Table of Contents
WHAT ARE POLICIES (2)
NEED FOR POLICY (4)
COMMON POLICY CHARACTERISTICS (4)
COMMON POLICY COMPONENTS (5)
DATA CLASSIFICATION (6)
RISK PROFILING (7)
POLICY REVIEW (8)
POLICY AREAS (9)
    Introduction (9)
    Change Management (9)
    Privacy (10)
    Network Access (10)
    Server Hardening (11)
    Account Management (11)
    Administrative and Special Access (12)
    Physical Security (13)
    Security Training (13)
    Portable Computing (13)
    Password (14)
    Acceptable Use (15)
    Virus Protection (16)
    Incident Management (17)
    Vendor Access (18)
    Network Configuration (18)
    Backup/Disaster Recovery (19)
    Security Monitoring (19)
    Intrusion Detection (20)
    Software Licensing (20)
    System Development (21)
CONCLUSION (22)
Revised 6/7/02
1 of
22
Policy Guide
Section x
What Are Policies
Policies are management instructions indicating a course of action, a guiding principle, or an appropriate procedure that is expedient, prudent, or advantageous. Policies are high-level statements that provide guidance to workers who must make present and future decisions. It would also be correct to say that policies are generalized requirements that must be written down and communicated to certain groups of people inside, and in some cases outside, the organization. Although information security policies vary considerably by organization, they typically include general statements of goals, objectives, beliefs, ethics, controls, and worker responsibilities.

Policies are higher-level requirement statements than standards, although both types of management instructions require compliance. Policies provide general instructions, while standards provide specific technical requirements. Standards cover details such as systems design concepts, implementation steps, software interface mechanisms, software algorithms, and other specifics. Standards provide a measure for comparison in quantitative or qualitative terms. Standards would, for example, define the number of secret key bits required in an encryption algorithm. Policies, on the other hand, would simply define the need to use an approved encryption process when sensitive information is sent over public networks such as the Internet.

Standards will need to be changed considerably more often than policies because the manual procedures, organizational structures, business processes, and information systems technologies mentioned in standards change so rapidly. This is in contrast to policies, which are intended to last for many years. Policies are generally aimed at a wider audience than standards. For example, a policy requiring the use of computer virus packages would apply to all personal computer users, but a standard requiring the use of public key digital certificates could be directed only at staff that conducts organizational business over the Internet.

Policies are distinct from, and at a considerably higher level than, procedures, sometimes called standard operating procedures (SOP). Procedures are specific operational steps or methods that workers must employ to achieve a certain goal. A policy statement describes only the general means for addressing a specific problem. Policies should not become detailed or lengthy; otherwise, they become procedures or become too intermingled with procedures. For instance, in many information technology departments there are specific procedures for performing back-ups of server hard drives. In this example, a policy could describe the need for back-ups, for storage off-site, and for safeguarding the back-up media (using encryption, physical security, etc.). A standard could define the software to be used to perform back-ups and how to configure this software. A procedure could describe how to use the back-up software, the timing for making back-ups, and other ways that humans interact with the back-up system (how to get approvals by management, how to transfer the storage media to a transportation company, etc.).
involves the combination of policies, standards, and procedures in a single document. When it comes time to update the document, the process is needlessly time-consuming and confusing. This is because the three different types of documents all have different levels of detail and focus on different things. The combination of policies, standards, and procedures in a single document is also not recommended because it can make the location of relevant information much more difficult for the reader. This combination approach is also inefficient in terms of distribution because a lot of irrelevant information is sent to people who really don't need it. To simplify document maintenance, usage, and cross-referencing, be sure to use separate documents for policies, standards, and procedures.

Policies are also different from controls (also known as countermeasures, security measures, and safeguards). A control is a device or a mechanism used to regulate or guide the operation of a machine, apparatus, or system. An example of a control would be encryption of sensitive data stored on floppy disks. In many cases, policies provide broad objectives that are met with controls. For instance, a policy prohibiting actual or apparent conflicts of interest could be partially met via a control requiring employees to sign a statement indicating they have read the code of conduct and agree to comply. Likewise, in many instances, control measures are dictated directly by policy. For example, a requirement to sign a statement of compliance with a code of conduct might itself be a policy.

