Security Policies COEN 250

Security Policies COEN 250. Elements of Information Protection Supports business objectives / mission of organization Integral part of due care Decision.

Dec 25, 2015

Chester Shaw
Page 1:

Security Policies

COEN 250

Page 2:

Elements of Information Protection

- Supports business objectives / mission of organization
- Integral part of due care
  - Decision makers have
    - Duty of Loyalty (decisions made in interest of org)
    - Duty of Care (protect assets of business)
- Cost-effective
  - Presupposes risk analysis

Page 3:

Elements of Information Protection

- Makes protection responsibilities and accountabilities explicit
  - Policy should identify roles and responsibilities of all employees
- Extends beyond the boundary of one’s organization
  - E.g. access to information is given to outsiders
  - Protection of others’ assets

Page 4:

Elements of Information Protection

- Requires a comprehensive and integrated approach
  - Needs to be part of the system development life cycle
  - Needs to extend to all groups in an organization

Page 5:

Elements of Information Protection

- Needs to be periodically reassessed
- Constrained by the culture of the organization

Page 6:

Information Protection

- Is more than just computer security
  - Data is stored in a variety of ways

Page 7:

Guidelines, Standards, Policies

- Title III of the E-Government Act (FISMA) tasks NIST with developing
  - Standards to be used by all federal agencies
  - Guidelines recommending Minimum Security Requirements (FIPS 200)

Page 8:

Policies, Procedures

- Information Security Policies
  - High level plans that describe the goals of procedures
- Procedures are implementation details

Page 9:

Purpose of Policies

- Regulatory compliance
  - Assumption is that existence of policies increases security of assets
- Liability Mitigation
  - Policies should reflect best practices, but are understood by the judicial system
- Auditing
  - Insurance companies need to assess risks of monetary damage due to break-ins
- Assigns roles and responsibilities in a systematic manner

Page 10:

Policies, Guidelines, Standards

- Policy written at a broad level requires supporting standards, procedures, guidelines
- Standards and guidelines specify technologies and methodologies to be used on secure systems
  - Standards: mandatory activities, actions, rules, or regulations
  - Guidelines: more general statements designed to achieve the policy objective
- Procedures are the detailed steps required to accomplish a particular task or process

Page 11:

In Class Exercise

- Develop for a parish organization, regarding access control to human resource files and donor databases:
  - A policy statement
  - A standard
  - A guideline
  - A procedure

Page 12:

Determination of Policy Needs

Page 13:

Policy Development

- Determine goal of policies
- Determine range of assets that need to be protected
- Can be developed as a collection of documents

Page 14:

Policy Development

- Preliminary risk assessment / analysis
  - Distinguish technical risk and process risk
- Use outsiders: select based on
  - up-to-date knowledge of security information
  - knowledge of industry best practices
  - relevant guidelines / standards
- Insiders have too large a stake in the outcome

Page 15:

Identification of Information Assets

- Map hardware / software to organization’s mission or business process
- Inventory assets
  - Includes also non-computer resources
    - Documentation about business processes
    - Pre-printed forms, …
      - Can be used to impersonate organization personnel
- Inventory human resources

Page 16:

Identification of Information Assets

- Identify threats and risks
  - Authorized / unauthorized access to resources / information
  - Unintended / unauthorized disclosure of information
  - Bugs / user errors

Page 17:

Excursus: Survivable Network Analysis Method

- Networks are becoming an integral part of business processes
- Networks are no longer under control of individual organizations

http://www.cert.org/archive/pdf/00tr013.pdf

Page 18:

Survivable Network Analysis Method

- Survivability = Capability of system to fulfill its mission
- Properties
  - Resistance to attacks
    - Strategies for repelling attacks
      - Authentication
      - Access controls
      - Encryption
      - Message filtering
      - Survivability wrappers
      - System diversification
      - Functional isolation
  - Recognition of attacks and damage
    - Strategies for detecting attacks and evaluating damage
      - Intrusion detection
      - Integrity checking

http://www.cert.org/archive/pdf/00tr013.pdf

Page 19:

Survivable Network Analysis Method

- Properties of survivable systems (cont.)
  - Recovery of essential and full services after attack
    - Strategies for limiting damage, restoring compromised information or functionality, maintaining or restoring essential services within mission time constraints, restoring full services
      - Redundant components
      - Data replication
      - System backup and restoration
      - Contingency planning
  - Adaptation and evolution to reduce effectiveness of future attacks
    - Strategies for improving system survivability based on knowledge gained from intrusions
      - New intrusion recognition patterns

http://www.cert.org/archive/pdf/00tr013.pdf

Page 20:

Survivable Network Analysis Method

http://www.cert.org/archive/pdf/00tr013.pdf

Page 21:

Survivable Network Analysis Method

- Need to add Survivability as an additional primary motivation / driver

http://www.cert.org/archive/pdf/00tr013.pdf

Page 22:

Survivable Network Analysis Method: Life Cycle Activities

- Mission Definition
  - Analysis of mission criticality and consequences of failure
  - Estimation of cost impact of denial of service attacks
- Concept of Operations
  - Definition of system capabilities in adverse environments
  - Enumeration of critical mission functions that must withstand attacks
- Project Planning
  - Integration of survivability into life-cycle activities
  - Identification of defensive coding techniques for implementation
- Requirements Definition
  - Definition of survivability requirements from mission perspective
  - Definition of access requirements for critical system assets during attacks
- System Specification
  - Specification of essential service and intrusion scenarios
  - Definition of steps that compose critical system transactions

http://www.cert.org/archive/pdf/00tr013.pdf

Page 23:

Survivable Network Analysis Method: Life Cycle Activities

- System Architecture
  - Integration of survivability strategies into architecture definition
  - Creation of network facilities for replication of critical data assets
- System Design
  - Development and verification of survivability strategies
  - Correctness verification of data encryption algorithms
- System Implementation
  - Application of survivability coding and implementation techniques
  - Definition of methods to avoid buffer overflow vulnerabilities
- System Testing
  - Treatment of intruders as users in testing and certification
  - Addition of intrusion usage to usage models for statistical testing
- System Evolution
  - Improvement of survivability to prevent degradation over time
  - Redefinition of architecture in response to changing threat environment

http://www.cert.org/archive/pdf/00tr013.pdf

Page 24:

Survivable Network Analysis Method

- Step 1: System Definition
- Step 2: Essential Capability Definition
- Step 3: Compromisable Capability Definition
  - Set of representative intrusions is selected
  - Intrusion scenarios are defined and traced through the architecture to identify compromisable components that intrusions could damage
- Step 4: Survivability Analysis

http://www.cert.org/archive/pdf/00tr013.pdf

Page 25:

Survivable Network Analysis Method

http://www.cert.org/archive/pdf/00tr013.pdf

Page 26:

Survivable Network Analysis Method: Key Points

- Two types of network usage scenario
  - NUS: Normal Usage Scenario
  - IUS: Intrusion Usage Scenario

http://www.cert.org/archive/pdf/00tr013.pdf
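
The four SNA steps and the NUS/IUS distinction above can be run as an analysis rather than only listed. The following is an added example, not code from the slides or from the CERT report: it models a system definition as a dependency graph, traces each Normal Usage Scenario down the graph to find essential components (Step 2), traces each Intrusion Usage Scenario up the graph to find compromisable components (Step 3), and reports the intersection as the softspots where survivability strategies are needed first (Step 4). The architecture, component names and scenarios are constructed for illustration.

```python
"""Survivable Network Analysis steps 2-4 on a small constructed architecture.

Added example (not from the slides or the CERT report). The component
names, dependency graph and scenarios below are constructed.
"""
from typing import Dict, Set

# Step 1, system definition: component -> components it depends on.
# Constructed architecture for a small organization's donor-management system.
ARCHITECTURE: Dict[str, Set[str]] = {
    "web_frontend": {"app_server"},
    "app_server": {"donor_db", "auth_service"},
    "reporting": {"donor_db"},
    "auth_service": {"ldap"},
    "donor_db": {"san_storage"},
    "public_website": {"cms"},
    "cms": set(),
    "ldap": set(),
    "san_storage": set(),
}

# Normal Usage Scenarios (NUS): essential service -> component it enters at.
NORMAL_SCENARIOS = {
    "donor lookup by staff": "web_frontend",
    "monthly financial report": "reporting",
}

# Intrusion Usage Scenarios (IUS): intrusion -> component it compromises first.
INTRUSION_SCENARIOS = {
    "stolen directory admin credentials": "ldap",
    "defacement of the public website CMS": "cms",
}


def _reach(start: str, edges: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure of `start` over `edges` (iterative depth-first)."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(edges.get(node, set()))
    return seen


def essential_components(arch: Dict[str, Set[str]], normal_scenarios: Dict[str, str]) -> Set[str]:
    """Step 2: every component some essential service depends on, directly
    or through other components (trace each NUS down the dependency graph)."""
    essential: Set[str] = set()
    for entry in normal_scenarios.values():
        essential |= _reach(entry, arch)
    return essential


def compromisable_components(arch: Dict[str, Set[str]], intrusion_scenarios: Dict[str, str]) -> Set[str]:
    """Step 3: trace each IUS up the dependency graph; a compromised
    component also exposes everything that relies on it."""
    dependents: Dict[str, Set[str]] = {}
    for comp, deps in arch.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(comp)
    compromised: Set[str] = set()
    for hit in intrusion_scenarios.values():
        compromised |= _reach(hit, dependents)
    return compromised


def softspots(arch: Dict[str, Set[str]], normal_scenarios: Dict[str, str],
              intrusion_scenarios: Dict[str, str]) -> Set[str]:
    """Step 4: softspot components are both essential and compromisable.
    These are where resistance / recognition / recovery strategies go first."""
    return (essential_components(arch, normal_scenarios)
            & compromisable_components(arch, intrusion_scenarios))


if __name__ == "__main__":
    for name in sorted(softspots(ARCHITECTURE, NORMAL_SCENARIOS, INTRUSION_SCENARIOS)):
        print("softspot:", name)
```

On the constructed architecture the CMS defacement scenario compromises the public website but touches no essential service, so it yields no softspot; the stolen directory credentials propagate through the authentication service into the application server and web front end, which is where the analysis says to place recognition and recovery measures.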

Page 27-28:

Data Security Considerations

- Information systems are about the flow and usage of data.
- Data handling
  - Policies: how data is handled and how to maintain integrity and confidentiality of data
  - Existence of third party data
    - Personal data
    - Personnel data
  - Privacy protection
  - COTS (Commercial Off-The-Shelf) software licensing

Page 29:

Data Security Considerations

- Information systems are about the flow and usage of data.
- Backups, Archival Storage, Disposal of Data
  - Backups
    - Which data to back up
    - Frequency of backups
    - Revision of backup procedures
    - On-site vs. off-site storage of data

Page 30:

Data Security Considerations

- Information systems are about the flow and usage of data.
- Backups, Archival Storage, Disposal of Data
  - Archival Storage of Backups
    - Retention period
    - Readability assurance
    - Media life time < retention period
  - Disposal of Data
    - Dumpster diving
    - Analysis of old hard drives

Page 31:

Data Security Considerations

- Information systems are about the flow and usage of data.
- Intellectual Property Rights and Policies
  - Who owns the rights to IP
  - Interaction with documents under IP control
  - Labeling for IP enforcement
    - Otherwise dissemination might destroy IP
- Incident Response and Forensics
  - Single point of contact = Assignment of responsibilities
  - Procedures

Page 32:

Information Security Mission Statement

Page 33:

Why a Mission Statement

- Mission statements establish scope of responsibility for each department
- Explain function of Information Assurance within the organization
- Pressures that push towards information assurance
  - regulations and laws
  - fear of litigation
  - risks and costs
- ISO 17799 Section 4 Organization Security

Page 34:

Business Goals vs. Security Goals

- Information Security is never a fundamental goal of any organization
- Business objectives are obtained from
  - Agencies
    - Law, constitution
  - Business
    - Report to stockholders
    - Organizational charts
    - Strategic planning information
    - Annual corporate budget proposals
    - Interviews with staff members

Page 35:

Computer Security Objectives

- Before writing mission statement, explore elements of a comprehensive information security program
  - Ensure accuracy and integrity of data
  - Protect classified data
  - Protect against unauthorized access, modification, destruction, or disclosure of data
  - Ensure ability to survive the loss of computing capacity
  - Ensure management support for development and implementation of security policies
  - Protect management from charges of imprudence in the event of a compromise
  - Protect against errors and omissions in data

Page 36:

Format

- Brief paragraph: Overall goals of CompuSec program
- List of responsibilities

Page 37:

ISO 17799-4.1.3

- Responsibilities for carrying out specific security processes shall be clearly defined.
- Might establish role of information security manager.
- Typically, responsibility for implementing controls remains with individual managers
- Common practice: appoint an owner for each information asset

Page 38:

NIST SP 800-55 Chapter 2

- Specifies responsibilities for
  - Agency head
  - Chief Information Officer (CIO)
  - Senior Agency Information Security Officer
  - Program Manager / Information System Owner
  - Information System Security Officer (ISSO)

Page 39:

Sample Mission Statement

Page 40:

Example

To provide the Corporation with the highest level of visibility and support for the philosophy of protection and to provide the organization with a focal point for solving information protection problems.

Information Protection Group Responsibilities:

1. Keep information protection policies and practices current.

2. Prepare, publish, and maintain ISO guidelines and standards for information protection.

3. Answer all inquiries on compliance and interpretation of corporate policies and ISO practices.

4. Develop, implement, and maintain the Corporate Information Protection Awareness Program.

Page 41:

Example

5. Assist the Corporate Organization Information Protection Coordinators (OIPCs) to develop, implement, and maintain their local information protection programs.

6. Develop, implement, and maintain standard risk assessment tools for use in determining critical corporate resources.

7. Ensure the criteria for determining sensitive information and critical applications and systems are current and appropriate to the needs of the Corporation.

8. Coordinate the development, testing, and maintenance of a data center Business Continuity Plan (BCP).

9. Assist OIPCs in the development of their organization BCPs.

Page 42:

Example

10. Review new system access and information protection products and make recommendations on these products to ensure they meet minimum corporate requirements.

11. Provide account administration across all platforms.

12. Provide consulting support for all application development projects.

13. Act as an audit liaison for all information and computer security related matters.

14. Assist in the investigation and reporting of computer thefts, intrusions, viruses, and breaches of information protection controls.

15. Assist in the development of effective monitoring programs to ensure that corporate information is protected as required.

Peltier: Information Security Policies, Procedures, and Standards, Auerbach, 2002

Page 43:

Support for Mission Statement

- Needs approval by head of agency
  - Chairman of the Board
  - CEO, CFO, CIO

Page 44:

Creating Standards

Page 45:

Success Criteria for Standards

- There must be a commitment to the standard
- Standards must be
  - Reasonable
  - Flexible
  - Current
  - Reviewed regularly

Page 46:

Standard Commitment

- Commitment must start with senior management
- Pass down to line management

Page 47:

Policies, Standards, Procedures

- Policy: States a goal in general terms
- Standards: Define what is to be accomplished in specific terms
- Procedures: How to meet the standards

Page 48:

What belongs in a standard

- Sources and Examples
  - ISO 17799 – BS 7799
  - NIST SP and FIPS
- Standards require compliance
  - Not following self-set standards can have legal consequences
- Do not over-specify standards
  - Standards need to be up-to-date, but changing standards is costly
  - Should be used judiciously
- Standards need to be substantial enough

Page 49:

Writing Procedures

Page 50:

Procedure Contents

- Level of Specificity varies from organization to organization
- How to:
  - Establish need for procedure
  - Identify target audience
  - Describe task that procedure will cover
  - Make the intent known to users
  - Describe procedure

Page 51:

Procedure Checklist

1. Title
2. Intent
3. Scope
4. Responsibilities
5. Sequence of events
6. Approvals
7. Prerequisites
8. Definitions
9. Equipment required
10. Warnings
11. Precautions
12. Procedure body
    This lists the actual steps to be performed in the execution of the procedure

Page 52:

Involving Local Experts

- Local experts – employees who will handle procedure
- Possibilities:
  - Let local experts write procedure
    - Typically, will be delayed since it adds to the workload
    - Typically, procedure not well written and over-technical
  - Conduct interviews with local experts and use documentation expert
    - Needs to be verified by local experts
  - Create review panel
    - Ascertain that procedures described are in place (or almost in place)

Page 53:

Procedure Styles

- Headline Styles: Title lines placed above text
- Captions: Words appear in left margin of text
- Matrix
- Narrative
- Flowchart
- Playscript

Page 54:

Examples

Page 55:

Physical Security

Page 56:

Problems

- Sometimes, security depends on physical security
  - Access to logs
  - Access to consoles
- Computer equipment needs to be protected against mishaps
  - Server room in basement subject to flooding when water main breaks
  - Pollution even less tolerated by computers
    - Air vent for emergency generators next to air conditioning intake for computer room

Page 57:

Physical Security

- Facility requirements
  - Locks and barriers
  - Access Control
  - Environmental support
    - Air conditioning
    - Power
    - Humidity

Page 58:

Example Policy

Computing facilities shall be of sufficient size and not be located on the ground floor, with multiple entry doors and more than one fire exit.

The area reserved for servers should have sufficient environmental controls for temperature and humidity.

Each server facility shall have an automated access control that includes procedures to add and remove the access rights of people. The procedures should be auditable. Furthermore, access to server facilities should be logged.

Visitors shall be required to provide identification before entering any server facility and shall be escorted during their presence on the premises.

Page 59:

Physical Security

- Policy does not (yet) address
  - Contingency planning
    - Disaster recovery
    - Intrusion recovery
  - System Maintenance
  - Audits
  - Staffing

Page 60:

Authentication and Network Setup

Page 61:

Networking Layout Concerns

- DHCP
- DNS
- Addressing
  - Expanding networks, creating subnets
  - Non-routable addressing
  - Plan ahead for merging networks
    - Use addresses not likely to be duplicated after merger
    - E.g. use 10.29.100.X instead of 10.0.0.X
  - Address assignment
    - Static
    - Dynamic
    - Mixed
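
The "plan ahead for merging networks" point can be checked mechanically before two address plans are joined. The following is an added example, not code from the slides: it uses the standard library's ipaddress module to flag subnets outside RFC 1918 non-routable space and subnets of one organization that overlap those of the other. The two address plans are constructed; the naive plan uses 10.0.0.X as the slide warns against, the better plan uses 10.29.100.X.

```python
"""Sanity checks for an internal address plan ahead of a network merger.

Added example (not from the slides). Both address plans are constructed;
the point is the check, not the specific ranges.
"""
import ipaddress
from typing import List

# RFC 1918 non-routable ("private") address space.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed plans: our current plan, a better plan, and the acquired organization's plan.
NAIVE_PLAN = ["10.0.0.0/24", "10.0.1.0/24"]
BETTER_PLAN = ["10.29.100.0/24", "10.29.101.0/24"]
ACQUIRED_ORG = ["10.0.0.0/24", "192.168.1.0/24", "203.0.113.0/24"]


def is_non_routable(net: ipaddress.IPv4Network) -> bool:
    """True if the subnet lies entirely inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def plan_problems(ours: List[str], theirs: List[str]) -> List[str]:
    """Report subnets outside RFC 1918 space and subnets that would collide
    once the two networks are joined (an overlap makes routing ambiguous
    and usually forces a renumbering of one side)."""
    problems: List[str] = []
    ours_n = [ipaddress.ip_network(c) for c in ours]
    theirs_n = [ipaddress.ip_network(c) for c in theirs]
    for net in ours_n + theirs_n:
        if not is_non_routable(net):
            problems.append(f"{net} is outside RFC 1918 non-routable space")
    for a in ours_n:
        for b in theirs_n:
            if a.overlaps(b):
                problems.append(f"{a} (ours) overlaps {b} (theirs)")
    return problems


if __name__ == "__main__":
    for label, plan in (("naive", NAIVE_PLAN), ("better", BETTER_PLAN)):
        print(label, "plan:", plan_problems(plan, ACQUIRED_ORG) or "no problems")
```

The check flags 203.0.113.0/24 in both runs because it is a documentation range rather than RFC 1918 space; only the naive plan additionally collides with the acquired organization on 10.0.0.0/24.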

Page 62:

Network Access Policy Topics

- Gateways
- Dial-In / Dial-Out access
- Wireless access points
- Internet connections
- Virtual Private Networks

Page 63:

Network Access Policy Topics

- Login Security
  - Login Requirements and Procedures
  - Account Creation and Management
    - Guest accounts
    - Dormant accounts
    - Employee termination procedures
  - Login banners
  - Login controls
  - Login reporting

Page 64:

Network Access Policy Topics

- Session Restrictions
  - Users accessing sensitive information should take additional precautions
- Special Privileges
  - Some uses require special privileges
    - Root access to computers
    - Running dangerous applications
      - Sniffers, Intrusion Detection, Absence of anti-virus tools

Page 65:

Password Policies

- Password Strength
- Password Storage
- Default Passwords
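
The three policy topics on this slide are easier to enforce than to state. The following is an added example, not code from the slides: a strength check that returns the specific rule a password violates, salted PBKDF2-HMAC-SHA256 storage with a constant-time comparison, and an audit that finds accounts whose stored hash still verifies against a default-password list. The minimum length, the denylist and the accounts are constructed; a real deployment would load vendor default and breached-password lists and a current iteration count.

```python
"""Password policy as code: strength rules, salted storage, default-password audit.

Added example (not from the slides). MIN_LENGTH, DEFAULT_PASSWORDS and the
accounts used in the demo are constructed values.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

MIN_LENGTH = 12                # constructed policy value
PBKDF2_ITERATIONS = 600_000    # raise over time; stored with each hash
# Constructed stand-in for a vendor default-password list.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678", "letmein"}


def check_strength(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        violations.append("uses fewer than 3 character classes")
    if password.lower() in DEFAULT_PASSWORDS:
        violations.append("is a known default password")
    return violations


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$<iters>$<salt>$<digest>'.
    Storing the iteration count lets the cost be raised later without
    invalidating existing records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_default_passwords(accounts: Dict[str, str]) -> List[str]:
    """Given account -> stored hash, return the accounts still on a default
    password. This turns the 'Default Passwords' policy item into a check."""
    return sorted(user for user, stored in accounts.items()
                  if any(verify_password(d, stored) for d in DEFAULT_PASSWORDS))


if __name__ == "__main__":
    print(check_strength("admin"))
    record = hash_password("Correct-Horse-Battery-7")
    print(verify_password("Correct-Horse-Battery-7", record))
```

The audit works only because the stored format is salted per account: the auditor must hash each candidate against each account's own salt, which is the same property that stops an attacker from testing one guess against every account at once.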

Page 66:

Telecommuting / Remote Access

- Employee Equipment
  - What can be used?
  - How is it protected?
- Employee Responsibilities

Page 67:

Internet Connection Policy (Firewalls etc.)

Page 68:

Firewall Policies

- Policies for
  - incoming traffic
  - outgoing traffic
- Establishment of a DMZ
  - Services located in DMZ
  - Protection of services in DMZ
- Resulting policies for users
  - No usenet postings
    - Because usenet postings allow network reconnaissance …

Page 69:

HTTP – WWW – Policies

- Web Browser Settings
- Running and Downloading Mobile Code
  - ActiveX
  - JavaScript
    - Cross-site scripting attacks
  - Java
- Content Filtering
- Privacy Expectations

Page 70:

E-mail Related Policies

Page 71:

Email

- Establish right to monitor email
- Handling, scanning, archiving email
- Use of email for confidential data
- Digital signing of email

Page 72:

Virus Protection

Page 73:

Virus Protection Policies

All users shall have anti-virus protection software installed before or when connecting the system to the network.

Users shall participate in keeping the anti-virus protection software updated and shall not disable its facilities.

When software installation requires the disabling of the anti-virus tool, users shall scan the system immediately after installation.

Page 74:

System Integrity Checking

- Give criteria when system shall be “trip-wired”

Page 75:

Software Updates and Installations

- Rules for handling third party software

Page 76:

Encryption

Page 77:

Legal Issues

- Use of encryption can be restricted by law (Export Controls)
- Some countries forbid the use of encryption in communication without giving keys to a government agency.
- Warrants affecting encrypted data
  - Key recovery

Page 78:

Crypto-Issues

- Key generation
- Key management
  - Disclosure
  - Storage
  - Transmission

Page 79:

Acceptable Use Policy

Page 80:

Acceptable Use Policy (AUP)

- Summarizes overall policy for users
- Lays out requirements and duties of users.
- Needs to be short.
- Will be signed by user when hired / given access.

Page 81:

Compliance & Enforcement

Page 82:

Effectiveness of Policies

- Establish User Training Guidelines
- Establish measures of compliance
  - Records of security violations
  - Records of exceptions made
- Responsibility for publishing policy changes

Page 83:

Effectiveness of Policies

- Monitoring, Controls, Remedies, Sanctions
- Establish administrator responsibilities
- Establish right to log

Page 84:

Incident Response

Page 85:

Incident Response

- Assign responder responsibility
- Plan for interaction with law enforcement

Page 86:

Policy Review

Page 87:

Policy Review Process

- Review triggered by
  - Incidents
  - Number of exceptions to established policies
  - Recognition of new threats