secret disclosed without restriction loses its protection)
- Incident response and forensics
  - Single point of contact: assignment of responsibilities
  - Procedures
32 Information Security Mission Statement
33 Why a Mission Statement
- Mission statements establish the scope of responsibility for each department
- Explain the function of information assurance within the organization
- Pressures that push towards information assurance
  - Regulations and laws
  - Fear of litigation
  - Risks and costs
- ISO 17799 Section 4: Organizational Security
34 Business Goals vs. Security Goals
- Information security is never a fundamental goal of any organization; it exists to support the business goals
- Business objectives are obtained from
  - Agencies
    - Law, constitution
  - Businesses
    - Reports to stockholders
    - Organizational charts
    - Strategic planning information
    - Annual corporate budget proposals
    - Interviews with staff members
35 Computer Security Objectives
- Before writing the mission statement, explore the elements of a comprehensive information security program
  - Ensure accuracy and integrity of data
  - Protect classified data
  - Protect against unauthorized access, modification, destruction, or disclosure of data
  - Ensure the ability to survive the loss of computing capacity
  - Ensure management support for the development and implementation of security policies
  - Protect management from charges of imprudence in the event of a compromise
  - Protect against errors and omissions in data
36 Format
- Brief paragraph: overall goals of the computer security (CompuSec) program
- List of responsibilities
37 ISO 17799 Section 4.1.3
- Responsibilities for carrying out specific security processes shall be clearly defined
- Might establish the role of an information security manager
- Typically, responsibility for implementing controls remains with the individual managers
- Common practice
  - Appoint an owner for each information asset
38 NIST SP 800-55 Chapter 2
- Specifies responsibilities for
  - Agency head
  - Chief Information Officer (CIO)
  - Senior Agency Information Security Officer
  - Program Manager / Information System Owner
  - Information System Security Officer (ISSO)
39 Sample Mission Statement
40 Example
- To provide the Corporation with the highest level of visibility and support for the philosophy of protection and to provide the organization with a focal point for solving information protection problems.
- Information Protection Group responsibilities
  - Keep information protection policies and practices current.
  - Prepare, publish, and maintain ISO guidelines and standards for information protection.
  - Answer all inquiries on compliance and interpretation of corporate policies and ISO practices.
  - Develop, implement, and maintain the Corporate Information Protection Awareness Program.
41 Example
- Information Protection Group responsibilities (cont.)
  - Assist the Corporate Organization Information Protection Coordinators (OIPCs) to develop, implement, and maintain their local information protection programs.
  - Develop, implement, and maintain standard risk assessment tools for use in determining critical corporate resources.
  - Ensure the criteria for determining sensitive information and critical applications and systems are current and appropriate to the needs of the Corporation.
  - Coordinate the development, testing, and maintenance of a data center Business Continuity Plan (BCP).
  - Assist OIPCs in the development of their organization BCPs.
42 Example
- Information Protection Group responsibilities (cont.)
  - Review new system access and information protection products and make recommendations on these products to ensure they meet minimum corporate requirements.
  - Provide account administration across all platforms.
  - Provide consulting support for all application development projects.
  - Act as audit liaison for all information and computer security related matters.
  - Assist in the investigation and reporting of computer thefts, intrusions, viruses, and breaches of information protection controls.
  - Assist in the development of effective monitoring programs to ensure that corporate information is protected as required.
Source: Peltier, Information Security Policies, Procedures, and Standards, Auerbach, 2002
43 Support for Mission Statement
- Needs approval by
  - Head of agency
  - Chairman of the Board
  - CEO, CFO, CIO
44 Creating Standards
45 Success Criteria for Standards
- There must be a commitment to the standard
- Standards must be
  - Reasonable
  - Flexible
  - Current
  - Reviewed regularly
46 Standard Commitment
- Commitment must start with senior management
- And be passed down to line management
47 Policies, Standards, Procedures
- Policy
  - States a goal in general terms
- Standards
  - Define what is to be accomplished in specific terms
- Procedures
  - How to meet the standards
48 What Belongs in a Standard
- Sources and examples
  - ISO 17799 / BS 7799
  - NIST Special Publications and FIPS
- Standards require compliance
  - Not following self-set standards can have legal consequences
- Do not over-specify standards
  - Standards need to be up-to-date, but changing standards is costly
  - Specific requirements should be used judiciously
- Standards nevertheless need to be substantial enough to be meaningful
49 Writing Procedures
50 Procedure Contents
- Level of specificity varies from organization to organization
- How to
  - Establish the need for the procedure
  - Identify the target audience
  - Describe the task that the procedure will cover
  - Make the intent known to users
  - Describe the procedure
51 Procedure Checklist
- Title
- Intent
- Scope
- Responsibilities
- Sequence of events
- Approvals
- Prerequisites
- Definitions
- Equipment required
- Warnings
- Precautions
- Procedure body
  - This lists the actual steps to be performed in the execution of the procedure
52 Involving Local Experts
- Local experts: the employees who will carry out the procedure
- Possibilities
  - Let the local experts write the procedure
    - Typically delayed, since it adds to their workload
    - Typically, the procedure is not well written and is over-technical
  - Conduct interviews with the local experts and use a documentation expert
    - The result needs to be verified by the local experts
  - Create a review panel
- Ascertain that the procedures described are in place (or almost in place)
53 Procedure Styles
- Headline style
  - Title lines placed above the text
- Caption style
  - Key words appear in the left margin next to the text
- Matrix
- Narrative
- Flowchart
- Playscript
54 Examples
55 Physical Security
56 Problems
- Sometimes, security depends on physical security
  - Access to logs
  - Access to consoles
- Computer equipment needs to be protected against mishaps
  - Server room in the basement, subject to flooding when a water main breaks
  - Pollution is tolerated even less by computers than by people
    - Air vent for the emergency generators next to the air conditioning intake for the computer room
57 Physical Security
- Facility requirements
  - Locks and barriers
  - Access control
  - Environmental support
    - Air conditioning
    - Power
    - Humidity
58 Example Policy
- Computing facilities shall be of sufficient size and shall not be located on the ground floor; they shall have multiple entry doors and more than one fire exit.
- The area reserved for servers should have sufficient environmental controls for temperature and humidity.
- Each server facility shall have automated access control that includes procedures to add and remove the access rights of people. The procedures should be auditable. Furthermore, access to server facilities should be logged.
- Visitors shall be required to provide identification before entering any server facility and shall be escorted during their presence on the premises.
59 Physical Security
- The policy does not (yet) address
  - Contingency planning
  - Disaster recovery
  - Intrusion recovery
  - System maintenance
  - Audits
  - Staffing
60 Authentication and Network Setup
61 Networking Layout Concerns
- DHCP
- DNS
- Addressing
  - Expanding networks, creating subnets
  - Non-routable (private, RFC 1918) addressing
    - Plan ahead for merging networks
    - Use addresses not likely to be duplicated after a merger
      - E.g. use 10.29.100.x instead of 10.0.0.x: the first block of a private range is what everyone picks by default, so two merged networks are likely to collide there
  - Address assignment
    - Static
    - Dynamic
    - Mixed
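As an added example (not part of the original slides), the merger concern above turned into a check: the script flags every pair of subnets in two address plans that overlap, using strict parsing so a typo with host bits set is rejected rather than silently normalized, and then finds the first /16 in 10.0.0.0/8 that neither side uses. The two plans ORG_A and ORG_B are constructed sample data for hypothetical organizations; both picked 10.0.0.0/24, which is exactly the collision the slide warns about.

```python
import ipaddress


def parse_plan(cidrs):
    """Parse an address plan; strict=True rejects entries with host bits set
    (a typo such as 10.29.100.1/24 would otherwise silently become a network)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def overlapping_pairs(plan_a, plan_b):
    """Every (a, b) pair of subnets that overlap: these are the subnets that
    would have to be renumbered (or hidden behind NAT) after a merger."""
    return [(a, b) for a in plan_a for b in plan_b if a.overlaps(b)]


def free_blocks(plans, prefixlen=16, candidates=("10.0.0.0/8",)):
    """Yield /prefixlen blocks carved from the candidate ranges that no plan uses."""
    used = [net for plan in plans for net in plan]
    for cand in candidates:
        for block in ipaddress.ip_network(cand).subnets(new_prefix=prefixlen):
            if not any(block.overlaps(net) for net in used):
                yield block


# Constructed sample plans for two hypothetical organizations. Both picked
# the "obvious" 10.0.0.0/24, the duplication the slide warns about.
ORG_A = ["10.0.0.0/24", "10.0.1.0/24", "10.29.100.0/24"]
ORG_B = ["10.0.0.0/24", "10.1.0.0/16", "192.168.1.0/24"]


def merger_report(cidrs_a=ORG_A, cidrs_b=ORG_B):
    """Return (conflicting subnet pairs, first unused /16) for two plans."""
    plan_a, plan_b = parse_plan(cidrs_a), parse_plan(cidrs_b)
    clashes = overlapping_pairs(plan_a, plan_b)
    spare = next(free_blocks([plan_a, plan_b], prefixlen=16))
    return clashes, spare


if __name__ == "__main__":
    clashes, spare = merger_report()
    for a, b in clashes:
        print(f"conflict: {a} (A) overlaps {b} (B): renumber before connecting")
    print(f"unused /16 for post-merger shared services: {spare}")
```

Run it before connecting the two networks, not after: once the 10.0.0.0/24 hosts on both sides can see each other, routing to the wrong copy of a server is indistinguishable from an attack.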
62 Network Access Policy Topics
- Gateways
- Dial-in / dial-out access
- Wireless access points
- Internet connections
- Virtual private networks
63 Network Access Policy Topics
- Login security
  - Login requirements and procedures
  - Account creation and management
    - Guest accounts
    - Dormant accounts
    - Employee termination procedures
  - Login banners
  - Login controls
  - Login reporting
64 Network Access Policy Topics
- Session restrictions
  - Users accessing sensitive information should take additional precautions
- Special privileges
  - Some uses require special privileges
    - Root access to computers
    - Running dangerous applications
      - Sniffers, intrusion detection, ...
    - Absence of anti-virus tools
65 Password Policies
- Password strength
- Password storage
- Default passwords
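The three topics on this slide, as an added example in code (not from the original slides): a strength check that also rejects well-known default passwords, salted slow hashing for storage so a stolen password file cannot be reversed cheaply, and a constant-time verify. The DEFAULT_PASSWORDS set is a short constructed sample, not a real vendor list; the length and iteration values are illustrative assumptions, and PBKDF2 is used because it is in the standard library (Argon2id or scrypt are better choices where available).

```python
import hashlib
import hmac
import os

# Constructed sample of vendor/default credentials that provisioning must refuse.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "root", "default"}
MIN_LENGTH = 12            # assumed policy value
PBKDF2_ROUNDS = 200_000    # slow hashing makes offline guessing expensive


def strength_problems(password, username=""):
    """Return the policy rules a candidate password violates (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a well-known default password")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


def hash_password(password):
    """Store algorithm, rounds, a fresh random salt and the derived key; never the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False   # refuse anything stored with an unknown/legacy scheme
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def provision_account(username, password):
    """Apply the policy at account creation: reject weak or default passwords,
    and return the record to store (the hash string, never the password)."""
    problems = strength_problems(password, username)
    if problems:
        raise ValueError(f"rejected for {username}: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = provision_account("alice", "correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

The "default passwords" rule is the one most often missing from real policies: the check belongs at provisioning time and in the deployment checklist for any appliance that ships with a factory credential.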
66 Telecommuting / Remote Access
- Employee equipment
  - What can be used?
  - How is it protected?
- Employee responsibilities
67 Internet Connection Policy (Firewalls etc.)
68 Firewall Policies
- Policies for
  - Incoming traffic
  - Outgoing traffic
- Establishment of a DMZ
  - Services located in the DMZ
  - Protection of services in the DMZ
- Resulting policies for users
  - No Usenet postings
    - Because Usenet postings allow network reconnaissance (message headers reveal internal host names and addresses)
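An added example (not from the original slides) showing how the firewall policy above is written down as an ordered rule set and evaluated first-match, with the last line a default deny so anything not listed fails closed. The zones, address ranges (documentation and private ranges) and services are constructed assumptions; the two rules worth noticing are the one that blocks the DMZ from initiating connections into the internal network, so a compromised public server cannot pivot, and the outbound NNTP deny that implements the "no Usenet postings" policy.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zones: the DMZ uses the TEST-NET-1 documentation range, the
# internal LAN a private block; anything in neither is "internet".
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.29.0.0/16"),
}


def zone_of(ip):
    """Most specific zone containing ip; 'internet' (/0) is the catch-all."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    src: str            # zone name or "*"
    dst: str            # zone name or "*"
    ports: frozenset    # destination ports; empty = any port
    action: str         # "allow" or "deny"
    why: str            # the policy statement this rule implements


# Evaluated top to bottom, first match wins; the final line is the default deny.
POLICY = [
    Rule("internet", "dmz", frozenset({80, 443}), "allow", "public web service lives in the DMZ"),
    Rule("internet", "internal", frozenset(), "deny", "nothing inbound to the internal network"),
    Rule("dmz", "internal", frozenset(), "deny", "compromised DMZ host must not pivot"),
    Rule("internal", "dmz", frozenset({22, 443}), "allow", "admins manage DMZ hosts"),
    Rule("internal", "internet", frozenset({53, 80, 443}), "allow", "outbound DNS and web"),
    Rule("internal", "internet", frozenset({119}), "deny", "no Usenet: headers leak internal names"),
    Rule("*", "*", frozenset(), "deny", "default deny"),
]


def evaluate(src_ip, dst_ip, dst_port, policy=POLICY):
    """Return (action, reason) for one connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (rule.src in ("*", src) and rule.dst in ("*", dst)
                and (not rule.ports or dst_port in rule.ports)):
            return rule.action, rule.why
    return "deny", "no rule matched"   # unreachable with the default-deny line


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", 443), ("203.0.113.5", "192.0.2.10", 22),
                 ("192.0.2.10", "10.29.1.5", 445), ("10.29.1.5", "203.0.113.5", 119)]:
        print(flow, "->", evaluate(*flow))
```

Keeping the policy statement in each rule's `why` field is what makes the rule set auditable against the written policy; a rule nobody can trace to a policy line is a candidate for removal.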
69 HTTP / WWW Policies
- Web browser settings
- Running and downloading mobile code
  - ActiveX
  - JavaScript
    - Cross-site scripting attacks
  - Java
- Content filtering
- Privacy expectations
70 E-mail Related Policies
71 Email
- Establish the right to monitor email
- Handling, scanning, archiving email
- Use of email for confidential data
- Digital signing of email
72 Virus Protection
73 Virus Protection Policies
- All users shall have anti-virus protection software installed before or when connecting the system to the network.
- Users shall participate in keeping the anti-virus protection software updated and shall not disable its facilities.
- When a software installation requires disabling the anti-virus tool, users shall scan the system immediately after the installation.
74 System Integrity Checking
- Give criteria for when a system shall be trip-wired (placed under file integrity monitoring) and for which files
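What "trip-wiring" a system means in practice, as an added example (not from the original slides and not the Tripwire product's own code): record a baseline of content hashes and the metadata an intruder typically changes for every file under a root, then diff a later scan against it and report added, removed and modified files. File modification time is deliberately not part of the fingerprint because an attacker resets it. The demo tree, its tampering (a second uid-0 account, a removed file, an ld.so.preload hook) and all paths are constructed in a temporary directory.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_fingerprint(path):
    """Content hash plus the metadata an intruder typically changes.
    mtime is deliberately left out: it is trivially reset by an attacker."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(root):
    """Map relative path -> fingerprint for every regular file under root
    (symlinks are skipped here; a production tool records their targets)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = file_fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return (added, removed, modified); modified maps path -> changed fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return added, removed, modified


def save_baseline(baseline, path):
    """The baseline must live where the monitored host cannot rewrite it
    (read-only media or another host); keep a hash of this file offline too."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Baseline a scratch tree, tamper with it (constructed changes), diff."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.makedirs(etc)

    def write(name, text, mode="w"):
        with open(os.path.join(etc, name), mode) as f:
            f.write(text)

    write("passwd", "root:x:0:0:root:/root:/bin/sh\n")
    write("hosts", "127.0.0.1 localhost\n")
    store = os.path.join(tempfile.mkdtemp(), "baseline.json")  # outside the tree
    save_baseline(build_baseline(root), store)

    # Constructed tampering: second uid-0 account, removed file, preload hook.
    write("passwd", "eve:x:0:0::/:/bin/sh\n", mode="a")
    os.remove(os.path.join(etc, "hosts"))
    write("ld.so.preload", "/tmp/evil.so\n")
    return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

The policy criteria the slide asks for map onto this directly: which hosts get a baseline, which directories are covered, how often the comparison runs, and where the baseline and the checker itself are kept so that a compromised host cannot quietly rewrite both.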
75 Software Updates and Installations
- Rules for handling third-party software
76 Encryption
77 Legal Issues
- Use of encryption can be restricted by law (export controls)
- Some countries forbid the use of encryption in communication without giving the keys to a government agency
- Warrants affecting encrypted data
  - Key recovery
78 Crypto Issues
- Key generation
- Key management
  - Disclosure
  - Storage
  - Transmission
79 Acceptable Use Policy
80 Acceptable Use Policy (AUP)
- Summarizes the overall policy for users
- Lays out the requirements and duties of users
- Needs to be short
- Will be signed by the user when hired / given access
81 Compliance Enforcement
82 Effectiveness of Policies
- Establish user training guidelines
- Establish measures of compliance
  - Records of security violations
  - Records of exceptions made
- Responsibility for publishing policy changes
83 Effectiveness of Policies
- Monitoring, controls, remedies, sanctions
- Establish administrator responsibilities
- Establish the right to log
84 Incident Response
85 Incident Response
- Assign responder responsibility
- Plan for interaction with law enforcement
86 Policy Review
87 Policy Review Process
- Review triggered by
  - Incidents
  - Number of exceptions to established policies
  - Recognition of new threats