Guide to Network Defense and Countermeasures Second Edition Chapter 3 Security Policy Implementation


Guide to Network Defense and Countermeasures, Second Edition 2

Objectives

• Explain best practices in security policies

• Formulate a security policy and identify security policy categories

• Explain the importance of ongoing risk analysis and define incident-handling procedures

Guide to Network Defense and Countermeasures, Second Edition 3

What Makes a Good Security Policy?

• Benefits of a security policy
  – Provides a foundation for an organization’s overall security stance
  – Gives employees guidelines on how to handle sensitive information
  – Gives IT staff instructions on what defensive systems to configure
  – Reduces the risk of legal liability

• A good security policy is comprehensive and flexible
  – It is not a single document but a group of documents


General Security Policy Best Practices

• Basic concepts
  – If it is too complex, nobody will follow it
  – If it affects productivity negatively, it will fail
  – It should state clearly what can and cannot be done on company equipment
  – Include generalized clauses
  – People need to know why a policy is important
  – Involve representatives of all departments
  – It should contain clauses stating the specific consequences for violating the policy


General Security Policy Best Practices (continued)

• Basic concepts (continued)
  – Needs support from the highest level of the company
  – Employees must sign a document acknowledging the policy
    • And agreement to abide by it
  – Keep it updated with current technologies
  – Policy directives must be consistent with applicable laws


General Security Policy Best Practices (continued)

• Considering cyber risk insurance
  – Insurance policy that protects against losses to information assets
  – Insurance and security policies are related
    • Many answers to insurance application questions come directly from the security policy
    • It could even earn your company a break on rates


General Security Policy Best Practices (continued)

• Developing security policies from risk assessment
  – Steps
    • Identify what needs to be protected
    • Define the threats faced by the network
    • Define the probability of those threats and their consequences
    • Propose safeguards and define how to respond to incidents
  – Penalties for violating the policy are stated prominently near the top
  – Policy effectiveness must be monitored


General Security Policy Best Practices (continued)

• Teaching employees about acceptable use
  – The issue of trust is an integral part of a security policy
  – Policy should define whom to trust
    • And what level of trust should be placed in them
  – Seek a balance between trust and issuing orders


General Security Policy Best Practices (continued)

• Outlining penalties for violations
  – Policy should state what to do and what not to do
  – Policy should also contain guidelines for the penalty process
  – Establish flexible methods of punishment
    • Can be applied at management’s discretion


General Security Policy Best Practices (continued)

• Criminal computer offenses
  – Policy violations can become criminal offenses
  – Subpoena
    • Order issued by a court demanding that a person appear in court or produce some form of evidence
  – Search warrant
    • Similar to a subpoena
    • Compels you to cooperate with law enforcement officers conducting an investigation
  – Due process
    • Constitutional guarantee to a fair and impartial trial


General Security Policy Best Practices (continued)

• Enabling management to set priorities
  – Policy provides a way to identify the most important security priorities
  – Policy lists the network resources that managers find most valuable in the organization


General Security Policy Best Practices (continued)

• Helping network administrators do their jobs
  – Policy spells out mundane but important information
  – Privileged access policy
    • Policy that covers network administrators
    • Specifies whether they are allowed to
      – Run network-scanning tools
      – Run password-checking software
      – Have root or domain administrator access


General Security Policy Best Practices (continued)

• Using security policies to conduct risk analysis
  – Design and implement a security policy
  – Monitor your network behavior
    • Response time
    • Traffic signatures
  – Use this information in further rounds of risk analysis
  – Conduct a risk analysis after a major change occurs


Formulating a Security Policy

• Start by analyzing the level of risk to the organization’s assets
• Identify safeguards to protect the assets
• Identify the potential need for cyber risk insurance


Seven Steps to Creating a Security Policy

• Steps
  – Call for the formation of a group that meets to formulate the security policy
  – Determine whether the overall approach to security should be restrictive or permissive
  – Identify the assets you need to protect
  – Determine what needs to be logged and/or audited
  – List the security risks that need to be addressed
  – Define acceptable use of the Internet, office computers, passwords, and other network resources
  – Create the policy


Components of Security Policies

• Acceptable use policy
  – Establishes what is acceptable use of company resources
  – Usually stated at the beginning of a security policy
  – Security user awareness program
    • Gets employees involved and excited about the policy
    • Explains how the policy benefits the employees


