This learning guide is developed to provide you with the necessary information regarding the following content coverage and topics:
• Security policy.
• Testing and verifying security access levels based on the security policy.
• Monitoring and evaluating the capability and reliability of security systems.
• Changing the system protection against known and potential threats.

Introduction
Information security policies can be used as an active part of an organization's efforts to protect its valuable information assets. Policies allow organizations to set practices and procedures in place that reduce the likelihood of an attack or an incident and minimize the damage that such an incident can cause, should one occur. Policies should be the basis of a comprehensive information security strategy, and they can be an effective, practical part of your digital defense systems.

What is a Policy?
"A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters."
In practical security terms, I define a policy as a published document (or set of documents) in which the organization's philosophy, strategy, policies and practices with regard to the confidentiality, integrity and availability of information and information systems are laid out. Thus, a policy is a set of mechanisms by means of which your information security objectives can be defined and attained.

Basic information security objectives:
1 Confidentiality is about ensuring that only the people who are authorized to have access to information are able to do so. It's about keeping valuable information only in the hands of those people who are intended to see it.
2 Integrity is about maintaining the value and the state of information, which means that it is protected from unauthorized modification. A major objective of information security is to ensure that information is not modified, destroyed or subverted in any way.
3 Availability is about ensuring that information and information systems are available and operational when they are needed.

The mechanisms through which these objectives can be achieved are:
1 Philosophy. This is the organization's approach towards information security: the framework, the guiding principles of the information security strategy. It will explain to future generations why you did what you did.
2 Strategy. The strategy is the plan, or the project plan, of the security philosophy: a measurable plan detailing how the organization intends to achieve the objectives that are laid out, either implicitly or explicitly, within the framework of the philosophy.
3 Policies. Policies are simply rules. They're the dos and the don'ts of information security, again within the framework of the philosophy.

What Benefits Do Policies Offer?
Here are some of the things policies will do for you that you'll struggle to achieve with technology.
A The Boss Can Do It. Most technological controls are the responsibility of the IS manager or the network administrator, whereas a policy can be issued by management directly.
B They Provide a Paper Trail in Cases of Due Diligence. In some industries your company may have legal obligations with respect to the integrity and confidentiality of certain information. In many cases the only way you can prove due diligence in this regard is by referring to your published policies.
C They Exemplify an Organization's Commitment to Security. Because a policy is typically published, and because it represents an executive decision, a policy may be just what is needed to convince that potential client, merger partner or investor exactly how clever you really are.
D They Help Ensure Consistency. A well-implemented policy helps to ensure consistency in your security systems by giving a directive, clearly assigning responsibility and, equally important, stipulating the consequences of failing to fulfill those responsibilities.
E They Serve as a Guide to Information Security. A well-designed policy can become an IT administrator's Bible.
F They Give Security Staff the Backing of Management. Armed with a policy, your security administrators can do their jobs without having to continuously justify themselves.

Introduction to Security Policies, Part Two: Creating a Supportive Environment
Policies in themselves are ineffective; their effectiveness is directly proportional to the support they receive from the organization. Thus it is crucial that the organization be aware of the importance of security policies and create an environment in which security is given a high priority. A few of the supportive environments that increase the efficacy of the policies:
1 Management support. One of the biggest challenges facing security people is to convince management of the importance of their involvement in the process.
• Without the buy-in of management at a high level the policy
2 Organizational structure. While the titles or acronyms may vary from organization to organization, the roles, duties and obligations should be fairly consistent throughout. A key role is the 'security officer' or 'SO'. It is the responsibility of the security officer to oversee the creation, distribution and implementation of security policies. In this sense, the SO plays the role of intermediary between management and the user base. In large organizations the SO is often responsible for organizing the creation of a security team or task force (STF). The functions of the STF include:
• Defining security strategy;
• Creating a mission statement and project plan;
• The investigation of a formal accreditation program (more on this later);
• Defining the corporate security policy;
• Defining system-specific policies (more on this also);
• A user awareness program; and
• The appointment of security auditors.
The structure of the STF is depicted in the diagram below:
3 Financial support. The security process will always require an investment in time, human resources and finance. Without sufficient financial commitment any security effort is bound to fail. The same is true for the policy development process.

Using a Classification System
In developing the information security policies, security personnel will need to be able to distinguish between various groups of people, computers and information that have differing value and differing requirements in terms of security. This is a form of classifying information in terms of its accessibility to people within the organization.

Formal Classification Systems
Let's briefly explore two such systems, just by way of example:
1. The Military Model [1]. In military circles, it is common for information to be classified into five levels:
• top secret
• secret
• confidential
• restricted
• unclassified
Users are also assigned a classification, and the following rule is applied: "To have access to a document, the user must have a classification at the same level as, or higher than, that of the document."
2. The Bell-LaPadula model [1]. Bell-LaPadula is essentially a simplified version of the military model and is designed to be slightly more user-friendly and appropriate to the commercial organizational environment. Its rule states that information obtained from an object may only be passed to another object if the classification of the target object is at least as high as that of the source object.
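To make the two rules concrete, here is an added example (not code from the learning guide or from the sources it cites) that encodes the military model's five ordered levels and evaluates both the clearance rule and the Bell-LaPadula flow rule against constructed sample users and documents; the user names, document names and requests are hypothetical, and the class accepts any ordered list of levels, so the same check works for a scheme of your own.

```python
# Added example, not part of the learning guide: an ordered classification
# system and the two access rules quoted above, run on constructed data.

# Military model: five levels, listed from lowest to highest sensitivity.
MILITARY_LEVELS = ("unclassified", "restricted", "confidential", "secret", "top secret")


class ClassificationSystem:
    """Any ordered list of levels (the guide's own scheme would fit too)."""

    def __init__(self, levels):
        self.rank = {name: i for i, name in enumerate(levels)}

    def can_access(self, clearance, classification):
        """Military rule: the user's clearance must be at the same level as,
        or higher than, the classification of the document."""
        return self.rank[clearance] >= self.rank[classification]

    def can_flow(self, source_level, target_level):
        """Bell-LaPadula rule as stated in the text: information from a source
        object may only be passed to a target object whose classification is
        at least as high, which blocks copying secret data into a lower file."""
        return self.rank[target_level] >= self.rank[source_level]

    def review(self, clearances, documents, requests):
        """Decide each (user, document) read request; the denied rows are
        what an auditor reviewing access would want to see."""
        decisions = []
        for user, doc in requests:
            allowed = self.can_access(clearances[user], documents[doc])
            decisions.append((user, doc, "allow" if allowed else "deny"))
        return decisions


# Constructed sample data: hypothetical users, documents and requests.
CLEARANCES = {"alice": "top secret", "bob": "confidential", "carol": "unclassified"}
DOCUMENTS = {"budget.xlsx": "confidential", "plans.doc": "secret", "press.txt": "unclassified"}
REQUESTS = [("alice", "plans.doc"), ("bob", "plans.doc"),
            ("bob", "budget.xlsx"), ("carol", "budget.xlsx")]

military = ClassificationSystem(MILITARY_LEVELS)

if __name__ == "__main__":
    for user, doc, verdict in military.review(CLEARANCES, DOCUMENTS, REQUESTS):
        print(f"{user:6} -> {doc:12} {verdict}")
    # Moving secret content into an unclassified file is a downward flow: denied.
    print("secret -> unclassified:", military.can_flow("secret", "unclassified"))
```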
Your Own Classification System
As the SO in charge of developing security policies, you should develop a classification system as well as a supporting rule set that will support the requirements and objectives of the organization.

Clearance
Finally, all users and potential users should be classified. A user's classification is called a clearance level and is used to determine what data and resources a user may have access to. In general, access is only allowed when the clearance is at the same level as or higher than the classification of the item being accessed (data, equipment or physical locations).

Security Levels
We've already listed the levels typically used in the military model. Another approach may be as follows:
1 Unclassified: Considered publicly accessible. There are no requirements for access control or confidentiality.
2 Shared: Resources that are shared within groups or with people outside of your organisation. This can include mail servers that are accessible from the Internet, servers that are accessible by customers and routers that link you to your ISP. Data that is legitimately accessed by outside people or groups can be classified as shared.
3 Company Only: Access is restricted to your internal employees only.
4 Confidential: Access is restricted to a specific list of people. For someone to have access to data or resources classified as 'Confidential' they must be cleared at this level and they must be included in the access list for this resource.
NB: Not only data but also users are cleared according to this system. Every user requiring access to your systems must receive clearance first. This includes employees, contractors, consultants etc.

Rules for Technology
The matrix above deals with user access to objects. To describe where equipment is connected to the network, there is a very simple rule:

Structuring Security Policies
The development of policies will still require a lot of work. It is essential that the policies be structured and packaged in such a way that they are as light as possible. By "light" I mean that they should be:
• Light, not weighty. Not using too many trees.
• Simple and practical.
• Easy to manage and maintain.
• Easy to access by people seeking specific information.
To meet these requirements, I typically recommend that a policy be split into a number of smaller policies and that these be arranged in a hierarchical fashion.

The Security Framework Document
Although each position paper may be written by a different author - typically a specialist in that field - we still want all the papers to subscribe to some fundamental principles.
These principles (what I call the security philosophy) are set out in the Security Framework document, which should cover at least the following important points:
1. The value of information and the organization's commitment to information security.
2. The classification system, which was discussed in the second article in this series.
3. The principle of accountability, which states clearly that users and administrators will be held accountable for behavior that impacts the security of information.
4. The designation of authority to the Security Officer and security-related people in the organization, as is appropriate.
5. The principle of individual responsibility of all system users for the security of information resources.
6. The organization's approach to security reviews; for example, how often they will take place, who will perform them, etc.
The SO assumes ultimate responsibility for security in the organization. It is his or her job to guide, advise and review the organization's security policies and procedures. The Security Framework document thus usually falls under the SO's jurisdiction.

Position Papers
Position papers are written to address a specific aspect of the security policy, such as the security of some specific technology or security in a particular situation. For example, one might have a position paper covering the secure configuration of Windows 2000 member servers that are connected to the Internet, as well as one describing the process to be followed in the event of a breach of security measures (commonly known as a security incident).

What Topics Should the Position Papers Cover?
Here's a list of position papers that should exist for most organizations:
• Physical Security
• Network Security
• Access Control
• Authentication
• Encryption
• Key Management
• Auditing and Review
• Security Awareness
• Incident Response & Disaster Contingency Plan
• Acceptable Use Policy
• Software Security

Policy Owner
The Policy Owner is the person responsible for the maintenance and integrity of a given policy document. No changes may be made to a document without the express permission of the Policy Owner. The name of the Policy Owner must be clearly displayed on the document, and the document should always be dated and signed by the owner.

Technical Guides
Technical guides are another set of useful documents, although they are not actually policies. Technical guides outline the implementation, operation, configuration and administration of specific systems.

Assessing Policies
Once an organization has a system of security policies in place, it will be necessary to determine the efficacy of the policies within the context of the organization. The following is a list of simple questions security personnel can use to assess how effective the policy will be for their particular organization:
1. Does the policy have a clearly defined scope?
2. Is the policy comprehensive in terms of the defined scope it means to address? Are all systems and issues sufficiently covered?
3. Does the policy clearly define responsibilities? Is it clear to the end-user, the line manager and the various administrators exactly what his or her responsibilities are?
4. Is the policy enforceable? Can it be applied in a concrete manner so that compliance is measurable?
5. Is the policy adaptable? Can it be easily changed to address new risks and new technologies?
6. Is the policy having its desired effects?
7. Is the policy universally known and understood within the organization?
8. Does the policy comply with the law and with duties to third parties? Is the organization fulfilling its statutory obligations?

END LO 3 AND LO 4