Security policies

A security policy is the essential basis on which an effective and comprehensive security program can be developed. This critical component of the overall security architecture, however, is often overlooked. A security policy is the primary way in which management's expectations for security are translated into specific, measurable, and testable goals and objectives.
It is crucial to take a top-down approach based on a well-stated policy in order to develop an effective security architecture. Conversely, if there is no security policy defining and communicating security decisions, those decisions will be made ad hoc by the individuals building, installing, and maintaining computer systems, and the result will be a disparate and less than optimal security architecture.
• The primary purpose of a security policy is to inform users, staff, and managers of the essential requirements for protecting the organization's assets, including people, hardware and software resources, and data. The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy. That baseline in turn allows the subsequent development of operational procedures, the establishment of access control rules, and the setting of application, system, network, and physical controls and parameters.
• The goal of the security policy is to translate, clarify, and communicate management's position on security as defined in high-level security principles. The security policies act as a bridge between these management objectives and specific security requirements.
A security policy is a formal statement of the rules through which people are given access to an organization's technology, system, and information assets. The security policy defines what business and security goals and objectives management desires, but not how the solutions are engineered and implemented.
A security policy should be economically feasible, understandable, realistic, consistent, and procedurally tolerable, and it should provide reasonable protection relative to the stated goals and objectives of management. Security policies define the overall security and risk control objectives that an organization endorses.
The characteristics of good security policies are:
• They must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods.
• They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
• They must clearly define the areas of responsibility for users, administrators, and management.
• They must be documented, distributed, and communicated.
• A successful security policy must be flexible. For a security policy to remain feasible in the long term, it should be independent of specific hardware and software decisions, since specific system choices change rapidly.
• In addition, the mechanisms for updating the policy should be clearly spelled out: the process, the people involved, and the people who must sign off on the changes.
Security Policy Structure
The basic structure of a security policy should contain the following components:
• A statement of the issue that the policy addresses.
• A statement of your position on that issue.
• How the policy applies in the environment.
• The roles and responsibilities of those affected by the policy.
• What level of compliance with the policy is necessary.
Once you have determined the value of your data, you need to develop a set of policies to help protect it. These security policies may apply to users, the IT department, and the organization in general. When writing your policies, consider:
• What data may a user take home?
• If a user works from home or a remote office and uses the internet to transmit data, how secure must the data be while in transit across the internet?
• What policies, network structure, and levels of defense are required to secure your data, depending on its importance, its value, and the cost of defending it?
The first items that should be defined are the policies related to the use and handling of your data. These will help you determine defensive measures and procedures. Policies are categorized here into three areas:
• User Policies - Define what users can do when using your network or data, and also define security settings that affect users, such as password policies.
• IT Policies - Define the policies of the IT department used to govern the network for maximum security and stability.
• General Policies - High-level policies defining who is responsible for the policies, along with business continuity planning and policies.
• User Policies
These define what users can and must do to use your network and the organization's computer equipment. They define what limitations are put on users to keep the network secure, such as whether they can install programs on their workstations, the types of programs they can use, and how they can access data. Some policies include:
• Password Policies - Help keep user accounts secure. This policy defines how often users must change their passwords, how long they must be, complexity rules (the types of characters used, such as lowercase letters, uppercase letters, numbers, and special characters), and other items.
• Proprietary Information Use - Acceptable use of any proprietary information owned by the company: where it can be stored, where it may be taken, and how and where it can be transmitted.
• Internet Usage - Use of internet mail; use of programs that send passwords or other data unencrypted over the internet.
• System Use - Program installation; no instant messaging; no file sharing such as Kazaa or Morpheus; restrictions on the use of your account or password (not to be given away).
• VPN and remote user system use (remote access) - Remote systems must be checked for viruses, trojans, and backdoors, and must run a firewall and antivirus software.
• Acceptable use of hardware such as modems - No use of modems to reach the internet without a personal firewall.
• IT Policies
These include general policies for the IT department which are intended to keep the network secure and stable.
• Virus incident and security incident response - Intrusion detection, containment, and removal, in six steps:
1. Prepare (policies, checklists, procedures).
2. Identify (gather evidence).
3. Contain (pull the system off the network, change passwords).
4. Eradicate (fix the system, determine the cause, improve defenses, test for vulnerabilities).
5. Recover (validate the system, monitor for re-infection).
6. Lessons learned (make recommendations to prevent a similar incident).
• Backup policy - Define what to back up, who backs it up, where it is stored, how long it is stored, how to test backups, and what program is used to do backups.
• Client update policies - How often clients are updated and by what means or tools.
• Firewall policies - What ports to block or allow, how to interface with or manage the firewall, and who has access to the control console.
• General Policies
• High-level program policy - Defines who owns the other policies, who is responsible for them, the scope and purpose of the policies, any policy exceptions, and related documents or policies.
• Business continuity plan - Includes the following plans:
  Crisis Management - What to do during any crisis which may threaten the organization.
  Disaster Recovery - Subfunctions:
    Server recovery
    Data recovery
    End-user recovery
    Phone system recovery
    Emergency response plan
    Workplace recovery
• Policy Levels
Policies can exist at many levels of the organization, from a group or team level to department, plant, or global organizational level. Some policies may only be effective at a local level, while others may be enterprise-wide throughout the organization.
Security policies are an excellent complement to the hardware and software security measures of your organization. Security policies can determine how both hardware and software are used, and they put everyone in the organization on the same page.
Every organization should have a stated security policy. It should be carefully written and checked by an attorney to be sure it does not create unnecessary liability.
• Requirements of the Policy
• The policy must be consistent to be effective. There must be similar levels of security in multiple areas, such as physical security, remote access, the internal password policy, and other policies.
• The policy statement should be assessable.
• Issues should be clearly defined, along with when they apply to the policy. Define the services affected, such as email.
• Clearly define the goals of the policy.
• Staff and management must find the policy acceptable. This is why it is important to justify each policy.
• Define the roles of the staff with respect to the policies and security issues.
• The policy must be enforceable through network and system controls. For example, settings must be configured on the domain servers to ensure that domain passwords are reasonably complex, not reused, changed periodically, and so on.
• Define the consequences of security policy violation.
• Define the expected privacy for users.
• Provide contact information for those who want more information about the policy.
User Security Issues:
• User Education
• Use caution when opening e-mail. Do not open mail from unknown originators.
• Make users aware that attackers can disguise executable files as text or other harmless file types (for example, with a misleading file name or icon).
• Users must be educated not to reuse their work passwords on sites they reach over unsecured connections on the internet.
• Password Policies
• Logon passwords must be changed at least every 90 days (30-60 days recommended). Note that more recent guidance, such as NIST SP 800-63B, drops routine expiry in favor of forcing a change when compromise is suspected and screening new passwords against known-breached lists; check which regime your organization follows.
• Minimum password age policy - 5 days (this stops a user from cycling through several passwords in one sitting to get back to an old one).
• Passwords must be at least 8 characters long and use at least two numbers.
• On Windows domain networks, in the "Domain Security Policy" tool, select "Security Settings", "Account Policies", and "Password Policy". Enable the "Password must meet complexity requirements" rule. This requires at least one character from three of the following categories:
• lowercase letters
• uppercase letters
• numbers
• special characters such as !@#$%^&*(){}[]
(The Windows rule also rejects passwords that contain the user's account name.)
• Passwords must be kept secret and not written down.
• Don't let programs save passwords.
• Lock the account after 3 failed logon attempts within 15 minutes.
• Account lockout should be reset by an administrator.
• No clear-text passwords that can allow access to sensitive information should be sent over any unsecured network such as the internet.
• The use of clear-text passwords that can allow access to sensitive information should be avoided even on a secure network. This means that FTP (unless tunnelled over a VPN) should be avoided; SSH-based tools such as SFTP and SCP perform the same function and encrypt the whole session, including the authentication.
• Passwords should not be stored using reversible encryption; store only salted one-way hashes.
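The password rules above (minimum length, two digits, three of four character classes, no reuse, no reversible storage, lockout after 3 failures within 15 minutes) as a checker one could run at password-change and logon time. This is an added example, not code from the original slides. It goes beyond the page in two places: any non-alphanumeric character counts as "special", not only those listed, and it includes the account-name check that Windows' complexity rule also applies. The PBKDF2 iteration count, the history depth, and the sample passwords and failed-logon timestamps are assumptions constructed for the example.

```python
"""Password-policy checks for the rules stated on this page.

Added example, not code from the original slides. Assumes Python 3.8+.
Sample passwords and failed-logon timestamps below are constructed for illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 8            # "at least 8 characters long"
MIN_DIGITS = 2            # "use at least two numbers"
MIN_CATEGORIES = 3        # Windows "complexity requirements": 3 of the 4 classes below
LOCKOUT_THRESHOLD = 3     # "3 failed logon attempts ..."
LOCKOUT_WINDOW = timedelta(minutes=15)  # "... within 15 minutes"
PBKDF2_ROUNDS = 200_000   # assumption: iteration count for the one-way hash


def complexity_failures(password: str, account_name: str) -> list:
    """Return the rules a candidate password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        failures.append("fewer than %d digits" % MIN_DIGITS)
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # any special character, not only the page's list
    )
    if sum(classes) < MIN_CATEGORIES:
        failures.append("fewer than %d of: lowercase, uppercase, digit, special" % MIN_CATEGORIES)
    # Windows' complexity rule also refuses passwords containing the account name.
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        failures.append("contains the account name")
    return failures


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256: one-way, unlike 'reversible encryption'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordHistory:
    """Keeps the last `depth` hashes so the 'not repeated' rule can be enforced
    without ever storing a recoverable copy of the passwords themselves."""

    def __init__(self, depth: int = 5):
        self.depth = depth
        self.entries = []  # list of (salt, digest)

    def was_used(self, password: str) -> bool:
        return any(
            hmac.compare_digest(digest, hash_password(password, salt)[1])
            for salt, digest in self.entries
        )

    def record(self, password: str) -> None:
        self.entries.append(hash_password(password))
        self.entries = self.entries[-self.depth:]


def should_lock(failure_times) -> bool:
    """True if LOCKOUT_THRESHOLD failures fall inside any span of LOCKOUT_WINDOW or less."""
    times = sorted(failure_times)
    for i in range(len(times) - LOCKOUT_THRESHOLD + 1):
        if times[i + LOCKOUT_THRESHOLD - 1] - times[i] <= LOCKOUT_WINDOW:
            return True
    return False


# Constructed sample failed-logon timestamps for one account.
BURST = [datetime(2024, 1, 8, 9, 0), datetime(2024, 1, 8, 9, 5), datetime(2024, 1, 8, 9, 14)]
SPREAD = [datetime(2024, 1, 8, 9, 0), datetime(2024, 1, 8, 9, 20), datetime(2024, 1, 8, 9, 40)]

if __name__ == "__main__":
    history = PasswordHistory()
    history.record("Tr0ub4dor!")  # the user's current password, kept only as a hash
    for candidate in ("password", "Tr0ub4dor!", "Alice2024!", "W1nter-Sk1es"):
        problems = complexity_failures(candidate, "alice")
        if history.was_used(candidate):
            problems.append("reused")
        print("%-14s %s" % (candidate, "OK" if not problems else "; ".join(problems)))
    print("burst locks:", should_lock(BURST), "| spread locks:", should_lock(SPREAD))
```

The history check compares hashes with `hmac.compare_digest` so that a reused password is detected without the old passwords ever being recoverable from the store, which is exactly what the "no reversible encryption" rule is meant to guarantee. The lockout check slides a 15-minute window over the sorted failure times rather than counting failures since the first one, so a slow, spread-out guessing attempt that never puts three failures inside one window does not lock the account, while a burst does.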
Account Policy
• Remote users on NT domains should be disconnected after 1-4 hours of inactivity. This keeps users logged off after business hours, so attackers cannot use an open session to launch an attack, and it closes open files so that the tape backup program can back up all files (open files are otherwise skipped by the backup).
• Set the account policy "Users must log on in order to change password".
