Tài liệu Basic Security Policy doc

Trang 1

Basic Security Policy

Security Essentials The SANS Institute

CONTRIBUTING AUTHORS:

Doug Austin Dyncorp Information Systems, LLC

Alexander Bryce Alexander, Ltd

Rob Dinehart IBJ Whitelhall Financial Group

Brian M Estep Adelphia

Stephen Joyce bitLab, LLC

Carol Kramer SANS Institute

Randy Marchany Virginia Tech Computing Center

Stephen Northcutt Global Incident Analysis Center

John Ritter Intecs International, Inc

Matt Scarborough IC

Arrigo Triulzi Albourne Parners, Ltd

Eric Cole SANS Institute

Trang 2

Preface

I never cease to be amazed by the fact that you can’t take a class

in Information Security without being told to do this or that in

accordance with “your security policy”, but nobody ever

explains what the policy is, let alone how to write or

evaluate it.

That is why we undertook this research and education project into

basic security policy We hope you will find this module useful and

that you will participate in its evolution Consensus is a powerful

tool We need the ideas and criticisms from the information

security community in order to make this, The Roadmap, a usable,

and effective policy Thank you!

Stephen Northcutt

I never cease to be amazed by the fact that you can’t take a class in Information Security without

being told to do this or that in accordance with “your security policy”, but nobody ever explains

what the policy is, let alone how to write or evaluate it.

That is why we undertook this research and education project into basic security policy We hope you will find this module useful and that you will participate in its evolution Consensus is a

powerful tool We need the ideas and criticisms from the information security community in order to make this, The Roadmap, a usable and effective policy Thank you!

Stephen Northcutt

Trang 3

Objectives

• Defining Security Policy

• Using Security Policy to Manage Risk

• Identifying Security Policy

• Evaluating Security Policy

• Issue-specific Security Policy

• Exercise: Writing a Personal Security

Policy

This page intentionally left blank

Trang 4

achievable security goals

Without a security policy, any organization can be left exposed to the world In order to determine your policy needs, a risk assessment must first be conducted This may require an organization to define levels of sensitivity with regard to information, processes, procedures, and systems

During this presentation three references to policy types will be made It may be inferred that the

policy being described when not specified is that of a program policy Issue-specific polices will also

be covered, as well as system-specific policies Let’s define these policy types before we get started

Program Policy: This high-level policy sets the overall tone of an organization’s security approach

Typically guidance is provided with this policy to enact the other types of policies and specify who is responsible This policy may provide direction for compliance with industry standards such as ISO,

QS, BS, AS, etc

Issue-specific Policy: These policies are intended to address specific needs within an organization

This may include password procedures, Internet usage guidelines, etc This is not as broad a policy

Trang 5

Defining a Policy (2)

• What makes up a policy?

– Purpose – Related documents – Cancellation

– Background – Scope

– Policy statement – Action

– Responsibility

Most organizations have a guide which dictates the makeup of all company policies This guide likely contains some or all of the following:

Purpose - the reason for the policy.

Related documents - lists any documents (or other policies) that affect the contents of this policy Cancellation - identifies any existing policy that is cancelled when this policy becomes effective Background - provides amplifying information on the need for the policy.

Scope - states the range of coverage for the policy (to whom or what does the policy apply).

Policy statement - identifies the actual guiding principles or what is to be done The statements are

designed to influence and determine decisions and actions within the scope of coverage The statements should be prudent, expedient, and/or advantageous to the organization

Action - specifies what actions are necessary and when they are to be accomplished.

Responsibility - states who is responsible for what Subsections might identify who will develop

additional detailed guidance and when the policy will be reviewed and updated

Trang 6

Defining a Policy (3)

• Who can sign the policy?

• What process is used to:

– draft a policy – approve a policy – implement a policy

In addition, some organizations further define:

Who can sign the policy.