In general, policies state the areas on which management attention should focus. For example, a policy might dictate that all software be fully tested before being used for production processing. Management, in most instances, will need to make a number of decisions about controls in order to meet the requirements of a policy. For example, the control measures in support of this testing policy could include software change control systems, a standard development process methodology, documentation standards, and a set of standard testing procedures. The policy may be deliberately vague about the control measures to be used so that management retains the latitude to change controls as evolving technology and business conditions dictate.
Need for Policy
The need for comprehensive security policies is manifold:

Regulatory and legal requirements - One of the most compelling reasons for developing formal policy is because it is mandated. The funding of grants, the handling of sensitive or hazardous materials, financial management, government or related organizations, medical, legal, and other organizations are generally bound by common practices, many of which are required to be audited for compliance on a regular basis.
Fairness - Policies ensure that the playing field is level; all users are treated fairly with respect to the level of access they may have.
Consistency - Similar problems are treated in a similar fashion.
Understanding - Policies ensure that all involved parties understand clearly what is expected.
Conservation of time - By laying out rules ahead of time, the time required to assess how a situation is to be addressed is reduced. Policies can in some cases even prevent some problems from occurring at all.
Professionalism - Because the development and enforcement of a security policy (and its attendant procedures) is a non-trivial task, the existence and use of these documents is testament to the commitment of an organization to professionalism.

Common Policy Characteristics
Creating a security policy for the sake of having a policy offers little benefit. The policy should meet certain criteria in order to be effective:

Flexibility - Effective policy needs to be able to meet the current needs of the organization as well as its future needs by accommodating changes in technology and the organization's threat model.
Pertinence - The policy must reflect the business goals of the organization.
Applicability - The policy must reflect the realities of the environment.
Implementation - The policy should be feasible to implement. Goals should be measurable and attainable.
Timeliness - The policy should be current, reflecting recent developments in factors both external and internal to the organization.
Cost-effectiveness - The policy should be cost-effective. Effort and materials expended should be in proportion to the value of the assets they are meant to safeguard.
Enforceability - The policy should be enforceable. While policy is not intended to dictate the method of implementation, creating policy that is not possible to implement creates confusion and wastes effort.
Integration - The policy should integrate well with existing organizational policy.
Common Policy Components
The statement of policy is the most important element of the document. It should be brief, clearly worded, and state what is expected. A Statement of Policy is most effective when it can, on its own, give the reader sufficient information to determine if the policy is applicable in a particular situation and to what or whom it applies.

The second most important item in the policy document is the authority from which the policy is derived. Most frequently, this is an officer or senior executive of the company. It is important that the authorizing executive be aware of the policy. Authority should not be placed artificially with a highly positioned officer, or the policy may be successfully challenged in the absence of a knowledgeable defender. Similarly, it should not be placed too many levels down in an organization lest higher-placed officials frequently override it.

The name of the individual or group responsible for authorship of the document should be included. Questions of interpretation, changes, or clarifications can then be communicated to the source, reducing the need for formal amendment or replacement processes.

Many times policies are related to other policies that currently exist or are in development. Because changes to referring policies may affect yet other policies, clear references to other relevant policies assist in the maintenance of the policy structure.

Policy compliance and effectiveness is seldom best measured with a binary state. Expectations should be stated clearly, both in terms of how they are measured and in the definition of the terminology used.

The process by which exceptions can be requested is also important. If no exceptions are allowed, it should be so stated. It should be noted that the conditions under which exceptions are issued should not be described, only the process. Excessive explicitness in defining possible exceptions can result in an abundance of similarly worded requests for exceptions, many with only a marginal basis for acceptance.

A policy that has no action upon violation should not be made into policy. Rather, it should be included as part of a suggested procedure or advisory. A policy that is written to require compliance must show a penalty if violated.

All policies should have a date on which they become effective, and a date upon which they expire or are subject to review. It is important for old policies to be updated, obsolete policies purged, and new requirements included in a living document, which is more likely to be upheld and respected by the intended audience.
Data Classification
The information produced or processed by an organization must be categorized according to its sensitivity to loss or disclosure in order to develop effective information security policy. Most organizations use some set of information categories, such as Proprietary, For Internal Use Only, or Company Sensitive. The categories used in the information security policy should be consistent with any existing categories the organization already uses. For example, data may be broken into four sensitivity classifications with separate handling requirements: SENSITIVE, CONFIDENTIAL, PRIVATE, and PUBLIC. The standard data sensitivity classification system developed for an organization must be used throughout the organization. The designated owners of information are responsible for determining data classification levels, subject to executive management review. These classifications are defined as follows:

SENSITIVE: This classification applies to information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion. It is information that requires a higher than normal assurance of accuracy and completeness. Sensitive information might include organization financial transactions and regulatory actions.

