Security policy

TransformingLives. InventingtheFuture. www.iit.edu
I ELLINOIS T UINS TI T
OF TECHNOLOGY
ITM 578 1
Security Policy
Ray Trygstad
ITM 478/578
Spring 2004
Master of Information Technology & Management Program
CenterforProfessional Development
Slides based on Whitman, M. and Mattord, H., Principles of InformationSecurity; Thomson Course Technology 2003

Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Learning Objectives
Upon completion of this lesson the
student should be able to:
– Understand management’s responsibilities and
role in the development, maintenance, and
enforcement of information security policy,
standards, practices, procedures, and guidelines
– Understand the differences between the
organization’s general information security policy
and the requirements and objectives of the various
issue-specific and system-specific policies

www.iit.edu
ITM 578 3
Learning Objectives
Upon completion of this lesson the
student should be able to:
– Recall what an information security blueprint is
and what its major components are
– Describe how an organization institutionalizes its
policies, standards, and practices using education,
training, and awareness programs
– Discuss what viable information security
architecture is, what it includes, and how it is
used

www.iit.edu
ITM 578 4
Information Security Policy, Standards, and Practices
 Management from all communities of
interest must consider policies as the basis
for all information security efforts
 Policies direct how issues should be
addressed and technologies used
 Security policies are the least expensive
control to execute, but the most difficult to
implement
 Shaping policy is difficult because policies
must:
– Never conflict with laws
– Stand up in court, if challenged
– Be properly administered

www.iit.edu
ITM 578 5
Definitions
 A policy is
A plan or course of action, as of a government,
political party, or business, intended to influence
and determine decisions, actions, and other
matters
 Policies are organizational laws
 Standards are more detailed statements of what
must be done to comply with policy
 Practices, procedures, and guidelines effectively
explain how to comply with policy
 For a policy to be effective it must be
– Properly disseminated
– Read, understood and agreed to by all to whom it applies

www.iit.edu
ITM 578 6
Types of Policy
Management defines three types of
security policy:
– General or security program policy
– Issue-specific security policies
– Systems-specific security policies

www.iit.edu
ITM 578 7
Policies Standards & Practices
Policies are sanctioned byPolicies are sanctioned by
senior managementsenior management
Standards are built on soundStandards are built on sound
policy and carry the weightpolicy and carry the weight
of policyof policy
PoliciesPolicies
StandardsStandards
Practices, guidelines, andPractices, guidelines, and
procedures include detailedprocedures include detailed
steps required to meet thesteps required to meet the
requirements of standardsrequirements of standards PracticesPractices GuidelinesGuidelines ProceduresProcedures
DRIDRI
VEVE
DRIDRI
VEVE
FIGURE 6-1 Policies, Standards and Practices

www.iit.edu
ITM 578 8
Security Program Policy
 Security program policy (SPP) also known as
– A general security policy
– IT security policy
– Information security policy
 Sets strategic direction, scope, and tone for
all security efforts within the organization
 An executive-level document
– Usually drafted by or with the CIO of the
organization
– Usually 2 to 10 pages long

www.iit.edu
ITM 578 9
Issue-Specific Security Policy (ISSP)
 As various technologies and processes are
implemented, certain guidelines are needed
to use them properly
 The ISSP:
– addresses specific areas of technology
– requires frequent updates
– contains an issue statement on the organization’s
position on an issue
 Three approaches:
– Create a number of independent ISSP documents
– Create a single comprehensive ISSP document
– Create a modular ISSP document

www.iit.edu
ITM 578 10
Example ISSP Structure
1. Statement of Policy
2. Authorized Access and Usage of
Equipment
3. Prohibited Usage of Equipment
4. Systems Management
5. Violations of Policy
6. Policy Review and Modification
7. Limitations of Liability

