Ebook: Basic Security Policy

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:34

0
66
lượt xem
13
download

Ebook: Basic Security Policy

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

I never cease to be amazed by the fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy”, but nobody ever explains what the policy is, let alone how to write or evaluate it.

Chủ đề:
Lưu

Nội dung Text: Ebook: Basic Security Policy

  1. Basic Security Policy Security Essentials The SANS Institute Information Assurance Foundations - SANS ©2001 1 CONTRIBUTING AUTHORS: Doug Austin Dyncorp Information Systems, LLC Alexander Bryce Alexander, Ltd. Rob Dinehart IBJ Whitelhall Financial Group Brian M. Estep Adelphia Stephen Joyce bitLab, LLC Carol Kramer SANS Institute Randy Marchany Virginia Tech Computing Center Stephen Northcutt Global Incident Analysis Center John Ritter Intecs International, Inc. Matt Scarborough IC Arrigo Triulzi Albourne Parners, Ltd. Eric Cole SANS Institute 2-1
  2. Preface I never cease to be amazed by the fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy”, but nobody ever explains what the policy is, let alone how to write or evaluate it. That is why we undertook this research and education project into basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, The Roadmap, a usable, and effective policy. Thank you! Stephen Northcutt Basic Security Policy - SANS ©2001 2 I never cease to be amazed by the fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy”, but nobody ever explains what the policy is, let alone how to write or evaluate it. That is why we undertook this research and education project into basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, The Roadmap, a usable and effective policy. Thank you! Stephen Northcutt 2-2
  3. Objectives • Defining Security Policy • Using Security Policy to Manage Risk • Identifying Security Policy • Evaluating Security Policy • Issue-specific Security Policy • Exercise: Writing a Personal Security Policy Basic Security Policy - SANS ©2001 3 This page intentionally left blank. 2-3
  4. Defining a Policy • Policies direct the accomplishment of objectives – Program Policy – Issue-specific Policy – System-specific Policy An effective and realistic Security Policy is the key to effective and achievable security. Basic Security Policy - SANS ©2001 4 A policy is a guideline or directive which indicates a conscious decision to follow a path towards an objective defined in the policy. Often a policy may institute, empower resources, or direct action by providing procedures or actions to be carried out. With that in mind, this course will attempt to provide guidance towards the goal of developing a Basic Security Policy for an organization, or better defining the existing one. The policy itself should be both effective and realistic with achievable security goals. Without a security policy, any organization can be left exposed to the world. In order to determine your policy needs, a risk assessment must first be conducted. This may require an organization to define levels of sensitivity with regard to information, processes, procedures, and systems. During this presentation three references to policy types will be made. It may be inferred that the policy being described when not specified is that of a program policy. Issue-specific polices will also be covered, as well as system-specific policies. Let’s define these policy types before we get started. Program Policy: This high-level policy sets the overall tone of an organization’s security approach. Typically guidance is provided with this policy to enact the other types of policies and specify who is responsible. This policy may provide direction for compliance with industry standards such as ISO, QS, BS, AS, etc. Issue-specific Policy: These policies are intended to address specific needs within an organization. This may include password procedures, Internet usage guidelines, etc. This is not as broad a policy category as the program policy; however, it is broader than the system-specific policy. System-specific Policy: For a given organization there may be several systems that perform various functions, where the use of one policy governing all of them may not be appropriate. It may be necessary to develop a policy directed toward each system individually. This is a system-specific policy. 2-4
  5. Defining a Policy (2) • What makes up a policy? – Purpose – Related documents – Cancellation – Background – Scope – Policy statement – Action – Responsibility Basic Security Policy - SANS ©2001 5 Most organizations have a guide which dictates the makeup of all company policies. This guide likely contains some or all of the following: Purpose - the reason for the policy. Related documents - lists any documents (or other policies) that affect the contents of this policy. Cancellation - identifies any existing policy that is cancelled when this policy becomes effective. Background - provides amplifying information on the need for the policy. Scope - states the range of coverage for the policy (to whom or what does the policy apply). Policy statement - identifies the actual guiding principles or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be prudent, expedient, and/or advantageous to the organization. Action - specifies what actions are necessary and when they are to be accomplished. Responsibility - states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be reviewed and updated. 2-5