If you are part of a Department of Defense organization, the authority may be reserved for the senior military officer In other cases, it may be a senior vice president or a CIO or other manager In any case, the policy must be signed by someone with sufficient authority and credibility that it is

accepted by members of the organization to which it applies

The process used to get policy drafted, signed, and implemented.

Once you’ve identified what should be in the policy and who will sign it, you need to identify the folks who will help develop and review the policy before you submit it for signature Typical participants (in addition to the security staff) can include members of the legal and human resources staff, as well as a representative from one or more collective bargaining units

Trang 7

Security Policy Protects

Information

Safeguarding information is challenging when records are created

and stored on computers

We live in a world where computers are globally linked and accessible, making digitized information especially vulnerable to theft, manipulation, and destruction Security breaches are inevitable Crucial decisions and defensive action must be prompt and precise

A security policy establishes what must be done to protect information stored on computers A written policy contains sufficient definition of “what” to do so that the “how” can be identified and measured or evaluated

Trang 8

Objectives

• Defining Security Policy

• Using Security Policy to Manage

Risk

Policy

Trang 9

Managing Risks in Your Job

• Identify risks

• Communicate your findings

• Update (create) policy as needed

• Develop metrics to measure

compliance

PROBLEM: The only secure computer is one that is not connected to a network and is powered off

Use of computers to process information has associated risks You need a methodology to validate that the organization is responsible and accountable for managing that risk

ACTION: Learn how to manage risks related to your job.

Step 1: Identify risks

Determine how your organization uses computers and networks in the conduct of business, both routinely and under emergency circumstances This will provide insight into the risks that you face Examples of some things that can pose risks include: using the Internet, not using anti-virus software

on desktop computers, permitting customers/suppliers/partners to bypass the protection afforded by your firewall, and permitting personal use of corporate computers and networks

Step 2: Communicate your findings

Identifying risks is necessary, but not sufficient Decision-makers need to know what the risks are,

as well as options for managing those risks Be sure you have adequately communicated the

situation in writing to folks who can make a difference

Step 3: Update (create) policy as needed

If there is no written policy in place, write it and get it signed by upper level management A written policy, signed by top executives, will identify the corporation’s values and demonstrate that senior management supports the information security activities required by the policy

well-Step 4: Develop metrics to measure compliance

If you cannot measure compliance (conformance), the policy is unenforceable

Trang 10

Risk Assessment

• What do you do?

– The “important bid” story – When is it okay to violate or change policy?

– Who has the authority to do it?

– What are the risks involved?

It’s 2:00 a.m on a Saturday morning Your team is trying to finish a time-critical project - an important bid - by sending a file There are problems getting through the firewall The obvious solution is to modify the firewall, but this is prohibited by the security policy The team faces a dilemma If they don’t act, they will not meet the deadline If they do act, they risk the consequences

of violating a written security policy

What do they do?

What policy may provide guidance on this subject?

What risks are involved in doing this?

Policy should also take into account any possible exceptions to the policy, and define:

• what types of exceptions can be made

• who has the authority to make them

• what review process should be followed to evaluate “emergency” exceptions

These considerations protect both the organization’s assets (by defining which changes are

acceptable and which are not) and those people responsible (by defining the responsible parties and empowering them to make decisions and take action within the scope of the policy)

Trang 11

Checkpoint: Policy In Action

Finding Policy Wins The Game!

Think of a football game Picture the coach at practice sessions, in the locker room before the game What is the coach doing? He is presenting, refining, and reworking a plan for winning the game, a plan that’s practiced over and over until it’s perfect! We can see team captains and players referring

to the plan before each play What does a game plan have to do with a computer security policy? The game plan is actually a policy on how to win the game The team that identifies its capabilities and limitations, along with the capabilities and limitations of its opponents, will devise the best plan and the best chance of winning if they follow it.