www.iit.edu
ITM 578 11
Telecommunications Use Policy
Considerations for an Effective Telecommunications Use PolicyConsiderations for an Effective Telecommunications Use Policy
1.1. Statement of policyStatement of policy
a. Scope and applicabilitya. Scope and applicability
b. Definition of technology addressesb. Definition of technology addresses
c. Responsibilitiesc. Responsibilities
2.2. Authorized access and usage of equipmentAuthorized access and usage of equipment
a. User accessa. User access
b. Fair and responsible useb. Fair and responsible use
c. Protection of privacyc. Protection of privacy
3.3. Prohibited usage of equipmentProhibited usage of equipment
a. Disruptive use or misusea. Disruptive use or misuse
b. Criminal useb. Criminal use
c. Offensive or harassing materialsc. Offensive or harassing materials
d. Copyrighted, licensed, or otherd. Copyrighted, licensed, or other
intellectual propertyintellectual property
e. Other restrictionse. Other restrictions
4.4. Systems managementSystems management
a. Management of stored materialsa. Management of stored materials
b. Employer monitoringb. Employer monitoring
c. Virus protectionc. Virus protection
d. Physical securityd. Physical security
e. Encryptione. Encryption
5.5. Violations of policyViolations of policy
a. Procedures for reporting violationsa. Procedures for reporting violations
b. Penalties for violationsb. Penalties for violations
6.6. Policy review and modificationPolicy review and modification
a. Scheduled review of policy anda. Scheduled review of policy and
procedures for modificationprocedures for modification
7.7. Limitations of liabilityLimitations of liability
a. Statements of liability or disclaimersa. Statements of liability or disclaimers
@2003 ACM, Inc., Included here by permission.@2003 ACM, Inc., Included here by permission.
FIGURE 6-2 Example of an Issue Specific Policy Statement‑

www.iit.edu
ITM 578 12
Systems-Specific Policy (SysSP)
 While issue-specific policies are formalized as
written documents, distributed to users and
agreed to in writing, SysSPs are normally
codified as standards and procedures used
when configuring or maintaining systems
 Systems-specific policies fall into two groups:
– Access control lists (ACLs) consist of the access
control lists, matrices, and capability tables
governing the rights and privileges of a particular
user to a particular system
– Configuration rules comprise the specific
configuration codes entered into security systems
to guide the execution of the system

www.iit.edu
ITM 578 13
ACL Policies
 Both Microsoft Windows servers and Novell
Netware translate ACLs into sets of
configurations that administrators use to
control access to their respective systems
 ACLs allow configuration to restrict access
from anyone and anywhere
 ACLs regulate:
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system
from
– How authorized users can access the system

www.iit.edu
ITM 578 14
Novell Configuration Screens
FIGURE 6-3 Novell Configuration Screens

www.iit.edu
ITM 578 15
Windows 2000 Configuration Screens
FIGURE 6-3 Windows 2000 Configuration Screens

www.iit.edu
ITM 578 16
Rule Policies
Rule policies are more specific to the
operation of a system than ACLs
Many security systems require
specific configuration scripts telling
the systems what actions to perform
on each set of information they
process

www.iit.edu
ITM 578 17
FIGURE 6-5 Checkpoint VPN-1/Firewall-1 Policy Editor
VPN-1/Firewall-1 Policy Editor courtesy of Check Point Software Technologies Ltd.
Firewall Policy Editor

www.iit.edu
ITM 578 18
Policy Management
 Policies are living documents that must be
managed and nurtured, and are constantly
changing and growing
– Documents must be properly managed
 Special considerations should be made for
organizations undergoing mergers, takeovers,
and partnerships
 In order to remain viable, policies must have:
– an individual responsible for reviews
– a schedule of reviews
– a method for making recommendations for
reviews
– a specific effective and revision date

www.iit.edu
ITM 578 19
Information Classification
 Classification of information is an important
aspect of policy
 Same protection scheme created to prevent
production data from accidental release to
the wrong party should be applied to policies
in order to keep them freely available, but
only within the organization
 In today’s open office environments, it may
be beneficial to implement a clean desk
policy
 A clean desk policy stipulates that at the end
of the business day, all classified information
must be properly stored and secured

www.iit.edu
ITM 578 20
Clean Desk Policy?
FIGURE 6-7 Michael Whitman’s Desk

www.iit.edu
ITM 578 21
Systems Design
 At this point in the Security SDLC, the
analysis phase is complete and the design
phase begins – many work products have
been created
 Designing a plan for security begins by
creating or validating a security blueprint
 Use the blueprint to plan the tasks to be
accomplished and the order in which to
proceed
 Setting priorities can follow the
recommendations of published sources, or
from published standards provided by
government agencies or private consultants

www.iit.edu
ITM 578 22
Investigate
Design
planning for continuity
Chapter 7
Maintain
Analyze
Implement
Design
blueprint for security
Chapter 6
SecSDLC Methodology
SecSDLC MethodologyFIGURE 6-8

www.iit.edu
ITM 578 23
Information Security Blueprints
 One approach: adapt/adopt a published
model or framework for information security
 Framework
– Basic skeletal structure within which additional
detailed planning of the blueprint can be placed
as it is developed and refined
 Experience teaches us that what works well
for one organization may not precisely fit
another