Components of Security Policies (continued)

• Violations and penalties
  – Specifies what constitutes a violation
    • And how violations are dealt with
  – Can help a company avoid legal problems


Components of Security Policies (continued)

• User accounts and password protection
  – Guides how user accounts are to be used
  – Passwords represent a first line of defense


Components of Security Policies (continued)

• Remote access policy
  – Spells out the use of role-based authentication
    • Gives users limited access based on their roles and what resources a role is allowed to use
  – Virtual Private Networks (VPNs)
    • VPNs create a tunnel to transport information through public communications media
    • Data are kept safe by the use of tunneling protocols and encryption


Components of Security Policies (continued)

• Secure use of the Internet and e-mail
  – Covers how employees can access and use the Internet and e-mail
    • Prohibits broadcasting any e-mail messages
    • Spells out whether users are allowed to download software or streaming media from the Internet
    • Blocks any objectionable Web sites


Components of Security Policies (continued)

• LAN security policy
  – Protects information that is processed, stored, and transmitted on the LAN
    • And the LAN itself


Components of Security Policies (continued)

• LAN security policy (continued)
  – Should describe the following
    • Applicability
    • Evaluations
    • Responsibilities
    • Commitment
  – Can include the following employees
    • Functional managers
    • Users
    • Local administrators
    • End users


Conducting Ongoing Risk Analysis

• Re-evaluate the organization’s security policy on an ongoing basis
  – Decide on a routine reassessment of the risk to the company and its assets


Conducting Routine Security Reviews

• Security policies can specify how often risk analyses should be conducted
  – Identifying the people who conduct the analysis
  – Describing the circumstances for a new risk analysis
    • Policy should be flexible enough to allow “emergency” reassessments as needed


Working with Management

• Managers usually think in terms of ROI
  – They should also consider these other factors:
    • How much information systems and data are worth
    • Possible threats they have already encountered and will encounter
    • Chances that security threats will result in real losses


Working with Management (continued)

• Some business activities affected by intrusions:
  – Costs related to financial loss and disruption
  – Personnel safety and personnel information
  – Legal and regulatory obligations
  – Commercial and economic interests


Working with Management (continued)

• Dealing with the approval process
  – Developing a security policy can take several weeks or several months
    • Take the time to do it right and cover all bases
  – Policy needs to be reviewed and approved by upper management
    • You might encounter resistance
    • A security user awareness program can help


Working with Management (continued)

• Feeding security information to the security policy team
  – Inform them of any change to the organization’s security configuration


Responding to Security Incidents

• Escalation procedures
  – Levels of escalation
    • Level One incidents – least severe
      – Managed within one working day
      – Requires notifying only the on-duty security analyst
    • Level Two incidents – moderate seriousness
      – Managed the same day
      – Requires notifying the security architect
    • Level Three incidents – most serious
      – Managed immediately
      – Requires notifying the chief security officer


Responding to Security Incidents (continued)

• Incident handling
  – Incident examples
    • Loss of passwords – Level One incident
    • Burglary or other illegal building access – Level Two incident
    • Property loss or theft – Level Two or Level Three incident


Updating the Security Policy

• Update your policy
  – Based on the security incidents reported
• Any changes to the policy should be broadcast to the entire staff
  – By e-mail or by posting the changes on the intranet
• Security policy should result in actual physical changes to the organization’s security configuration
  – New hardware or software that makes security tasks easier
    • Better protection means fewer internal or external incidents


Summary

• Benefits of a security policy are wide ranging
• Security policy protects a company’s overall security
  – States what rights employees have and how they should handle company resources
• Cyber risk insurance is becoming necessary for businesses
• Good security policy
  – Is based on risk assessment
  – Covers acceptable use of system resources
  – Sets priorities for the most critical resources


Summary (continued)

• Legal liabilities should be covered in a security policy
• Incidents can become legal offenses
  – Understand your legal obligations
• Security policy comprises a series of several specific policies
  – Seven steps in creating a policy
• Must present the proposal to management and gain approval
  – Involves explaining the expected ROI and other costs


Summary (continued)

• Security policy sections
  – Acceptable use
  – Violations and penalties
  – Incident handling
  – Escalation procedures
• Security policies should be reviewed and updated regularly