  6. Defining a Policy (3) • Who can sign the policy? • What process is used to: – draft a policy – approve a policy – implement a policy Basic Security Policy - SANS ©2001 6 In addition, some organizations further define: Who can sign the policy. If you are part of a Department of Defense organization, the authority may be reserved for the senior military officer. In other cases, it may be a senior vice president or a CIO or other manager. In any case, the policy must be signed by someone with sufficient authority and credibility that it is accepted by members of the organization to which it applies. The process used to get policy drafted, signed, and implemented. Once you’ve identified what should be in the policy and who will sign it, you need to identify the folks who will help develop and review the policy before you submit it for signature. Typical participants (in addition to the security staff) can include members of the legal and human resources staff, as well as a representative from one or more collective bargaining units. 2-6
  7. Security Policy Protects Information Safeguarding information is challenging when records are created and stored on computers. Basic Security Policy - SANS ©2001 7 We live in a world where computers are globally linked and accessible, making digitized information especially vulnerable to theft, manipulation, and destruction. Security breaches are inevitable. Crucial decisions and defensive action must be prompt and precise. A security policy establishes what must be done to protect information stored on computers. A well- written policy contains sufficient definition of “what” to do so that the “how” can be identified and measured or evaluated. 2-7
  8. Objectives • Defining Security Policy • Using Security Policy to Manage Risk • Identifying Security Policy • Evaluating Security Policy • Issue-specific Security Policy • Exercise: Writing a Personal Security Policy Basic Security Policy - SANS ©2001 8 This page intentionally left blank. 2-8
  9. Managing Risks in Your Job • Identify risks • Communicate your findings • Update (create) policy as needed • Develop metrics to measure compliance Basic Security Policy - SANS ©2001 9 PROBLEM: The only secure computer is one that is not connected to a network and is powered off. Use of computers to process information has associated risks. You need a methodology to validate that the organization is responsible and accountable for managing that risk. ACTION: Learn how to manage risks related to your job. Step 1: Identify risks. Determine how your organization uses computers and networks in the conduct of business, both routinely and under emergency circumstances. This will provide insight into the risks that you face. Examples of some things that can pose risks include: using the Internet, not using anti-virus software on desktop computers, permitting customers/suppliers/partners to bypass the protection afforded by your firewall, and permitting personal use of corporate computers and networks. Step 2: Communicate your findings. Identifying risks is necessary, but not sufficient. Decision-makers need to know what the risks are, as well as options for managing those risks. Be sure you have adequately communicated the situation in writing to folks who can make a difference. Step 3: Update (create) policy as needed. If there is no written policy in place, write it and get it signed by upper level management. A well- written policy, signed by top executives, will identify the corporation’s values and demonstrate that senior management supports the information security activities required by the policy. Step 4: Develop metrics to measure compliance. If you cannot measure compliance (conformance), the policy is unenforceable. 2-9
  10. Risk Assessment • What do you do? – The “important bid” story – When is it okay to violate or change policy? – Who has the authority to do it? – What are the risks involved? Basic Security Policy - SANS ©2001 10 It’s 2:00 a.m. on a Saturday morning. Your team is trying to finish a time-critical project - an important bid - by sending a file. There are problems getting through the firewall. The obvious solution is to modify the firewall, but this is prohibited by the security policy. The team faces a dilemma. If they don’t act, they will not meet the deadline. If they do act, they risk the consequences of violating a written security policy. What do they do? What policy may provide guidance on this subject? What risks are involved in doing this? Policy should also take into account any possible exceptions to the policy, and define: • what types of exceptions can be made • who has the authority to make them • what review process should be followed to evaluate “emergency” exceptions These considerations protect both the organization’s assets (by defining which changes are acceptable and which are not) and those people responsible (by defining the responsible parties and empowering them to make decisions and take action within the scope of the policy). 2 - 10
