how to build a successful security infrastructure policies and procedures u trust models u security...
TRANSCRIPT
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Policies and ProceduresPolicies and Procedures
Trust ModelsTrust Models
Security Policy BasicsSecurity Policy Basics
Policy Design ProcessPolicy Design Process
Key Security Policies Key Security Policies
Key Security Procedures Key Security Procedures
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Security Policies - Why use Security Policies - Why use them?them?
Without security policies, you have no general Without security policies, you have no general security framework.security framework.
Policies define what behavior is and is not allowed. Policies define what behavior is and is not allowed.
Policies will often set the stage in terms of what tools Policies will often set the stage in terms of what tools and procedures are needed for the organization.and procedures are needed for the organization.
Policies communicate consensus among a group of Policies communicate consensus among a group of “governing” people.“governing” people.
Computer security is now a global issue and Computer security is now a global issue and computing sites are expected to follow the “good computing sites are expected to follow the “good neighbor” philosophy.neighbor” philosophy.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Who and What to TrustWho and What to Trust
Trust is a major principle underlying the development Trust is a major principle underlying the development of security policies.of security policies.
Initial step is to determine who gets access.Initial step is to determine who gets access. use principle of least accessuse principle of least access
Deciding on level of trust is a delicate balancing act.Deciding on level of trust is a delicate balancing act. too much -> eventual security problemstoo much -> eventual security problems too little -> difficult to find and keep satisfied employeestoo little -> difficult to find and keep satisfied employees
How much should you trust resources?How much should you trust resources?
How much should you trust people?How much should you trust people?
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Possible Trust ModelsPossible Trust Models
Trust everyone all of the timeTrust everyone all of the time easiest to enforce, but impracticaleasiest to enforce, but impractical one bad apple can ruin the whole barrelone bad apple can ruin the whole barrel
Trust no one at no timeTrust no one at no time most restrictive, but also impracticalmost restrictive, but also impractical impossible to find employees to work under such conditionsimpossible to find employees to work under such conditions
Trust some people some of the timeTrust some people some of the time exercise caution in amount of trust placed in employeesexercise caution in amount of trust placed in employees access is given out as neededaccess is given out as needed technical controls are needed to ensure trust is not violatedtechnical controls are needed to ensure trust is not violated
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Section Three:Section Three:Policies and ProceduresPolicies and Procedures
Trust ModelsTrust Models
Security Policy BasicsSecurity Policy Basics
Policy Design ProcessPolicy Design Process
Key Security Policies Key Security Policies
Key Security ProceduresKey Security Procedures
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Why the Political Turmoil?Why the Political Turmoil? People view policies as:People view policies as:
an impediment to productivityan impediment to productivity measures to control behaviormeasures to control behavior
People have different views about the need for People have different views about the need for security controls. security controls.
People fear policies will be difficult to follow and People fear policies will be difficult to follow and implement.implement.
Policies affect everyone within the organizationPolicies affect everyone within the organization most people resist measures which impede productivitymost people resist measures which impede productivity some people strongly resist changesome people strongly resist change some people strongly resist the “big brother syndrome”some people strongly resist the “big brother syndrome” some people just like to “rock the boat”some people just like to “rock the boat”
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Who Should be Concerned?Who Should be Concerned?
Users - policies will affect them the most.Users - policies will affect them the most.
System support personnel - they will be required to System support personnel - they will be required to implement and support the policies. implement and support the policies.
Managers - concerned about protection of data and Managers - concerned about protection of data and the associated cost of the policy.the associated cost of the policy.
Business lawyers and auditors - are concerned about Business lawyers and auditors - are concerned about company reputation, responsibility to company reputation, responsibility to clients/customers.clients/customers.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Section Three:Section Three:Policies and ProceduresPolicies and Procedures
Trust ModelsTrust Models
Security Policy BasicsSecurity Policy Basics
Policy Design ProcessPolicy Design Process
Key Security Policies Key Security Policies
Key Security ProceduresKey Security Procedures
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
The Policy Design ProcessThe Policy Design Process
Choose the policy development team.Choose the policy development team.
Designate a person or “body” to serve as the official Designate a person or “body” to serve as the official policy interpreter.policy interpreter.
Decide on the scope and goals of the policy.Decide on the scope and goals of the policy. scope should be a statement about who is covered by the scope should be a statement about who is covered by the
policy.policy.