Risks have been identified and policy has been defined in broad terms Next we look at concrete policies

Trang 12

Levels of Policy

• Recognize that policies can exist on

different levels

– Enterprise-wide/corporate policy – Division-wide policy

– Local policy – Issue-specific policy – Procedures and checklists

Unless you are at the top of the organizational hierarchy, there is likely to be a part of the

organization above your level that issues policy that you are expected to implement A common hierarchy for policy in an organization might look like this:

Enterprise-wide or Corporate Policy: the highest level (perhaps national); consists of high-level

documents that provide a direction or thrust to be implemented at lower levels in the enterprise

Division-wide Policy: typically consists of an amplification of enterprise-wide policy as well as

implementation guidance This level might apply to a particular region of a national corporation

Local Policy: contains information specific to the local organization or corporate element

Issue-specific Policy: policy related to specific issues, e.g firewall or anti-virus policy.

Security Procedures and Checklists: local Standard Operating Procedures (SOPs); derived from the

security policy

Trang 13

Objectives

• Identifying Security Policy

Policy

Trang 14

Identifying Security Policy

• Who does the procedure?

• What is the procedure?

• When is the procedure done?

• Where is the procedure done?

• Why is the procedure done?

Given specifics of the anti-virus rollout, how can we construct a policy?

Step 1: Who does the procedure? The network administrator rolls out anti-virus updates to local

desktops.

Why? To protect against virus infections Certain administrative rights are needed to configure the

push to users’ local drives.

Step 2: What is the procedure? Definitions are unpacked, and placed in a shared directory Login

scripts download the files, apply the update, and reboot the machines Machine names are flagged in the database as having been updated.

Why? Automate the process; create an exception list.

Step 3: When is the procedure done? The procedure is done weekly.

Why? To keep up-to-date with the latest virus attacks Our vendor rolls out new definitions every

Thursday.

Step 4: Where is the procedure done? The procedure is done from any administrative

workstation The procedure is applied to all desktops running Windows 9x at any location.

Why? No special location is required to apply the procedure All desktops need to have the most

current updates.

Trang 15

Objectives

• Evaluating Security Policy

Policy

Trang 16

Evaluating Security Policy

• What if your existing policy is

confusing and hard to read?

• What if it doesn’t cover all the

Trang 17

Evaluating Security Policy (2)

– Does it provide sufficient guidance?

Verify that the security policies contain the most common elements.

Look for the following elements (discussed earlier), and note what is missing: Purpose, Related

documents, Cancellation, Background, Scope, Policy statement, Responsibility, and Action (Note:

Not all sections are required If your search for a Policy Development Guide was successful, consult

it to determine required sections If there is no written guide, use the above template and check with other folks who have been successful in getting other policies signed and implemented.)

Examine the security policy to see if it is clear.

One simple way to test for clarity is to have one of the individuals identified as being responsible determine whether he or she understands the responsibility

Examine the security policy to see if it is concise.

A specific policy topic (e.g anti-virus signature updates) shouldn’t exceed two pages Many

organizations limit them to one page

Examine the policy to see if it is realistic.

Security policy shouldn’t require people to try to implement things that can’t be implemented

Examine the policy to see if it provides sufficient guidance so that a specific procedure can be developed from it.

Policies address what is to be done and why Procedures specify how things are done and are how policy ultimately gets implemented For example, if you have an Internet connection policy, you should be able to use that policy to create step-by-step procedures that allow you to configure your firewall Procedures are also the basis for written checklists

Tiêu đề	Basic Security Policy
Tác giả	Doug Austin, Alexander Bryce, Rob Dinehart, Brian M. Estep, Stephen Joyce, Carol Kramer, Randy Marchany, Stephen Northcutt, John Ritter, Matt Scarborough, Arrigo Triulzi, Eric Cole
Người hướng dẫn	Stephen Northcutt
Trường học	SANS Institute
Chuyên ngành	Information Security
Thể loại	bài viết
Năm xuất bản	2001
Thành phố	Unknown

Định dạng
Số trang	34
Dung lượng	443,13 KB