  11. Checkpoint: Policy In Action Finding Policy Wins The Game! Basic Security Policy - SANS ©2001 11 Think of a football game. Picture the coach at practice sessions, in the locker room before the game. What is the coach doing? He is presenting, refining, and reworking a plan for winning the game, a plan that’s practiced over and over until it’s perfect! We can see team captains and players referring to the plan before each play. What does a game plan have to do with a computer security policy? The game plan is actually a policy on how to win the game. The team that identifies its capabilities and limitations, along with the capabilities and limitations of its opponents, will devise the best plan and the best chance of winning if they follow it. Risks have been identified and policy has been defined in broad terms. Next we look at concrete policies. 2 - 11
  12. Levels of Policy • Recognize that policies can exist on different levels – Enterprise-wide/corporate policy – Division-wide policy – Local policy – Issue-specific policy – Procedures and checklists Basic Security Policy - SANS ©2001 12 Unless you are at the top of the organizational hierarchy, there is likely to be a part of the organization above your level that issues policy that you are expected to implement. A common hierarchy for policy in an organization might look like this: Enterprise-wide or Corporate Policy: the highest level (perhaps national); consists of high-level documents that provide a direction or thrust to be implemented at lower levels in the enterprise. Division-wide Policy: typically consists of an amplification of enterprise-wide policy as well as implementation guidance. This level might apply to a particular region of a national corporation. Local Policy: contains information specific to the local organization or corporate element. Issue-specific Policy: policy related to specific issues, e.g. firewall or anti-virus policy. Security Procedures and Checklists: local Standard Operating Procedures (SOPs); derived from the security policy. Security policy may exist on some levels and not on others. Documents interact and support one another, and generally contain many of the same elements. In a typical organization, policy written to implement higher-level directives may not relieve (waive) any of the requirements or conditions stipulated at a higher level. Security policy must always be in accordance with local, state, and federal computer crime laws. 2 - 12
  13. Objectives • Defining Security Policy • Using Security Policy to Manage Risk • Identifying Security Policy • Evaluating Security Policy • Issue-specific Security Policy • Exercise: Writing a Personal Security Policy Basic Security Policy - SANS ©2001 13 This page intentionally left blank. 2 - 13
  14. Identifying Security Policy • Who does the procedure? • What is the procedure? • When is the procedure done? • Where is the procedure done? • Why is the procedure done? Basic Security Policy - SANS ©2001 14 Given specifics of the anti-virus rollout, how can we construct a policy? Step 1: Who does the procedure? The network administrator rolls out anti-virus updates to local desktops. Why? To protect against virus infections. Certain administrative rights are needed to configure the push to users’ local drives. Step 2: What is the procedure? Definitions are unpacked, and placed in a shared directory. Login scripts download the files, apply the update, and reboot the machines. Machine names are flagged in the database as having been updated. Why? Automate the process; create an exception list. Step 3: When is the procedure done? The procedure is done weekly. Why? To keep up-to-date with the latest virus attacks. Our vendor rolls out new definitions every Thursday. Step 4: Where is the procedure done? The procedure is done from any administrative workstation. The procedure is applied to all desktops running Windows 9x at any location. Why? No special location is required to apply the procedure. All desktops need to have the most current updates. Step 5: Sample policy derived from procedures outlined in the example above. To ensure all desktops running Windows 9x are protected from viruses with the most recent updates, the network administrator at each location will apply the latest virus definition updates biweekly. Although the process can be automated, checks must be put in place to ensure the updates have been applied successfully. We’ve just taken a known and accepted procedure and created a policy for it. This policy may not have been written and approved, but certainly it was implied and understood before it was written. 2 - 14