www.iit.edu
ITM 578 24
ISO 17799/BS 7799
 Information Technology – Code of Practice for
Information Security Management
– One of the most widely referenced and often
discussed security models
– Originally published as British Standard BS 7799
 Adopted in 2000 as international standard
ISO/IEC 17799 by the International
Organization for Standardization (ISO) and
the International Electrotechnical
Commission (IEC) as a framework for
information security

www.iit.edu
ITM 578 25
Major Process Steps
See the textbook
page 210

www.iit.edu
ITM 578 26
ISO 17799 / BS 7799
 Several countries have not adopted 17799
claiming there are fundamental problems:
– “The global information security community has
not defined any justification for a code of practice
as identified in the ISO/IEC 17799”
– 17799 lacks “the necessary measurement precision
of a technical standard”
– There is no reason to believe that 17799 is more
useful than any other approach currently available
– 17799 is not as complete as other frameworks
available
– 17799 is perceived to have been hurriedly prepared
given the tremendous impact its adoption could
have on industry information security controls

www.iit.edu
ITM 578 27
ISO/IEC 17799
 Organizational Security Policy is needed to
provide management direction and support
 Objectives/content:
– Operational Security Policy
– Organizational Security Infrastructure
– Asset Classification and Control
– Personnel Security
– Physical and Environmental Security
– Communications and Operations Management
– System Access Control
– System Development and Maintenance
– Business Continuity Planning
– Compliance

www.iit.edu
ITM 578 28
NIST Security Models
 Another approach available is described in
the many documents available from the
Computer Security Resource Center of the
National Institute for Standards and
Technology (csrc.nist.gov) – including:
– NIST SP 800-12 - The Computer Security
Handbook
– NIST SP 800-14 - Generally Accepted Principles
and Practices for Securing IT Systems
– NIST SP 800-18 - Guide for Developing Security
Plans for Information Technology Systems
 These are among the references cited by the
government of the U.S. when deciding not to
select the ISO/IEC 17799 standards

www.iit.edu
ITM 578 29
NIST SP 800-14
 Security Supports the Mission of the Organization
 Security is an Integral Element of Sound
Management
 Security Should Be Cost-Effective
 Systems Owners Have Security Responsibilities
Outside Their Own Organizations
 Security Responsibilities and Accountability Should
Be Made Explicit
 Security Requires a Comprehensive and Integrated
Approach
 Security Should Be Periodically Reassessed
 Security is Constrained by Societal Factors
 33 Principles enumerated

www.iit.edu
ITM 578 30
NIST SP 800-14 Principles for Securing IT Systems
1. Establish a sound security policy as the
“foundation” for design.
2. Treat security as an integral part of the
overall system design.
3. Clearly delineate the physical and logical
security boundaries governed by associated
security policies.
4. Reduce risk to an acceptable level.
5. Assume that external systems are insecure.
6. Identify potential trade-offs between
reducing risk and increased costs and
decrease in other aspects of operational
effectiveness.

www.iit.edu
ITM 578 31
7. Implement layered security (Ensure no single point
of vulnerability).
8. Implement tailored system security measures to
meet organizational security goals.
9. Strive for simplicity.
10.Design and operate an IT system to limit
vulnerability and to be resilient in response.
11.Minimize the system elements to be trusted.
12.Implement security through a combination of
measures distributed physically and logically.

www.iit.edu
ITM 578 32
13. Provide assurance that the system is, and
continues to be, resilient in the face of expected
threats.
14. Limit or contain vulnerabilities.
15. Formulate security measures to address multiple
overlapping information domains.
16. Isolate public access systems from mission critical
resources (e.g., data, processes, etc.).
17. Use boundary mechanisms to separate computing
systems and network infrastructures.
18. Where possible, base security on open standards
for portability and interoperability.
19. Use common language in developing security
requirements.

www.iit.edu
ITM 578 33
20. Design and implement audit mechanisms to detect
unauthorized use and to support incident
investigations.
21. Design security to allow for regular adoption of new
technology, including a secure and logical
technology upgrade process.
22. Authenticate users and processes to ensure
appropriate access control decisions both within
and across domains.
23. Use unique identities to ensure accountability.
24. Implement least privilege.
25. Do not implement unnecessary security
mechanisms.

www.iit.edu
ITM 578 34
26. Protect information while being processed, in
transit, and in storage.
27. Strive for operational ease of use.
28. Develop and exercise contingency or disaster
recovery procedures to ensure appropriate
availability.
29. Consider custom products to achieve adequate
security.
30. Ensure proper security in the shutdown or
disposal of a system.

