GIAC Basic Security Policy (document)
GIAC Basic Security Policy
Version 1.4
February 27, 2001

I keep six honest serving men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
Rudyard Kipling

CONTRIBUTING AUTHORS:
Doug Austin, Dyncorp Information Systems, LLC
Alexander Bryce, Alexander, Ltd.
Rob Dinehart, IBJ Whitehall Financial Group
Stephen Joyce, bitLab, LLC
Carol Kramer, SANS Institute
Randy Marchany, Virginia Tech Computing Center
Stephen Northcutt, Global Incident Analysis Center
John Ritter, Intecs International, Inc.
Matt Scarborough, IC
Arrigo Triulzi, Albourne Partners, Ltd.

EDITED BY: Carol Kramer, Stephen Northcutt, Fred Kerby

If you have corrections or additions, or would like to be involved in enhancing this project, please send email to: giactc@sans.org

A note from the director of GIAC Training and Certification:

I have never ceased to be amazed by the fact that you can't take a class in information security without being told to do this or the other thing in accordance with "your security policy". But nobody ever explains what policy is, or how to write or evaluate it. This is why we have begun this research and educational project into security policy. We hope you find this booklet useful, and even more, that you will get involved and help. Consensus is a powerful tool and we need the ideas and criticisms of the information security community to make this the roadmap for usable, effective policy. Thank you!

Stephen Northcutt

CONTENTS
1. PREFACE
2. USING SECURITY POLICY TO MANAGE RISK
3. DEFINING SECURITY POLICY
4. IDENTIFYING SECURITY POLICY
5. SECURITY POLICY WORKSHEET
6. EVALUATING SECURITY POLICY
7. ISSUE-SPECIFIC SECURITY POLICY
7.1 Anti-Virus
7.2 Password Assessment
7.3 Backups
7.4 Incident Handling
7.5 Proprietary Information
8. WRITING A PERSONAL SECURITY POLICY
9. EXERCISES
APPENDIX A - Policy Templates
APPENDIX B - Sample Non-Disclosure Agreement

1. PREFACE

Security policy protects both people and information.
Safeguarding information is challenging when records are created and stored on computers. We live in a world where computers are globally linked and accessible, making digitized information especially vulnerable to theft, manipulation, and destruction. Security breaches are inevitable. Crucial decisions and defensive action must be prompt and precise. A security policy establishes what must be done to protect information stored on computers. A well-written policy contains sufficient definition of "what" to do so that the "how" can be identified and measured or evaluated.

An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.

Please take a minute and turn to the back of this book and examine the non-disclosure agreement in Appendix B. This is one of two examples in the book that is not written in plain English. This legal document is based on the actual non-disclosure agreement that GIAC uses when disclosing proprietary information. Despite the lawyer language of the document, it doesn't take long to see that its purpose is to protect information. It carefully spells out the procedures, the who, what, where, when and how, for the case where an organization has sensitive information that it is going to disclose to an individual. As we learn more about policies, we will find that many aspects of a policy can be found in a document like this. In fact, an organization's policy might reference a document like this. For instance, an organization may have a policy that says, "sensitive information shall only be released to individuals who have signed a non-disclosure agreement that is on file with the corporate legal office".
Now that we have an example of a policy that protects information, I would like to show an example of a policy that protected an individual, in this case, me.

Sinking a Warship

I was scanning our entire Navy lab, one subnet at a time (the recommended approach), fixing problems as I found them. I was running the scanner on low power when I hit a network and received a phone call from a friend. "Stephen, the net is down, we think you killed it".

"It" was a mock-up of a real Navy warship. All of the communications on the model were the same as the ones on the real ship. When its networking hardware received a packet (from me) on a certain port, it died. Its FDDI ring came to a complete stop. The people in this little lab were furious with me. They formed an investigative panel and called me in. I could see by the grim looks all around the table that this was not going to be pleasant. The sparks flew; one fellow in particular wanted to do me harm. He continues to be angry with me to this day! Finally someone asked whether this could happen in real life. The answer was "yes". The next question was, "then shouldn't we get it fixed?"

The point is, my network scan made these people angry enough that my job would have been in jeopardy if I'd not had my ducks in a row. I'd received permission to run the scan prior to doing so. So should you!

Stephen Northcutt

2. USING SECURITY POLICY TO MANAGE RISK

PROBLEM: The only secure computer is one that is not connected to a network and is powered off. Use of computers to process information has associated risks. You need a methodology to validate that the organization is responsible and accountable for managing that risk.

ACTION: Learn how to manage risks related to your job.

Step 1: Identify risks. Determine how your organization uses computers and networks in the conduct of business, both routinely and under emergency circumstances. This will provide insight into the risks that you face.
Examples of some things that can pose risks include: using the Internet; not using anti-virus software on desktop computers; permitting customers, suppliers, or partners to bypass the protection afforded by your firewall; and permitting personal use of corporate computers and networks.

Step 2: Communicate your findings. Identifying risks is necessary, but not sufficient. Decision-makers need to know what the risks are, as well as options for managing those risks. Be sure you have adequately communicated the situation in writing to the people who can make a difference.

Step 3: Update the security policy as needed. If there is no written policy in place, write it and get it signed by upper-level management. A well-written policy, signed by top executives, will identify the corporation's values and demonstrate that senior management supports the information security activities required by the policy.

Step 4: Develop and refine methods to measure compliance with the policy. If you cannot measure compliance (conformance), the policy is unenforceable.

Where is it written...?

The decisions we make must stand the test of reasonableness: given the situation, could a reasonable person be expected to make the same decision? It's amazing to hear people who have been practicing computer security for more than a decade ask, "What instruction requires that we do it that way (or at all)?" Having a written and dated policy signed by upper management can help move these folks to where they need to be.

3. DEFINING SECURITY POLICY

PROBLEM: All security and technical classes talk about the necessity of basing procedures on a good security policy. We need to understand what is meant by policy; there are many conflicting definitions.

ACTION: Identify how your organization defines policy.

Step 1: Get a copy of your organization's Policy Development Guide. Ideally, the guide will describe what topics to include in the policy document. Typical sections can include:

Purpose - the reason for the policy.
Related documents - lists any documents (or other policy) that affect the contents of this policy.
Cancellation - identifies any existing policy that is cancelled when this policy becomes effective.
Background - provides amplifying information on the need for the policy.
Scope - states the range of coverage for the policy (to whom or what does the policy apply?).
Policy statement - identifies the actual guiding principles, or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be prudent, expedient, and/or advantageous to the organization.
Action - specifies what actions are necessary and when they are to be accomplished.
Responsibility - states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be reviewed and updated.

Step 2: Determine who can sign the policy. If you are part of a Department of Defense organization, the authority may be reserved for the senior military officer. In other cases, it may be a senior vice president or a CIO or other manager. In any case, the policy must be signed by someone with sufficient authority and credibility that it is accepted by members of the organization to which it applies.

Step 3: Identify the process used to get policy drafted, signed, and implemented in your organization. Once you've identified what should be in the policy and who will sign it, you need to identify the people who will help develop and review the policy before you submit it for signature. Typical participants (in addition to the security staff) can include members of the legal and human resources staff, as well as a representative from one or more collective bargaining units.

Coaching Football

Think of a football game. Picture the coach at practice sessions, in the locker room before the game. What is the coach doing?
He is presenting, refining and reworking a plan for winning the game, a plan that's practiced over and over until it's perfect! We can see team captains and players referring to the plan before each play. What does a game plan have to do with a computer security policy? The game plan is actually a policy on how to win the game. The team that identifies its capabilities and limitations, along with the capabilities and limitations of its opponents, will devise the best plan and have the best chance of winning if they follow it.

4. IDENTIFYING SECURITY POLICY

PROBLEM: My organization doesn't seem to have a security policy.

ACTION: Identify what your organization does have, and try to make it better. Your actions may include lobbying to create or expand current policy.

Step 1: Recognize that policy exists on different levels. Unless you are at the top of the organizational hierarchy, there is likely to be a part of the organization above your level that issues policy that you are expected to implement. A common hierarchy for policy in an organization might look like this:

Enterprise-wide or Corporate Policy - the highest level (perhaps national); consists of high-level documents that provide a direction or thrust to be implemented at lower levels in the enterprise.
Division-wide Policy - typically consists of an amplification of enterprise-wide policy as well as implementation guidance. This level might apply to a particular region of a national corporation.
Local Policy - contains information specific to the local organization or corporate element.
Issue-Specific Policy - policy related to specific issues, e.g. firewall or anti-virus policy.
Security Procedures and Checklists - local Standard Operating Procedures (SOPs), derived from security policy.

Security policy may exist on some levels and not on others. Documents interact and support one another, and generally contain many of the same elements.
In a typical organization, policy written to implement higher-level directives may not relieve (waive) any of the requirements or conditions stipulated at a higher level. Security policy must always be in accordance with local, state, and federal computer crime laws.

Step 2: Collect and organize the applicable written, dated, and signed policy documents. Now that you understand the policy hierarchy, you can collect policy documents available at several levels in the organization. A security policy usually exists (and is enforced to some extent) even if it is not written down. When you find instances of unwritten policy, note them as areas for improvement. Putting the policy in writing prevents misunderstandings and promotes right actions. Encourage your management to articulate security policy in writing.

Step 3: Assemble existing procedures for inclusion in the policy review. In the process of collecting policy documents, you may find procedures (perhaps issue-specific) that do not appear to be the result of any specific policy. If so, note them for inclusion in the policy review (discussed next).

5. POLICY WORKSHEET

Procedures are derived from policies. A procedure can be used to identify and define the parent policy, even if the policy is not written and signed.

ACTION: List procedures for which you need to document the policy. Make notes on the who, what, when, and where.

Sample worksheet (first column: what is done; second column: why it is done that way):

Step 1: Who does the procedure? Why?
Procedure: The network administrator rolls out anti-virus updates to local desktops.
Why: To protect against virus infections. Certain administrative rights are needed to configure the push to users' local drives.

Step 2: What is the procedure? Why?
Procedure: Definitions are unpacked and placed in a shared directory. Login scripts download the files, apply the update, and reboot the machines. Machine names are flagged in the database as having been updated.
Why: Automate the process; create an exception list.

Step 3: When is the procedure done? Why?
Procedure: The procedure is done weekly.
Why: To keep up to date with the latest virus attacks. Our vendor rolls out new definitions every Thursday.

Step 4: Where is the procedure done? Why?
Procedure: The procedure is done from any administrative workstation. It is applied to all desktops running Windows 9x at location XXXX.
Why: No special location is required to apply the procedure. All desktops need to have the most current updates.

Step 5: Looking at the notes from both columns, the policy becomes clear. The description identifies the threat (virus infection) and provides for safeguards.

Sample policy derived from the procedures outlined in the example above: To ensure all desktops running Windows 9x are protected from viruses with the most recent updates, the network administrator at each location will apply the latest virus definition updates weekly. Although the process can be automated, checks must be put in place to ensure the updates have been applied successfully.

[...]

... discrepancies between the policy you are reviewing and higher-level policy, note them, as you will need to resolve them for the policy to be meaningful. Security policy must also be in accordance with local, state, and federal computer crime laws. Again, note any contradictions you discover so you can get the policy corrected.

Step 7: Examine the policy to see if it is forward looking. Security policy should be ...

... page.

Step 4: Examine the policy to see if it is realistic. Security policy shouldn't require people to try to implement things that can't be implemented.

Government Policy

People in the United States government create some of the worst security policy in the world. They spend taxpayer money contracting for huge notebooks of overly long, poorly written, nonspecific prose. The policy documents are so large ...
... publishing and making available specific policy documents. Security policy should be incorporated in employee handbooks and posted for reference. It must be required reading as part of the new employee orientation process.

7. ISSUE-SPECIFIC SECURITY POLICY

Issue-specific policies may often be brief and to the point. The following examples of issue-specific security policy steps contain information and ...

... agreement, such as the sample in Appendix B of this book.

8. WRITING A PERSONAL SECURITY POLICY

PROBLEM: The work that you do is not specifically covered in your organization's written security policy.

ACTION: Write a personal security policy for yourself.

Step 1: Describe each job function with a tailored policy. Your personal policy should cover a single job function, so if you are a system administrator ...

6. EVALUATING SECURITY POLICY

PROBLEM: Your organization has a written security policy, but it is confusing, difficult to follow, or doesn't address one or more significant risk areas.

ACTION: Identify policy attributes that need improvement and prepare draft revisions.

Step 1: Verify that the security policies contain the most common elements. Look for the following elements, and note what is missing ...

... hardware- or software-specific.

Step 8: Examine the policy for provisions to keep it current. Security policy should be reviewed regularly. Revisions in implementation should reflect lessons learned from recent incidents and new threats to the organization's security. See "Action" above.

Step 9: Check to see if the security policy is readily available. The Policy Development Guide may provide information regarding ...

... who have been successful in getting other policy signed and implemented.

Step 2: Examine the security policy to see if it is clear. One simple way to test for clarity is to have one of the individuals identified as being responsible determine whether he or she understands the responsibility.

Step 3: Examine the security policy to see if it is concise. A specific policy topic (e.g., anti-virus signature ...

... Step 4: Make sure the policy is implemented. Security policy should provide for compliance, such as spot-checking. The policy could reference a procedure in which administrators go into a system and look for recently modified data, then ask to be shown where it is backed up.

Issue-Specific Policy #7.4: INCIDENT HANDLING

PROBLEM: Many well-written, specific, and realistically implemented security policies ...

... what is missing.

Purpose - Security policy usually contains a statement, often at the beginning, describing the reason the policy is being established, and any associated goals.
Related documents - This is often entitled "References" and usually cites higher-level policy or implementation guidance.
Cancellation - New or updated policy may supersede existing (perhaps outdated) policy. This section identifies those ...

... duties should be covered in your personal policy. If your responsibilities affect system down time for mission-critical systems, include that in your policy statement. If you are required to make decisions that affect the profitability of your business, say so in your personal policy. Update your personal security policy at least twice a year. When you update your policy, keep the old versions and you will ...
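The worksheet in section 5 ends with the requirement that checks be put in place to ensure the updates have actually been applied, and section 2 (Step 4) makes the point that a policy whose compliance cannot be measured is unenforceable. The following Python script is an added example of such a check; it is not part of the GIAC booklet. It assumes an inventory export from the update database the worksheet describes (host name, operating system, location, and the "updated" flag the login script sets) joined with the definition version each desktop itself reports. The host records, the location name XXXX, the version numbers, and the one-week report-age limit are constructed or assumed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, Tuple

# Scope and cadence come from the section 5 worksheet: Windows 9x desktops at
# location XXXX (a placeholder in the booklet), definitions applied weekly.
POLICY_OS = "Windows 9x"
POLICY_LOCATION = "XXXX"
MAX_REPORT_AGE_DAYS = 7   # assumed: a host silent for over a week cannot be measured


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    location: str
    flagged_updated: bool   # what the update database claims
    reported_version: str   # what the desktop itself reports
    reported_on: date       # date of that report


def classify(host: Host, current_version: str, today: date,
             exceptions: FrozenSet[str] = frozenset()) -> str:
    """Classify one host against the derived anti-virus policy.

    out_of_scope  - not a Windows 9x desktop at the policy location
    exception     - on the exception list the worksheet calls for
    no_report     - no recent report, so compliance cannot be measured
    compliant     - running the current definition set
    flag_mismatch - database says updated, the desktop says otherwise
    stale         - not updated and not flagged (the push never reached it)
    """
    if host.os != POLICY_OS or host.location != POLICY_LOCATION:
        return "out_of_scope"
    if host.name in exceptions:
        return "exception"
    if (today - host.reported_on).days > MAX_REPORT_AGE_DAYS:
        return "no_report"
    if host.reported_version == current_version:
        return "compliant"
    if host.flagged_updated:
        return "flag_mismatch"
    return "stale"


def measure_compliance(hosts: Iterable[Host], current_version: str, today: date,
                       exceptions: FrozenSet[str] = frozenset()) -> Tuple[Dict[str, int], float]:
    """Count hosts per class and compute the compliance rate over the hosts
    the policy covers (in scope and not excepted)."""
    counts: Dict[str, int] = {}
    for host in hosts:
        label = classify(host, current_version, today, exceptions)
        counts[label] = counts.get(label, 0) + 1
    covered = sum(n for label, n in counts.items()
                  if label not in ("out_of_scope", "exception"))
    rate = counts.get("compliant", 0) / covered if covered else 1.0
    return counts, rate


# Constructed sample data (not real hosts). 2001-03-01 was a Thursday, the
# vendor's release day in the worksheet, so 4.0.123 is the current set.
TODAY = date(2001, 3, 2)
CURRENT_VERSION = "4.0.123"
SAMPLE_HOSTS = [
    Host("ws-101", "Windows 9x", "XXXX", True,  "4.0.123", date(2001, 3, 2)),
    Host("ws-102", "Windows 9x", "XXXX", True,  "4.0.122", date(2001, 3, 2)),  # flagged, not applied
    Host("ws-103", "Windows 9x", "XXXX", False, "4.0.122", date(2001, 3, 1)),  # push not yet run
    Host("ws-104", "Windows 9x", "XXXX", True,  "4.0.123", date(2001, 2, 20)), # silent for 10 days
    Host("ws-105", "Windows 9x", "XXXX", False, "4.0.119", date(2001, 3, 2)),  # on exception list
    Host("srv-01", "Windows NT", "XXXX", False, "4.0.123", date(2001, 3, 2)),  # not in scope
]
EXCEPTIONS = frozenset({"ws-105"})

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host.name:8} {classify(host, CURRENT_VERSION, TODAY, EXCEPTIONS)}")
    counts, rate = measure_compliance(SAMPLE_HOSTS, CURRENT_VERSION, TODAY, EXCEPTIONS)
    print(f"compliance: {rate:.0%} of covered hosts; breakdown: {counts}")
```

The useful output is not the compliance rate alone but the flag_mismatch class: those are the hosts the database claims were updated and that are still running old definitions, which is exactly the gap the policy's "checks must be put in place" sentence is meant to close. A host with no recent report is listed separately rather than counted as compliant, because an absent measurement is not evidence of compliance; the exception list the worksheet calls for is kept out of the denominator so that the rate measures only what the policy actually covers.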

Posted: 24/01/2014, 09:20
