Document: Basic Security Policy (doc)


Document information

Basic Security Policy
Security Essentials - The SANS Institute (Information Assurance Foundations, SANS ©2001)

CONTRIBUTING AUTHORS: Doug Austin, Dyncorp Information Systems, LLC; Alexander Bryce, Alexander, Ltd.; Rob Dinehart, IBJ Whitehall Financial Group; Brian M. Estep, Adelphia; Stephen Joyce, bitLab, LLC; Carol Kramer, SANS Institute; Randy Marchany, Virginia Tech Computing Center; Stephen Northcutt, Global Incident Analysis Center; John Ritter, Intecs International, Inc.; Matt Scarborough, IC; Arrigo Triulzi, Albourne Partners, Ltd.; Eric Cole, SANS Institute

Preface

I never cease to be amazed by the fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy”, but nobody ever explains what the policy is, let alone how to write or evaluate it. That is why we undertook this research and education project into basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, The Roadmap, a usable and effective policy. Thank you!

Stephen Northcutt

Objectives
• Defining Security Policy
• Using Security Policy to Manage Risk
• Identifying Security Policy
• Evaluating Security Policy
• Issue-specific Security Policy
• Exercise: Writing a Personal Security Policy

Defining a Policy
• Policies direct the accomplishment of objectives
 – Program Policy
 – Issue-specific Policy
 – System-specific Policy

An effective and realistic Security Policy is the key to effective and achievable security. A policy is a guideline or directive which indicates a conscious decision to follow a path towards an objective defined in the policy. Often a policy may institute, empower resources, or direct action by providing procedures or actions to be carried out. With that in mind, this course will attempt to provide guidance towards the goal of developing a Basic Security Policy for an organization, or better defining the existing one. The policy itself should be both effective and realistic, with achievable security goals. Without a security policy, any organization can be left exposed to the world. In order to determine your policy needs, a risk assessment must first be conducted. This may require an organization to define levels of sensitivity with regard to information, processes, procedures, and systems.

During this presentation three policy types will be referred to. Where the type is not specified, the policy being described is the program policy. Issue-specific policies will also be covered, as well as system-specific policies. Let’s define these policy types before we get started.

Program Policy: This high-level policy sets the overall tone of an organization’s security approach. Typically guidance is provided with this policy to enact the other types of policies and specify who is responsible. This policy may provide direction for compliance with industry standards such as ISO, QS, BS, AS, etc.

Issue-specific Policy: These policies are intended to address specific needs within an organization. This may include password procedures, Internet usage guidelines, etc. This is not as broad a policy category as the program policy; however, it is broader than the system-specific policy.

System-specific Policy: For a given organization there may be several systems that perform various functions, where the use of one policy governing all of them may not be appropriate. It may be necessary to develop a policy directed toward each system individually. This is a system-specific policy.

Defining a Policy (2)
• What makes up a policy?
 – Purpose
 – Related documents
 – Cancellation
 – Background
 – Scope
 – Policy statement
 – Action
 – Responsibility

Most organizations have a guide which dictates the makeup of all company policies. This guide likely contains some or all of the following:

Purpose - the reason for the policy.
Related documents - lists any documents (or other policies) that affect the contents of this policy.
Cancellation - identifies any existing policy that is cancelled when this policy becomes effective.
Background - provides amplifying information on the need for the policy.
Scope - states the range of coverage for the policy (to whom or what does the policy apply).
Policy statement - identifies the actual guiding principles or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be prudent, expedient, and/or advantageous to the organization.
Action - specifies what actions are necessary and when they are to be accomplished.
Responsibility - states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be reviewed and updated.

Defining a Policy (3)
• Who can sign the policy?
• What process is used to:
 – draft a policy
 – approve a policy
 – implement a policy

In addition, some organizations further define:

Who can sign the policy. If you are part of a Department of Defense organization, the authority may be reserved for the senior military officer. In other cases, it may be a senior vice president, a CIO, or another manager. In any case, the policy must be signed by someone with sufficient authority and credibility that it is accepted by members of the organization to which it applies.

The process used to get policy drafted, signed, and implemented. Once you’ve identified what should be in the policy and who will sign it, you need to identify the people who will help develop and review the policy before you submit it for signature. Typical participants (in addition to the security staff) can include members of the legal and human resources staff, as well as a representative from one or more collective bargaining units.

Security Policy Protects Information

Safeguarding information is challenging when records are created and stored on computers. We live in a world where computers are globally linked and accessible, making digitized information especially vulnerable to theft, manipulation, and destruction. Security breaches are inevitable. Crucial decisions and defensive action must be prompt and precise. A security policy establishes what must be done to protect information stored on computers. A well-written policy contains sufficient definition of “what” to do so that the “how” can be identified and measured or evaluated.

