Security Policies COEN 250
Dec 25, 2015
Elements of Information Protection
  Supports the business objectives / mission of the organization
  Integral part of due care
    Decision makers have a
      Duty of Loyalty (decisions made in the interest of the organization)
      Duty of Care (protect the assets of the business)
  Cost-effective
    Presupposes a risk analysis
Elements of Information Protection
  Makes protection responsibilities and accountabilities explicit
    Policy should identify the roles and responsibilities of all employees
  Extends beyond the boundary of one's organization
    E.g. access to information is given to outsiders
    Protection of others' assets
Elements of Information Protection
  Requires a comprehensive and integrated approach
    Needs to be part of the system development life cycle
    Needs to extend to all groups in an organization
Elements of Information Protection
  Needs to be periodically reassessed
  Constrained by the culture of the organization
Information Protection
  Is more than just computer security
    Data is stored in a variety of ways.
Guidelines, Standards, Policies
  Title III of the E-Government Act (FISMA) tasks NIST with developing
    Standards to be used by all federal agencies
    Guidelines recommending Minimum Security Requirements (FIPS 200)
Policies, Procedures
  Information Security Policies
    High-level plans that describe the goals of procedures
  Procedures are the implementation details
Purpose of Policies
  Regulatory compliance
    Assumption is that the existence of policies increases the security of assets
  Liability mitigation
    Policies should reflect best practices, but be understood by the judicial system
  Auditing
    Insurance companies need to assess the risk of monetary damage due to break-ins
  Assigns roles and responsibilities in a systematic manner
Policies, Guidelines, Standards
  A policy written at a broad level requires supporting standards, procedures, and guidelines
  Standards and guidelines specify the technologies and methodologies to be used on secure systems
    Standards: mandatory activities, actions, rules, or regulations
    Guidelines: more general statements designed to achieve the policy objective
  Procedures are the detailed steps required to accomplish a particular task or process
In Class Exercise
  Develop, for a parish organization, regarding access control to human resource files and donor databases:
    A policy statement
    A standard
    A guideline
    A procedure
Determination of Policy Needs
Policy Development
  Determine the goal of the policies
  Determine the range of assets that need to be protected
  Can be developed as a collection of documents
Policy Development
  Preliminary risk assessment / analysis
    Distinguish technical risk and process risk
  Use outsiders; select them based on
    up-to-date knowledge of security information
    knowledge of industry best practices
    relevant guidelines / standards
  Insiders have too much of a stake in the outcome
Identification of Information Assets
  Map hardware / software to the organization's mission or business process.
  Inventory assets
    Also includes non-computer resources
      Documentation about business processes
      Pre-printed forms, ...
        Can be used to impersonate organization personnel
  Inventory human resources
Identification of Information Assets
  Identify threats and risks
    Authorized / unauthorized access to resources / information
    Unintended / unauthorized disclosure of information
    Bugs / user errors
Excursion: Survivable Network Analysis Method
  Networks are becoming an integral part of business processes
  Networks are no longer under the control of individual organizations
http://www.cert.org/archive/pdf/00tr013.pdf
Survivable Network Analysis Method
  Survivability = capability of a system to fulfill its mission
  Properties
    Resistance to attacks
      Strategies for repelling attacks
        Authentication
        Access controls
        Encryption
        Message filtering
        Survivability wrappers
        System diversification
        Functional isolation
    Recognition of attacks and damage
      Strategies for detecting attacks and evaluating damage
        Intrusion detection
        Integrity checking
Survivable Network Analysis Method
  Properties of survivable systems (cont.)
    Recovery of essential and full services after attack
      Strategies for limiting damage, restoring compromised information or functionality, maintaining or restoring essential services within mission time constraints, restoring full services
        Redundant components
        Data replication
        System backup and restoration
        Contingency planning
    Adaptation and evolution to reduce the effectiveness of future attacks
      Strategies for improving system survivability based on knowledge gained from intrusions
        New intrusion recognition patterns
Survivable Network Analysis Method
  Need to add survivability as an additional primary motivation / driver
Survivable Network Analysis Method: Life Cycle Activities
  Mission Definition
    Analysis of mission criticality and consequences of failure
    Estimation of the cost impact of denial of service attacks
  Concept of Operations
    Definition of system capabilities in adverse environments
    Enumeration of critical mission functions that must withstand attacks
  Project Planning
    Integration of survivability into life-cycle activities
    Identification of defensive coding techniques for implementation
  Requirements Definition
    Definition of survivability requirements from a mission perspective
    Definition of access requirements for critical system assets during attacks
  System Specification
    Specification of essential service and intrusion scenarios
    Definition of the steps that compose critical system transactions
Survivable Network Analysis Method: Life Cycle Activities (cont.)
  System Architecture
    Integration of survivability strategies into the architecture definition
    Creation of network facilities for replication of critical data assets
  System Design
    Development and verification of survivability strategies
    Correctness verification of data encryption algorithms
  System Implementation
    Application of survivability coding and implementation techniques
    Definition of methods to avoid buffer overflow vulnerabilities
  System Testing
    Treatment of intruders as users in testing and certification
    Addition of intrusion usage to usage models for statistical testing
  System Evolution
    Improvement of survivability to prevent degradation over time
    Redefinition of the architecture in response to a changing threat environment
Survivable Network Analysis Method
  Step 1: System Definition
  Step 2: Essential Capability Definition
  Step 3: Compromisable Capability Definition
    A set of representative intrusions is selected
    Intrusion scenarios are defined and traced through the architecture to identify compromisable components that intrusions could damage
  Step 4: Survivability Analysis
Survivable Network Analysis Method: Key Points
  Two types of network usage scenario
    NUS: Normal Usage Scenario
    IUS: Intrusion Usage Scenario
Data Security Considerations
  Information systems are about the flow and usage of data.
  Data handling
    Policies: how data is handled and how to maintain the integrity and confidentiality of data
    Existence of third-party data
      Personal data
      Personnel data
    Privacy protection
    COTS (Commercial Off-The-Shelf) software licensing
Data Security Considerations
  Information systems are about the flow and usage of data.
  Backups, Archival Storage, Disposal of Data
    Backups
      Which data to back up
      Frequency of backups
      Revision of backup procedures
      On-site vs. off-site storage of data
Data Security Considerations
  Backups, Archival Storage, Disposal of Data (cont.)
    Archival storage of backups
      Retention period
      Readability assurance
        Media lifetime < retention period
    Disposal of data
      Dumpster diving
      Analysis of old hard drives
Data Security Considerations
  Intellectual Property Rights and Policies
    Who owns the rights to the IP
    Interaction with documents under IP control
    Labeling for IP enforcement
      Otherwise dissemination might destroy the IP
Incident Response and Forensics
  Single point of contact = assignment of responsibilities
  Procedures
Information Security Mission Statement
Why a Mission Statement
  Mission statements establish the scope of responsibility for each department
  Explain the function of Information Assurance within the organization
  Pressures that push towards information assurance
    regulations and laws
    fear of litigation
    risks and costs
ISO 17799 Section 4: Organization Security
Business Goals vs. Security Goals
  Information security is never a fundamental goal of any organization
  Business objectives are obtained from
    Agencies: law, constitution
    Business: reports to stockholders, organizational charts, strategic planning information, annual corporate budget proposals, interviews with staff members
Computer Security Objectives
  Before writing the mission statement, explore the elements of a comprehensive information security program
    Ensure accuracy and integrity of data
    Protect classified data
    Protect against unauthorized access, modification, destruction, or disclosure of data
    Ensure the ability to survive the loss of computing capacity
    Ensure management support for the development and implementation of security policies
    Protect management from charges of imprudence in the event of a compromise
    Protect against errors and omissions in data
Format
  Brief paragraph: overall goals of the CompuSec program
  List of responsibilities
ISO 17799 Section 4.1.3
  Responsibilities for carrying out specific security processes shall be clearly defined.
  Might establish the role of an information security manager.
  Typically, responsibility for implementing controls remains with individual managers
  Common practice: appoint an owner for each information asset
NIST SP 800-55 Chapter 2
  Specifies responsibilities for
    Agency head
    Chief Information Officer (CIO)
    Senior Agency Information Security Officer
    Program Manager / Information System Owner
    Information System Security Officer (ISSO)
Sample Mission Statement
  Example: To provide the Corporation with the highest level of visibility and support for the philosophy of protection and to provide the organization with a focal point for solving information protection problems.
Information Protection Group Responsibilities:
1. Keep information protection policies and practices current.
2. Prepare, publish, and maintain ISO guidelines and standards for information protection
3. Answer all inquiries on compliance and interpretation of corporate policies and ISO practices
4. Develop, implement, and maintain the Corporate Information Protection Awareness Program
5. Assist the Corporate Organization Information Protection Coordinators (OIPCs) to develop, implement, and maintain their local information protection programs.
6. Develop, implement, and maintain standard risk assessment tools for use in determining critical corporate resources.
7. Ensure the criteria for determining sensitive information and critical applications and systems are current and appropriate to the needs of the Corporation.
8. Coordinate the development, testing, and maintenance of a data center Business Continuity Plan (BCP).
9. Assist OIPCs in the development of their organization BCPs.
10. Review new system access and information protection products and make recommendations on these products to ensure they meet minimum corporate requirements.
11. Provide account administration across all platforms.
12. Provide consulting support for all application development projects.
13. Act as an audit liaison for all information and computer security related matters.
14. Assist in the investigation and reporting of computer thefts, intrusions, viruses, and breaches of information protection controls.
15. Assist in the development of effective monitoring programs to ensure that corporate information is protected as required.
Peltier: Information Security Policies, Procedures, and Standards, Auerbach, 2002
Support for Mission Statement
  Needs approval by the head of the agency
    Chairman of the Board
    CEO, CFO, CIO
Creating Standards
Success Criteria for Standards
  There must be a commitment to the standard
  Standards must be
    Reasonable
    Flexible
    Current
    Reviewed regularly
Standard Commitment
  Commitment must start with senior management
  Passed down to line management
Policies, Standards, Procedures
  Policy: states a goal in general terms
  Standards: define what is to be accomplished in specific terms
  Procedures: how to meet the standards
What belongs in a standard
  Sources and examples: ISO 17799 / BS 7799, NIST SP and FIPS
  Standards require compliance
    Not following self-set standards can have legal consequences
  Do not over-specify standards
    Standards need to be up to date, but changing standards is costly
    Should be used judiciously
  Standards need to be substantial enough
Writing Procedures
Procedure Contents
  Level of specificity varies from organization to organization
  How to:
    Establish the need for the procedure
    Identify the target audience
    Describe the task that the procedure will cover
    Make the intent known to users
    Describe the procedure
Procedure Checklist
  1. Title
  2. Intent
  3. Scope
  4. Responsibilities
  5. Sequence of events
  6. Approvals
  7. Prerequisites
  8. Definitions
  9. Equipment required
  10. Warnings
  11. Precautions
  12. Procedure body
    This lists the actual steps to be performed in the execution of the procedure
Involving Local Experts
  Local experts: the employees who will handle the procedure
  Possibilities:
    Let local experts write the procedure
      Typically delayed, since it adds to their workload
      Typically the procedure is not well written and is over-technical
    Conduct interviews with local experts and use a documentation expert
      Needs to be verified by the local experts
    Create a review panel
      Ascertain that the procedures described are in place (or almost in place)
Procedure Styles
  Headline style: title lines placed above the text
  Captions: words appear in the left margin of the text
  Matrix
  Narrative
  Flowchart
  Playscript
Examples
Physical Security
Problems
  Sometimes, security depends on physical security
    Access to logs
    Access to consoles
  Computer equipment needs to be protected against mishaps
    Server room in the basement subject to flooding when a water main breaks
    Pollution is tolerated even less by computers
      Air vent for emergency generators next to the air conditioning intake for the computer room
Physical Security
  Facility requirements
    Locks and barriers
    Access control
    Environmental support
      Air conditioning
      Power
      Humidity
Example Policy
Computing facilities shall be of sufficient size and not be located on the ground floor, with multiple entry doors and more than one fire exit.
The area reserved for servers should have sufficient environmental controls for temperature and humidity.
Each server facility shall have an automated access control that includes procedures to add and remove the access rights of people. The procedures should be auditable. Furthermore, access to server facilities should be logged.
Visitors shall be required to provide identification before entering any server facility and shall be escorted during their presence on the premises.
Physical Security
  Policy does not (yet) address
    Contingency planning
      Disaster recovery
      Intrusion recovery
    System maintenance
    Audits
    Staffing
Authentication and Network Setup
Networking Layout Concerns
  DHCP
  DNS
  Addressing
    Expanding networks, creating subnets
    Non-routable addressing
      Plan ahead for merging networks
      Use addresses not likely to be duplicated after a merger
        E.g. use 10.29.100.X instead of 10.0.0.X
    Address assignment
      Static
      Dynamic
      Mixed
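The merger concern on this slide can be checked mechanically before two networks are joined. The following is an added example, not code from the COEN 250 slides: it takes two organizations' private address plans (constructed sample data), lists every pair of subnets that overlap, confirms each range is RFC 1918 non-routable, and flags "default-looking" ranges such as 10.0.0.0/24 that are the ones most likely to collide. The list of default-looking ranges is an assumed heuristic, not something the slides specify.

```python
# Added example for the address-planning slide (not from the COEN 250 slides):
# check two organizations' private address plans for overlaps before a merger,
# and flag "default-looking" ranges that tend to be duplicated.
import ipaddress

# Constructed sample allocations (name -> CIDR). Org A followed the slide's advice
# and picked an unusual 10.29.100.x range; org B used default-looking ranges.
ORG_A = {"servers": "10.29.100.0/24", "staff": "10.29.101.0/24", "guest": "192.168.1.0/24"}
ORG_B = {"servers": "10.0.0.0/24", "staff": "10.0.1.0/24", "lab": "192.168.1.0/24"}

# The three RFC 1918 non-routable blocks.
RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed heuristic: ranges commonly used as defaults by small networks and home
# routers, hence the ones most likely to show up on both sides of a merger.
COMMON_DEFAULTS = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24", "192.168.0.0/24", "192.168.1.0/24")]


def find_overlaps(plan_a, plan_b):
    """Return (name_a, name_b, net_a, net_b) for every pair of subnets that overlap."""
    overlaps = []
    for name_a, cidr_a in plan_a.items():
        net_a = ipaddress.ip_network(cidr_a)
        for name_b, cidr_b in plan_b.items():
            net_b = ipaddress.ip_network(cidr_b)
            if net_a.overlaps(net_b):
                overlaps.append((name_a, name_b, str(net_a), str(net_b)))
    return overlaps


def is_rfc1918(cidr):
    """True if the whole subnet lies inside one RFC 1918 block (i.e. it is non-routable)."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def looks_like_default(cidr):
    """True if the subnet touches one of the assumed default-looking ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.overlaps(d) for d in COMMON_DEFAULTS)


def merger_report(plan_a, plan_b):
    """Summarize what must be renumbered before plan_a and plan_b can be joined."""
    report = {"overlaps": find_overlaps(plan_a, plan_b), "routable": [], "default_like": []}
    for plan in (plan_a, plan_b):
        for _name, cidr in plan.items():
            if not is_rfc1918(cidr):
                report["routable"].append(cidr)      # publicly routable space used internally
            if looks_like_default(cidr):
                report["default_like"].append(cidr)  # likely to collide with a future partner
    return report


if __name__ == "__main__":
    for key, value in merger_report(ORG_A, ORG_B).items():
        print(key, value)
```

Run against the constructed plans, the report shows the two 192.168.1.0/24 guest and lab networks colliding, and three of org B's ranges flagged as default-looking even though they do not collide today, which is exactly the renumbering the slide's 10.29.100.X advice is meant to avoid.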
Network Access Policy Topics
  Gateways
  Dial-in / dial-out access
  Wireless access points
  Internet connections
  Virtual Private Networks
Network Access Policy Topics
  Login security
    Login requirements and procedures
    Account creation and management
      Guest accounts
      Dormant accounts
      Employee termination procedures
    Login banners
    Login controls
    Login reporting
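The dormant-account and termination items above are only enforceable if someone periodically compares the login system's state with HR records. As an added example (not from the slides), the check below runs over constructed account records and reports enabled accounts that are dormant, never used, or still enabled after the HR termination date; a login after the termination date is singled out because it is an incident rather than a procedural gap. The 90-day threshold is assumed, since the slides give no number, and the compliance rate is the kind of "measure of compliance" the later Compliance & Enforcement slide asks for.

```python
# Added example for the account-management slide (not from the COEN 250 slides):
# a periodic check of account records against a dormant-account and termination
# policy. The threshold and all records are constructed / assumed.
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 90            # assumed policy threshold; the slides give no number
REPORT_DATE = date(2015, 12, 25)   # constructed "today" for the sample run

# Constructed sample records: login-system state joined with the HR record.
# last_login None = account never used; terminated None = still employed.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2015, 12, 20), "terminated": None},
    {"user": "bob",   "enabled": True,  "last_login": date(2015, 8, 1),   "terminated": None},
    {"user": "carol", "enabled": True,  "last_login": date(2015, 12, 1),  "terminated": date(2015, 11, 30)},
    {"user": "guest", "enabled": True,  "last_login": None,               "terminated": None},
    {"user": "dave",  "enabled": False, "last_login": date(2015, 3, 3),   "terminated": date(2015, 3, 5)},
]


def find_violations(accounts, today, dormant_after=DORMANT_AFTER_DAYS):
    """Return sorted (user, reason) pairs for enabled accounts that break the policy."""
    cutoff = today - timedelta(days=dormant_after)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing left to enforce
        if acct["terminated"] is not None:
            findings.append((acct["user"], "enabled after termination"))
            # A login after the termination date is an incident, not just a gap in procedure.
            if acct["last_login"] is not None and acct["last_login"] > acct["terminated"]:
                findings.append((acct["user"], "login after termination"))
        if acct["last_login"] is None:
            findings.append((acct["user"], "never used"))
        elif acct["last_login"] < cutoff:
            findings.append((acct["user"], "dormant"))
    return sorted(findings)


def compliance_rate(accounts, today, dormant_after=DORMANT_AFTER_DAYS):
    """Fraction of enabled accounts with no finding: a 'measure of compliance' for reporting."""
    enabled = [a for a in accounts if a["enabled"]]
    if not enabled:
        return 1.0
    offenders = {user for user, _ in find_violations(accounts, today, dormant_after)}
    return 1 - len(offenders) / len(enabled)


if __name__ == "__main__":
    for user, reason in find_violations(ACCOUNTS, REPORT_DATE):
        print(f"{user}: {reason}")
    print("compliance rate:", compliance_rate(ACCOUNTS, REPORT_DATE))
```

The join with HR data is the important design choice: the login system alone can tell you an account is dormant, but only the HR record can tell you it belongs to someone who has left, which is the case the "employee termination procedures" item exists to catch.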
Network Access Policy Topics
  Session restrictions
    Users accessing sensitive information should use additional cautions
  Special privileges
    Some uses require special privileges
      Root access to computers
      Running dangerous applications
        Sniffers, intrusion detection, absence of anti-virus tools
Password Policies
  Password strength
  Password storage
  Default passwords
Telecommuting / Remote Access
  Employee equipment
    What can be used?
    How is it protected?
  Employee responsibilities
  Internet connection policy (firewalls etc.)
Firewall Policies
  Policies for incoming traffic and outgoing traffic
  Establishment of a DMZ
    Services located in the DMZ
    Protection of services in the DMZ
  Resulting policies for users
    No Usenet postings
      Because Usenet postings allow network reconnaissance ...
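A firewall policy is easiest to review when it is written as a small default-deny rule table and then tried against representative flows. The block below is an added example, not code from the slides or from any firewall product: the zones, the web and database servers and the flows are constructed (addresses from documentation ranges), and the rules encode the slide's points, incoming traffic only to a DMZ service, DMZ-to-internal traffic only from the one host that needs it, and a default deny that also covers the "no Usenet postings" rule (NNTP, port 119) without a dedicated rule.

```python
# Added example for the firewall-policy slide (not from the COEN 250 slides): a
# default-deny rule table expressing a DMZ policy, evaluated against constructed
# flows. Zones, hosts and flows are assumed sample values.
import ipaddress

# Constructed zones: the DMZ holds public-facing services, "internal" is the
# corporate network; any address in neither is treated as the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.29.0.0/16"),
}
WEB_SERVER = "192.0.2.10"   # constructed: public web server in the DMZ
DB_SERVER = "10.29.100.5"   # constructed: database it depends on, kept internal

# Rules are (source, destination, destination port, action). A selector is either a
# zone name or one host address. First match wins; anything unmatched is denied.
RULES = [
    ("internet", WEB_SERVER, 443, "allow"),   # incoming: only HTTPS, only to the DMZ web server
    (WEB_SERVER, DB_SERVER, 5432, "allow"),   # DMZ -> internal: only the web server, only the DB port
    ("internal", "internet", 443, "allow"),   # outgoing: staff browsing
    ("internal", "internet", 80, "allow"),
    # No rule for NNTP (119) or anything else: "no Usenet postings" follows from default deny.
]
DEFAULT_ACTION = "deny"


def zone_of(ip):
    """Name of the zone an address belongs to; 'internet' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def _matches(selector, ip):
    """A zone-name selector matches by zone; anything else is a single host address."""
    if selector == "internet" or selector in ZONES:
        return zone_of(ip) == selector
    return ipaddress.ip_address(ip) == ipaddress.ip_address(selector)


def decide(src, dst, port):
    """Apply the rule table to one flow and return 'allow' or 'deny'."""
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_port == port and _matches(rule_src, src) and _matches(rule_dst, dst):
            return action
    return DEFAULT_ACTION


def audit(flows):
    """Decide a batch of (src, dst, port) flows, for reviewing a proposed rule set."""
    return [(src, dst, port, decide(src, dst, port)) for src, dst, port in flows]


if __name__ == "__main__":
    sample = [("203.0.113.7", WEB_SERVER, 443),    # public client to the web server
              ("203.0.113.7", DB_SERVER, 5432),    # public client straight to the database
              (WEB_SERVER, DB_SERVER, 5432),       # web server to its database
              ("192.0.2.11", DB_SERVER, 5432),     # some other DMZ host to the database
              ("10.29.5.5", "203.0.113.7", 119)]   # staff workstation posting to Usenet
    for row in audit(sample):
        print(row)
```

The fourth sample flow is the one worth noticing: a compromised DMZ host other than the web server still cannot reach the database, which is what "protection of services in the DMZ" buys you when the DMZ-to-internal rule names a host rather than the whole zone.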
HTTP / WWW Policies
  Web browser settings
    Running and downloading mobile code
      ActiveX
      JavaScript
        Cross-site scripting attacks
      Java
  Content filtering
  Privacy expectations
E-mail Related Policies
  Establish the right to monitor e-mail
  Handling, scanning, archiving e-mail
  Use of e-mail for confidential data
  Digital signing of e-mail
Virus Protection
Virus Protection Policies
All users shall have anti-virus protection software installed before or when connecting the system to the network.
Users shall participate in keeping the anti-virus protection software updated and shall not disable its facilities.
When software installation requires the disabling of the anti-virus tool, users shall scan the system immediately after installation.
System Integrity Checking
  Give criteria for when a system shall be "trip-wired"
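"Trip-wiring" a system means recording a baseline of its files and later re-checking them against it. The block below is an added example, not code from the slides and not Tripwire's own implementation: it records size, permission bits and a SHA-256 digest for every file under a directory, then reports what was added, removed or modified. demo() constructs a small directory tree, baselines it, tampers with it and re-verifies, so the whole thing runs offline; the file names and contents are constructed sample data.

```python
# Added example for the integrity-checking slide (not from the COEN 250 slides,
# and not Tripwire's code): a minimal baseline-and-verify file integrity check.
import hashlib
import os
import tempfile


def _sha256(path):
    """Digest a file in chunks so large files do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its size, mode and hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": st.st_size, "mode": st.st_mode & 0o777, "sha256": _sha256(full)}
    return baseline


def verify(root, baseline):
    """Re-scan root and report paths added, removed or modified since the baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, text, mode="w"):
    with open(os.path.join(root, rel), mode) as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, return both verify() reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")   # constructed content
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        clean = verify(root, baseline)                                # freshly baselined: no differences
        _write(root, "etc/passwd", "# appended line\n", mode="a")    # modify one file
        _write(root, "etc/newfile", "unexpected\n")                   # add one file
        os.remove(os.path.join(root, "etc/hosts"))                     # remove one file
        tampered = verify(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean   :", clean)
    print("tampered:", tampered)
```

The check is only as trustworthy as the stored baseline, so in practice it is kept off the host or on read-only media, and the policy criteria the slide asks for amount to: take the baseline right after installation, re-verify on a schedule and after any privileged change, and treat an unexplained difference as an incident.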
Software Updates and Installations
  Rules for handling third-party software
Encryption
Legal Issues
  Use of encryption can be restricted by law (export controls)
  Some countries forbid the use of encryption in communication without giving the keys to a government agency.
  Warrants affecting encrypted data
  Key recovery
Crypto Issues
  Key generation
  Key management
    Disclosure
    Storage
    Transmission
Acceptable Use Policy
Acceptable Use Policy (AUP)
  Summarizes the overall policy for users
  Lays out the requirements and duties of users.
  Needs to be short.
  Will be signed by the user when hired / given access.
Compliance & Enforcement
Effectiveness of Policies
  Establish user training guidelines
  Establish measures of compliance
    Records of security violations
    Records of exceptions made
  Responsibility for publishing policy changes
Effectiveness of Policies
  Monitoring, controls, remedies, sanctions
  Establish administrator responsibilities
  Establish the right to log
Incident Response
  Assign responder responsibility
  Plan for interaction with law enforcement
Policy Review
Policy Review Process
  Review triggered by
    Incidents
    Number of exceptions to established policies
    Recognition of new threats