www.iit.edu
ITM 578 35
31. Protect against all likely classes of
“attacks.”
32. Identify and prevent common errors and
vulnerabilities.
33. Ensure that developers are trained in
how to develop secure software.

www.iit.edu
ITM 578 36
ISO/IEC Standard Versus NIST
Major difference:
– ISO/IEC 17799 must be purchased before
use
– NIST standards were paid for by the
American taxpayer and are provided
free of charge
U.S. Federal Government does not
support ISO/IEC 17799 or view it as
adequate for its purpose

www.iit.edu
ITM 578 37
IETF Security Architecture
 The Security Area Working Group acts as
an advisory board for the protocols and
areas developed and promoted through the
Internet Society
– No specific architecture is promoted through
IETF
 RFC 2196: Site Security Handbook provides
an overview of five basic areas of security
 Topics include:
– security policies
– security technical architecture
– security services
– security incident handling

www.iit.edu
ITM 578 38
VISA Model
 VISA International promotes strong security
measures and has security guidelines
 Developed two important documents that
improve and regulate its information systems
– “Security Assessment Process”
– “Agreed Upon Procedures”
 Using the two documents, a security team
can develop a sound strategy for the design of
good security architecture
 The only down side to this approach is the
very specific focus on systems that can or do
integrate with VISA’s systems

www.iit.edu
ITM 578 39
Baselining and Best Practices
 Baselining and best practices are solid
methods for collecting security practices, but
they can have the drawback of providing less
detail than would a complete methodology
 It is possible to gain information by
baselining and using best practices and thus
work backwards to an effective design
 The Federal Agency Security Practices Site (
csrc.nist.gov/fasp/) is designed to provide
best practices for public agencies

www.iit.edu
ITM 578 40
Professional Membership
 Probably worth an information security
professional’s time and money to join
professional societies with information on
best practices for its members
 Many organizations have seminars and
classes on best practices for implementing
security
 Finding information on security design is the
easy part, sorting through the collected mass
of information, documents, and publications
can take a substantial investment in time
and human resources

www.iit.edu
ITM 578 41
NIST SP 800-26
Management Controls
– Risk Management
– Review of Security Controls
– Life Cycle Maintenance
– Authorization of Processing (Certification and Accreditation)
– System Security Plan
Operational Controls
– Physical Security
– Production, Input/Output Controls
– Contingency Planning
– Hardware and Systems Software
– Data Integrity
– Documentation
– Security Awareness, Training, and Education
– Incident Response Capability
Technical Controls
– Identification and Authentication
– Logical Access Controls
– Audit Trails

www.iit.edu
ITM 578 42
Spheres of Security

www.iit.edu
ITM 578 43
Sphere of Use
 Generally speaking, the concept of the sphere is to
represent the 360 degrees of security necessary to
protect information at all times
 The first component is the “sphere of use”
 Information, at the core of the sphere, is available
for access by members of the organization and other
computer-based systems:
– To gain access to the computer systems, one must either
directly access the computer systems or go through a
network connection
– To gain access to the network, one must either directly
access the network or go through an Internet connection

www.iit.edu
ITM 578 44
Sphere of Protection
 The “sphere of protection” overlays each of
the levels of the “sphere of use” with a layer
of security, protecting that layer from direct
or indirect use through the next layer
 The people must become a layer of security, a
human firewall that protects the information
from unauthorized access and use
 Information security is therefore designed
and implemented in three layers
– policies
– people (education, training, and awareness
programs)
– technology

www.iit.edu
ITM 578 45
Controls
 Management controls cover security
processes that functionality of security in the
organization
 Operational controls are designed by the
strategic planners and performed by security
administration of the organization
 Operational controls deal with the
operational also address personnel security,
physical security, and the protection of
production inputs and outputs
 Technical controls address those tactical and
technical issues related to designing and
implementing security in the organization

www.iit.edu
ITM 578 46
The Framework
 Management Controls
– Program Management
– System Security Plan
– Life Cycle Maintenance
– Risk Management
– Review of Security
Controls
– Legal Compliance
 Operational Controls
– Contingency Planning
– Security ETA
– Physical Security
– Production Inputs and
Outputs
– Hardware & Software
Systems Maintenance
– Data Integrity
 Technical Controls
– Logical Access Controls
– Identification,
Authentication,
Authorization, and
Accountability
– Audit Trails
– Asset Classification and
Control
– Cryptography

