
Security Policies
COEN 250

Elements of Information Protection
- Supports business objectives / mission of the organization
- Integral part of due care
  - Decision makers have
    - Duty of Loyalty (decisions made in the interest of the organization)
    - Duty of Care (protect the assets of the business)
- Cost-effective
  - Presupposes risk analysis
Elements of Information Protection
- Makes protection responsibilities and accountabilities explicit
  - Policy should identify roles and responsibilities of all employees
- Extends beyond the boundary of one's organization
  - E.g. access to information is given to outsiders
  - Protection of others' assets
Elements of Information Protection
- Requires a comprehensive and integrated approach
  - Needs to be part of the system development life cycle
  - Needs to extend to all groups in an organization

Elements of Information Protection
- Needs to be periodically reassessed
- Constrained by the culture of the organization
Information Protection
- Is more than just computer security
  - Data is stored in a variety of ways.
Guidelines, Standards, Policies
- Title III of the E-Government Act (FISMA) tasks NIST with developing
  - Standards to be used by all federal agencies
  - Guidelines recommending
    - Minimum Security Requirements (FIPS 200)

Policies and Procedures
- Information Security Policies
  - High level plans that describe the goals of procedures
  - Procedures are implementation details
Purpose of Policies
- Regulatory compliance
- Liability Mitigation
  - Policies should reflect best practices, but must also be understood by the judicial system
- Auditing
  - Assumption is that the existence of policies increases the security of assets
  - Insurance companies need to assess the risk of monetary damage due to break-ins
- Assigns roles and responsibilities in a systematic manner
Policies, Guidelines, Standards
- Policy
  - written at a broad level
  - requires supporting standards, procedures, guidelines
- Standards and guidelines
  - specify technologies and methodologies to be used on secure systems
  - Standards: mandatory activities, actions, rules, or regulations
  - Guidelines: more general statements designed to achieve the policy objective
- Procedures are the detailed steps required to accomplish a particular task or process
In Class Exercise
- Develop for a parish organization, regarding access control to human resource files and donor databases:
  - A policy statement
  - A standard
  - A guideline
  - A procedure
Determination of Policy Needs

Policy Development
- Determine the goal of policies
- Determine the range of assets that need to be protected
- Can be developed as a collection of documents
Policy Development
- Preliminary risk assessment / analysis
  - Distinguish technical risk and process risk
  - Use outsiders:
    - Select based on
      - up-to-date knowledge of security information
      - knowledge of industry best practices
      - relevant guidelines / standards
    - Insiders are too much of a stakeholder to be impartial
Identification of Information Assets
- Map hardware / software to the organization's mission or business process.
- Inventory assets
  - Includes also non-computer resources
    - Documentation about business processes
    - Pre-printed forms, ...
      - Can be used to impersonate organization personnel
- Inventory human resources

Identification of Information Assets
- Identify threats and risks
  - Authorized / unauthorized access to resources / information
  - Unintended / unauthorized disclosure of information
  - Bugs / user errors
Excursus: Survivable Network Analysis Method
- Networks are becoming an integral part of business processes
- Networks are no longer under the control of individual organizations

http://www.cert.org/archive/pdf/00tr013.pdf

Survivable Network Analysis Method
- Survivability = Capability of a system to fulfill its mission
- Properties
  - Resistance to attacks
    - Strategies for repelling attacks
      - Authentication
      - Access controls
      - Encryption
      - Message filtering
      - Survivability wrappers
      - System diversification
      - Functional isolation
  - Recognition of attacks and damage
    - Strategies for detecting attacks and evaluating damage
      - Intrusion detection
      - Integrity checking
Survivable Network Analysis Method
- Properties of survivable systems (cont.)
  - Recovery of essential and full services after attack
    - Strategies for limiting damage, restoring compromised information or functionality, maintaining or restoring essential services within mission time constraints, restoring full services
      - Redundant components
      - Data replication
      - System backup and restoration
      - Contingency planning
  - Adaptation and evolution to reduce the effectiveness of future attacks
    - Strategies for improving system survivability based on knowledge gained from intrusions
      - New intrusion recognition patterns

Survivable Network Analysis Method
- Need to add Survivability as an additional primary motivation / driver

Life Cycle Activities
- Mission Definition
  - Analysis of mission criticality and consequences of failure
- Concept of Operations
  - Definition of system capabilities in adverse environments
  - Integration of survivability into life-cycle activities
  - Identification of defensive coding techniques for implementation
- Requirements Definition
  - Definition of survivability requirements from mission perspective
  - Enumeration of critical mission functions that must withstand attacks
- Project Planning
  - Estimation of cost impact of denial of service attacks
  - Definition of access requirements for critical system assets during attacks
- System Specification
  - Specification of essential service and intrusion scenarios
  - Definition of steps that compose critical system transactions

Survivable Network Analysis Method
Life Cycle Activities
- System Architecture
  - Integration of survivability strategies into architecture definition
- System Design
  - Development and verification of survivability strategies
  - Application of survivability coding and implementation techniques
  - Definition of methods to avoid buffer overflow vulnerabilities
- System Testing
  - Treatment of intruders as users in testing and certification
  - Correctness verification of data encryption algorithms
- System Implementation
  - Creation of network facilities for replication of critical data assets
  - Addition of intrusion usage to usage models for statistical testing
- System Evolution
  - Improvement of survivability to prevent degradation over time
  - Redefinition of architecture in response to changing threat environment

Survivable Network Analysis Method
- Step 1: System Definition
- Step 2: Essential Capability Definition
- Step 3: Compromisable Capability Definition
  - A set of representative intrusions is selected
  - Intrusion scenarios are defined and traced through the architecture to identify compromisable components that intrusions could damage
- Step 4: Survivability Analysis

Key Points
- Two types of network usage scenario
  - NUS: Normal Usage Scenario
  - IUS: Intrusion Usage Scenario

Data Security Considerations
- Information systems are about the flow and usage of data.
- Data handling
  - Policies: how data is handled and how to maintain integrity and confidentiality of data
  - Existence of third party data
    - Personal data
    - Personnel data
      - Privacy protection
  - COTS (Commercial Off-The-Shelf) software licensing
Data Security Considerations
- Information systems are about the flow and usage of data.
- Backups, Archival Storage, Disposal of Data
  - Backups
    - Which data to back up
    - Frequency of backups
    - Revision of backup procedures
    - On-site vs. Off-site storage of data

Data Security Considerations
- Information systems are about the flow and usage of data.
- Backups, Archival Storage, Disposal of Data
  - Archival Storage of Backups
    - Retention period
    - Readability assurance
      - Media life time < retention period
  - Disposal of Data
    - Dumpster diving
    - Analysis of old hard drives
Data Security Considerations
- Information systems are about the flow and usage of data.
- Intellectual Property Rights and Policies
  - Who owns the rights to IP
  - Interaction with documents under IP control
  - Labeling for IP enforcement
    - Otherwise dissemination might destroy IP
- Incident Response and Forensics
  - Single point of contact = Assignment of responsibilities
  - Procedures
Information Security Mission Statement

Why a Mission Statement
- Mission statements establish the scope of responsibility for each department
- Explain the function of Information Assurance within the organization
- Pressures that push towards information assurance
  - regulations and laws
  - fear of litigation
  - risks and costs

ISO 17799 Section 4: Organization Security

Business Goals vs. Security Goals
- Information Security is never a fundamental goal of any organization
- Business objectives are obtained from
  - Agencies
    - Law, constitution
  - Business
    - Report to stockholders
    - Organizational charts
    - Strategic planning information
    - Annual corporate budget proposals
    - Interviews with staff members
Computer Security Objectives
- Before writing the mission statement, explore the elements of a comprehensive information security program
  - Ensure accuracy and integrity of data
  - Protect classified data
  - Protect against unauthorized access, modification, destruction, or disclosure of data
  - Ensure ability to survive the loss of computing capacity
  - Ensure management support for development and implementation of security policies
  - Protect management from charges of imprudence in the event of a compromise
  - Protect against errors and omissions in data
Format
- Brief paragraph: Overall goals of the CompuSec program
- List of responsibilities

ISO 17799 4.1.3
- Responsibilities for carrying out specific security processes shall be clearly defined.
- Might establish the role of information security manager.
- Typically, responsibility for implementing controls remains with individual managers
  - Common practice: Appoint an owner for each information asset
NIST SP 800-55 Chapter 2
- Specifies responsibilities for
  - Agency head
  - Chief Information Officer (CIO)
  - Senior Agency Information Security Officer
  - Program Manager / Information System Owner
  - Information System Security Officer (ISSO)
Sample Mission Statement

Example
To provide the Corporation with the highest level of visibility and support for the philosophy of protection and to provide the organization with a focal point for solving information protection problems.
Information Protection Group Responsibilities:
1. Keep information protection policies and practices
current.
2. Prepare, publish, and maintain ISO guidelines and
standards for information protection
3. Answer all inquiries on compliance and interpretation of
corporate policies and ISO practices
4. Develop, implement, and maintain the Corporate
Information Protection Awareness Program
Example
5. Assist the Corporate Organization Information
Protection Coordinators (OIPCs) to develop,
implement, and maintain their local information
protection programs.
6. Develop, implement, and maintain standard risk
assessment tools for use in determining critical
corporate resources.
7. Ensure the criteria for determining sensitive information
and critical applications and systems are current and
appropriate to the needs of the Corporation.
8. Coordinate the development, testing, and maintenance
of a data center Business Continuity Plan (BCP).
9. Assist OIPCs in the development of their organization
BCPs.
Example
Peltier: Information Security Policies,
Procedures, and Standards, Auerbach, 2002
10. Review new system access and information protection
products and make recommendations on these
products to ensure they meet minimum corporate
requirements.
11. Provide account administration across all platforms.
12. Provide consulting support for all application
development projects.
13. Act as an audit liaison for all information and computer
security related matters.
14. Assist in the investigation and reporting of computer
thefts, intrusions, viruses, and breaches of information
protection controls.
15. Assist in the development of effective monitoring
programs to ensure that corporate information is
protected as required.
Support for Mission Statement
- Needs approval by
  - head of agency
  - Chairman of the Board
  - CEO, CFO, CIO
Creating Standards

Success Criteria for Standards
- There must be a commitment to the standard
- Standards must be
  - Reasonable
  - Flexible
  - Current
    - Reviewed regularly

Standard Commitment
- Commitment must start with senior management
- Pass down to line management

Policies, Standards, Procedures
- Policy
  - States a goal in general terms
- Standards
  - Define what is to be accomplished in specific terms
- Procedures
  - How to meet the standards
What belongs in a standard
- Sources and Examples
  - ISO 17799 / BS 7799
  - NIST SP and FIPS
  - Should be used judiciously
- Standards require compliance
  - Not following self-set standards can have legal consequences
- Do not over-specify standards
  - Standards need to be up-to-date, but changing standards is costly
- Standards need to be substantial enough
Writing Procedures

Procedure Contents
- Level of specificity varies from organization to organization
- How to:
  - Establish the need for the procedure
  - Identify the target audience
  - Describe the task that the procedure will cover
  - Make the intent known to users
  - Describe the procedure
Procedure Checklist
1. Title
2. Intent
3. Scope
4. Responsibilities
5. Sequence of events
6. Approvals
7. Prerequisites
8. Definitions
9. Equipment required
10. Warnings
11. Precautions
12. Procedure body
    This lists the actual steps to be performed in the execution of the procedure
Involving Local Experts
- Local experts: employees who will handle the procedure
- Possibilities:
  - Let local experts write the procedure
    - Typically, will be delayed since it adds to their workload
    - Typically, the procedure is not well written and over-technical
  - Conduct interviews with local experts and use a documentation expert
    - Needs to be verified by local experts
  - Create a review panel
    - Ascertain that the procedures described are in place (or almost in place)
Procedure Styles
- Headline Styles
  - Title lines placed above text
- Captions
  - Words appear in the left margin of the text
- Matrix
- Narrative
- Flowchart
- Playscript
- Examples
Physical Security

Problems
- Sometimes, security depends on physical security
  - Access to logs
  - Access to consoles
- Computer equipment needs to be protected against mishaps
  - Server room in the basement subject to flooding when a water main breaks
  - Pollution is even less tolerated by computers
    - Air vent for emergency generators next to the air conditioning intake for the computer room
Physical Security
- Facility requirements
  - Locks and barriers
  - Access Control
  - Environmental support
    - Air conditioning
    - Power
    - Humidity
Example Policy
- Computing facilities shall be of sufficient size and not be located on the ground floor, with multiple entry doors and more than one fire exit.
- The area reserved for servers should have sufficient environmental controls for temperature and humidity.
- Each server facility shall have an automated access control that includes procedures to add and remove the access rights of people. The procedures should be auditable. Furthermore, access to server facilities should be logged.
- Visitors shall be required to provide identification before entering any server facility and shall be escorted during their presence on the premises.
Physical Security
- Policy does not (yet) address
  - Contingency planning
    - Disaster recovery
    - Intrusion recovery
  - System maintenance
  - Audits
  - Staffing
Authentication and Network Setup

Networking Layout Concerns
- DHCP
- DNS
- Addressing
  - Expanding networks, creating subnets
  - Non-routable addressing
    - Plan ahead for merging networks
      - Use addresses not likely to be duplicated after a merger
      - E.g. use 10.29.100.X instead of 10.0.0.X
  - Address assignment
    - Static
    - Dynamic
    - Mixed
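The merger advice above (plan ahead, avoid private ranges that another network is likely to be using as well) can be checked mechanically before two address plans are joined. The following Python script is an added example, not part of the original slides: using only the standard-library ipaddress module, it finds subnets that collide between two constructed address plans, flags "default-looking" ranges (the first /24 of an RFC 1918 block, such as 10.0.0.0/24) that are the most likely to be duplicated elsewhere, and picks a free /24 that avoids both plans. The organization names and subnet lists are constructed values.

```python
import ipaddress

# Constructed address plans for two organizations about to merge
# (hypothetical values chosen to illustrate the point; not from the slides).
ORG_A_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24", "192.168.1.0/24"]
ORG_B_SUBNETS = ["10.0.0.0/24", "10.29.100.0/24", "192.168.50.0/24"]

RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def find_overlaps(plan_a, plan_b):
    """Return (a, b) pairs of subnets, one from each plan, whose ranges overlap.

    Overlapping private ranges cannot coexist on one routed network after a
    merger without renumbering or NAT, so every pair is a renumbering task.
    """
    nets_a = [ipaddress.ip_network(s, strict=True) for s in plan_a]
    nets_b = [ipaddress.ip_network(s, strict=True) for s in plan_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def is_default_looking(subnet):
    """True if `subnet` is the first /24 of an RFC 1918 block (10.0.0.0/24,
    172.16.0.0/24, 192.168.0.0/24): the ranges most networks pick by default,
    and therefore the ones most likely to collide with a merger partner.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    for block in RFC1918_BLOCKS:
        if net.subnet_of(block):
            first = next(block.subnets(new_prefix=24))
            return net == first
    return False  # public, or otherwise not RFC 1918


def free_subnet(avoid, block="10.0.0.0/8", prefix=24, skip_first=256):
    """Pick a /`prefix` inside `block` that overlaps nothing in `avoid`.

    The first `skip_first` candidates are skipped so that the result stays
    clear of the 10.0.x.0 ranges other networks are likely to be using.
    """
    avoid_nets = [ipaddress.ip_network(s, strict=True) for s in avoid]
    candidates = ipaddress.ip_network(block).subnets(new_prefix=prefix)
    for index, cand in enumerate(candidates):
        if index < skip_first:
            continue
        if not any(cand.overlaps(a) for a in avoid_nets):
            return str(cand)
    return None


if __name__ == "__main__":
    print("overlaps:", find_overlaps(ORG_A_SUBNETS, ORG_B_SUBNETS))
    for s in ORG_A_SUBNETS + ORG_B_SUBNETS:
        print(s, "default-looking" if is_default_looking(s) else "ok")
    print("free:", free_subnet(ORG_A_SUBNETS + ORG_B_SUBNETS))
```

With the constructed plans, the only collision is 10.0.0.0/24 on both sides, and 10.1.0.0/24 is the first /24 outside the 10.0.x.0 range that neither plan uses; a real renumbering plan would also feed the chosen ranges back into DHCP scopes and DNS zones.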
Network Access Policy Topics
- Gateways
  - Dial-In / Dial-Out access
  - Wireless access points
  - Internet connections
  - Virtual Private Networks
Network Access Policy Topics
- Login Security
  - Login Requirements and Procedures
  - Account Creation and Management
    - Guest accounts
    - Dormant accounts
    - Employee termination procedures
  - Login banners
  - Login controls
  - Login reporting
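The account-management topics above (guest accounts, dormant accounts, termination procedures) become concrete once they are turned into a periodic review. The following Python script is an added example and not part of the original slides: it runs a review over a constructed account inventory and a constructed HR termination list, applying assumed thresholds (90 idle days for staff, 14 for guests) to find accounts that should be disabled. Usernames, dates and thresholds are all constructed values.

```python
from datetime import date

# Constructed account inventory (hypothetical users; not from the original deck).
# last_login of None means the account has never been used.
ACCOUNTS = [
    {"user": "alice",  "type": "staff", "last_login": "2024-05-30", "enabled": True},
    {"user": "bob",    "type": "staff", "last_login": "2024-01-12", "enabled": True},
    {"user": "carol",  "type": "staff", "last_login": "2024-05-28", "enabled": True},
    {"user": "dave",   "type": "staff", "last_login": "2024-03-01", "enabled": False},
    {"user": "guest1", "type": "guest", "last_login": "2024-05-20", "enabled": True},
    {"user": "guest2", "type": "guest", "last_login": None,         "enabled": True},
]
# Constructed HR feed of employees whose employment has ended.
TERMINATED = {"carol"}
AS_OF = date(2024, 6, 1)

# Policy thresholds (assumed values): guests get a much shorter idle window.
IDLE_LIMIT_DAYS = {"staff": 90, "guest": 14}


def idle_days(account, as_of):
    """Days since the last login, or None if the account has never been used."""
    if account["last_login"] is None:
        return None
    return (as_of - date.fromisoformat(account["last_login"])).days


def dormant_accounts(accounts, as_of, limits=IDLE_LIMIT_DAYS):
    """Enabled accounts that exceed their type's idle limit or were never used."""
    result = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to do
        idle = idle_days(acct, as_of)
        if idle is None or idle > limits[acct["type"]]:
            result.append(acct["user"])
    return sorted(result)


def terminated_but_enabled(accounts, terminated):
    """Accounts still enabled for people on the termination list."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] in terminated)


def review_actions(accounts, terminated, as_of):
    """Map each account that needs attention to the action the policy calls for."""
    actions = {user: "disable immediately (employment terminated)"
               for user in terminated_but_enabled(accounts, terminated)}
    by_user = {a["user"]: a for a in accounts}
    for user in dormant_accounts(accounts, as_of):
        if user in actions:
            continue  # termination takes precedence over dormancy
        idle = idle_days(by_user[user], as_of)
        actions[user] = ("disable (never used)" if idle is None
                         else f"disable (idle {idle} days)")
    return actions


if __name__ == "__main__":
    for user, action in sorted(review_actions(ACCOUNTS, TERMINATED, AS_OF).items()):
        print(f"{user:8s} {action}")
```

Running the review against the constructed data flags carol (terminated, still enabled), bob (141 idle days) and guest2 (never used); alice, guest1 and the already-disabled dave need no action. In practice the inventory would come from the directory service and the termination list from HR, and the review output would be logged as the "records of exceptions" the compliance slides call for.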
Network Access Policy Topics
- Session Restrictions
  - Users accessing sensitive information should use additional cautions
- Special Privileges
  - Some uses require special privileges
    - Root access to computers
    - Running dangerous applications
      - Sniffers, Intrusion Detection, absence of anti-virus tools
Password Policies
- Password Strength
- Password Storage
- Default Passwords

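The three password topics above (strength, storage, default passwords) map onto three small checks. The following Python script is an added example and not part of the original slides: a strength check against assumed policy values (12 characters, 3 of 4 character classes, not on a default-password list), salted PBKDF2-HMAC-SHA256 storage with constant-time verification, and a work-factor check so that hashes made under an older, weaker setting are re-hashed at next login. The default-password list and the thresholds are constructed.

```python
import hashlib
import hmac
import os
import string

# Constructed list of vendor-default and very common passwords; a real policy
# would load a much longer list (assumed values, not from the original deck).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "root", "letmein"}

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
MIN_LENGTH = 12        # assumed policy value


def check_strength(password, min_length=MIN_LENGTH, defaults=DEFAULT_PASSWORDS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(
        any(c in group for c in password)
        for group in (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)
    )
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if password.lower() in defaults:
        problems.append("on the default/common password list")
    return problems


def hash_password(password, iterations=ITERATIONS):
    """Store only a salted, iterated hash: 'pbkdf2_sha256$iters$salt$hash' (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored, iterations=ITERATIONS):
    """True if a stored hash was made with a weaker work factor than current policy."""
    _, stored_iterations, _, _ = stored.split("$")
    return int(stored_iterations) < iterations


if __name__ == "__main__":
    for candidate in ("admin", "Correct-Horse-Battery-42"):
        print(candidate, check_strength(candidate) or "ok")
    record = hash_password("Correct-Horse-Battery-42")
    print(record)
    print("verify:", verify_password("Correct-Horse-Battery-42", record))
```

The stored record carries its own parameters, which is what makes `needs_rehash` possible: raising ITERATIONS later does not invalidate existing accounts, it just schedules them for an upgrade the next time the user logs in with the correct password.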
Telecommuting / Remote Access
- Employee Equipment
  - What can be used?
  - How is it protected?
- Employee Responsibilities
Internet Connection Policy (Firewalls etc.)

Firewall Policies
- Policies for
  - incoming traffic
  - outgoing traffic
  - Establishment of a DMZ
  - Services located in the DMZ
  - Protection of services in the DMZ
- Resulting policies for users
  - No usenet postings
    - Because usenet postings allow network reconnaissance
  - ...
HTTP / WWW Policies
- Web Browser Settings
  - Running and Downloading Mobile Code
    - ActiveX
    - Javascript
      - Cross-site scripting attacks
    - Java
  - Content Filtering
  - Privacy Expectations
E-mail Related Policies

Email
- Establish the right to monitor email
- Handling, scanning, archiving email
- Use of email for confidential data
- Digital signing of email

Virus Protection

Virus Protection Policies
- All users shall have anti-virus protection software installed before or when connecting the system to the network.
- Users shall participate in keeping the anti-virus protection software updated and shall not disable its facilities.
- When software installation requires the disabling of the anti-virus tool, users shall scan the system immediately after installation.
System Integrity Checking
- Give criteria for when a system shall be "tripwired"
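"Tripwiring" a system means recording a trusted baseline of its files and later reporting anything that has changed. The following Python script is an added example, not the Tripwire tool and not from the original slides: it hashes every regular file under a root directory into a JSON baseline (SHA-256 plus permission bits) and diffs a later scan against it, reporting added, removed and modified files. The demo builds a constructed file tree in a temporary directory, tampers with it, and returns the resulting report; all paths and contents in it are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its hash and mode."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories, devices and symlinks are out of scope here
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {
            "sha256": sha256_file(path),
            "mode": oct(path.stat().st_mode & 0o7777),
        }
    return baseline


def save_baseline(baseline, store):
    Path(store).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store):
    return json.loads(Path(store).read_text())


def compare(baseline, current):
    """Report files added, removed, or changed (content or permission bits)."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a baseline over a constructed file tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in")
        store = Path(tmp) / "baseline.json"  # in practice: read-only or off-host
        save_baseline(build_baseline(root), store)

        # Constructed changes the checker should flag: a second UID-0 entry,
        # a deleted configuration file and a new binary.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "nc").write_bytes(b"\x7fELF another stand-in")

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the baseline: if the JSON file lives writable on the same host, whoever changes the files can also update the baseline, so the stored hashes belong on read-only media or another machine, and the "criteria for tripwiring" in the policy should say which directories are covered and how often the comparison runs.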
Software Updates and Installations
- Rules for handling third party software
Encryption

Legal Issues
- Use of encryption can be restricted by law (Export Controls)
- Some countries forbid the use of encryption in communication without giving keys to a government agency.
- Warrants affecting encrypted data
  - Key recovery

Crypto Issues
- Key generation
- Key management
  - Disclosure
  - Storage
  - Transmission
Acceptable Use Policy

Acceptable Use Policy (AUP)
- Summarizes the overall policy for users
- Lays out requirements and duties of users.
- Needs to be short.
- Will be signed by the user when hired / given access.
Compliance & Enforcement

Effectiveness of Policies
- Establish User Training Guidelines
- Establish measures of compliance
  - Records of security violations
  - Records of exceptions made
- Responsibility for publishing policy changes
Effectiveness of Policies
- Monitoring, Controls, Remedies, Sanctions
- Establish administrator responsibilities
- Establish the right to log

Incident Response
- Assign responder responsibility
- Plan for interaction with law enforcement

Policy Review

Policy Review Process
- Review triggered by
  - Incidents
  - Number of exceptions to established policies
  - Recognition of new threats