
Section x

IS Security Policies Policy Guide

mm/dd/yy -Effective mm/dd/yy -Revised Information Services Author

Table of Contents
WHAT ARE POLICIES (p. 2)
NEED FOR POLICY (p. 4)
COMMON POLICY CHARACTERISTICS (p. 4)
COMMON POLICY COMPONENTS (p. 5)
DATA CLASSIFICATION (p. 6)
RISK PROFILING (p. 7)
POLICY REVIEW (p. 8)
POLICY AREAS (p. 9)
    Introduction (p. 9)
    Change Management (p. 9)
    Privacy (p. 10)
    Network Access (p. 10)
    Server Hardening (p. 11)
    Account Management (p. 11)
    Administrative and Special Access (p. 12)
    Physical Security (p. 13)
    Security Training (p. 13)
    Portable Computing (p. 13)
    Password (p. 14)
    Acceptable Use (p. 15)
    Virus Protection (p. 16)
    Incident Management (p. 17)
    Vendor Access (p. 18)
    Network Configuration (p. 18)
    Backup/Disaster Recovery (p. 19)
    Security Monitoring (p. 19)
    Intrusion Detection (p. 20)
    Software Licensing (p. 20)
    System Development (p. 21)
CONCLUSION (p. 22)

Revised 6/7/02


What Are Policies

Policies are management instructions indicating a course of action, a guiding principle, or an appropriate procedure that is expedient, prudent, or advantageous. Policies are high-level statements that provide guidance to workers who must make present and future decisions. It would also be correct to say that policies are generalized requirements that must be written down and communicated to certain groups of people inside, and in some cases outside, the organization. Although information security policies vary considerably by organization, they typically include general statements of goals, objectives, beliefs, ethics, controls, and worker responsibilities.

Policies are higher-level requirement statements than standards, although both types of management instruction require compliance. Policies provide general instructions, while standards provide specific technical requirements. Standards cover details such as system design concepts, implementation steps, software interface mechanisms, software algorithms, and other specifics. Standards provide a measure for comparison in quantitative or qualitative terms. A standard would, for example, define the number of secret key bits required of an approved encryption algorithm; a policy would simply state the need to use an approved encryption process when sensitive information is sent over public networks such as the Internet. Standards need to be changed considerably more often than policies, because the manual procedures, organizational structures, business processes, and information systems technologies they mention change so rapidly. Policies, by contrast, are intended to last for many years. Policies are also generally aimed at a wider audience than standards. For example, a policy requiring the use of virus protection software would apply to all personal computer users, but a standard requiring the use of public key digital certificates might be directed only at staff who conduct organizational business over the Internet.

Policies are distinct from, and at a considerably higher level than, procedures, sometimes called standard operating procedures (SOPs). Procedures are the specific operational steps or methods that workers must employ to achieve a certain goal. A policy statement describes only the general means for addressing a specific problem. Policies should not become detailed or lengthy; otherwise a policy turns into a procedure, or becomes too intermingled with procedures. For instance, many information technology departments have specific procedures for performing backups of server hard drives. In this example, a policy could describe the need for backups, for off-site storage, and for safeguarding the backup media (using encryption, physical security, etc.). A standard could define the software to be used to perform backups and how to configure it. A procedure could describe how to use the backup software, the timing of backups, and the other ways that humans interact with the backup system (how to obtain management approval, how to hand storage media to a transportation company, etc.).

One of the common problems observed in policy development and review involves the combination of policies, standards, and procedures in a single document. When it comes time to update the document, the process is needlessly time-consuming and confusing, because the three types of document have different levels of detail and focus on different things. Combining them in a single document is also not recommended because it makes the relevant information much harder for the reader to locate, and it is inefficient to distribute, because a great deal of irrelevant material is sent to people who do not need it. To simplify maintenance, usage, and cross-referencing, use separate documents for policies, standards, and procedures.

Policies are also different from controls (also known as countermeasures, security measures, and safeguards). A control is a device or mechanism used to regulate or guide the operation of a machine, apparatus, or system. An example of a control would be encryption of sensitive data stored on removable media such as floppy disks. In many cases, policies provide broad objectives that are met with controls. For instance, a policy prohibiting actual or apparent conflicts of interest could be partially met via a control requiring employees to sign a statement indicating they have read the code of conduct and agree to comply. Likewise, in many instances control measures are dictated directly by policy; the requirement to sign a statement of compliance with a code of conduct might itself be a policy. In general, policies state the areas on which management attention should focus. For example, a policy might dictate that all software be fully tested before being used for production processing. Management, in most instances, will need to make a number of decisions about controls in order to meet the requirements of such a policy.
For example, the control measures in support of this testing policy could include software change control systems, a standard development process methodology, documentation standards, and a set of standard testing procedures. The policy may be deliberately vague about the control measures to be used so that management retains the latitude to change controls as evolving technology and business conditions dictate.


Need For Policy

The need for comprehensive security policies is manifold:

Regulatory and legal requirements - One of the most compelling reasons for developing formal policy is that it is mandated. The funding of grants, the handling of sensitive or hazardous materials, financial management, government and related organizations, and medical, legal, and other organizations are generally bound by common practices, many of which must be audited for compliance on a regular basis.
Fairness - Policies ensure that the playing field is level; all users are treated fairly with respect to the level of access they may have.
Consistency - Similar problems are treated in a similar fashion.
Understanding - Policies ensure that all involved parties understand clearly what is expected.
Conservation of time - By laying out rules ahead of time, the time required to assess how a situation is to be addressed is reduced. Policies can in some cases even prevent problems from occurring at all.
Professionalism - Because the development and enforcement of a security policy (and its attendant procedures) is a non-trivial task, the existence and use of these documents is testament to an organization's commitment to professionalism.

Common Policy Characteristics

Creating a security policy for the sake of having a policy offers little benefit. The policy should meet certain criteria in order to be effective:

Flexibility - Effective policy must meet the current needs of the organization as well as its future needs, accommodating changes in technology and in the organization's threat model.
Pertinence - The policy must reflect the business goals of the organization.
Applicability - The policy must reflect the realities of the environment.
Implementation - The policy should be feasible to implement. Goals should be measurable and attainable.
Timeliness - The policy should be current, reflecting recent developments in factors both external and internal to the organization.
Cost-effectiveness - The policy should be cost-effective. Effort and materials expended should be in proportion to the value of the assets they are meant to safeguard.
Enforceability - The policy should be enforceable. While policy is not intended to dictate the method of implementation, policy that cannot be implemented creates confusion and wastes effort.
Integration - The policy should integrate well with existing organizational policy.


Common Policy Components

The statement of policy is the most important element of the document. It should be brief, clearly worded, and state what is expected. A statement of policy is most effective when it can, on its own, give the reader sufficient information to determine whether the policy applies in a particular situation and to what or whom it applies.

The second most important item in the policy document is the authority from which the policy derives. Most frequently this is an officer or senior executive of the company. It is important that the authorizing executive be aware of the policy and able to defend it. Authority should not be placed artificially with a highly positioned officer, or the policy may be successfully challenged in the absence of a knowledgeable defender. Similarly, it should not be placed too many levels down in the organization, lest higher-placed officials frequently override it.

The name of the individual or group responsible for authoring the document should be included. Questions of interpretation, changes, or clarifications can then be communicated to the source, reducing the need for formal amendment or replacement processes.

Many policies are related to other policies that already exist or are in development. Because changes to a referring policy may affect yet other policies, clear references to the relevant policies assist in maintaining the policy structure.

Policy compliance and effectiveness are seldom best measured as a binary state. Expectations should be stated clearly, both in terms of how they are measured and in the definition of the terminology used.

The process by which exceptions can be requested is also important. If no exceptions are allowed, the policy should say so. Only the process should be described, not the conditions under which exceptions are granted: excessive explicitness in defining possible exceptions results in an abundance of similarly worded requests, many with only a marginal basis for acceptance.

A policy that carries no consequence upon violation should not be made a policy; it belongs instead in a suggested procedure or advisory. A policy written to require compliance must state the penalty for violation.

All policies should carry an effective date and a date upon which they expire or are subject to review. Keeping old policies updated, purging obsolete ones, and folding new requirements into a living document produces a policy set that is more likely to be upheld and respected by its intended audience.


Data Classification

The information produced or processed by an organization must be categorized according to its sensitivity to loss or disclosure in order to develop effective information security policy. Most organizations use some set of information categories, such as Proprietary, For Internal Use Only, or Company Sensitive. The categories used in the information security policy should be consistent with any categories the organization already uses. For example, data may be broken into four sensitivity classifications with separate handling requirements: SENSITIVE, CONFIDENTIAL, PRIVATE, and PUBLIC. The standard data sensitivity classification system developed for an organization must be used throughout the organization. The designated owners of information are responsible for determining data classification levels, subject to executive management review. These classifications are defined as follows:

SENSITIVE: This classification applies to information that requires special precautions to assure its integrity, by protecting it from unauthorized modification or deletion. It is information that requires a higher than normal assurance of accuracy and completeness. Sensitive information might include organization financial transactions and regulatory actions.

CONFIDENTIAL: This classification applies to the most sensitive business information, intended strictly for use within the organization. This information is exempt from disclosure under the provisions of the Freedom of Information Act or other applicable federal laws or regulations. Its unauthorized disclosure could seriously and adversely impact the organization, its stockholders, its business partners, and/or its customers. For example, health care related information should be considered at least CONFIDENTIAL.

PRIVATE: This classification applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its employees.

PUBLIC: This classification applies to all other information that does not clearly fit into any of the above three classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact the organization, its employees, and/or its customers.

Note that SENSITIVE, as defined here, concerns integrity (protection from unauthorized modification or deletion), while the other three levels concern disclosure; the handling requirements written for each level should make that distinction explicit so that owners know which controls are expected of them.


Risk Profiling

In today's environment of severely constrained staffing and financial resources, investments in security controls must show a positive return on investment. Information security can be viewed as an enabling investment, reducing operational costs or opening new revenue streams, or as a protective investment, preventing potential costs or negative business impacts. In either case, the cost of the security controls must be appropriate to the risk and reward environment faced by the organization. Security policy provides the baseline for implementing security controls that reduce vulnerabilities and reduce risk. To develop cost-effective security policy, a risk analysis must be performed to determine the required rigor of the policy, which in turn drives the cost of the security controls deployed to meet its requirements. How rigorous this effort must be depends on the level of threat the organization faces, its visibility to the outside world, its sensitivity to the consequences of potential security incidents, and any legal and regulatory issues that dictate formal levels of risk analysis. More formal methods of risk assessment may be appropriate for organizations that are subject to regulatory oversight or that handle life-critical information.


Policy Review

A security policy is of little use if it is improperly or inadequately implemented, and threats, technologies, and business needs change over time. Reviewers should examine past security-relevant decisions and determine whether they were appropriate. Additionally, existing policy and procedures should be evaluated for their effectiveness in supporting the decision-making process. Many reviews, each with further changes to the policy document, are often necessary.

Over and above the practical considerations of review, some environments require a periodic formal audit to satisfy internal or external legal obligations. For example, publicly traded companies are held to a good faith due diligence standard. It is often best for these reviews to be conducted by an independent third party.

The final step in any policy review process should be the signature of the General Manager, President, Chief Executive Officer, or Chairman of the Board. The signature of executive management (and ideally a brief message about expected compliance) is critical to widespread adoption, showing that policy is the concern of the entire organization and not the sole mandate of the Information Security Department.

Although security audits and audit trail analysis play an important role in ensuring the ongoing success of a security policy and its controls, other tasks also need to be accomplished:

Maintaining a qualified technical staff to assist in implementation and evaluation.
Ensuring that staff have sufficient resources to perform their work.
User awareness training, so that employees, users, and support staff are aware of security policies and procedures.

Although non-management personnel may perform these ongoing activities, management should be aware of and support the work necessary to keep the organization's security infrastructure current and functional.


Policy Areas
Introduction
The policy templates provided as part of this documentation project are in generic form. They should not be used without customization to a specific organization's information systems security environment, and a specialist in information security must be involved for such customization to be performed properly. This person should possess a broad understanding of the risks faced by the organization, of the controls used to handle those risks, and of existing organizational information-security-related policies, guidelines, procedures, standards, and related material. Certain background work will need to be performed by the organization seeking to customize these templates. For example, a risk assessment such as a scenario analysis, a quantitative risk analysis, or a standard-of-due-care controls review will help an organization understand and quantify the risks in its particular environment and deploy resources appropriately. Similarly, a series of interviews with involved parties will reveal not only what the existing policies mean, but also how well known they are, how well workers have complied with them, and the costs and benefits they have engendered. The Information Security Office of the Department of Information Resources is available to assist organizations with the customization of the security policy templates.

Change Management

A formal change control process helps to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner. This in turn, in most instances, increases the percentage of time the system is available for processing business transactions. Such change control processes are also a useful way to force the preparation of documentation that will be important for problem resolution and contingency planning. An explicit definition of "production processing" may be an important supplement to this policy. The change control policy should mandate the existence of change control procedures, outline what elements those procedures should contain, require that they be followed, and describe the actions to be taken should violations occur. For example, in some working environments it may be desirable for network infrastructure management to immediately disable or remove from operation systems that are not in compliance with the organization's change control policy. This policy is relevant to voice communications systems such as voice mail and PBXs, as well as to data communications systems such as intranets.

Privacy
The privacy policy for information resource usage should be consistent with the organization's other privacy policies. Just because it is technically easy to monitor employees does not mean it is always a good idea: employee morale is a significant factor in security as well as in productivity. Employees should be made aware that network records are subject to release under conditions outside the organization's control, such as a subpoena or, for government agencies, a Freedom of Information Act request. The policy must state clearly: what information is being collected; the use of that information; possible third-party distribution of that information; the choices available to an individual regarding collection, use, and distribution of the collected information; a statement of the organization's commitment to data security; and what steps the organization takes to ensure data quality and access. In addition, the policy should disclose the consequences, if any, of an individual's refusal to provide information. The policy should also include a clear statement of the accountability mechanism the organization uses, including how to contact the organization.

Network Access

The organization's network infrastructure is provided as a central utility for all information resource users. It is important that the infrastructure, which includes cabling and the associated "active equipment", continues to develop with sufficient flexibility to meet organizational demands while remaining capable of exploiting anticipated developments in high speed networking technology, so that enhanced user services can be provided in future. The purpose of the Network Access policy is to establish the rules for access to and use of the network infrastructure. This includes documentation and change control, connectivity to other networks such as the Internet and extranets, and which services are allowed (or denied): Web browsing, remote terminal access to systems, file transfers, and e-mail.

Server Hardening
This policy is intended to ensure that new systems put into production, and existing systems that are upgraded, have had the necessary preventative maintenance performed before they enter production. This includes removing default passwords, applying vendor patches, and removing application software that may be included in a default installation but is not necessary or wanted as part of the system's operational role. It is often necessary for system software or hardware components to be upgraded with the modules needed to assure optimal performance. System administrators should be aware of any hardware or software bugs, especially those pertaining to security, as well as of upgrades issued by the vendor. If an upgrade of any sort is necessary, precautions must be taken so that a high level of operational security is maintained throughout. The intention of this policy is to ensure that information systems equipment continues to operate as it should, thus supporting the organization in achieving its mission. Equipment downtime can be a serious problem, bringing many information systems activities to a halt (especially if the equipment is a mainframe, telephone switch, or some other large multi-user system).
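The checks this policy calls for (no default or empty passwords, no unnecessary software left over from the default installation) are easiest to enforce when they are scripted and run as a gate before a system enters production. The following is an added illustration, not part of the guide and not code from any particular product: it runs a small hardening baseline over constructed sample data standing in for /etc/passwd, /etc/shadow and a package inventory. The account names, hashes, package names and the organization's removal list are all assumptions made up for the example; a real check would read the live files and the organization's own list.

```python
"""Pre-production hardening baseline check (added illustration, not from the guide).

Sample inputs are constructed inline to stand in for /etc/passwd, /etc/shadow
and a package inventory; real use would read the live files instead.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of /etc/passwd. 'backup' has UID 0 (a second superuser)
# and 'www-data' has been left with an interactive login shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:0:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed sample of /etc/shadow. 'alice' has an empty password field
# (login with no password at all); '!' and '*' are locked accounts.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
www-data:*:19500:0:99999:7:::
backup:!:19500:0:99999:7:::
alice::19500:0:99999:7:::
"""

# Constructed package inventory (what `dpkg-query -W -f='${Package}\n'` might list).
SAMPLE_PACKAGES = ["openssh-server", "telnetd", "rsh-server", "nginx", "curl"]

# Assumed organization removal list: software a default install may include
# but that has no place on a production server.
REMOVE_LIST = {"telnetd", "rsh-server", "tftpd", "xinetd"}

# Shells that do not grant an interactive login.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# UIDs at or below this value are treated as system/service accounts.
SYSTEM_UID_MAX = 999


@dataclass
class Finding:
    check: str    # short identifier of the rule that fired
    subject: str  # account or package name
    detail: str   # human-readable explanation


def parse_colon_file(text: str) -> list[list[str]]:
    """Split passwd/shadow-style text into per-line field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def check_accounts(passwd_text: str, shadow_text: str) -> list[Finding]:
    """Flag empty passwords, extra UID-0 accounts and service accounts with login shells."""
    findings: list[Finding] = []

    # An empty second field in shadow means the account has no password at all.
    for row in parse_colon_file(shadow_text):
        name, pw_hash = row[0], row[1]
        if pw_hash == "":
            findings.append(Finding("empty-password", name, "shadow password field is empty"))

    for row in parse_colon_file(passwd_text):
        name, uid, shell = row[0], int(row[2]), row[6]
        # Only root should carry UID 0; any other UID-0 account is a hidden superuser.
        if uid == 0 and name != "root":
            findings.append(Finding("extra-uid0", name, "UID 0 account other than root"))
        # Service accounts should not have an interactive shell.
        if uid <= SYSTEM_UID_MAX and name != "root" and shell not in NON_LOGIN_SHELLS:
            findings.append(Finding("service-shell", name, f"system account has login shell {shell}"))
    return findings


def check_packages(installed: list[str], remove_list: set[str] = REMOVE_LIST) -> list[Finding]:
    """Flag installed packages that the organization requires to be removed."""
    return [Finding("unwanted-package", p, "package is on the removal list")
            for p in installed if p in remove_list]


def run_baseline(passwd_text: str = SAMPLE_PASSWD, shadow_text: str = SAMPLE_SHADOW,
                 installed: list[str] = SAMPLE_PACKAGES) -> list[Finding]:
    """Run every check; an empty result means the host passes the baseline."""
    return check_accounts(passwd_text, shadow_text) + check_packages(installed)


if __name__ == "__main__":
    for f in run_baseline():
        print(f"[{f.check}] {f.subject}: {f.detail}")
```

Run against the constructed data, the script reports five findings: alice's empty password, the second UID-0 account backup, www-data's login shell, and the two packages on the removal list. Wiring `run_baseline()` into the build so that a non-empty result blocks deployment turns the policy's "before the systems are put into production" into a mechanical gate rather than a checklist item.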

Account Management

Access to information resources must be restricted on a need-to-know basis. This means that privileges must not be extended unless a legitimate business need for them exists. For this reason, consistent procedures must be created, maintained, and audited to ensure that access is granted only when a demonstrated need exists. If the site has more than one classification of user, this policy should define them; any time a policy applies to some users and not others, a distinct user classification exists. The intended use of accounts, how users apply for accounts, and how accounts are created, expired, deactivated, and revoked should all be covered.

Administrative and Special Access
This policy establishes a group of system privileges beyond what authorized users are given for basic business needs (that is, those required so that they may communicate with other users and get their jobs done). Requests for these privileges are generally handled with special forms, increasingly handled electronically. The idea behind this policy can be extended to the establishment of default privileges by job title (such as those for all "consultants") as well as by department (such as those for the "Accounting Department"). This concept is commonly referred to as role based security. By segmenting the work of systems administrators, this policy supports the principle that no more privileges are used than are necessary to accomplish a specific business objective. Without such a policy, systems administrators may employ their privileged user-IDs to perform activities that they would be prevented from performing had they been restricted to the privileges of a normal user. Administrators may not even notice the distinction unless they actually hold two or more user-IDs: an ordinary one for routine work and a privileged one used only when the task requires it. Security of a site is crucial to the business activity of an organization. It is therefore required that system administrators have a sound understanding of network concepts and implementation relevant to the resources they manage. For instance, since most firewalls are TCP/IP based, a thorough understanding of that protocol suite is compulsory. This policy is an extension and elaboration of the Account Management policy above. It deals specifically with defining the scope of system administrators' functions and duties, as well as the special handling needs of administrative accounts.

Physical Security
Physical access to critical network infrastructure and information resources must be tightly controlled to preclude unauthorized changes to configuration or operational status, and to eliminate any potential for the monitoring, interception, or alteration of business activities. In addition, precautions should be taken to ensure that proper environmental alarms and backup systems are in place to assure the availability of information resources. Requirements for power, heating, cooling, fire protection, and other facilities issues, as well as controls on equipment being brought into and out of facilities, are appropriate areas of coverage for this policy. Other questions should also be addressed: are all systems physically protected from outsiders? Are important machines adequately secured from insiders?

Security Training

This policy communicates from top management to lower level management the requirements for training and documentation. The specific material to be delivered to workers will vary based on the nature of the jobs that these workers perform. This policy relies on the local manager to decide what constitutes sufficient information security training; some organizations may prefer to say that the Information Security Department will determine what constitutes sufficient training. In any case, training, whether internal or externally provided by a third party, constitutes an important part of a comprehensive security plan. Consider providing a security training session or orientation as a requirement for new users to help them become familiar with computing facilities, as well as with the organization's policies, standards, and procedures.

Portable Computing

Portable computing devices are becoming increasingly powerful and affordable. Their small size and functionality are making these devices ever more desirable as replacements for traditional desktop devices in a wide number of applications. The portability offered by these devices, however, may increase the security exposure of the group using the devices. It is important that this policy address issues that the user is expected to be aware of while using portable devices to access the organization's information resources. What, if any, additional precautions are users expected to take while traveling with data, such as using secure e-mail or encrypting a laptop hard drive? Are dial-up connections allowed? Are wireless connections allowed? How are they authenticated? Is wire-tapping considered a threat? If so, how is it addressed? What level of access to the internal network do dial-in connections provide? How does that compare to the access they should provide?

Password
Identification and Authentication (I&A) is the process of recognizing and verifying valid users or processes. I&A information is generally then used to determine what system resources a user or process will be allowed to access. The determination of who can access what should be part of a data categorization effort. Authentication over a network, or the Internet, presents several problems. It is relatively easy to capture identification and authentication data (or any data) and replay it in order to impersonate a user. As with other remote I&A, and often with internal I&A, there can be a high level of user dissatisfaction and uncertainty, which can make I&A data obtainable via social engineering. Having additional I&A, especially when implemented separately on a per-application basis, may also contribute to a proliferation of I&A data that is difficult for users to manage. Another problem is the ability to hijack a user session after I&A has been performed.

This policy is intended to identify the measures that users are expected to take to ensure the security of their accounts, and that management is expected to take to ensure the security of organizational information resources. It is important that the password policy remain a high-level policy document, rather than including standards or procedural elements. Common mistakes in drafting a password policy include adding specific parameters on the length and composition of a password, such as requiring a minimum length of 9 characters and mixed case. These sorts of elements are best left to standards documents, especially since there is a wide range of information resource access controls, and not all devices and applications may support a particular password standard. Similarly, procedures on how passwords can be generated, accounts created, or passwords changed should be reserved for procedural documents. The policy should reference the requirements for the existence and scope of both standards and procedures, rather than combine policy, standards, and procedures.

Acceptable Use
The intent of this policy is to outline more specifically the limits of what usage is generally acceptable. While it is not possible to enumerate every possible infraction, it is important to be specific enough to give users enough information to make an informed decision. Web browsing and electronic mail are two significant areas of concern. Electronic mail (e-mail) is increasingly critical to the normal conduct of business. Organizations need policies for e-mail to help employees use electronic mail properly, to reduce the risk of intentional or inadvertent misuse, and to assure that official records transferred via electronic mail are properly handled. Similar to policies for appropriate use of the telephone, organizations need to define appropriate use of electronic mail. The Internet is a network of networks, providing the infrastructure for communication and sharing of information. It provides a number of services including e-mail, file transfer, login from remote systems, interactive conferences, news groups, and the World Wide Web. The World Wide Web is the universe of Internet-accessible information. The World Wide Web began as a networked information project at CERN, the European Laboratory for Particle Physics. The Web has a body of software, and a set of protocols and conventions, used to traverse and find information over the Internet. Through the use of hypertext and multimedia techniques the web is easy for anyone to roam, browse, and contribute to. Web clients, also known as web browsers, provide a user interface to navigate through information by pointing and clicking. Web servers deliver HTML (Hyper Text Markup Language) and other media to browsers through the Hyper Text Transfer Protocol (HTTP). The browsers interpret, format and present the documents to users. The end result is a multimedia view of the Internet. Browsers also introduce vulnerabilities to an organization, although generally less severe than the threat posed by servers.

The following sections provide policy samples for the use of World Wide Web browsers and servers, and for publishing information on World Wide Web home pages. The acceptable use document is not intended to enumerate every possible avenue of acceptable or forbidden activity. Rather, it is intended to provide guidance to the average user so that they can intelligently judge the consequences of their actions. For example, if occasional non-business use is permitted, what constitutes business and personal use should be defined. The policy needs to be only as specific as necessary to allow disciplinary actions to be taken if required, without becoming overly specific and diluting the intent and impact of higher-level policy.

Virus Protection

For organizations that allow downloading of software over the Internet (which can be via Internet e-mail attachments), virus scanning at the firewall can be an appropriate choice, but it does not eliminate the need for client and server based virus scanning as well. Viruses imported on floppy disks, or on infected vendor media, will continue to be a threat. The security policy for viruses has three aspects:

Prevention - policies that prevent the introduction of viruses into a computing environment
Detection - determination that an executable, boot record, or data file is contaminated with a virus
Removal - deletion of the virus from the infected computing system, which may require reinstallation of the OS from the ground up, deleting files, or deleting the virus from an infected file

There are various factors that are important in determining the level of security concern for virus infection of a computer. Viruses are most prevalent on DOS, Windows (3.x, 9x, ME), and NT operating systems. There are, however, also some UNIX and even LINUX viruses. The frequency with which new applications or files are loaded on to the computer is proportional to the susceptibility of that computer to viruses. Computers whose configuration changes as a result of exposure to the Internet, exposure to mail, or receipt of files from external sources are more at risk for contamination. The greater the value of the computer, or of the data on the computer, the greater the concern should be for ensuring that a virus policy as well as implementation procedures are in place. The cost of removal of the virus from the computing environment must be considered within your organization as well as for customers you may have infected. Cost may not always be identified as monetary; company reputation and other considerations are just as important. It is important to note that viruses are normally introduced into a system by a voluntary act of a user (e.g., installation of an application, FTP of a file, reading mail, etc.).

Prevention policies can therefore focus on limiting the introduction of potentially infected software and files to a system. In a high-risk environment, virus scanning efforts should be focused on the point when new software or files are introduced, to maximize protection. As with the password policy, it is important that issues such as the type of controls used (such as the brand or version of the virus protection software), the interval at which such software might have its virus signatures updated, and how such changes will be handled across the enterprise, be relegated to standards and procedures that the policy requires.

Incident Management

The purpose of this policy is to require that specific individuals be defined as responsible for handling security incidents and that these people know that they are responsible for developing and maintaining procedures for handling incidents. In addition to normal contingency plans, the procedures that these individuals develop can include ways to document an investigation, ways to determine how to prevent the problem's recurrence, ways to report the incident to management and third parties, and ways to protect logs and audit trails should they be needed for disciplinary or prosecution purposes. Security is normally enforced through a combination of technical and traditional management methods. Not all of these tools are used within all network environments, nor should they be. Instead, the tools that are appropriate within the context of asset valuation, risk assessment, cost justification, and resources available should be selected for each situation. A decision must be made on the role technology will play in enforcing or supporting the policy. The methods listed tend to be technology based, although significant consideration should be given to management tasks relative to these technologies. Documented incident handling procedures must be developed and in place. Intrusion detection systems and procedures are only one part of a comprehensive security program. While some limited utility may be derived from any one component of a security program (access control, intrusion detection, incident response, etc.), for best results all components should be implemented in a unified approach based on a security policy developed for the specific site. For example, if server-based alarms are forwarded to the client/server support group, but the network support group handles firewall alarms, the extent of an intrusion may be underestimated or missed entirely.

Vendor Access
Third party network connections, such as those to vendors and partnering companies, represent a new access point into the organization's information resources. They should be treated very carefully and on a case-by-case basis. Ideally, there would be a separate support organization that is responsible for implementing and maintaining third party network connections. This policy is a special case of the Network Access policy and also includes aspects of Physical Access and Acceptable Use. It is intended to cover issues of connectivity to networks outside of the organization's control. Establishing needs for control mechanisms, data classification, and separation for connections to external networks should be addressed here. For example, what machines should be visible from the outside? What services on those machines should be visible? If there are machines outside the firewall ("bastion hosts"), how well are they separated from the inside? Could a bastion host be leveraged for access to the inside? What information is allowed on bastion hosts? Are connections from the Internet to the internal network allowed? How are they authenticated? Are they encrypted?

Network Configuration

The purpose of the Network Configuration policy is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the integrity, availability, and confidentiality of all organizational information resources. It is important that the network infrastructure, which includes cabling and the associated active equipment such as routers and switches, continues to develop with sufficient flexibility to meet user demands while at the same time remaining capable of exploiting anticipated developments in high speed networking technology to allow the future provision of enhanced user services.

Backup/Disaster Recovery
Because disasters happen so rarely, technical management often ignores the disaster recovery planning process. A good contingency plan is becoming a matter of competitive advantage, and business partners may insist on one. It is important to note that a disaster recovery plan in most instances is going to fail unless the associated business facilities (phones, desks, etc.) are also available. The main aspect of a disaster plan is an outline of what actions must be performed to keep critical business resources functioning after a disaster. The process can be divided up into the following phases:

Onset of a disaster
Response by on-site personnel
Damage and impact assessment and analysis
Transition to emergency operating mode
Restoration of normal business operations

Regardless of an organization's disaster plan, annual disaster drills should be conducted to test the effectiveness and thoroughness of the plan. Although it can be difficult to predict what will happen in a disaster, rehearsal of a plan to cope with such a disaster can help to identify the more obvious procedural errors. This policy assumes that a classification system exists and that certain information resources have already been designated as "critical."

Security Monitoring

Security Monitoring is a method to ensure that Information Resource security controls are in place, are effective, and are not being bypassed. The monitoring is of the Information Resource security controls, not of the individuals utilizing the IR. It is necessary to set the privacy expectations of all users of an agency's IR through the Privacy Policy. A number of court cases in the United States have focused on employee expectations of privacy while using an employer's computer and communications systems, particularly electronic mail. Most organizations are adopting a policy such as the one shown here, although management can choose to provide employees with the same privacy rights that they would enjoy when using a common carrier such as the telephone company. Whatever position management chooses to follow, it is important that the privacy status of employee-generated data on organizational systems be clearly specified. Employee expectations must be clarified to avoid litigation, employee grievances, and morale problems.

Intrusion Detection
Intrusion detection plays an important role in implementing an organizational security policy. As information systems grow in complexity, effective security systems must evolve. Some mechanism is required for establishing and maintaining the level of network security for the enterprise. Intrusion detection systems can provide part of that assurance. Intrusion detection provides two important functions in protecting information system assets. The first function is that of a feedback mechanism which informs the security staff as to the effectiveness of other components of the security system. In this sense intrusion detection is a benchmark for perimeter defense sub-systems such as firewalls and dial-up access control systems. The lack of detected intrusions can be an indication that the perimeter defenses are working, provided that a robust and effective intrusion detection system is in place. The second function is to provide a trigger or gating mechanism that determines when to activate planned responses to an incident.

Software Licensing

The Internet has allowed many software companies to use new means of distributing software. Many organizations allow the downloading of trial versions of their products, sometimes limited versions ("crippleware") or versions that only operate for a limited period of time. Many organizations, however, take a shareware approach, allowing fully functional copies of software to be downloaded for trial use and requiring the user to register and pay for the software when it is used for commercial purposes. When users forget, or decline, to properly register software downloaded over the Internet, the organization can be in violation of software licenses. If such violations are discovered they put an organization at severe risk of penalties or loss of reputation. The Business Software Alliance and the Software Publishing Alliance actively audit corporate licensing and pursue violators. Internet security policy should detail corporate policy on downloading commercial software. The purpose of this policy is to ensure that the agreements for all computer programs licensed from third parties are periodically reviewed for compliance. The policy should cover issues such as the copying, distribution, and use of software for business purposes, as well as when software should be installed, and by whom. Whether users are allowed to install their own software should likewise be covered.

System Development
The purpose of controls on systems development is to ensure security is built into operational systems; to prevent loss, modification, or misuse of user data in application systems; to protect the confidentiality, authenticity and integrity of information; to ensure IT projects and support activities are conducted in a secure manner; and to maintain the security of application system software and data. To that end, rigorous processes should be created and maintained to attain each of those goals. The separation between production (operations) and systems development is one of the most important aspects of a secure computing environment. If developers, users, and others can make changes to production software, then a wide variety of security exposures are introduced. An unauthorized user may exploit undocumented functions, such as an undocumented mechanism to let the original programmer circumvent access controls, if left in the production version of an application. The intention of this policy is to make sure that all functionality gets documented and approved, and also that management knows about, or can readily discover, information resource system functions. The intent of this policy is to ensure that security concerns are addressed at all stages of the system development cycle. This can be accomplished by mandating the existence of, and adherence to, a System Development Life Cycle (SDLC). A typical SDLC includes design, development, maintenance, quality assurance and acceptance testing.

Conclusion

The absence of a computer security policy leaves a large void in any organization's ability to operate effectively and maintain business continuity, and allows for ad-hoc decisions to be made by unauthorized personnel. On the other hand, a well-written and easily understandable security policy provides an effective basis for decision making and planning. It gives both providers and users of a resource a clear understanding of what is expected. Lastly, because the development and enforcement of a security policy (and its attendant procedures) is a nontrivial task, the existence and use of these documents is testament to the commitment of an organization to professionalism. Therefore, effective computer security requires clear, documented policy that is supported by the entire organization's community. These policies must be based on an understanding of mission priorities and the assets and business operations necessary to fulfill them. They must also be based on a pragmatic assessment of the threats against these assets and operations. The development of security policies will provide a number of benefits: they help in making decisions regarding other policies, in making purchasing decisions, and they provide a framework for deciding what actions to take in particular circumstances and a framework for computer system configuration and network design. As such, these policies should be approached with the intent of covering each aspect of the organization's security needs (security policies, physical security, data access, network infrastructure, systems development, systems administration, contingency planning, and maintenance). Any aspect missing from the security policy will likewise result in gaps in the ability to identify and respond to events in the areas that are lacking.

The creation of a security policy and its supporting mechanisms and processes will help ensure the integrity of information resources and provide a sound foundation for the expansion of the organization's operations.