  15. Objectives • Defining Security Policy • Using Security Policy to Manage Risk • Identifying Security Policy • Evaluating Security Policy • Issue-specific Security Policy • Exercise: Writing a Personal Security Policy Basic Security Policy - SANS ©2001 15 This page intentionally left blank. 2 - 15
  16. Evaluating Security Policy • What if your existing policy is confusing and hard to read? • What if it doesn’t cover all the bases? • Use a checklist to evaluate your policy. Basic Security Policy - SANS ©2001 16 Your organization may have a written policy, but it may be confusing and hard to read. It may also contain ‘gaps’ where some key issues are addressed, but others are not. You can sort through your policy by using a checklist to identify policy attributes that need improvement and prepare draft revisions. 2 - 16
  17. Evaluating Security Policy (2) • Use a checklist: – Does it contain the expected elements? – Is it clear? – Is it concise? – Is it realistic? – Does it provide sufficient guidance? Basic Security Policy - SANS ©2001 17 Verify that the security policies contain the most common elements. Look for the following elements (discussed earlier), and note what is missing: Purpose, Related documents, Cancellation, Background, Scope, Policy statement, Responsibility, and Action. (Note: Not all sections are required. If your search for a Policy Development Guide was successful, consult it to determine required sections. If there is no written guide, use the above template and check with other folks who have been successful in getting other policies signed and implemented.) Examine the security policy to see if it is clear. One simple way to test for clarity is to have one of the individuals identified as being responsible determine whether he or she understands the responsibility. Examine the security policy to see if it is concise. A specific policy topic (e.g. anti-virus signature updates) shouldn’t exceed two pages. Many organizations limit them to one page. Examine the policy to see if it is realistic. Security policy shouldn’t require people to try to implement things that can’t be implemented. Examine the policy to see if it provides sufficient guidance so that a specific procedure can be developed from it. Policies address what is to be done and why. Procedures specify how things are done and are how policy ultimately gets implemented. For example, if you have an Internet connection policy, you should be able to use that policy to create step-by-step procedures that allow you to configure your firewall. Procedures are also the basis for written checklists. 2 - 17
  18. Evaluating Security Policy (3) • Checklist, continued… – Is it consistent? – Is it forward-looking? – Are there means to keep it current? – Is the policy readily available to those who need it? Basic Security Policy - SANS ©2001 18 Examine the policy to see if it is consistent with higher-level policy and guidance. If you discover any discrepancies between the policy you are reviewing and higher-level policy, note them, as you will need to resolve them for the policy to be meaningful. Security policy must also be in accordance with local, state, and federal computer crime laws. Examine the policy to see if it is forward looking. Security policy should be open to change based on new risks and vulnerabilities, especially following an incident. It should not be hardware or software-specific. Examine the policy for provisions to keep it current. Security policy should be reviewed regularly. Revisions in implementation should reflect lessons learned from recent incidents and new threats to the organization’s security. Check to see if the security policy is readily available. The Policy Development Guide may provide information regarding responsibility for publishing and making available specific policy documents. Security policy should be incorporated in employee handbooks and posted for reference. It must be required reading as part of the new employee orientation process. 2 - 18
  19. Bad Policy “The head of a Federal agency may employ standards for the cost effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce.” Basic Security Policy - SANS ©2001 19 What does this policy statement actually say? Is it concise? Could it provide various interpretations? 2 - 19
  20. Checkpoint: Procedure Guidance • Policies address the who, what, and why. • Procedures address the how, where, and when. Basic Security Policy - SANS ©2001 20 It cannot be stressed enough: policies address what is to be done, who is to do it, and why. Procedures specify how things are done, where, when, and ultimately how the policy gets implemented. Procedures are also the basis for written checklists. There are four key tests of any policy. They are: • Is it consistent with higher-level policy and guidance? • Is it forward looking, able to change if needed? • Does it have a review schedule? • Is it readily available? Next we look at policies directed at specific situations. We have termed these Issue-specific Policies. 2 - 20
Đồng bộ tài khoản