Decide on how specific to make the policyDecide on how specific to make the policy not a detailed implementation plannot a detailed implementation plan don’t include facts which change frequentlydon’t include facts which change frequently
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
The Policy Design ProcessThe Policy Design Process
All people affected by the policy should be provided All people affected by the policy should be provided an opportunity to review and comment on the policy an opportunity to review and comment on the policy before it becomes official.before it becomes official. very unrealistic for large organizationsvery unrealistic for large organizations often difficult to get the information out and ensure people often difficult to get the information out and ensure people
read it.read it.
Incorporate policy awareness as a part of employee Incorporate policy awareness as a part of employee orientation.orientation.
Provide refresher overview course on policies once or Provide refresher overview course on policies once or twice a year.twice a year.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Basic RequirementsBasic Requirements
Policies must:Policies must: be implementable and enforceablebe implementable and enforceable be concise and easy to understandbe concise and easy to understand balance protection with productivitybalance protection with productivity be updated regularly to reflect the evolution of the organizationbe updated regularly to reflect the evolution of the organization
Policies should:Policies should: state reasons why policy is neededstate reasons why policy is needed describe what is covered by the policies - whom, what, and wheredescribe what is covered by the policies - whom, what, and where define contacts and responsibilities to outside agenciesdefine contacts and responsibilities to outside agencies discuss how violations will be handleddiscuss how violations will be handled
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Determining Level of ControlDetermining Level of Control
Security needs and culture play major role.Security needs and culture play major role.
Security policies MUST balance level of control with Security policies MUST balance level of control with level of productivity.level of productivity.
If policies are too restrictive, people will find ways to If policies are too restrictive, people will find ways to circumvent controls.circumvent controls.
Technical controls are not always possible.Technical controls are not always possible.
Must have management commitment on level of Must have management commitment on level of control.control.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Choosing A Policy StructureChoosing A Policy Structure
Dependent on company size and goals.Dependent on company size and goals.
One large document or several small ones?One large document or several small ones? smaller documents are easier to maintain and updatesmaller documents are easier to maintain and update
Some policies appropriate for every site, others are Some policies appropriate for every site, others are specific to certain environments.specific to certain environments.
Some key policies:Some key policies: Acceptable UseAcceptable Use User AccountUser Account Remote AccessRemote Access Information ProtectionInformation Protection
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Section Three:Section Three:Policies and ProceduresPolicies and Procedures
Trust ModelsTrust Models
Security Policy BasicsSecurity Policy Basics
Policy Design ProcessPolicy Design Process
Key Security Policies Key Security Policies
Key Security ProceduresKey Security Procedures
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
The Acceptable Use PolicyThe Acceptable Use Policy
Discusses and defines the appropriate use of the Discusses and defines the appropriate use of the computing resources.computing resources.
Users should be required to read and sign AU policy Users should be required to read and sign AU policy as part of the account request process.as part of the account request process.
Many examples of AU policies can be found on:Many examples of AU policies can be found on: http://www.eff.org/pub/CAF/policies/http://www.eff.org/pub/CAF/policies/
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Some Elements of the Some Elements of the Acceptable Use PolicyAcceptable Use Policy
Should state responsibility of users in terms of Should state responsibility of users in terms of protecting information stored on their accounts.protecting information stored on their accounts.
Should state if users can read and copy files that are Should state if users can read and copy files that are not their own, but are accessible to them.not their own, but are accessible to them.
Should state if users can modify files that are not their Should state if users can modify files that are not their own, but for which they have write access.own, but for which they have write access.
Should state if users are allowed to make copies of Should state if users are allowed to make copies of systems configuration files (e.g., systems configuration files (e.g., /etc/passwd/etc/passwd) for their ) for their personal use, or to provide to other people.personal use, or to provide to other people.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Acceptable Use PolicyAcceptable Use Policy
Should state if users are allowed to use Should state if users are allowed to use .rhosts .rhosts files files and what types of entries are acceptable.and what types of entries are acceptable.
Should state if users can share accounts.Should state if users can share accounts.
Should state if users can make copies of copyrighted Should state if users can make copies of copyrighted software?software?
Should state level of acceptable usage for electronic Should state level of acceptable usage for electronic mail, Internet news and web access.mail, Internet news and web access.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
User Account PolicyUser Account Policy
Outlines the requirements for requesting and Outlines the requirements for requesting and maintaining an account on the systems.maintaining an account on the systems.
