

Chapter 8

Basic Security Policy 67

Basic Security Policy

SANS Security Essentials II:
Defense in-Depth

Security Essentials – Defense in-Depth – © 2003 SANS

SANS Institute

Preface

It never ceases to amaze me that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy,” but nobody ever explains what the policy is, let alone how to write or evaluate it. That is why we undertook this research and education project on basic security policy. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, “The Roadmap,” a usable and effective policy. We hope you will find this module useful and that you will participate in its evolution. Thank you!

Stephen Northcutt

Basic Security Policy

In this chapter, we equip you to write and evaluate security policies, whether you focus on an entire organization or on your individual job. We show you step-by-step instructions for how to develop policy, and we equip you with fill-in-the-blank templates for policies on some specific security issues. We give real-world examples of some dire personal consequences that can result if you act outside of policy or if your policies are inadequate. We also cover contingency planning, such as for when your organization faces a disaster.

Objectives
• Defining Security Policy
• Using Security Policy to Manage Risk
• Identifying Security Policy
• Evaluating Security Policy
• Issue-specific Security Policy
• Exercise: Writing a Personal Security Policy
• Contingency Planning within your Policy

How Does Security Policy Fit Into the Big Picture?

Security policy is the foundation and measuring stick for all other security matters in your organization. A security policy establishes what must be done to protect information stored on computers. A well-written policy contains a sufficient definition of what to do so that the how can be identified and measured or evaluated. Security policy protects both people and information. It sets the rules for expected behaviors by users, system administrators, management, and security personnel. It authorizes security personnel to monitor, probe, and investigate in ways that might be indistinguishable from a hacker were it not for the policy. It defines and authorizes the consequences of violation.

Think about the non-disclosure agreement (NDA): the legal document that most large organizations use when disclosing proprietary information. Your organization might even have their standard NDA in pre-printed form. Get a copy and take a look at it. Despite the lawyer language of such documents, it doesn’t take long to see that the purpose is to protect information. It carefully spells out the procedures (the Who, What, Where, When, and How) for the case in which an organization has sensitive information that it discloses to someone else. As you learn more about policies, you will find that many aspects of a policy can be found in a document like this. A sample NDA, based on what GIAC uses, is included as an appendix for your reference. In fact, an organization’s policy might reference a document like this. For instance, an organization might have a policy that says, "Sensitive information will only be released to individuals who have signed a non-disclosure agreement that is on file with the corporate legal office."

Documentation is Critical
• If it is not in writing it never happened.
• You must clearly document:
– What is expected of users
– What you plan on doing
– How you plan on doing it
– What other people are required to do

Security policy compels the safeguarding of information. An effective security policy also protects people. Anyone who makes decisions or takes action in a situation in which information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. It eliminates, or at least reduces, personal liability for employees. Let’s consider an example of a policy that protected an individual, in this case Stephen Northcutt. He tells about how his network scanning of a Navy lab took down an entire network (see Sinking a Warship). How about you, in your organization? If your job requires you to investigate incidents, monitor traffic, probe for vulnerabilities, crack passwords, or to take down compromised systems, do you have appropriate permission to do so? Is it in writing?

Next we answer the questions: “What exactly is a security policy?” “What do they look like?” “What goes into them?” We define “security policy” and explain different types of policies and the typical content in a policy. Let’s begin.

Sinking a Warship

I was scanning our entire Navy lab, one subnet at a time (the recommended approach), fixing problems as I found them. I was running the scanner on low power when I hit a network and received a phone call from a friend: "Stephen, the net is down, we think you killed it." "It" was a mock-up of a real Navy warship. All of the communications on the model were the same as the one on the real ship. When its networking hardware received a packet (from me) on a certain port, it died. Its FDDI ring came to a complete stop. The people in this little lab were furious with me; one fellow in particular wanted to do me harm. He continues to be angry with me to this day! They formed an investigative panel and called me in. I could see by the grim looks around the table that this was not going to be pleasant. The sparks flew. Finally, someone asked whether this could happen in real life. The answer was, “yes.” The next question was, “Shouldn’t we get it fixed?” The point is, my network scan made these people angry enough that my job would have been in jeopardy if I’d not had my ducks in a row. I had received written permission to run the scan prior to doing so. So should you!

Stephen Northcutt

Defining a Policy
• Policies direct the accomplishment of objectives
– Program Policy
– Issue-specific Policy
– System-specific Policy
An effective and realistic Security Policy is the key to effective and achievable security.

Defining Security Policy

A policy is a guideline or directive that indicates a conscious decision to follow a path towards a specified objective. Often a policy may institute, empower resources, or direct action by providing procedures or actions to be carried out. The policy itself should be effective and realistic with achievable security goals. With that in mind, this book will attempt to provide guidance towards the goal of developing a Basic Security Policy for an organization or, even better, defining the existing one. In this section, we see what a policy looks like in general, or the typical content within policies and common types of policies. Then, we focus on the content specific to a security policy.

This chapter is really about documentation. All of us are busy, and we do not have enough time in the day to get done what is needed. Anything that slows us down frustrates us. We recognize the difficulty in making time to document policy and processes, but there are certain things that must be done, even though they take a little longer. One of those things is documentation. You might clearly know what is expected of people and yourself, but others might have no clue. It’s critical to write down in a clear and concise manner what is expected of everyone in the organization when it comes to security, what the organization is going to do, and what others in various roles within the organization are going to do. It is also helpful to inform people of what is expected of them. You can verbally tell someone something, but that leaves the door open to misunderstanding or forgetfulness. It is also not appropriate for communicating with a large group of people. When the CEO of a large company wants to communicate something to her employees, she might hold a meeting; however, in most cases, she will also follow up with a written e-mail. This is because people hear things in different ways, but if those things are written down, there is less chance of a misunderstanding.

Types of Policies

Throughout this book, we refer to three types of policies. When we discuss a policy, you can assume that it is a program policy unless otherwise indicated. We also talk about issue-specific and system-specific policies. Let’s define these policy types before going any further:
• Program Policy: This high-level policy sets the overall tone of an organization’s security approach. It is usually brief, just long enough to establish direction. Typically, guidance is provided with this policy to enact the other types of policies and define who is responsible. This policy can provide direction for compliance with industry standards from organizations such as ISO (International Organization for Standardization), the British Standards Institute (BSI), IEEE (Institute of Electrical and Electronic Engineers), and the National Institute of Standards and Technology (NIST), as well as with applicable law and government regulations.
• Issue-Specific Policy: These policies are intended to address specific needs within an organization, such as password procedures and Internet usage guidelines. This is not as broad a policy category as program policy; however, it is broader than system-specific policy. Typical issue-specific policies can also include anti-virus and backup policies. We discuss these in detail in the “Issue-Specific Security Policy” section found later in this chapter.
• System-Specific Policy: For a given organization, several systems can perform different functions, and the use of one policy governing all of them might not be appropriate. It might be necessary to develop a policy directed toward each system individually: a system-specific policy.

Defining a Policy (2)
• What makes up a policy?
– Purpose
– Related documents
– Cancellation
– Background
– Scope
– Policy statement
– Action
– Responsibility

Content of a Policy

Just about every security-related class mentions the necessity of basing procedures on a good security policy. We need to understand what is meant by policy, as there are many conflicting definitions. What does a policy look like, and what kind of content does it have? Because later we go into this in much more detail as Step 1 of Evaluating Security Policy, we are brief here. A policy typically includes the following content:
• Purpose: Explains the reason for the policy.
• Related documents: Lists any documents (or other policy) that affect the contents of this policy.
• Cancellation: Identifies any existing policy that is cancelled when this policy becomes effective.
• Background: Provides amplifying information on the need for the policy.
• Scope: States the range of coverage for the policy (to whom or what does the policy apply).
• Policy statement: Identifies the actual guiding principles or what is to be done.
• Action: Specifies what actions are necessary and when they are to be accomplished.
• Responsibility: States who is responsible for what.
• Ownership: Identifies who sponsored the policy and from whom it derives its authority, as well as defines who may change the policy.

Defining a Policy (3)
• Who can sign the policy?
• What process is used to:
– draft a policy
– approve a policy
– implement a policy

Risk Assessment
• What do you do?
– The “important bid” story
– When is it okay to violate or change policy?
– Who has the authority to do it?
– What are the risks involved?

Policy should also take into account any possible exceptions. Consider this situation: It’s 2:00 a.m. on a Saturday morning. Your team is trying to finish a time-critical project, the important bid. There are problems getting through the firewall, sending a file. The obvious solution is to modify the firewall, but this is prohibited by the security policy. If they don’t, they will not meet the deadline. If they do act, they risk the consequences of violating a written security policy. The team faces a dilemma. What do they do? What risks are involved in their actions?

Policies are intended to provide guidance on subjects such as this. They should define:
• What types of exceptions can be made, and for what duration of time
• Who has the authority to make them
• What review process should be followed to evaluate emergency exceptions
• What follow-up must occur, and when, to benefit from any “lessons learned”
• What schedule should be followed to complete any actions needed to bring closure
These considerations protect both the organization’s assets (by defining which changes are acceptable and which are not) and those people responsible (by defining the responsible parties and empowering them to make decisions and take action within the scope of the policy).

Managing Risks in Your Job
• Identify risks
• Communicate your findings
• Update (create) policy as needed
• Develop metrics to measure compliance

Security-Specific Policies

The security policy should seek a balance between “access” and “security.” Of these two points, “access” pertains to performance and ease of use, whereas “security” focuses on integrity, availability, and safety. These concepts do not apply just to the computer or network itself, but to the organization as a whole. A good security policy will take into account risks and vulnerabilities, and provide comprehensive coverage of an organization’s infrastructure. Security policy should always be commensurate with actual measured risks.

Policy definition in the realm of security for the Internet Age has gained importance on the world stage. Various security standards have been developed over the years (C2, BS 7799, and ISO 17799), which might be applicable to a given organization. The United Kingdom took a lead in the development of recognized security standards, and through the British Standards Institute sponsored the creation of the British Standard Code of Practice for Information Security Management (BS 7799). The intention was to provide a means for ensuring customers that businesses were providing secure services and that information was handled in a secure manner. This was published on December 1, 2000, as an international standard (ISO/IEC 17799). Although standards can provide an excellent basis for defining your organization’s policy, if a policy does not directly relate to an organization’s realistic needs and requirements, the policy will fail at the risk of exposing the organization, as if the policy didn't exist.

ISO/IEC 17799 provides over 125 security guidelines that are divided into 10 major headings, which enable identification of security controls in a manner that will be appropriate for a given organization. In all, nearly 500 controls and elements of best practice are presented in ISO/IEC 17799. ISO/IEC 17799 provides security controls for computers and networks, as well as guidance on security policies, staff security awareness, business continuity planning, and legal requirements. ISO/IEC 17799 is a defining standard of security controls that should be investigated and reviewed thoroughly before incorporation into a business plan or operating procedure. Doing so helps an organization appropriately manage its risk. As with any standard recognition, auditing teams and assessments are required to determine eligibility for registration. What is the security policy within your organization, and what can you do about it? We focus specifically on your own organization next.

Identifying Security Policy
• Who does the procedure?
• What is the procedure?
• When is the procedure done?
• Where is the procedure done?
• Why is the procedure done?

Policy in Your Organization

Each organization can have its own concepts of what policies are and how they are developed. How does your organization define policy? Does it have a “policy about policies” or a written guide documenting how to develop a policy? What components does your organization include in its policies? What is the process for getting them drafted or modified, approved, and promulgated? Many organizations have a guide that dictates the makeup of its policies: a Policy Development Guide. Get a copy of this, if one exists. Otherwise, you might be able to deduce expected content and to some extent the process for approval by looking at existing policies and their approvals and participants. In addition to identifying what should be in the policy and who will sign it, you need to identify the folks who will help develop and review the policy before you submit it for signature. Typical participants (in addition to the security staff) can include members of the legal and human resources staff, as well as a representative from one or more collective bargaining units.

Organizations typically have policies on a variety of subjects. What policies does your organization have that specifically relate to security? Identify what your organization does or does not have, and try to make it better. Without a security policy, any organization can be left exposed to the world. In order to determine your policy needs, a risk assessment must first be conducted. This may require an organization to define levels of sensitivity with regard to information, processes, procedures, and systems. Your actions may include lobbying to create or expand current policy. Later we talk about evaluating security policies. You will be able to identify weaknesses and omissions in existing policy within your organization and opportunities for improvement.

Roles and Responsibilities
• Formal organizational structure
– Who has the title
– Who is listed at the top of the organizational chart
• Informal organizational structure
– Who gets things done
– Who really makes decisions

Roles and Responsibilities

Policy is created, followed, and enforced by people functioning in particular roles. When dealing with risk in any organization (the management of which is the purpose of the policy), it is important to understand the roles and responsibilities of individuals within the organization. Key components of policy within your particular organization are the specific roles and responsibilities within your organization, formally and informally. Most organizations have a formal organizational structure, usually displayed in an org chart showing titles and relationships among people. Often there is also an informal organizational structure concerning who gets things done and who really makes decisions. Except perhaps for snippets in process documentation, this is usually more a matter of “tribal knowledge” and not documented. Just because someone has the title of CIO does not mean that she really is the one with the technical knowledge to make the decisions. Also, when implementing policy, it is critical to obtain buy-in from key individuals. To reiterate, remember that policy is created, followed, and enforced by people functioning in particular roles. We said earlier that a “policy is a guideline or directive that indicates a conscious decision to follow a path toward a specified objective.” The policy is merely a document until people exercising their responsibilities in their various roles make conscious decisions to follow the desired path. Effecting policies in the context of your organization requires awareness of the various roles and responsibilities, and possibly different levels (as we see next), that exist.

Levels of Policy
• Recognize that policies can exist on different levels
– Enterprise-wide/corporate policy
– Division-wide policy
– Local policy
– Issue-specific policy
– Procedures and checklists

Policies at Different Levels

A policy can exist on different levels within an organization. Unless you are at the top of the organizational hierarchy, it is likely that there is a part of the organization above your level that issues policy you are expected to implement. A common hierarchy for policy in an organization looks like this:
• Enterprise-wide or Corporate Policy: Consists of documents from the highest level (perhaps national or world-wide) within the organization that provide a general direction to be implemented at lower levels in the enterprise.
• Division-wide Policy: Consists, typically, of an amplification of enterprise-wide policy as well as implementation guidance. This level might apply to a particular region of a national or multi-national organization.
• Local Policy: Contains information specific to the local organization or corporate element.
• Issue-specific Policy: Contains information related to specific issues, for example, firewall or anti-virus policy.
• Security Procedures and Checklists: Consists of local Standard Operating Procedures (SOPs), aligned with and perhaps derived from security policy.

In a typical organization, security policy might exist on some levels and not on others. If so, note them as areas for improvement. Documents interact and support one another and generally contain many of the same elements. Now that you understand the policy hierarchy, you can collect policy documents available at several levels in the organization. Security policy must always be in accordance with local, state, and federal computer crime laws as well as other applicable government statutes, such as U.S. export regulations. Also, policy written to implement higher-level directives may not waive any of the requirements or conditions stipulated at a higher level.

A security policy usually exists (and is enforced to some extent) even if it is not written down. One way to identify unwritten policy is to observe processes in action. Here are some examples to prime your thinking:
• When is someone’s approval sought before proceeding?
• What information is scrutinized and how does it impact the process?
• What behavior is not tolerated?
When you find instances of unwritten policy, note them for inclusion in the policy review. In the process of collecting policy documents, you may find procedures (perhaps issue-specific) that do not appear to be the result of any specific policy. Assemble existing procedures for inclusion in a policy review. Encourage your management to articulate security policy in writing. Putting the policy in writing prevents misunderstandings and promotes proper actions.

“Where is it Written?”

The decisions we make must stand the test of reasonableness: Given a situation, could a reasonable person be expected to make the same decision? It is amazing to hear people who have been practicing computer security for more than a decade ask, “What instruction requires that we do it that way (or at all)?" Often just pointing to a written and dated policy signed by upper management can be an effective approach to obtain compliance or correct the policy.

Checkpoint: Procedure Guidance
• Policies address the who, what, when, where, and why.
• Procedures address the how.

Policy Worksheet

What do you do when some work doesn’t seem to be covered by an organization's policy? Procedures are derived from policies. If you can characterize the procedures you follow (and you should be able to do that easily), then you can derive the parent policy, even if it hasn’t yet been written and signed. By walking through the Who, What, When, Where, and Why, the parent policy is derived from an understanding of the procedure. Table 8.1 illustrates these using five simple steps to produce a sample policy.

Table 8.1 - A Sample Policy Worksheet

Step 1: Who does the procedure?
  The network administrator rolls out anti-virus updates to local desktops.
Why?
  Certain administrative rights are needed to configure the push to users’ local drives.

Step 2: What is the procedure?
  Definitions are unpacked and placed in a shared directory. Login scripts download the files, apply the update, and reboot the machines. Machine names are flagged in the database as having been updated.
Why?
  To protect against virus infections by deploying anti-virus updates. Automating the process is more efficient. Machine names are flagged in an exception list for manual intervention.

Step 3: When is the procedure done?
  The procedure is done weekly; our vendor rolls out new definitions every Thursday.
Why?
  To keep up-to-date with the latest virus attacks. Although the process can be automated, checks must be put in place to ensure the updates have been applied successfully.

Step 4: Where is the procedure done?
  The procedure is done from any administrative workstation. The procedure is applied to all desktops running Windows 9x.
Why?
  No special location is required to apply the procedure. All desktops need to have the most current updates.

Step 5: Looking at the notes from both columns, the policy becomes clear. The description identifies the threat (virus infection) and provides for safeguards (see the Sample Policy below).
Sample Policy:
  “To ensure all desktops running Windows 9x are protected from viruses with the most recent updates, the network administrator at each location will apply the latest virus definition updates weekly.”

In your organization, what procedures can you list for which you need to document the policy? Make notes on the Who, What, When, Where, and Why of your procedures. You will be able to derive any missing policies based on these notes.
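The worksheet derives a policy from the weekly anti-virus rollout, and Step 3 notes that checks must be put in place to ensure the updates were applied. As an added example that is not part of the SANS text, the following Python script models such a check: it compares each desktop’s recorded definition date with the vendor’s latest Thursday release, flags stragglers in an exception list for manual intervention (the list the worksheet mentions), and reports the share of in-scope Windows 9x desktops that are current, which is the kind of compliance metric the “Managing Risks in Your Job” slide asks for. The inventory rows, machine names and dates are constructed for the example; a real rollout would read them from the update database the worksheet refers to.

```python
"""Compliance check for the weekly anti-virus definition rollout.

Added example, not code from the SANS course. It assumes the policy in
Table 8.1: every desktop running Windows 9x gets the vendor's latest
definitions weekly, and the vendor releases on Thursdays.
"""
from datetime import date, timedelta

# Constructed inventory rows (not real data):
# (machine name, operating system, date of the definitions it last
# reported as installed; None means the machine never reported).
INVENTORY = [
    ("ws-001", "Windows 98", date(2003, 5, 8)),
    ("ws-002", "Windows 95", date(2003, 5, 1)),
    ("ws-003", "Windows 98", None),
    ("ws-004", "Windows 2000", date(2003, 4, 24)),  # outside this policy's scope
    ("ws-005", "Windows 98", date(2003, 5, 8)),
]

THURSDAY = 3  # date.weekday(): Monday == 0, so Thursday == 3


def latest_release(today, release_weekday=THURSDAY):
    """Date of the most recent vendor release on or before `today`."""
    days_back = (today.weekday() - release_weekday) % 7
    return today - timedelta(days=days_back)


def in_scope(os_name):
    """Scope taken from the sample policy: desktops running Windows 9x."""
    return os_name.startswith("Windows 9")


def check_compliance(inventory, today):
    """Split in-scope desktops into compliant ones and an exception list.

    A desktop is compliant when the definitions it reports are at least as
    new as the latest release that was available on `today`.
    """
    target = latest_release(today)
    compliant, exceptions = [], []
    for name, os_name, installed in inventory:
        if not in_scope(os_name):
            continue  # policy does not cover this desktop
        if installed is None:
            exceptions.append((name, "never reported an update"))
        elif installed < target:
            exceptions.append(
                (name, f"definitions dated {installed}, expected {target}"))
        else:
            compliant.append(name)
    total = len(compliant) + len(exceptions)
    coverage = len(compliant) / total if total else 1.0
    return {"target": target, "compliant": compliant,
            "exceptions": exceptions, "coverage": coverage}


def report(result):
    """Render the exception list and metric as the lines an admin would read."""
    lines = [f"Expected definitions: {result['target']} "
             f"({result['coverage']:.0%} of in-scope desktops current)"]
    for name, reason in result["exceptions"]:
        lines.append(f"EXCEPTION {name}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    # 13 May 2003 is a Tuesday, so the latest Thursday release is 8 May.
    print(report(check_compliance(INVENTORY, date(2003, 5, 13))))
```

Run as written, the check reports that ws-002 and ws-003 need manual intervention and that half of the in-scope desktops are current. Keeping the scope test, the release calendar and the comparison rule as separate functions mirrors the worksheet: when the policy changes (a different platform, a different vendor schedule), only the matching function changes.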

Evaluating Security Policy
• What if your existing policy is confusing and hard to read?
• What if it doesn’t cover all the bases?
• Use a checklist to evaluate your policy.

Evaluating Security Policy

Hopefully, you followed the recommendations discussed previously to collect policy documents from various levels within your organization. However, you discover that the written security policy within your organization is confusing, difficult to follow, or doesn’t address one or more significant risk areas. What do you do? You identify policy attributes that need improvement and prepare draft revisions. If your search for a Policy Development Guide was successful, consult it to determine required sections. If there is no written guide, use the previous template and check with other folks who have been successful in getting other policies signed and implemented. Use common sense. Here’s a good sequence:

Step 1: Verify that the security policies contain the most common elements. Look for the following elements, and note what is missing. Certainly not all sections are required. Other organizations are likely to have different content and names to describe certain content within their policies. Some elements need to be explicitly or implicitly present for there to be sufficient guidance to the organization. For example, everyone in the organization needs to know if they are expected to comply with a particular policy; this is typically part of scope. For a policy to result in action, it must define who has responsibility to take action. Is the policy sufficiently complete that members of the organization know who is to do what?

Evaluating Security Policy (2)
• Use a checklist:
– Does it contain the expected elements?
– Is it clear?
– Is it concise?
– Is it realistic?
– Does it provide sufficient guidance?

Step 2: Examine the security policy to see if it is clear. One simple way to test for clarity is to interview one of the individuals identified in the policy as being responsible for some action and determine whether she understands and agrees with her role as described in the policy.

Step 3: Examine the security policy to see if it is concise. A specific policy topic (for example, anti-virus signature updates) shouldn’t exceed two pages. Many organizations limit them to one page. Very often, the policy statement within the policy document will be one sentence, about a single specific subject. Remember, this is a policy document, not a work instruction. It should describe what is desired, not how it is to be accomplished.

Step 4: Examine the policy to see if it is realistic. Security policy shouldn’t require people to try to implement things that cannot be implemented or should not be implemented. This can easily happen when a policy goes beyond establishing guidelines and direction and starts prescribing implementation details.

Title 40. They spend taxpayers' money contracting for huge notebooks of overly long. poorly written. Procedures specify how things are done and how policy ultimately gets implemented. Policies address what is to be done and why. the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce. SANS Institute . with thousands of hours of practice. The policy documents are so large that they cannot be updated without generating a massive review cycle. …. Chapter 25. Writing guidelines or checklists is work. it’s important enough to have and follow a checklist. or when it has been months since they’ve touched the systems? If it’s important that it be done right. if you have an Internet connection policy. Airline pilots.90 Book 2 – Defense in-Depth Government Policy The United States government creates some of the worst security policy in the world. firewalls. if such standards contain. Deak Parsons used a checklist to assemble the first production atomic bomb. They often claim to be "too busy" to develop written procedures. For example. are you still trying? Step 5: Examine the policy to see if it provides sufficient guidance for a specific procedure to be developed from it. non-specific prose. Many organizations have one or two employees proficient in configuring systems. you should be able to create procedures that allow you to configure your firewall from it. still use checklists. Here is an example from US Code. and people often do not wish to be bothered documenting procedures. at a minimum. Procedures are also the basis for written checklists.” How many times did you have to read this example of government policy before you understood what it said? Or. But what happens when the employees aren’t available. and routers. They often require people to implement things that are not possible to implement. 
Section 1441 (even the citation is a bit lengthy): “The head of a Federal agency may employ standards for the cost effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce.

The Bomb

Deak Parsons was a Captain in the Navy and an Ordnance specialist. He was assigned to the Manhattan Project during World War II. He put the first production atomic bomb together, but not in a lab or armory. He put it together in the bomb bay of the B-29 airplane that dropped the first atomic bomb. He assembled it at 29,000 feet over the Pacific Ocean on the way to Japan. Parsons had one assistant who read to him a seven-step checklist. The procedure was very stressful and risky, but it was something he could almost do blindfolded because of the checklist. The checklist was a kind of policy on how to do the job. Good policy will reduce both stress and risk, just like the checklist did. If you don't have a policy (or checklist), you've got a time bomb on your hands waiting to go BOOM!

Evaluating Security Policy (3)
• Checklist, continued…
– Is it consistent?
– Is it forward-looking?
– Are there means to keep it current?
– Is the policy readily available to those who need it?

Step 6: Examine the policy to see if it is consistent with higher-level policy and guidance.

If you discover any discrepancies between the policy you are reviewing and higher-level policy, note them, as you will need to resolve them for the policy to be meaningful. Security policy must also be in accordance with local, state, and federal computer crime laws as well as applicable government regulations. Again, note any contradictions you discover so you can get the policy corrected.

Step 7: Examine the policy to see if it is forward looking.

Security policy should not be tied to current technology or people, and perhaps not even to current organizations or processes. It should not be hardware-, software-, or technology-specific. Policy responsibilities should be tied to organizational roles, such as Information Security Officer, and not to particular individuals.

Step 8: Examine the policy for provisions to keep it current.

All policy, including security policy, should be relatively stable, requiring only infrequent changes. This is a consequence of intentionally being forward-looking. Security policy should be reviewed regularly. Revisions in implementation should reflect lessons learned from recent incidents and new threats to the organization's security.

Procedures derived from policy are particularly prone to change, as technology and the security landscape change rapidly.

Step 9: Check to see if the security policy is readily available.

To have compliance with a policy, those affected by it must be aware of it, understand it, and know how to deal with questions they might have about it. They should also commit to adhering to it. Security policy should be incorporated in employee handbooks and posted for reference. It should be required reading as part of the new employee orientation process. The Policy Development Guide may provide information regarding responsibility for publishing and making available specific policy documents. Ready availability is measurable. As stated previously, if you cannot measure compliance (conformance), the policy is unenforceable.

By now, you should be very comfortable with the concept of policies and procedures in general, and those in your organization in particular. There are four key tests in evaluating any policy:
• Is it consistent with higher-level policy and guidance?
• Is it forward-looking (and thus immune to the need for frequent change)?
• Does it have a review schedule, and is it currently valid?
• Is it readily available?

It cannot be stressed enough: Policies address what is to be done, who is to do it, and why. Procedures specify how things are done - where, when, and ultimately how the policy gets implemented. Procedures are also the basis for written checklists. Next we'll look at how to approach policies concerning specific security issues.

Issue-Specific Security Policy
• Anti-Virus
• Password Assessment
• Backups
• Proprietary Information
• Personal Security Policy

Issue-Specific Security Policy

Issue-specific policies are often brief and to the point. In this section we have step-by-step sequences showing the example thought process for developing policies for five specific issues. They contain information and ideas you may find valuable for your organization. We focus on the five issues listed on the slide.

Anti-virus Policy
• Define the problem
– Various practices risk the introduction of viruses into systems and networks
• Develop a solution
– Define the scope
– Layer the defense strategy
– Identify responsibilities
– Measure the effectiveness

Issue-Specific Policy: Anti-Virus

Normal day-to-day work encompasses e-mail, exchange of information via the Internet, installing new software, and taking work home at the end of the day or bringing it back in the morning. These practices allow the introduction of viruses. An anti-virus policy serves as an authorizing document for a set of procedures. At a very high level, the policy might address how to select software products and ensure their comprehensive deployment, how to deploy the software to ensure desktop coverage, how to limit the possible entry paths, what to do when a virus is detected, and how to contain the damage to infected systems. Remember, this is a policy not a procedure. The following are example steps that could be used to develop an anti-virus policy for your organization.

Step 1: Select the scope of the policy.

Anti-virus software, at a minimum, should be deployed on any system that could be exposed to a virus. In most environments, this is nearly every system in the network, including every workstation and server. Scope, in a different sense, includes processes associated with anti-virus protection. It should include outbound as well as inbound protection.

Step 2: Layer your defenses.

Anti-virus protection should be layered (defense in-depth) so that if one system fails to contain a virus, it is blocked at the next system. An example could be a virus introduced into a desktop where the anti-virus software has not been kept up to date or has been disabled by a user. As stated previously, this includes outbound as well as inbound information flow. Your organization might wish to support workers and partners in having current, properly functional anti-virus protection on home or other remote systems so that problems are prevented before ever reaching your organization. Partners should clearly understand the expectations your organization places on them regarding anti-virus protection.

Step 3: Identify responsibilities.

Preferably, responsibility for anti-virus protection should be assigned to system administrators rather than individual users. Make sure that persons responsible for keeping the signatures updated understand their responsibility. Users should be trained to not disrupt or bypass the proper functioning of the anti-virus software on their systems.

Step 4: Measure the effectiveness.

Every anti-virus policy (along with every policy and process) should include a means of measuring compliance. For an anti-virus policy, this measurement includes reporting the occurrences of viruses. Where possible, reporting will be done as part of the anti-virus products; this will reduce the burden on personnel and probably improve the completeness of the data. Nonetheless, people should be encouraged to report information about possible viruses only to a central clearing house rather than spreading what often are hoaxes. Hoaxes about non-existing viruses and other malicious software can become epidemic because they typically exhort the reader to spread the warning to everyone she knows. Catalogs of hoaxes are readily available on the Internet. Following are examples:
• hoaxbusters.ciac.…
• www.f-secure.….htm
• www.….asp
• www.….html

Password Assessment Policy
• Define the problem
– Password assessment is a necessary part of security, but may appear illegal if carried out without proper authority/safeguards
• Develop a solution
– Identify the risks
– Enumerate the countermeasures
– Enable administrators to legally assess passwords
– Escrow passwords for use during incidents

Issue-Specific Policy: Password Assessment

Password assessment involves authorized organizational personnel intercepting or recovering users' passwords and assessing their compliance with password policy. This activity is necessary to maintain the protection of information, but the activity might appear illegitimate because capturing passwords is a serious violation of policy and it is possibly criminal. Therefore, an explicit exception needs to be identified within policy, authorizing this important activity with specific constraints. People have been prosecuted for assessing (cracking) passwords when they claimed they were just doing their job. Security personnel, be warned to never engage in this activity except where explicitly authorized by your policy and management. The following are example steps that could be used to develop a policy for your organization specifically concerning password assessment.

Step 1: Identify the risk.

The early history of hacking was mostly an exercise in password guessing and remains a popular technique. Even better than guessing is cracking the password. There are a variety of techniques to acquire the password file for both Unix and Windows systems. Once intruders have the password file, they can launch an attack offline. Consider how many Windows NT systems have been compromised via the one-two punch of exploiting the null session and password guessing. To make the acquisition and cracking of password files more difficult for attackers, the security policy should specify standards for formulating
passwords, such as a minimum password length of eight characters and the use of at least
one non-alphanumeric character in the string. The policy should also discuss maintaining
the security of password files.

Step 2: Enumerate the countermeasures.

The policy should employ procedures for configuring systems to make it more difficult
for the attacker to access the password file in the first place. These configurations should
include using shadow passwords for Unix and disabling null sessions for Windows NT.

Step 3: Enable administrators to legally assess password strength.

The policy should enforce password protection by providing authorized personnel the
right to use tools that filter passwords and tools that crack them - the same cracking tools
that attackers use. Password filtering is proactive, and highly desirable. It refers to
filtering that occurs between when a user specifies a new password and when the system
accepts it. For example, if the user specifies “password” as her new password, the system
would filter out or reject that change and demand that a different password be selected.
Password filters can be used to enforce compliance with password policy. They could also be
used in some environments to record accepted new passwords, although such a record is itself
as sensitive as the password file and needs the same protection.

Password cracking occurs later in the sequence. It refers to recovering existing passwords
from their stored hashes, by brute force or by guessing candidate passwords and comparing
their hash values with the stored ones. Identify conditions under which password assessment is permitted
and encouraged. Again, if you plan to use password cracking yourself, be sure you have
written authorization - either unequivocal policy or a separate authorization from top
management. Personnel cracking passwords without authorization will be terminated!
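The two mechanisms in Step 3 in working form, as an added example that is not part of the SANS course material: a password filter applying the standards the policy specifies above (minimum eight characters, at least one non-alphanumeric character, plus a small denylist), and an offline guess-and-compare cracker of the kind Step 3 authorises. The account names, salts, wordlist, mangling rules and the salted-SHA-256 record layout are constructed for illustration; they do not represent any real shadow or SAM file format.

```python
import hashlib
import hmac
import os

# Added example (not SANS's code): a password filter enforcing the standards quoted
# above, and an offline guess-and-compare cracker run against a constructed password
# file. The salted-SHA-256 record format is illustrative, not a real shadow/SAM format.

MIN_LENGTH = 8
DENYLIST = {"password", "letmein", "welcome", "qwerty"}   # constructed, deliberately tiny


def check_password(candidate: str) -> list[str]:
    """Filter step: return the policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if all(ch.isalnum() for ch in candidate):
        problems.append("no non-alphanumeric character")
    if candidate.lower() in DENYLIST:
        problems.append("on the denylist")
    return problems


def hash_password(password: str, salt: bytes) -> str:
    """Illustrative stored form: hex(salt)$hex(sha256(salt || password))."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def mangle(word: str):
    """Typical cracker rules: the word itself, capitalised, and with common suffixes."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "!", "123", "2003"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(password_file: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Offline attack: hash each guess with the account's own salt and compare to the stored value."""
    recovered = {}
    for user, stored in password_file.items():
        salt = bytes.fromhex(stored.split("$", 1)[0])
        for word in wordlist:
            for guess in mangle(word):
                if hmac.compare_digest(hash_password(guess, salt), stored):
                    recovered[user] = guess
                    break
            if user in recovered:
                break
    return recovered


# Constructed password file: three accounts, each with a fresh random salt.
# alice's choice fails the filter; bob's passes it but is still cheap to crack.
PASSWORD_FILE = {
    "alice": hash_password("summer2003", os.urandom(8)),
    "bob": hash_password("Password!", os.urandom(8)),
    "carol": hash_password("glass-marble-tuesday", os.urandom(8)),
}
WORDLIST = ["password", "summer", "summer2003", "letmein", "qwerty"]   # constructed


if __name__ == "__main__":
    for pw in ("summer2003", "Password!", "glass-marble-tuesday"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    print("recovered offline:", crack(PASSWORD_FILE, WORDLIST))
```

Note that bob's password satisfies the length and character rules yet is recovered immediately by a one-line mangling rule, which is why a filter that only counts characters gives weak assurance on its own. The cracker's output is exactly the kind of finding the policy has to govern: who may run it, who sees the results, how they are stored, and who tells the user.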

Step 4: Escrow passwords for use during incidents.

Incident handlers and system administrators might need to access privileged passwords
under emergency conditions when privileged personnel are not available. The policy
should provide for a procedure to store critical passwords in a sealed envelope in a secure


Randall Schwartz
Randall L. Schwartz is a security consultant who is well-known in Perl programming
circles. For years he has participated in Perl newsgroups and produced two books on
the subject.

In July 1995, Schwartz was convicted by a jury of three felony counts under Oregon’s
Computer Crime Law, and the conviction was upheld upon appeal:

• Count 1: Altering a computer and a computer network without authorization
• Count 2: Using a computer and computer network for the purpose of
committing a theft
• Count 3: Committing theft of individual passwords

This cost Schwartz dearly: $170,000+ in legal bills, $68,000 in “restitution” to Intel
(dropped by the appellate court), 480 hours of community service, five years of
probation, and 90 days of deferred jail time (which a judge later suspended before it
was served).

What did he do to deserve such severe consequences? It appears as if the Intel
Corporation hired him as a consultant in their Beaverton, Oregon organization. He had
previously done work at a different Intel division. While consulting in Beaverton,
Schwartz assessed about 40 passwords (by cracking them) at the other Intel division,
even though this was not authorized by policy or his consulting contract. Mark
Morrissey, who performed the forensics analysis, reported that he saw no evidence either
way as to whether Schwartz ever actually used the cracked passwords, and that he “didn't
see any clear indication of a violation of the law.”

Don’t let this happen to you! For further detail on Schwartz’s story and the issues we
have been discussing in this chapter, read:


Data Backup Policy

• Define the problem
– Backups are critical to protect information
and allow disaster recovery, but are often
performed sporadically
• Develop a solution
– Identify backups as critical
– Empower system administrators
– Provide for exceptions when necessary
– Make sure the policy is implemented

Issue-Specific Policy: Backups
If you had a complete system failure tomorrow morning, how quickly could you restore

It is critically important to routinely and regularly make copies of ongoing work and
stored information to ensure business continuity in the event that data is lost - either to
disaster or human action. Following are example steps that could be used to develop a
policy for your organization specifically concerning backups.

Step 1: Identify backups as critical to the organization’s survival.

It costs a lot of money to create data and manage information. The policy should stress
the need for staying in business, which is dependent in part upon ensured availability of
this data. A well-written document will provide for backups of all data. If the information
was sufficiently important to gather in the first place, it must be backed up until a
conscious decision is made that the organization no longer needs the information.

Step 2: Empower system administrators to succeed.

Identify where the data is to be stored so that it is included in scheduled backups. Some
organizations specify that all data is to be stored on the servers. It sure makes doing a
backup much simpler rather than having the data located on multiple desktops. The policy should specify how backups are created, stored, and tested. Set a minimum number of backup copies to be retained and how long to keep backups based on the tested reliability of your backup media and processes. Full backups include password files and other sensitive data and should be securely stored off site. Off site data storage can be as simple as keeping it in another building or as elaborate as storing backed-up data in another country. Some organizations are very casual with their media and don't protect it. It is not uncommon to see backup tapes sitting on computers.

Step 3: Provide for exceptions to the norm.

If the organization generally requires all employees to store their data on servers, there may be cases where it is difficult to get personnel to do this. The policy must make provisions for such exceptions. If the employee does not keep the data on the server, the employee is personally responsible for backing up the data. One organization addresses this by making backups part of performance assessments and by including a statement of responsibility in the employee's annual performance plan. Loss of data without a backup results in the employee receiving no performance award for the year.

Step 4: Make sure the policy is implemented.

Security policy should provide for compliance, such as spot-checking. The policy could reference a procedure in which administrators look for recently modified data on a system and then ask to be shown where it is backed up. Periodically, administrators should test that data actually can be restored from backups.
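The two compliance checks Step 4 calls for, restore testing and spot-checking for recently modified data, as an added example that is not part of the SANS course material. It takes a full backup of a constructed data set into a tar archive with a checksum manifest, restores it into a scratch directory and compares every file against the manifest, then lists files modified after the backup. The directory layout, file contents and timestamps are constructed inside a temporary directory; the manifest format is my own choice, not any particular backup product's.

```python
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Added example (not SANS's code): a full backup with a checksum manifest, a restore
# test that proves the backup actually restores, and a spot-check for data modified
# since the last backup. Sample files and paths are constructed in a temp directory.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Full backup of every file under `source`; returns and writes a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str], restore_dir: Path) -> list[str]:
    """Restore test: extract into a scratch directory and compare each file with the manifest.
    Returns the problems found; an empty list means the backup restores cleanly."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")   # Python 3.12+: refuse traversal, devices, etc.
        except TypeError:
            tar.extractall(restore_dir)                  # older Python; archive holds only our own arcnames
    problems = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def modified_since(source: Path, since: float) -> list[str]:
    """Spot-check: files changed after the last backup, which the next backup must cover."""
    return sorted(
        p.relative_to(source).as_posix()
        for p in source.rglob("*")
        if p.is_file() and p.stat().st_mtime > since
    )


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed data set, prove it restores, then detect new work since the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = root / "data"
        (data / "reports").mkdir(parents=True)
        (data / "reports" / "q1.txt").write_text("constructed sample: Q1 figures\n")
        (data / "notes.txt").write_text("constructed sample: meeting notes\n")
        a_day_ago = time.time() - 86400
        for p in data.rglob("*"):
            if p.is_file():
                os.utime(p, (a_day_ago, a_day_ago))   # pretend the data is a day old

        archive = root / "full-backup.tar.gz"
        manifest = make_backup(data, archive)
        backup_time = a_day_ago + 60                 # the backup ran shortly after the last change
        problems = verify_restore(archive, manifest, root / "restore-test")

        changed = data / "notes.txt"                 # simulate work done after the backup
        changed.write_text("constructed sample: updated notes\n")
        os.utime(changed, (backup_time + 3600, backup_time + 3600))
        return problems, modified_since(data, backup_time)


if __name__ == "__main__":
    problems, changed = demo()
    print("restore test:", problems or "clean")
    print("modified since backup:", changed)
```

The restore goes into a separate directory on purpose: a restore test that overwrites live data is itself a risk. The manifest also gives the administrator something to show during a spot-check, since it records what was actually captured rather than what was scheduled.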

Proprietary Information Policy
• Define the problem
– Proprietary or other sensitive information must be protected from unauthorized access, modification, or disclosure
• Develop a solution
– Identify measures to protect information
– Identify boundaries for information access
– Establish auditing procedures
– Identify disclosure limits

Issue-Specific Policy: Proprietary Information

There is little difference between two competing organizations. If you think about it, both organizations use the same tools, technologies, and suppliers. Aside from marketing, what often makes the difference between them is the proprietary information, such as trade secrets and process differences. If these are revealed to the competition, an organization's competitive advantage can be lost. There is great potential for having proprietary information stored in our organizations' computers. This includes trade secrets, export-controlled technical data, product costs, customer lists, and so on. In courts, trade secrets have been protected only when they are subject to additional processes, that is, those that are above all other levels of information, which ensures the secret data is more protected than other data. Because members of the support staff will have full access to the systems and resources, they potentially have access to proprietary information. Members of the support staff are responsible for ensuring that all proprietary information is protected from disclosure or modification. Following are example steps that can be used to develop a policy for your organization that specifically concerns proprietary information:

Step 1: Ensure appropriate measures are in place for protecting proprietary information.

There is no point in having a policy or protecting information without physical and logical access control, for these are the primary technical methods for protecting information. These should be complemented by procedures, personnel, training, and auditing as discussed in the following sections.

Step 2: Identify boundaries.

Policy should delineate the exact circumstances, decision criteria, and approvals necessary for reading information belonging to another user under normal or emergency situations, stating what is acceptable and not acceptable about access to information. The system administrator of an e-mail system can probably read every message in the system since she has system privileges. This does not mean that such behavior is acceptable.

Step 3: Establish auditing procedures and rules about making copies of proprietary information.

Policy should provide for ways to copy or exchange proprietary information in an acceptable way as well as responsibility for auditing and enforcing compliance with this policy. If the sensitive information is kept in a protected system, it should not be copied or sent to a non-protected system or sent in the clear across a public network.

Step 4: Identify limits for information disclosure.

Information that is proprietary or sensitive should not be disclosed to any third party. If information must be disclosed, the individual who discloses the information should ensure that the individual who receives the information is authorized and has signed a non-disclosure agreement, such as the sample in the appendix of this book.

Exercise: Writing a Personal Security Policy
• Define the problem
– Your work is not specifically covered in your organization's written security policy
• Develop a solution
– Write a personal security policy for yourself

Writing a Personal Security Policy

What should you do if the work that you perform is not specifically covered in your organization's written security policy? Write a personal security policy for yourself. This section explains how.

Exercise: Writing a Personal Security Policy (2)
• Step by step:
– Describe each job function
– Make your policy meaningful
– Include common elements of a security policy
– Follow the guidelines for good policy

Step 1: Describe each job function with a tailored policy.

Your personal policy should cover a single job function. For example, if you are a system administrator and also a member of your organization's incident handling team, you need two policies. If you need to create policy for half a dozen or more functional roles, you might want to review your staffing plan with your manager and agree on how the responsibilities should be shared.

Step 2: Make it meaningful.

Use your job description as a resource. Think in terms of the potential impact you have on your organization, not just what tasks you perform. If someone wants to evaluate your performance, how could she do it?

Step 3: Follow the guidelines for writing good policy.

Include the common elements of a general security policy in your personal policy. Reference specific procedures, and make sure the expectations are realistic. Keep it short and simple. The scope of your normal responsibilities should not take more than a paragraph, although it might be tempting to write much more.

Exercise: Writing a Personal Security Policy (3)
• Step by step, continued:
– Define appropriate limits
– Have it signed and approved
– Make sure it stays current
– Keep management informed

Step 4: Use the policy to define appropriate limits.

A personal policy can be used as a basis for saying "no." People are asked to do things that range from frivolous to illegal. Tasks that are outside normal duties should be covered in your personal policy. For example, you might include a statement in your policy that says, “Computer staff do not support employees' home computers for uses other than access to corporate resources and virus protection.” If you are required to make decisions that affect the profitability of your business, say so in your personal policy. If your responsibilities affect system down time for mission-critical systems, include that in your policy statement.

Step 5: Have it countersigned (endorsed) by the proper authority.

Have your personal security policy signed by your boss, or better yet, your boss' boss. Negotiate if necessary. If your boss has signed the policy, then the implication is that he or she agrees with the stand you're taking.

Step 6: Make sure it is current.

Update your personal security policy at least twice a year. Reflect on what kinds of incidents you have handled in the past year. When you update your policy, keep the old versions, and you will be able to track how your job has changed over time.

Step 7: Keep your management informed.

Give copies of your personal policy to management. An advantage of having a signed personal security policy is that the manager two levels above you has a clear understanding of what you do and the challenges you face.

Step 8: Keep your work portfolio current.

Keep a copy of your personal policy and any procedures you develop in your professional portfolio.

Contingency Planning Within Your Policy

A critical aspect of security policy for your organization is planning for contingencies. In this section, we give you an overview of contingency planning - what it is and why you need it - and then we walk you through the contingency planning lifecycle. You will be equipped to create a contingency plan for your organization and to provide references for additional reading.

Overview of Contingency Planning

First, we define what a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are, and we explain why an organization needs them. Subsequently, we dive into the process for developing a BCP and DRP.

What is a Business Continuity Plan?
• Business continuity planning (BCP) enables the quick and smooth restoration of business operations after a disaster or disruptive event occurs

What is a Business Continuity Plan (BCP)?

A Business Continuity Plan (BCP) is “A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…” (National Computer Security Center). The business continuity plan is an overarching plan that can also include a compilation or collection of other plans. Other plans might include:
• Disaster recovery plan
• End-user recovery plan
• Contingency plan
• Emergency response plan
• Crisis management plan
• Other plans as required (for example, a server recovery plan or a phone system recovery plan)

A BCP is a business's last line of defense against risks that cannot be controlled or avoided by other risk management practices. Let's look at a common and critical subcomponent - the Disaster Recovery Plan (DRP).

What is a Disaster Recovery Plan?
• A disaster recovery plan (DRP) covers the recovery of IT systems in the event of a disruption or disaster

What is a Disaster Recovery Plan (DRP)?

A disaster recovery plan (DRP) covers the recovery of IT systems in the event of a disruption or disaster. It provides the capability to process essential organizational applications, in addition to the ability to return to normal operations within a reasonable amount of time. With the continuity plan, the company can reduce the impact a disaster could have on the normal business operation. The two terms BCP and DRP are often used interchangeably, whereas business continuity planning and disaster recovery planning are two distinct plans that tackle different areas of the recovery process. Business continuity planning deals with the restoration of the business processes - or the continued operation of a business process: organizational processes could operate without computers, even if they are not operating at 100 percent efficiency. For example, if a critical computer system is down, checks can be written by hand. The disaster recovery plan covers the restoration of the critical information systems that support the business processes.

Disaster recovery planning involves the following steps:
1. The recovery of the data center. Because the DRP relates to the restoration of the information systems, the data center is one of the critical areas the DRP should address in terms of how to bring it back on line.
2. The recovery of business operations. This is sometimes referred to as user contingency planning. This part of the DRP deals with the alternative methods of continuing with the business operations. For instance, if your main payroll system were inoperable, a contingency plan could be to issue the payroll checks manually.
3. The recovery of the business location. Part of the business resumption plan, this section deals with the steps required to recover the actual physical business location. Often a disaster is partial, and recovery of the premises might consist first of patching together what is left, followed by backfilling what has been lost.
4. The recovery of business processes. Also part of the business resumption plan, this section handles the recovery of all of the various business processes, so that the company can resume normal business operations. This is the paramount step. The whole purpose of the plan is not about computers, networks, and data, but about the timely continuity and restoration of business processes.

Why have a BCP/DRP?
• Plan for the worst, hope for the best
• Maintain business operations
– Or at least, restore operations quickly
• Effect on customers or stakeholders

Why have a BCP / DRP?

Continuity planning might be likened to insurance. Both purchase certain assurances as a key component of the organization's risk management. You hope that nothing bad occurs. Even if it does not, the insurance premium and the expense of continuity planning are not wasted; it's an expense you consciously make to significantly reduce the impact of something bad that occurs. As the slide says, “Plan for the worst, hope for the best.”

Why have a BCP/DRP? (2)
• A BCP is a business's last line of defense against risks that cannot be controlled or avoided by other risk management practices

Business continuity and disaster recovery planning are not the place to have the attitude, “Ignorance is bliss.” Organizations are often so reliant on key resources, such as technology, that they cannot operate without them. The most key resources of all are human. People operate the organization's processes, including its recovery processes. Yes, the name of the document is called a Business Continuity Plan, but unless you operate the company without people, employees are your most valuable asset. The most important aspect of the BCP is to protect the lives of your employees.

Consider the situation of the bond-trading company Cantor Fitzgerald. During the September 11, 2001, terrorist attacks on the World Trade Center in New York, Cantor Fitzgerald lost over 700 of their 1,000 employees. Even if they could have gotten their computer systems up and running, they would not have had the personnel to continue business.

One organization, Morgan Stanley Dean Witter, was blessed with an individual who had the foresight to plan for the attack on the World Trade Center. Rick Rescorla was a unique individual. In 1985 and again in 1993, he identified the World Trade Center as a target for terrorist attacks. Hundreds of people who were in those buildings on September 11 are alive today as a result of Rescorla's planning and because they practiced for such an attack. Rescorla is a prime example of what one person can do when committed to doing the right thing. For a well-written account of his life and times (especially as they relate to his valor in evacuating nearly all of the MSDW employees in WTC Buildings Two and Five), take a few minutes to browse https://mail.lsit.ucsb.….html.

Sample Disasters
• Utility failures
• Fire/smoke
• Natural disasters
• Heat/humidity
• EMI
• Terrorist attacks

Disruptions are caused by environmental problems and, surprisingly, by people. Utilities fail, resulting in loss of power, water, cooling, and humidity control. Fires start, causing direct and indirect (smoke) damage. Natural disasters occur from flooding and high winds. Sometimes equipment simply fails. People make mistakes and sometimes intentionally disrupt operations. This covers a wide spectrum of threats, from human error, intentional or not, to malicious software or network intruders, and ultimately to armed conflict, such as a terrorist attack.

User access can be disrupted even when data center equipment is operational. Perhaps a power failure takes down the desktop clients while leaving up the servers that are on uninterruptible power supplies (UPSs). Remote users might depend upon the data center being up and the network connectivity between them being up. Even if local users are down due to a local power outage, perhaps remote users (where power has remained up) can continue to work if the plan ensures that the network equipment is power protected as well. Always analyze the dependencies when planning contingencies.

In many organizations, human errors and omissions account for half of the disasters that actually occur! A study conducted by Data Pro breaks down the numbers:
• Errors & omissions - 50%
• Dishonest employees - 25%
• Fire, water, electrical - 10%
• Disgruntled employees - 10%
• Outsider threats - 5%

Contingency planning is an organization’s attempt to mitigate these threats.

BCP-DRP Planning Process Lifecycle
Project Initiation (New or Enhanced Function(s))
Risk Analysis (Determine Vulnerabilities)
Business Impact Analysis (Determine Priorities for Recovery)
Build the Plan (Develop/Choose Strategies, Write the Plan)
Test and Validate the Plan (Exercises/After Action Reviews)
Modify and Update the Plan (Plan Improvements, Updates)
Approve and Implement the Plan (Get Management Signoff and Train)

BCP-DRP Planning

This slide shows the basic steps needed to develop a BC/DR plan. We start with Project Initiation, when new or enhanced function(s) are required. This is where you get management approval to get the project started. Management is instrumental in ensuring you have access to the resources required to get the job done.

The next sequence of steps in the process concerns what vulnerabilities the company has, what significance they have for the company, and what the company is going to do about them. First, the company determines its vulnerabilities - Risk Analysis. Then, the company assesses the impact each of these vulnerabilities represents for the company - Business Impact Analysis. Realistically, no organization has the resources to deal with every vulnerability. Instead, companies prioritize the vulnerabilities based upon their likelihood and impact.

Don’t forget to include the “intangible” losses, such as customer satisfaction or loss of consumer confidence. For instance, if a major e-commerce shopping site is down for a long time, consumers will get frustrated and perhaps start shopping somewhere else. It does not matter at that point what caused the problem - earthquake, flood in the data center, or denial of service attack. The fact is that the site was down. The faster the company is able to recover, the better. Remember, not all losses are associated directly with loss of money (although it most likely will end up affecting the company financially in the long run). Conversely, professional handling of a disaster actually can improve an organization’s reputation with its customers and other stakeholders.

Based on this information, strategies are developed or chosen, and the plan is written - build the plan. It is critical that the planners be realistic, imaginative, and creative. They must be able to imagine various scenarios and capture what the recovery personnel need to have and do. We discuss the basic elements of a plan in the next section.

Invariably, there will be oversights and misunderstandings that, if undetected and uncorrected, would jeopardize recovery from a disaster. For this reason, we must test and validate the plan. Exercising the plan and identifying shortcomings in reviews positions us to modify and update the plan. Finally, we are ready to approve and implement the plan by getting management approval and commencing training of personnel. However, this isn’t the end. The plan can be improved and kept current. The BCP-DRP planning process lifecycle is one of feedback and continuous improvement, as shown by the arrows in the diagram.

Basic Elements of Continuity Planning
• Include a statement of urgency
• Include information on vital records
• Define an emergency response procedure
• Define emergency response guidelines

Basic Elements of Continuity Planning

The key components of a Business Continuity Plan are:
• Assess - Identify and triage all threats (BIA)
• Evaluate - Assess the likelihood and impact of each threat
• Prepare - Plan for contingent operations
• Mitigate - Identify actions that may eliminate risks in advance
• Respond - Take actions necessary to minimize the impact of risks that materialize
• Recover - Return to normal as soon as possible

The Continuity Plan should define the goals of the plan and why the plan is important. Writing a plan without understanding the goals is almost as bad as not having a plan at all. When you develop the plan, you should ask:
• Why is a business continuity plan important in my organization? That is, what would be the impact if we had a disaster and no plan on how to handle it?
• What are the most important business functions (and/or IT systems) that need to be recovered quickly, before you lose the ability to continue business operations?
• Is the goal of the plan just to further prevent damage or actually stop and fix the problem?

The Plan should provide a clearly defined set of priorities and a statement of urgency, based upon the Business Impact Analysis (BIA).

Basic Elements of Continuity Planning (2)
• Define the goals of the plan
• Define why the plan is important
• Provide a set of priorities
• Write a statement of organizational responsibilities

The plan should clearly define organizational responsibilities, emergency response procedures, and emergency response guidelines. It is critical that roles and responsibilities be clearly and unambiguously defined. Time is too precious during disaster recovery for turf wars, inadequate empowerment, security violations, or lack of clarity regarding who is in charge. It is expected that security controls can be altered during recovery, and the empowerment of certain personnel can be increased. All of this should be documented clearly to avoid any misunderstandings or delays in recovery. Definitions for when and under what circumstances such changes from the normal begin and end need to be clear.

Information about vital records needs to be included in the plan. Often, this is the bulk of the documentation and may include lists of people and how to contact them, information about emergency services, media contacts, vendors and how to contact them, inventories of equipment, software and data - including off-site back-ups and how to obtain them - network diagrams, and so on. This is where imagination on the part of planners becomes evident. We become very used to the information within our systems and take access to it for granted. Think about this question: “When I can’t use my system(s), what information that I normally rely on is no longer available?” Some needs might be different during recovery versus during normal operations. For example, electronic communications needs might change as a result of users or systems being relocated. However, these needs can be inventoried as well.

Site-knowledgeable personnel are the most important component in recovery. This is especially true because disasters are usually only partial losses, and initial recovery consists of patching together what’s left, including business processes. This takes knowledgeable ...

Fortunately, extensive information on contingency planning is available. Other sources include:
• The MIT Business Continuity Plan http://web.[…].htm
• University of Wales Swansea Y2K Business Continuity Plan http://www.[…].shtml
• Compaq Business Continuity: Ensuring Survival http://www.compaq.[…].asp?IOID=4492
• State of Massachusetts Y2K Sample Business Continuity Plan http://www.[…].us/y2k/Archive/projplanning/busine[…]
• University of Sydney Business Continuity Plan
• Treasury Board of Canada BCP http://www.cio-dpi.[…]/bconplan_e.[…]
• University of California Campus Business Continuity Planning http://www.ucop.[…].htm
• Disaster Recovery Institute International - founded in 1988 to provide a base of common knowledge in contingency planning. DRII also administers a certification program for qualified business continuity/disaster recovery planners http://drii.[…]

After project initiation, the first step in the BCP-DRP planning process lifecycle is Risk Analysis.

Risk Analysis Questions
• What are the specific threats to your organization?
• What would you do to protect your information resources?
• More importantly: what are your critical business systems and processes?

Risk Analysis

The risk that results from threats and vulnerabilities is covered more extensively in Chapter 7, "Defense in Depth." Here, we focus on risk analysis as a component of contingency planning. For that purpose, risk analysis consists of:
• Identifying your critical business systems and processes
• Identifying the specific threats to your organization, especially to these critical systems and processes
• Evaluating the vulnerability to an asset and probability of occurrence
• Determining what you would do to protect your information resources
• Weighing the loss of assets versus the cost of implementing mitigating controls

As you saw in Chapter 7, risk can be expressed as:

Risk(due to a threat) = Threat x Vulnerability(to that threat)

Or, as in ISO 17799 and many risk management methodologies:

Risk(due to a threat) = Threat x Vulnerability(to that threat) x Impact

Let’s use an example: Suppose I have a big glass window in the front of my house. The threat is that someone can throw a brick to break the window. The vulnerability is that the glass is breakable. Notice the multiplier in these equations. If we want to eliminate the risk, either the threat or the vulnerability must be equal to zero. Of course, if the impact (sometimes termed asset value) is zero, then the risk is also zero. Which one is easier to fix, the vulnerability or the threat? Can we really eliminate the threat, or the vulnerability? In our example, I can probably eliminate the vulnerability more easily (read: less expensively) than try to eliminate the threat. I can reduce the vulnerability by changing the glass window to something more resistant. This would be less expensive than taking steps to prevent bricks from being thrown at the window (and therefore removing the threat). The question you need to ask yourself is, “How does the cost of the asset compare with the cost of protecting the asset?” By knowing these two costs, you can determine the return on investment (ROI) for protecting the asset and decide a course of action accordingly.
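As an added worked example (not code from the SANS course book), the following Python turns the two risk expressions above and the window example into a small scoring and ROI check: it ranks threats by Threat x Vulnerability x Impact, then compares the loss a control avoids with what the control costs. It assumes threat and vulnerability are modelled as likelihoods in [0, 1] and impact as the asset value in money units; the class and function names (Threat, Control, choose_control) and every sample number are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Threat:
    """One threat against one asset (constructed model, not the book's notation)."""
    name: str
    threat: float         # likelihood (0..1) that the threat is exercised, e.g. per year
    vulnerability: float  # likelihood (0..1) that it succeeds under current controls
    impact: float         # loss (asset value) in money units if it succeeds


def risk(t: Threat, with_impact: bool = True) -> float:
    """Risk = Threat x Vulnerability, optionally x Impact (the ISO 17799 form).

    Because the factors multiply, driving any one of them to zero zeroes the
    risk, which is the point the brick-and-window example makes.
    """
    for v in (t.threat, t.vulnerability):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{t.name}: threat and vulnerability must lie in [0, 1]")
    score = t.threat * t.vulnerability
    return score * t.impact if with_impact else score


def rank_by_risk(threats: Iterable[Threat]) -> List[Threat]:
    """Prioritise by likelihood and impact: highest impact-weighted risk first."""
    return sorted(threats, key=risk, reverse=True)


@dataclass(frozen=True)
class Control:
    """A mitigating control and the residual threat/vulnerability it leaves behind."""
    name: str
    cost: float                   # cost of protecting the asset
    residual_threat: float        # threat level once the control is in place
    residual_vulnerability: float # vulnerability level once the control is in place


def expected_loss_avoided(t: Threat, c: Control) -> float:
    """Risk before the control minus risk after it (same impact, new likelihoods)."""
    after = Threat(t.name, c.residual_threat, c.residual_vulnerability, t.impact)
    return risk(t) - risk(after)


def control_roi(t: Threat, c: Control) -> float:
    """Return on investment: loss avoided minus the cost of the control."""
    return expected_loss_avoided(t, c) - c.cost


def choose_control(t: Threat, controls: Iterable[Control]) -> Optional[Control]:
    """Pick the control with the best ROI, or None when no control pays for
    itself (the slide's "sometimes it is more economical to not protect the asset")."""
    best = max(controls, key=lambda c: control_roi(t, c), default=None)
    if best is None or control_roi(t, best) <= 0:
        return None
    return best


# Constructed sample values for the window example; none of these figures come from the book.
WINDOW = Threat("front window", threat=0.2, vulnerability=1.0, impact=500.0)
SHED = Threat("empty shed window", threat=0.2, vulnerability=1.0, impact=0.0)
CONTROLS = [
    # Reduce the vulnerability: a glass upgrade that leaves a 10% chance of breakage.
    Control("resistant glass", cost=60.0, residual_threat=0.2, residual_vulnerability=0.1),
    # Remove the threat instead: stop bricks being thrown at all, at a much higher cost.
    Control("full-time guard", cost=5000.0, residual_threat=0.0, residual_vulnerability=1.0),
]

if __name__ == "__main__":
    for t in rank_by_risk([WINDOW, SHED]):
        print(f"{t.name}: risk = {risk(t):.2f}")
    for asset in (WINDOW, SHED):
        best = choose_control(asset, CONTROLS)
        print(f"{asset.name}: {best.name if best else 'do not protect'}")
```

Run as a script, the window ranks above the shed (whose zero impact gives zero risk), the glass upgrade is chosen for the window because reducing the vulnerability avoids most of the expected loss for far less than removing the threat, and no control is chosen for the shed because protecting a worthless asset has negative ROI.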

" SANS Institute .This is when you apply the appropriate controls to mitigate the effects of the disaster. You intentionally or unintentionally retain or assume the responsibility for loss or the financial burden of loss within the organization.This is when you shift the responsibility or burden to someone else. Next. it is more economical to not protect the asset! Security Essentials – Defense in-Depth – © 2003 SANS Once you understand the risk.This is when you acknowledge and accept that the risk as something that could happen. • Risk transfer .This is when you decide not to become involved in the risk situation. An example would be to get insurance to cover the damage. reducing the risk. Basic Security Policy 125 Risk Analysis • You need to weigh the losses of assets versus the cost of implementing a mitigating control • Evaluate the vulnerability to an asset and probabilities of occurrence • Sometimes. we look at the impact component of business risk as we perform a Business Impact Analysis or “BIA. • Risk acceptance (also termed risk assumption or risk retention) . you can do four things: • Risk avoidance . • Risk reduction . therefore.

Business Impact Analysis (BIA)
• Determine what are the tolerable impact levels your system can have:
  – How long can your systems be compromised?
• Evaluates the effect of a disaster over a period of time

Business Impact Analysis (BIA)

After Risk Analysis in the BCP-DRP planning process lifecycle comes Business Impact Analysis (BIA). This is where you determine what levels of impact on your system, such as the duration of system outage, are tolerable. The process of developing the BIA typically involves interviewing the various key users of the various computer systems (for example, payroll, accounts payable, and accounting) to get a better understanding of how a disaster could impact the ability to continue operations. Some of the key interview questions might include:
• What would be the impact of an information technology failure on cash flow?
• Would the disaster impact the level of service?
• How long could the outage last before it began to affect your productivity?
• Would there be irretrievable loss of data?
• What are the key resources that are required to be kept operating?
• At what point would those resources need to be in place?

The answers should come from, or be concurred by, executive management. At that level, management understands cost tradeoffs such as between mitigation and loss, and has individual accountability either way. Lower management may err toward too much (i.e., too expensive) risk avoidance, whereas upper management might prefer to accept certain risks and redirect mitigation resources elsewhere in the business. This is a common mistake in BCP/DRP planning.

Alternate Sites
• Alternate site services
  – Hot, warm, cold
• Reciprocal Agreements
• Redundant site
• Rolling Hot Site
• Ensure alternate site is far enough

One of the most common types of alternate site being used is through a company that offers alternate site services. These companies usually have different levels of service according to the Maximum Allowable Downtime a company can tolerate. The shorter the tolerance level to downtime, the more costly the solution will be. Here are some of the common ones:

Hot: a hot site is a site that has all of the equipment and communication links already in place. Only the latest backup will have to be recovered to continue business operations. It is used for companies that can only tolerate a few hours of downtime, and it is the most expensive alternate site.

Warm: a warm site has network connectivity in place and may have some of the equipment in place as well, but not all. This solution is usually used by a company that can afford a couple of days of downtime.

Cold: a cold site is a site that has no equipment at all. It is mainly a shell that can be used to rebuild the environment. This solution would be for a company that can afford a week or two of downtime.

Reciprocal Agreement: Reciprocal agreements are agreements between two companies. If one company's infrastructure is damaged, the company will move within the other company's facilities to continue business operations. Even though it is the cheapest of all solutions, it is probably the least reliable. This type of agreement is hard to enforce when needed, there is a culture clash that might take place, and it is not always obvious or possible to have another company in your work area for a long period of time.

Redundant site: a redundant site is a full copy of the primary site where processing can take place if a disaster happens. Some large financial institutions have redundant sites that are used to alternate processing on a regular basis. For example: transactions could be processed from California for a month and the next month all transactions will move to New York on the east side of the country.

Rolling hot site: this type of site is carried in a large trailer truck that has processing equipment already installed and that can quickly move to a site in order to resume processing.

NOTE: Always ensure that the alternate site is far enough from the primary site in order to avoid having both your primary and secondary sites affected in case of disaster.

Testing the plan
• No trust in plan until tested
• Different types of test
  – Checklist
  – Structured Walk Through
  – Simulation
  – Parallel
  – Full Interruption

Testing the plan

There should be no confidence in the plan until it has been tested. The plan should be tested at regular intervals or at least once a year. Tests should be repeated if there are significant changes to the company structure, systems, or organization. Ensure that you clearly specify the goals of the test: the goal is to find shortcomings before a real emergency happens in order to better the plan; it is NOT to find someone who has not done his job properly. A test can clearly demonstrate that a company has the ability to recover if a disaster takes place.

In a checklist test, copies of the plan are distributed to the different functional areas of the company and managers will review them to ensure they cover the critical business functions in their specific areas.

A structured walk through test will gather representatives of each department and they will together determine if their business functions are protected by the plan; it will also allow the detection of dependencies between business units.

A simulation test will be based on a real life scenario and the plan will be implemented up to the point where a move to the alternate site would take place.

A parallel test will implement the plan and the move to the alternate site will take place. Processing will resume from both the primary and alternate locations.

A full interruption test will practice moving to an alternate location and all processing will be done from the alternate location. Such a test must be carefully planned in order to avoid creating its own disaster if the plan does not work as expected.

Top BCP/DRP Planning Mistakes
• Lack of BCP testing
• Limit scope
• Lack of prioritization
• Lack of plan updates
• Lack of plan ownership

Top BCP/DRP Planning Mistakes

A number of other mistakes are commonly - almost predictably - made in contingency planning. These include:

• Lack of BCP testing / over-reliance on BCP - Many companies believe that just having the BCP is enough. The document is just a lifeless draft without adequate updating and testing. Organizations that test their BCP consistently find areas needing improvement and often critical flaws. The time to discover these is in advance of a real disruption. “Practice makes perfect.” For less expensive testing, more frequently than your organization can afford full fledged off-site tests, try simulating a disaster, as in a business simulation game. Pretend something has happened, certain resources are no longer available, and have your personnel (who are assumed available) walk through the plan.

• Too limited in scope - An incomplete BCP will not address all of the organization’s needs for recovery. The organization needs to continue to function throughout a disruption and beyond. The BCP plan needs to cover organizational processes and process dependencies, systems recovery, as well as the replacement of key personnel if needed.

• Lack of clear authority and process - In times of disaster, only partial staff may be available, and their level of empowerment may need to be significantly higher than normal. Definitions for when and under what circumstances changes in empowerment and processes begin and end need to be clear and unambiguous.

• Lack of prioritization - There is a need to prioritize the key business processes. The risk is to prioritize less-than-critical processes instead of the ones crucial for business survival. This is true during planning, as well as during execution of the plan.

• Lack of plan updates - The BCP should be updated periodically, especially when there are significant system, business process, or personnel changes. This is a time for thoughtful evaluation and decisions.

• Lack of plan ownership - Someone with the power to lead, influence, prioritize, and organize the BCP is instrumental to the success of the program.

Top BCP/DRP Planning Mistakes (2)
• Lack of communication
• Lack of security controls
• Lack of public relations planning
• Inadequate insurance
• Inadequate evaluation of vendor suppliers

• Lack of Communications - There is a need for clear and precise communication with all affected stakeholders of the organization, potentially: employees, contract employees, business partners, vendors, customers and shareholders. (This relates to Public Relations planning next.)

• Lack of Security Controls - During the recovery process, sometimes security controls are disregarded, resulting in a greater risk of exposure. During execution of the plan, there should be strict adherence to the security controls incorporated into the plan. Security controls may need to be altered and loosened during recovery. But this should be a matter of conscious decision and empowerment that are built into the plan.

• Lack of Public Relations planning - Organizations often fail to consider public and investor relations, to limit the perceived disaster impact. This can literally make or break the organization. Remember the Tylenol tampering scare some years ago and how the strong PR from that company turned a disaster into a marketing opportunity?

• Inadequate insurance - Some organizations lack adequate insurance coverage, without which the organization may realize a loss greater than otherwise necessary. The plan may lack appropriate processes for capturing losses and recovery costs, and fail to support the filing of insurance claims, and these inadequacies result in delayed or reduced settlements.

• Inadequate evaluation of vendor suppliers - Many companies poorly evaluate recovery products (hot site, cold site, and planning software), relying on vendor-supplied information. This often leads to a solution that may not adequately address a company's needs.

Use these examples of common mistakes as a checklist to review your organization’s contingency planning - the documentation, testing, integration with organizational processes and personnel, and so on. Companies and consultants specialize in designing and implementing business continuity plans. You may wish to consider their services if it's appropriate for your company.

BCP/DRP Summary
• There are companies that specialize in designing and implementing business continuity plans
• Check out the SANS Business Continuity/Disaster Recovery Step-by-Step Guide

Final Thoughts on Contingency Planning

Now you should understand how critical planning for contingencies is as an aspect of security policy for your organization and how you can go about doing it. We identified components of Business Continuity Plans and Disaster Recovery Plans, and then we walked you through the BCP/DRP planning process lifecycle, an ongoing process. There is considerable information on the World Wide Web and from vendors on this subject if you would like further reading.

Basic Security Policy Summary

Few organizations invest in proper risk assessments before implementing controls. Even fewer have the capability to understand and qualify threats to their information assets in order to accurately assess ... Furthermore, when considering risks to information infrastructures, the number, type, and variation of threats are overwhelming. This book and the following references should be useful for defining policy at your ...

• SANS Model Security Policies
• Sample Security Policy (Cisco)
• SANS Reading Room – Papers on Security Policy Issues
• Security Guide Link http://csrc.nist.[…].html
• Diffuse Project: Information Security Standards http://www.[…].html
• ISO 17799 Service & Software Directory […].htm
• RFC 2196: Site Security Handbook http://www.ietf.[…].txt?number=2196
• RFC 2504: User’s Security Handbook http://www.[…].txt?number=2504