Managing Risks in Your Job
• Identify risks
• Communicate your findings
• Update (create) policy as needed
• Develop metrics to measure compliance

PROBLEM: The only secure computer is one that is not connected to a network and is powered off. Use of computers to process information has associated risks. You need a methodology to validate that the organization is responsible and accountable for managing that risk.

ACTION: Learn how to manage risks related to your job.

Step 1: Identify risks. Determine how your organization uses computers and networks in the conduct of business, both routinely and under emergency circumstances. This will provide insight into the risks that you face. Examples of things that can pose risks include: using the Internet, not using anti-virus software on desktop computers, permitting customers/suppliers/partners to bypass the protection afforded by your firewall, and permitting personal use of corporate computers and networks.

Step 2: Communicate your findings. Identifying risks is necessary, but not sufficient. Decision-makers need to know what the risks are, as well as options for managing those risks. Be sure you have adequately communicated the situation in writing to the people who can make a difference.

Step 3: Update (create) policy as needed. If there is no written policy in place, write it and get it signed by upper-level management. A well-written policy, signed by top executives, will identify the corporation’s values and demonstrate that senior management supports the information security activities required by the policy.

Step 4: Develop metrics to measure compliance. If you cannot measure compliance (conformance), the policy is unenforceable.

Risk Assessment
• What do you do?
 – The “important bid” story
 – When is it okay to violate or change policy?
 – Who has the authority to do it?
 – What are the risks involved?

It’s 2:00 a.m. on a Saturday morning. Your team is trying to finish a time-critical project - an important bid - by sending a file. There are problems getting through the firewall. The obvious solution is to modify the firewall, but this is prohibited by the security policy. The team faces a dilemma. If they don’t act, they will not meet the deadline. If they do act, they risk the consequences of violating a written security policy. What do they do? What policy may provide guidance on this subject? What risks are involved in doing this?

Policy should also take into account any possible exceptions to the policy, and define:
• what types of exceptions can be made
• who has the authority to make them
• what review process should be followed to evaluate “emergency” exceptions

These considerations protect both the organization’s assets (by defining which changes are acceptable and which are not) and the people responsible (by defining the responsible parties and empowering them to make decisions and take action within the scope of the policy).

The remaining slides survive in this preview only as fragments; gaps are marked [...].

[...] conditions stipulated at a higher level. Security policy must always be in accordance with local, state, and federal computer crime laws.

[...] procedure and created a policy for it. This policy may not have been written and approved, but certainly it was implied and understood before it was written.

[...] element. Issue-specific Policy: policy related to specific issues, e.g. firewall or anti-virus policy. Security Procedures and Checklists: local Standard Operating Procedures (SOPs), derived from the security policy. Security policy may exist on some levels and not on others. Documents interact and support one another, and generally contain many of the same elements. In a typical organization, policy written to [...]

Evaluating Security Policy
• What if your existing policy is confusing and hard to read?
• What if it doesn’t cover all the bases?
• Use a checklist to evaluate your policy

Your organization may have a written policy, but it may be confusing and hard to read. It may also contain ‘gaps’ where some key issues are addressed, but others are not. You can sort through your policy [...]

[...] consistent with higher-level policy and guidance. If you discover any discrepancies between the policy you are reviewing and higher-level policy, note them, as you will need to resolve them for the policy to be meaningful. Security policy must also be in accordance with local, state, and federal computer crime laws. Examine the policy to see if it is forward looking. Security policy should be open to change [...]

Issue-specific Policies

Anti-virus Policy
• Define the problem
 – Various practices risk the introduction [...]

[...] jail time.

Exercise: Writing a Personal Security Policy
• Define the problem
 – Your work is not specifically [...] organization’s written security policy
• Develop a solution
 – Write a personal security policy for yourself

PROBLEM: The work that you do is not specifically covered in your organization’s written security policy.

ACTION: Write a personal security policy for yourself. We’ll go through this step by step in the following slides.

Personal Security Policy (2)
• Step by step:
 – Describe each job function
 – Make your policy meaningful
 – Include common elements of a security policy
 – Follow the guidelines for good policy

Describe each job function with a tailored policy. Your personal policy should cover a single job function, so if you are a system administrator and also a member [...]

Summary

[...] following concepts:
• Defining Security Policy
• Using Security Policy to Manage Risk
• Identifying Security Policy
• Evaluating Security Policy
• Issue-specific Security Policy
• Exercise: Writing a Personal Security Policy

Never stop questioning policies, and never be afraid to point out issues or problems.

References
• See list of references below

Few organizations [...]

Posted: 10/12/2013, 14:16