Very important for large sites where users typically Very important for large sites where users typically have accounts on many systems.have accounts on many systems.
Some sites have users read and sign an Account Some sites have users read and sign an Account Policy as part of the account request process.Policy as part of the account request process.
Example User Account Policies are also available on Example User Account Policies are also available on the CAF archive along with the Acceptable Use the CAF archive along with the Acceptable Use Policies.Policies. http://www.eff.org/pub/CAF/policies/http://www.eff.org/pub/CAF/policies/
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Elements of a User Account Elements of a User Account PolicyPolicy
Should state who has the authority to approve Should state who has the authority to approve account requests.account requests.
Should state who is allowed to use the resources Should state who is allowed to use the resources (e.g., employees or students only)(e.g., employees or students only)
Should state any citizenship/resident requirements.Should state any citizenship/resident requirements.
Should state if users are allowed to share accounts or Should state if users are allowed to share accounts or if users are allowed to have multiple accounts on a if users are allowed to have multiple accounts on a single host.single host.
Should state the users’ rights and responsibilities.Should state the users’ rights and responsibilities.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Elements of User Account PolicyElements of User Account Policy
Should state when the account should be disabled Should state when the account should be disabled and archived.and archived.
Should state how long the account can remain Should state how long the account can remain inactive before it is disabled.inactive before it is disabled.
Should state password construction and aging rules.Should state password construction and aging rules.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Remote Access PolicyRemote Access Policy
Outlines and defines acceptable methods of remotely Outlines and defines acceptable methods of remotely connecting to the internal network.connecting to the internal network.
Essential in large organization where networks are Essential in large organization where networks are geographically dispersed and even extend into the geographically dispersed and even extend into the homes.homes.
Should cover all available methods to remotely Should cover all available methods to remotely access internal resources:access internal resources: dial-in (SLIP, PPP)dial-in (SLIP, PPP) ISDN/Frame RelayISDN/Frame Relay telnet access from Internettelnet access from Internet Cable modemCable modem
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Elements of Remote Access Elements of Remote Access PolicyPolicy
Should define who is allowed to have remote access Should define who is allowed to have remote access capabilities.capabilities.
Should define what methods are allowed for remote Should define what methods are allowed for remote access.access.
Should discuss if dial-out modems are allowed.Should discuss if dial-out modems are allowed.
Should discuss who is allowed to have high-speed Should discuss who is allowed to have high-speed remote access such as ISDN, Frame Relay or cable remote access such as ISDN, Frame Relay or cable modem.modem. what extra requirements are there?what extra requirements are there? can other members of household use network?can other members of household use network?
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Elements of Remote Access Elements of Remote Access PolicyPolicy
Should discuss any restrictions on data that can be Should discuss any restrictions on data that can be accessed remotely.accessed remotely.
If partners connections are commonplace, should If partners connections are commonplace, should discuss requirements and methods.discuss requirements and methods.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Information Protection PolicyInformation Protection Policy
Provides guidelines to users on the processing, Provides guidelines to users on the processing, storage and transmission of sensitive information.storage and transmission of sensitive information.
Main goal is to ensure information is appropriately Main goal is to ensure information is appropriately protected from modification or disclosure.protected from modification or disclosure.
May be appropriate to have new employees sign May be appropriate to have new employees sign policy as part of their initial orientation.policy as part of their initial orientation.
Should define sensitivity levels of information.Should define sensitivity levels of information.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Key Elements of Key Elements of Information Protection PolicyInformation Protection Policy
Should define who can have access to sensitive Should define who can have access to sensitive information.information. special circumstancesspecial circumstances non-disclosure agreementsnon-disclosure agreements
Should define how sensitive information is to be stored Should define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, and transmitted (encrypted, archive files, uuencoded, etc).etc).
Should define on which systems sensitive information Should define on which systems sensitive information can be stored.can be stored.
Should discuss what levels of sensitive information can Should discuss what levels of sensitive information can be printed on physically insecure printers.be printed on physically insecure printers.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Key Elements of Key Elements of Information Protection PolicyInformation Protection Policy
Should define how sensitive information is removed Should define how sensitive information is removed from systems and storage devices.from systems and storage devices. degaussing of storage mediadegaussing of storage media scrubbing of hard drivesscrubbing of hard drives shredding of hardcopy outputshredding of hardcopy output
Should discuss any default file and directory Should discuss any default file and directory permissions defined in system-wide configuration permissions defined in system-wide configuration files.files.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Firewall Management PolicyFirewall Management Policy
Describes how firewall hardware and software is Describes how firewall hardware and software is managed and how changes are requested and approved.managed and how changes are requested and approved.