CONFIDENTIAL: This classification applies to the most sensitive business information that is intended strictly for use within the organization. This information is exempt from disclosure under the provisions of the Freedom of Information Act or other applicable federal laws or regulations. Its unauthorized disclosure could seriously and adversely impact the organization, its stockholders, its business partners, and/or its customers. For example, health care related information should be considered at least CONFIDENTIAL.

PRIVATE: This classification applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its employees.

PUBLIC: This classification applies to all other information that does not clearly fit into any of the above three classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact the organization, its employees, and/or its customers.
Risk Profiling
In today's environment of severely constrained staffing and financial resources, investments in security controls must show a positive return on investment. Information security can be looked at as an enabling investment, reducing operational costs or opening new revenue streams, or as a protective investment, preventing potential costs or negative business impacts. In either case, the cost of the security controls must be appropriate for the risk and reward environment faced by the organization.

Security policy provides the baseline for implementing security controls to reduce vulnerabilities and reduce risk. In order to develop cost-effective security policy, a risk analysis must be performed to determine the required rigor of the policy, which in turn drives the cost of the security controls deployed to meet the requirements of the security policy. How rigorous this effort must be is a factor of the level of threat an organization faces, the visibility of the organization to the outside world, the sensitivity of the organization to the consequences of potential security incidents, and legal and regulatory issues that may dictate formal levels of risk analysis. More formal methods of risk assessment may be appropriate for organizations that are subject to regulatory oversight or that handle life-critical information.
Policy Review
A security policy is of little use if it is improperly or inadequately implemented. Threats, technologies, and business needs change over time. Reviewers should examine past security-relevant decisions and determine if the decisions were appropriate. Additionally, existing policy and procedures should be evaluated as to their effectiveness in helping to support the decision-making process. Many reviews, each with more changes to the policy document, are often necessary.

Over and above the practical considerations of review, some environments require a periodic formal audit to satisfy internal or external legal obligations. For example, publicly traded companies are held to a good faith due diligence standard. Often it is best for these reviews to be conducted by an independent third party.

The final step in any policy review process should include the signature of the General Manager, President, Chief Executive Officer, or Chairman of the Board. The signature of executive management (and ideally a brief message about expected compliance) is critical to widespread adoption, showing that policy is the concern of the entire organization, and not the sole mandate of the Information Security Department.

Although security audits and audit trail analysis play an important role in ensuring the ongoing success of a security policy and controls, there are other tasks that will need to be accomplished:

Maintaining a qualified technical staff to assist in implementation and evaluation.
Ensuring that staff has sufficient resources to perform their work.
User awareness training so that employees, users, and support staff are aware of security policies and procedures.

Although non-management personnel may perform these ongoing activities, management personnel should be aware of and should support the work necessary to keep the organization's security infrastructure current and functional.
Policy Areas
Introduction
The policy templates provided as part of this documentation project are in generic form. They should not be used without customization to a specific organization's information systems security environment. A specialist in information security must be involved in the process for such customization to be properly performed. This person should possess a broad understanding of the risks faced by the organization; the controls used to handle these risks; and a good understanding of existing organizational information-security-related policies, guidelines, procedures, standards, and related material.

Certain background work will need to be performed by the organization seeking to customize these policy templates. For example, a risk assessment such as a scenario analysis, a quantitative risk analysis, or a standard-of-due-care controls review will help an organization understand and quantify the risks in its particular environment and deploy resources appropriately. Similarly, a series of interviews with involved parties will facilitate discovering not only what the existing policies mean, but also how well known the policies are, how well workers have complied with the existing policies, and the costs and benefits the existing policies have engendered. The Information Security Office of the Department of Information Resources is available to assist organizations with the customization of the security policy templates.
Change Management
A formal change control process will help to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner. This will in turn, in most instances, increase the percentage of time the system is available for processing business transactions. Such change control processes are also a useful way to force the preparation of documentation, which will be important for problem resolution and contingency planning purposes. An explicit definition of "production processing" may be an important supplement to this policy.

