
Mar 27, 2015


Ava Warner

How To Build A Successful Security Infrastructure

Policies and Procedures

Trust Models

Security Policy Basics

Policy Design Process

Key Security Policies

Key Security Procedures

Security Policies - Why use them?

Without security policies, you have no general security framework.

Policies define what behavior is and is not allowed.

Policies will often set the stage in terms of what tools and procedures are needed for the organization.

Policies communicate consensus among a group of “governing” people.

Computer security is now a global issue and computing sites are expected to follow the “good neighbor” philosophy.

Who and What to Trust

Trust is a major principle underlying the development of security policies.

Initial step is to determine who gets access.
  - use principle of least access

Deciding on level of trust is a delicate balancing act.
  - too much -> eventual security problems
  - too little -> difficult to find and keep satisfied employees

How much should you trust resources?

How much should you trust people?

Possible Trust Models

Trust everyone all of the time
  - easiest to enforce, but impractical
  - one bad apple can ruin the whole barrel

Trust no one at no time
  - most restrictive, but also impractical
  - impossible to find employees to work under such conditions

Trust some people some of the time
  - exercise caution in amount of trust placed in employees
  - access is given out as needed
  - technical controls are needed to ensure trust is not violated

Section Three: Policies and Procedures

Trust Models

Security Policy Basics

Policy Design Process

Key Security Policies

Key Security Procedures

Why the Political Turmoil?

People view policies as:
  - an impediment to productivity
  - measures to control behavior

People have different views about the need for security controls.

People fear policies will be difficult to follow and implement.

Policies affect everyone within the organization
  - most people resist measures which impede productivity
  - some people strongly resist change
  - some people strongly resist the “big brother syndrome”
  - some people just like to “rock the boat”

Who Should be Concerned?

Users - policies will affect them the most.

System support personnel - they will be required to implement and support the policies.

Managers - concerned about protection of data and the associated cost of the policy.

Business lawyers and auditors - are concerned about company reputation, responsibility to clients/customers.


The Policy Design Process

Choose the policy development team.

Designate a person or “body” to serve as the official policy interpreter.

Decide on the scope and goals of the policy.
  - scope should be a statement about who is covered by the policy.

Decide on how specific to make the policy
  - not a detailed implementation plan
  - don’t include facts which change frequently

The Policy Design Process

All people affected by the policy should be provided an opportunity to review and comment on the policy before it becomes official.
  - very unrealistic for large organizations
  - often difficult to get the information out and ensure people read it.

Incorporate policy awareness as a part of employee orientation.

Provide refresher overview course on policies once or twice a year.

Basic Requirements

Policies must:
  - be implementable and enforceable
  - be concise and easy to understand
  - balance protection with productivity
  - be updated regularly to reflect the evolution of the organization

Policies should:
  - state reasons why policy is needed
  - describe what is covered by the policies - whom, what, and where
  - define contacts and responsibilities to outside agencies
  - discuss how violations will be handled

Determining Level of Control

Security needs and culture play major role.

Security policies MUST balance level of control with level of productivity.

If policies are too restrictive, people will find ways to circumvent controls.

Technical controls are not always possible.

Must have management commitment on level of control.

Choosing A Policy Structure

Dependent on company size and goals.

One large document or several small ones?
  - smaller documents are easier to maintain and update

Some policies are appropriate for every site; others are specific to certain environments.

Some key policies:
  - Acceptable Use
  - User Account
  - Remote Access
  - Information Protection


The Acceptable Use Policy

Discusses and defines the appropriate use of the computing resources.

Users should be required to read and sign AU policy as part of the account request process.

Many examples of AU policies can be found on:
  - http://www.eff.org/pub/CAF/policies/

Some Elements of the Acceptable Use Policy

Should state responsibility of users in terms of protecting information stored on their accounts.

Should state if users can read and copy files that are not their own, but are accessible to them.

Should state if users can modify files that are not their own, but for which they have write access.

Should state if users are allowed to make copies of systems configuration files (e.g., /etc/passwd) for their personal use, or to provide to other people.

Acceptable Use Policy

Should state if users are allowed to use .rhosts files and what types of entries are acceptable.

Should state if users can share accounts.

Should state if users can make copies of copyrighted software.

Should state level of acceptable usage for electronic mail, Internet news and web access.

User Account Policy

Outlines the requirements for requesting and maintaining an account on the systems.

Very important for large sites where users typically have accounts on many systems.

Some sites have users read and sign an Account Policy as part of the account request process.

Example User Account Policies are also available on the CAF archive along with the Acceptable Use Policies.
  - http://www.eff.org/pub/CAF/policies/

Elements of a User Account Policy

Should state who has the authority to approve account requests.

Should state who is allowed to use the resources (e.g., employees or students only)

Should state any citizenship/resident requirements.

Should state if users are allowed to share accounts or if users are allowed to have multiple accounts on a single host.

Should state the users’ rights and responsibilities.

Elements of User Account Policy

Should state when the account should be disabled and archived.

Should state how long the account can remain inactive before it is disabled.

Should state password construction and aging rules.

Remote Access Policy

Outlines and defines acceptable methods of remotely connecting to the internal network.

