
Planning for Security

Introduction

- The creation of an information security program begins with policies

Definition

- Policy: a plan or course of action used by an organization to convey instructions from management to those who perform duties

Trust

- The initial step is to determine who gets access
- How much should you trust resources or people?
- Possible trust models:
  - Trust everyone all of the time
  - Trust no one at any time
  - Trust some people some of the time

Policy (Cont’d)

- Objectives:
  - Reduced risk
  - Assurance of operational continuity, information integrity, and confidentiality
  - Compliance with laws and regulations
- Policy is the least expensive means of control
- Often overlooked and difficult to implement
- Legal

Scenario

- Assume you are the manager of XYZ Software Company. The network administrator reports to you that employee Y was caught visiting porn sites during work time. What would you do about it?

Case Study

In a recent court case, an employee won a $175,000 settlement because she
accidentally viewed what she considered to be a pornographic Web site while
on the job. How did she get away with holding her employer accountable? Was
the questionable site located on a company-owned Web server?

Case Study (cont’d)

The company had a corporate policy stating that "pornographic sites will be
blocked, and they cannot be accessed from the corporate network." The company
was filtering out access to sites that contained what is considered to be
questionable subject matter.

Case Study (cont’d)
The court ruled that the company was liable for
breach of contract because it did not block all
so-called questionable sites. By instituting a
policy stating that it would filter out these
sites, the company was “accepting
responsibility for the successful execution of
this activity”- and was therefore accountable.
The damage award, as well as reimbursement
for the employee’s “distress,” was based on
this finding.

Basic Policy Requirements
- Policies must:
  - be implementable and enforceable
  - be concise and easy to understand
  - balance protection with productivity
- Policies should:
  - state the reasons why the policy is needed
  - describe what is covered by the policy
  - define contacts and responsibilities
  - discuss how violations will be handled
  - be flexible

Policy Communication

- For policies to be effective, they must be:
  - Properly disseminated
  - Read
  - Understood
  - Agreed to

Policy Management

- Policies must be managed, as they constantly change
- To remain viable, security policies must have:
  - An individual responsible for reviews
  - A schedule of reviews
  - A method for making recommendations for reviews
  - A specific policy issuance and revision date

Relationship with Standards, Practices,
Procedures, and Guidelines

Hierarchy shown on the slide (top to bottom):

  Policies
  Standards
  Practices, Procedures, Guidelines

Types of Policies
- Policy can be senior management's directives to create an information security program, establish its goals, and assign responsibilities.
- The term policy is also used to refer to the specific security rules for particular systems.
- Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy.

Enterprise Information Security Policy (EISP)

- Sets the strategic direction, scope, and tone for all security efforts within the organization
- Executive-level document
  - Usually drafted by or with the CIO of the organization
- Also known as the Security Program Policy (SPP) or general security policy

EISP Elements

- EISP documents should provide:
  - An overview of the corporate philosophy on security
  - Information about the information security organization and information security roles
  - Responsibilities for security shared by all members of the organization
  - Responsibilities for security unique to each role within the organization

Components of the EISP

- Statement of Purpose: what the policy is for
- Information Technology Security Elements: defines information security
- Need for Information Technology Security: justifies the importance of information security in the organization
- Information Technology Security Responsibilities and Roles: defines the organizational structure
- Reference to Information Technology standards and guidelines

Issue-Specific Security Policy (ISSP)

- The ISSP:
  - Addresses specific areas of technology
  - Requires frequent updates
  - Contains a statement of the organization's position on a specific issue
- Three approaches to creating and managing ISSPs:
  - Create a number of independent ISSP documents
  - Create a single comprehensive ISSP document
  - Create a modular ISSP document

Issue-Specific Security Policy (ISSP)

- ISSP topics could include:
  - E-mail
  - Use of the Internet and World Wide Web
  - Specific minimum configurations of computers to defend against worms and viruses
  - Prohibitions against hacking or testing organization security controls
  - Home use of company-owned computer equipment
  - Use of personal equipment on company networks
  - Use of telecommunications technologies
  - Use of photocopy equipment

Components of the ISSP
- Statement of Purpose
  - Scope and Applicability
  - Definition of Technology Addressed
  - Responsibilities
- Authorized Access and Usage of Equipment
  - User Access
  - Fair and Responsible Use
  - Protection of Privacy
- Prohibited Usage of Equipment
  - Disruptive Use or Misuse
  - Criminal Use
  - Offensive or Harassing Materials
  - Copyrighted, Licensed or other Intellectual Property
  - Other Restrictions

Components of the ISSP (Continued)
- Systems Management
  - Management of Stored Materials
  - Employer Monitoring
  - Virus Protection
  - Physical Security
  - Encryption
- Violations of Policy
  - Procedures for Reporting Violations
  - Penalties for Violations
- Policy Review and Modification
  - Scheduled Review of Policy and Procedures for Modification
- Limitations of Liability
  - Statements of Liability or Disclaimers

Systems-Specific Policy (SysSP)

- Directions to system administrators on implementing managerial policy
- Each type of equipment has its own type of policies
- Two general methods of implementing such technical controls:
  - Access control lists
  - Configuration rules

Access Control Lists
- Include user access lists, matrices, and capability tables that govern rights and privileges
- Can control access to:
  - File storage systems
  - Object brokers or other network communications devices
- Capability table: user profiles
- Specifications are frequently complex matrices
- Level of detail and specificity (often called granularity) may vary from system to system
- ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file

ACLs
- In general, ACLs regulate:
  - Who can use the system
  - What authorized users can access
  - When authorized users can access the system
  - Where authorized users can access the system from
  - How authorized users can access the system
- Restricting what users can access, e.g. printers, files, communications, and applications

ACLs (Continued)
- Administrators set user privileges, such as:
  - Read
  - Write
  - Create
  - Modify
  - Delete
  - Compare
  - Copy

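The who/what/where/when checks and the two views of the same matrix (the ACL of an object, the capability table of a subject) from the last three slides, as an added example in Python that is not part of the lecture. The subjects, objects, host names, time windows and the sample date are constructed; duration limits are left out, and the privilege vocabulary is the one the slide lists.

```python
"""Access control matrix with ACL (column) and capability-table (row) views.

Added example; not from the slides. Subjects, objects, host names and
time windows below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# The privilege vocabulary the slides list.
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})

ANY_TIME = (time(0, 0), time(23, 59, 59))

SAMPLE_DAY = datetime(2024, 3, 4)  # constructed date used by the demo and tests


def at_hour(hour: int, minute: int = 0) -> datetime:
    """Clock time on the constructed sample day."""
    return SAMPLE_DAY.replace(hour=hour, minute=minute)


@dataclass(frozen=True)
class Entry:
    """What one subject may do to one object, and under which conditions."""
    privileges: FrozenSet[str]
    hosts: FrozenSet[str]        # empty set = any host ("where")
    window: Tuple[time, time]    # allowed time of day ("when")


class AccessControlMatrix:
    """object -> subject -> Entry. Anything not listed is denied."""

    def __init__(self) -> None:
        self._acl: Dict[str, Dict[str, Entry]] = {}

    def grant(self, obj: str, subject: str, privileges: Iterable[str],
              hosts: Iterable[str] = (), window: Optional[Tuple[time, time]] = None) -> None:
        privs = frozenset(privileges)
        unknown = privs - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")
        self._acl.setdefault(obj, {})[subject] = Entry(privs, frozenset(hosts), window or ANY_TIME)

    def acl_for(self, obj: str) -> Dict[str, FrozenSet[str]]:
        """Column view: the ACL of one object (who can do what to it)."""
        return {s: e.privileges for s, e in self._acl.get(obj, {}).items()}

    def capabilities_of(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """Row view: the capability table of one subject (what it can do)."""
        return {o: subs[subject].privileges for o, subs in self._acl.items() if subject in subs}

    def check(self, subject: str, obj: str, privilege: str, host: str, at: datetime) -> bool:
        """Default deny: who, what, where and when must all match."""
        entry = self._acl.get(obj, {}).get(subject)
        if entry is None:
            return False                      # who: subject is not on this object's ACL
        if privilege not in entry.privileges:
            return False                      # what / how: privilege not granted
        if entry.hosts and host not in entry.hosts:
            return False                      # where: wrong computer
        start, end = entry.window
        if not (start <= at.time() <= end):
            return False                      # when: outside the allowed window
        return True


def build_sample_matrix() -> AccessControlMatrix:
    """Constructed sample: a payroll database and a shared print queue."""
    m = AccessControlMatrix()
    # Finance analyst: read/modify payroll, only from finance workstations, business hours only.
    m.grant("payroll.db", "alice", {"read", "modify"},
            hosts={"fin-ws-01", "fin-ws-02"}, window=(time(8, 0), time(18, 0)))
    # Backup service: may read and copy at any time from any host, but never modify or delete.
    m.grant("payroll.db", "backup-svc", {"read", "copy"})
    # Print queue: anyone listed may create jobs.
    m.grant("printer-q", "alice", {"create"})
    m.grant("printer-q", "bob", {"create"})
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print(m.check("alice", "payroll.db", "read", "fin-ws-01", at_hour(10, 30)))      # True
    print(m.check("alice", "payroll.db", "read", "guest-wifi-17", at_hour(10, 30)))  # False: wrong host
    print(m.check("alice", "payroll.db", "read", "fin-ws-01", at_hour(22)))          # False: after hours
    print(m.check("backup-svc", "payroll.db", "copy", "bk-01", at_hour(3)))          # True
    print(m.capabilities_of("alice"))
```

The matrix is stored object-first, so `acl_for` is a cheap lookup while `capabilities_of` scans every object; a real system picks one storage orientation (ACLs on the object, or capabilities handed to the subject) and derives the other when it is needed for review.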
Configuration Rules

- Configuration rules are specific configuration codes entered into security systems to guide the execution of the system when information is passing through it
- Rule policies are more specific to system operation
- Many security systems require specific configuration scripts telling the system what actions to perform on each set of information processed
  - IDS, firewalls, proxy servers

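A configuration rule set of the kind the slide means for a firewall, as an added example that is not part of the lecture: an ordered rule list evaluated first-match with an implicit deny at the end, plus a check for rules that can never fire because an earlier rule already covers them, which is the usual mis-ordering mistake in such scripts. The addresses, rules and packets are constructed, and the evaluator is a simplified model rather than any vendor's syntax.

```python
"""Ordered firewall rule set: first match wins, implicit deny at the end.

Added example; not from the slides. Addresses, rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # destination port, None = any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to this packet?"""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """The first matching rule decides; a packet no rule mentions is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    port_ok = outer.dport is None or outer.dport == inner.dport
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]


WEB = "10.1.0.5/32"          # constructed: a DMZ web server
ADMIN_NET = "10.0.9.0/24"    # constructed: the admin jump subnet
ANYWHERE = "0.0.0.0/0"

# Mis-ordered: the blanket SSH deny comes first, so the admin allow never fires.
MISORDERED = [
    Rule("deny",  "any", ANYWHERE,  WEB, 22,  "no SSH to the web server"),
    Rule("allow", "tcp", ADMIN_NET, WEB, 22,  "...except from the admin subnet"),
    Rule("allow", "tcp", ANYWHERE,  WEB, 443, "public HTTPS"),
    Rule("allow", "tcp", ANYWHERE,  WEB, 80,  "public HTTP"),
]

# Corrected: the specific allow precedes the general deny.
FIXED = [MISORDERED[1], MISORDERED[0], MISORDERED[2], MISORDERED[3]]


if __name__ == "__main__":
    admin_ssh = Packet("tcp", "10.0.9.7", "10.1.0.5", 22)
    print(evaluate(MISORDERED, admin_ssh), shadowed(MISORDERED))   # deny [1]
    print(evaluate(FIXED, admin_ssh), shadowed(FIXED))             # allow []
```

Running `shadowed` over a rule set before it is loaded is the kind of review the slide's "scheduled review of policy" implies for technical controls: the deny in the mis-ordered set is correct on its own, and only its position makes the admin exception dead.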
Policy Levels

- Enterprise-Wide/Corporate Policy
- Division-Wide Policy
- Local Policy
- Issue-Specific Policy
- Security Procedures and Checklists

Policies are classified!