The change control policy should mandate the existence of change control procedures, outline what elements those procedures should contain, require that those procedures be followed, and describe actions to be taken should violations occur. For example, in some working environments, it may be desirable for network infrastructure management to immediately disable or remove from operation systems that are not in compliance with the organization's change control policy. This policy is relevant to voice communications systems such as voice mail and PBXs, as well as data communications systems like intranets.
Network Access
The organization's network infrastructure is provided as a central utility for all information resource users. It is important that the infrastructure, which includes cabling and the associated 'active equipment', continues to develop with sufficient flexibility to meet organizational demands while at the same time remaining capable of exploiting anticipated developments in high speed networking technology to allow the future provision of enhanced user services. The purpose of the Network Access policy is to establish the rules for the access and use of the network infrastructure. This includes issues of documentation and change control, connectivity to other networks such as the Internet and extranets, and allowed (or denied) access to Web browsing, remote terminal access to the system, file transfers, and e-mail.
Account Management
Access to information resources must be restricted based on the need-to-know. This means that privileges must not be extended unless a legitimate business-oriented need for such privileges exists. For this reason, consistent procedures must be created, maintained, and audited to ensure that such access is granted only when a demonstrated need exists. If the site has more than one classification of user, this policy should define them. Any time a policy should apply to some users and not others, a different user classification exists. The intended use of accounts, how users apply for accounts, and how accounts are created, expired, deactivated, and revoked should be covered.
Security Training
This policy communicates requirements for training and documentation from top management to lower level management. The specific material to be delivered to workers will vary based on the nature of the jobs that these workers perform. This policy relies on the local manager to decide what constitutes sufficient information security training; some organizations may prefer to say that the Information Security Department will determine what constitutes sufficient training. In any case, training, whether internal or externally provided by a third party, constitutes an important part of a comprehensive security plan. Consider providing a security training session or orientation as a requirement for new users to help them become familiar with computing facilities, as well as with the organization's policies, standards, and procedures.
Portable Computing
Portable computing devices are becoming increasingly powerful and affordable. Their small size and functionality are making these devices ever more desirable as replacements for traditional desktop devices in a wide number of applications. The portability offered by these devices, however, may increase the security exposure of the group using the devices. It is important that this policy address issues that the user is expected to be aware of while using portable devices to access the organization's information resources. Questions the policy should answer include:

What, if any, additional precautions are users expected to take while traveling with data, such as using secure e-mail or encrypting a laptop hard drive?
Are dial-up connections allowed? Are wireless connections allowed? How are they authenticated?
Is wire-tapping considered a threat? If so, how is it addressed?
What level of access to the internal network do dial-in connections provide? How does that compare to the access they should provide?
Virus Protection
For organizations that allow downloading of software over the Internet (which can be via Internet e-mail attachments), virus scanning at the firewall can be an appropriate choice, but it does not eliminate the need for client- and server-based virus scanning as well. Viruses imported on floppy disks, or on infected vendor media, will continue to be a threat. The security policy for viruses has three aspects:

Prevention - policies that prevent the introduction of viruses into a computing environment.
Detection - determination that an executable, boot record, or data file is contaminated with a virus.
Removal - deletion of the virus from the infected computing system, which may require reinstallation of the OS from the ground up, deleting files, or deleting the virus from an infected file.

There are various factors that are important in determining the level of security concern for virus infection of a computer. Viruses are most prevalent on DOS, Windows (3.x, 9x, ME), and NT operating systems. There are, however, also some UNIX and even Linux viruses. The frequency with which new applications or files are loaded on to the computer is proportional to the susceptibility of that computer to viruses. Computers whose configuration changes as a result of exposure to the Internet, exposure to mail, or receipt of files from external sources are more at risk for contamination. The greater the value of the computer, or of the data on the computer, the greater the concern should be for ensuring that virus policy as well as implementation procedures are in place. The cost of removal of the virus from the computing environment must be considered within your organization as well as for customers you may have infected. Cost may not always be identified as monetary; company reputation and other considerations are just as important.

It is important to note that viruses are normally introduced into a system by a voluntary act of a user (e.g., installation of an application, FTP of a file, reading mail, etc.). Prevention policies can therefore focus on limiting the introduction of potentially infected software and files to a system. In a high-risk environment, virus scanning efforts should be focused on the point at which new software or files are introduced, to maximize protection. As with the password policy, it is important that issues such as the type of controls used (such as the brand or version of the virus protection software), the interval at which such software has its virus signatures updated, and how such changes will be handled across the enterprise, be relegated to the standards and procedures that the policy requires.
Incident Management
The purpose of this policy is to require that specific individuals be defined as responsible for handling such incidents and that these people know that they are responsible for developing and maintaining procedures for handling incidents. In addition to normal contingency plans, the procedures that these individuals develop can include ways to document an investigation, ways to determine how to prevent the problem's recurrence, ways to report the incident to management and third parties, and ways to protect logs and audit trails should they be needed for disciplinary or prosecution purposes.