Essential in large organizations where networks are geographically dispersed and even extend into the homes.

Should cover all available methods to remotely access internal resources:
  - dial-in (SLIP, PPP)
  - ISDN/Frame Relay
  - telnet access from Internet
  - Cable modem

Elements of Remote Access Policy

Should define who is allowed to have remote access capabilities.

Should define what methods are allowed for remote access.

Should discuss if dial-out modems are allowed.

Should discuss who is allowed to have high-speed remote access such as ISDN, Frame Relay or cable modem.
  - what extra requirements are there?
  - can other members of household use network?

Elements of Remote Access Policy

Should discuss any restrictions on data that can be accessed remotely.

If partner connections are commonplace, should discuss requirements and methods.

Information Protection Policy

Provides guidelines to users on the processing, storage and transmission of sensitive information.

Main goal is to ensure information is appropriately protected from modification or disclosure.

May be appropriate to have new employees sign policy as part of their initial orientation.

Should define sensitivity levels of information.

Key Elements of Information Protection Policy

Should define who can have access to sensitive information.
  - special circumstances
  - non-disclosure agreements

Should define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc).

Should define on which systems sensitive information can be stored.

Should discuss what levels of sensitive information can be printed on physically insecure printers.

Key Elements of Information Protection Policy

Should define how sensitive information is removed from systems and storage devices.
  - degaussing of storage media
  - scrubbing of hard drives
  - shredding of hardcopy output

Should discuss any default file and directory permissions defined in system-wide configuration files.

Firewall Management Policy

Describes how firewall hardware and software are managed and how changes are requested and approved.

Should discuss who can obtain privileged access to firewall systems.

Should discuss the procedure to request a firewall configuration change and how the request is approved.

Should discuss who is allowed to obtain information regarding the firewall configuration and access lists.

Should discuss review cycles for firewall system configurations.

Special Access Policy

Defines requirements for requesting and using special systems accounts (root, bkup,).

Should discuss how users can obtain special access.

Should discuss how special access accounts are audited.

Should discuss how passwords for special access accounts are set and how often they are changed.

Should discuss reasons why special access is revoked.

Network Connection Policy

Defines requirements for adding new devices to the network.

Well suited for sites with multiple support teams.

Important for sites which are not behind a firewall.

Should discuss:
  - who can install new resources on network
  - what approval and notification must be done
  - how changes are documented
  - what are the security requirements
  - how unsecured devices are treated

Other Important Policies

Policy which addresses forwarding of email to offsite addresses.

Policy which addresses wireless networks.

Policy which addresses baseline lab security standards.

Policy which addresses baseline router configuration parameters.


Security Procedures

Policies only define "what" is to be protected. Procedures define "how" to protect resources and are the mechanisms to enforce policy.

Procedures define detailed actions to take for specific incidents.

Procedures provide a quick reference in times of crisis.

Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis).

Configuration Management Procedure

Defines how new hardware/software is tested and installed.

Defines how hardware/software changes are documented.

Defines who must be informed when hardware and software changes occur.

Defines who has authority to make hardware and software configuration changes.

Data Backup and Off-site Storage Procedures

Defines which file systems are backed up.

Defines how often backups are performed.

Defines how often storage media is rotated.

Defines how often backups are stored off-site.

Defines how storage media is labeled and documented.

Security Incident Escalation Procedure

A "cookbook" procedure for frontline support personnel.

Defines who to call and when.

Defines initial steps to take.

Defines initial information to record.

Incident Handling Procedure

Defines how to handle intruder attacks.

Defines areas of responsibilities for members of the response team.

Defines what information to record and track.

Defines who to notify and when.

Defines who can release information and the procedure for releasing the information.

Defines how a follow-up analysis should be performed and who will participate.

Disaster Planning and Response

A disaster is a large-scale event which affects major portions of an organization.
  a major earthquake, flood, hurricane, or tornado
  a major power outage lasting > 48 hours
  destruction of building structures

Main goal of plan is to outline tasks to keep critical resources running and to minimize impact of disaster.

Ensure critical information needed for disaster response is kept off-site and easily accessible after the onset of a disaster.

Disaster Planning and Response

Plan should outline several operating modes based on level of damage to resources.

Determine the need for “hot” or “cold” sites.

Disaster preparedness drills should be conducted several times a year.

Resources For Security Policies and Procedures

RFC2196 - The Site Security Procedures Handbook
  obsoletes rfc1244 as of 9/97.
  http://ds.internic.net/rfc/rfc2196.txt

Some useful Web sites:
  http://www.gatech.edu/itis/policy/usage/contents.html
  http://csrc.ncsl.nist.gov/secplcy/

Section Three Recap

Ensure policies and procedures are provided to managers, users and support staff.

Ensure policies are in line with the security philosophy and any regulations the organization is required to follow.

Ensure policies are reviewed on a regular basis and are updated as necessary.

Ensure sufficient training is provided on a regular basis.

Section Three Recap

Important policies every site should have:
  Acceptable Use Policy
  Remote Access Policy
  Information Protection Policy
  Firewall Management Policy

Important procedures every site should have:
  Configuration Management Procedure
  Data Backup and Off-site Storage
  Incident Handling Procedure
  Disaster Recovery Procedure