www.iit.edu
ITM 578 47
SETA
 As soon as the policies exist, policies to
implement security education, training, and
awareness (SETA) should follow
 SETA is a control measure designed to
reduce accidental security breaches
 Supplement the general education and
training programs in place to educate staff
on information security
 Security education and training builds on
the general knowledge the employees must
possess to do their jobs, familiarizing them
with the way to do their jobs securely

www.iit.edu
ITM 578 48
SETA Elements
The SETA program consists of three
elements
– security education
– security training
– security awareness
The organization may not be capable or
willing to undertake all three of these
elements but may outsource them

www.iit.edu
ITM 578 49
Purpose of SETA
The purpose of SETA is to enhance
security by:
– Improving awareness of the need to
protect system resources
– Developing skills and knowledge so
computer users can perform their jobs
more securely
– Building in-depth knowledge, as needed,
to design, implement, or operate
security programs for organizations and
systems

www.iit.edu
ITM 578 50
Comparative Framework of SETA
Education Training Awareness
AttributeAttribute WhyWhy HowHow WhatWhat
LevelLevel InsightInsight KnowledgeKnowledge InformationInformation
ObjectiveObjective UnderstandingUnderstanding SkillSkill
Teaching methodTeaching method Theoretical instructionTheoretical instruction
•• Discussion seminarDiscussion seminar
•• Background readingBackground reading
Practical instructionPractical instruction
•• LectureLecture
•• Case study workshopCase study workshop
•• Hands on practice‑Hands on practice‑
MediaMedia
•• VideosVideos
•• NewslettersNewsletters
•• PostersPosters
•• True or falseTrue or false
Test measureTest measure EssayEssay
(interpret learning)(interpret learning)
Problem solvingProblem solving
(apply learning)(apply learning)
Multiple choiceMultiple choice
(identify learning)(identify learning)
Impact timeframeImpact timeframe Long term‑Long term‑ IntermediateIntermediate Short term‑Short term‑
TABLE 6-1 Comparative Framework of SETA: NIST SP800 12‑

www.iit.edu
ITM 578 51
Security Education
 Everyone in an organization needs to be
trained and aware of information security,
but not every member of the organization
needs a formal degree or certificate in
information security
 When formal education for appropriate
individuals in security is needed an employee
can identify curriculum available from local
institutions of higher learning or continuing
education
 A number of universities have formal
coursework in information security

www.iit.edu
ITM 578 52
Security Training
Security training involves providing
members of the organization with
detailed information and hands-on
instruction designed to prepare them
to perform their duties securely
Management of information security
can develop customized in-house
training or outsource the training
program

www.iit.edu
ITM 578 53
Security Awareness
 One of the least frequently implemented, but
the most beneficial programs is the security
awareness program
 Designed to keep information security at the
forefront of the users’ minds
 Need not be complicated or expensive
 If the program is not actively implemented,
employees begin to ‘tune out’, and the risk of
employee accidents and failures increases

www.iit.edu
ITM 578 54
InfoSec Awareness at KSU
InfoSec Awareness at KSU
FIGURE 6-17

www.iit.edu
ITM 578 55
Comments
 Defense in Depth
– One of the foundations of security architectures is
the requirement to implement security in layers
– Defense in depth requires that the organization
establish sufficient security controls and
safeguards, so that an intruder faces multiple
layers of controls
 Security Perimeter
– The point at which an organization’s security
protection ends, and the outside world begins
– Referred to as the security perimeter
– Unfortunately the perimeter does not apply to
internal attacks from employee threats, or on-site
physical threats

www.iit.edu
ITM 578 56
Defense in Depth

www.iit.edu
ITM 578 57
Security Perimeters & Domains

www.iit.edu
ITM 578 58
Key Technology Components
 Other key technology components
– A firewall is a device that selectively
discriminates against information flowing into
or out of the organization
– The DMZ (demilitarized zone) is a no-man’s
land, between the inside and outside networks,
where some organizations place Web servers
– In an effort to detect unauthorized activity
within the inner network, or on individual
machines, an organization may wish to
implement Intrusion Detection Systems or IDS

www.iit.edu
ITM 578 59
Firewalls, Proxies & DMZ

www.iit.edu
ITM 578 60
The End…
Questions?

Security policy

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Security policy

Ähnlich wie Security policy (20)

Mehr von Dhani Ahmad

Mehr von Dhani Ahmad (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Security policy

Hinweis der Redaktion