Security is normally enforced through a combination of technical and traditional management methods. Not all of these tools are used within all network environments, nor should they be. Instead, the tools that are appropriate within the context of asset valuation, risk assessment, cost justification, and resources available should be selected for each situation. A decision must be made on the role technology will play in enforcing or supporting the policy. The methods listed tend to be technology based, although significant consideration should be given to management tasks relative to these technologies. Documented incident handling procedures must be developed and in place.

The intrusion detection systems and procedures are only one part of a comprehensive security program. While some limited utility may be derived from any one component of a security program (access control, intrusion detection, incident response, etc.), for best results all components should be implemented in a unified approach based on a security policy developed for the specific site. For example, if server-based alarms are forwarded to the client/server support group, but the network support group handles firewall alarms, the extent of an intrusion may be underestimated or missed entirely.
Revised 6/7/02
Network Configuration
The purpose of the Network Configuration policy is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the integrity, availability, and confidentiality of all organizational information resources. It is important that the network infrastructure, which includes cabling and the associated active equipment such as routers and switches, continues to develop with sufficient flexibility to meet user demands while at the same time remaining capable of exploiting anticipated developments in high-speed networking technology, to allow the future provision of enhanced user services.
Security Monitoring
Security Monitoring is a method to ensure that Information Resource security controls are in place, are effective, and are not being bypassed. The monitoring is of the Information Resource security controls, not of the individuals utilizing the IR. It is necessary to set the privacy expectations of all users of an agency's IR through the Privacy Policy. A number of court cases in the United States have focused on employee expectations of privacy while using an employer's computer and communications systems, particularly electronic mail. Most organizations are adopting a policy such as the one shown here, although management can choose to provide employees with the same privacy rights that they would enjoy when using a common carrier such as the telephone company. Whatever position management chooses to follow, it is important that the privacy status of employee-generated data on organizational systems be clearly specified. Employee expectations must be clarified to avoid litigation, employee grievances, and morale problems.
Software Licensing
The Internet has allowed many software companies to use new means of distributing software. Many organizations allow the downloading of trial versions of their products, sometimes limited versions ("crippleware") or versions that only operate for a limited period of time. Many organizations, however, take a shareware approach, allowing fully functional copies of software to be downloaded for trial use and requiring the user to register and pay for the software when it is used for commercial purposes. When users forget, or decline, to properly register software downloaded over the Internet, the organization can be in violation of software licenses. If such violations are discovered, they put an organization at severe risk of penalties or loss of reputation. The Business Software Alliance and the Software Publishing Alliance actively audit corporate licensing and pursue violators. Internet security policy should detail corporate policy on downloading commercial software. The purpose of this policy is to ensure that the agreements for all computer programs licensed from third parties are periodically reviewed for compliance. The policy should cover issues such as the copying, distribution, and use of software for business purposes, as well as when software should be installed, and by whom. Whether users are allowed to install their own software should likewise be covered.
Conclusion
The absence of a computer security policy leaves a large void in any organization's ability to operate effectively and maintain business continuity, and allows ad-hoc decisions to be made by unauthorized personnel. On the other hand, a well-written and easily understandable security policy provides an effective basis for decision making and planning. It gives both providers and users of a resource a clear understanding of what is expected. Lastly, because the development and enforcement of a security policy (and its attendant procedures) is a nontrivial task, the existence and use of these documents is testament to the commitment of an organization to professionalism. Therefore, effective computer security requires clear, documented policy that is supported by the entire organization's community. These policies must be based on an understanding of mission priorities and the assets and business operations necessary to fulfill them. They must also be based on a pragmatic assessment of the threats against these assets and operations. The development of security policies provides a number of benefits: they help in making decisions regarding other policies and purchasing decisions, provide a framework for deciding what actions to take in particular circumstances, and provide a framework for computer system configuration and network design. As such, these policies should be approached with the intent of covering each aspect of the organization's security needs (security policies, physical security, data access, network infrastructure, systems development, systems administration, contingency planning, and maintenance). Any aspect missing from the security policy will likewise result in gaps in the ability to identify and respond to events in the areas that are lacking.
The creation of a security policy and its supporting mechanisms and processes will help ensure the integrity of information resources and provide a sound foundation for the expansion of the organization's operations.