Should discuss who can obtain privileged access to Should discuss who can obtain privileged access to firewall systems.firewall systems.
Should discuss the procedure to request a firewall Should discuss the procedure to request a firewall configuration change and how the request is approved.configuration change and how the request is approved.
Should discuss who is allowed to obtain information Should discuss who is allowed to obtain information regarding the firewall configuration and access lists.regarding the firewall configuration and access lists.
Should discuss review cycles for firewall system Should discuss review cycles for firewall system configurations.configurations.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Special Access PolicySpecial Access Policy
Defines requirements for requesting and using special Defines requirements for requesting and using special systems accounts (root, bkup,).systems accounts (root, bkup,).
Should discuss how users can obtain special access.Should discuss how users can obtain special access.
Should discuss how special access accounts are Should discuss how special access accounts are audited.audited.
Should discuss how passwords for special access Should discuss how passwords for special access accounts are set and how often they are changed.accounts are set and how often they are changed.
Should discuss reasons why special access is Should discuss reasons why special access is revoked.revoked.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Network Connection PolicyNetwork Connection Policy
Defines requirements for adding new devices to the Defines requirements for adding new devices to the network.network.
Well suited for sites with multiple support teams.Well suited for sites with multiple support teams.
Important for sites which are not behind a firewall.Important for sites which are not behind a firewall.
Should discuss:Should discuss: who can install new resources on networkwho can install new resources on network what approval and notification must be donewhat approval and notification must be done how changes are documentedhow changes are documented what are the security requirementswhat are the security requirements how unsecured devices are treatedhow unsecured devices are treated
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Other Important PoliciesOther Important Policies
Policy which addresses forwarding of email to offsite Policy which addresses forwarding of email to offsite addresses.addresses.
Policy which addresses wireless networks.Policy which addresses wireless networks.
Policy which addresses baseline lab security Policy which addresses baseline lab security standards.standards.
Policy which addresses baseline router configuration Policy which addresses baseline router configuration parameters.parameters.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Section Three:Section Three:Policies and ProceduresPolicies and Procedures
Trust ModelsTrust Models
Security Policy BasicsSecurity Policy Basics
Policy Design ProcessPolicy Design Process
Key Security Policies Key Security Policies
Key Security ProceduresKey Security Procedures
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Security Procedures Security Procedures
Policies only define "what" is to be protected. Policies only define "what" is to be protected. Procedures define "how" to protect resources and are Procedures define "how" to protect resources and are the mechanisms to enforce policy.the mechanisms to enforce policy.
Procedures define detailed actions to take for specific Procedures define detailed actions to take for specific incidents.incidents.
Procedures provide a quick reference in times of Procedures provide a quick reference in times of crisis.crisis.
Procedures help eliminate the problem of a single Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis).is unavailable in a time of crisis).
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Configuration Management Configuration Management ProcedureProcedure
Defines how new hardware/software is tested and Defines how new hardware/software is tested and installed.installed.
Defines how hardware/software changes are Defines how hardware/software changes are documented.documented.
Defines who must be informed when hardware and Defines who must be informed when hardware and software changes occur.software changes occur.
Defines who has authority to make hardware and Defines who has authority to make hardware and software configuration changes.software configuration changes.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Data Backup and Off-site Data Backup and Off-site Storage ProceduresStorage Procedures
Defines which file systems are backed up.Defines which file systems are backed up.
Defines how often backups are performed.Defines how often backups are performed.
Defines how often storage media is rotated.Defines how often storage media is rotated.
Defines how often backups are stored off-site.Defines how often backups are stored off-site.
Defines how storage media is labeled and Defines how storage media is labeled and documented.documented.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Security Incident Escalation Security Incident Escalation ProcedureProcedure
A "cookbook" procedure for frontline support A "cookbook" procedure for frontline support personnel.personnel.
Defines who to call and when.Defines who to call and when.
Defines initial steps to take.Defines initial steps to take.
Defines initial information to record.Defines initial information to record.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Incident Handling ProcedureIncident Handling Procedure
Defines how to handle intruder attacks.Defines how to handle intruder attacks.
Defines areas of responsibilities for members of the Defines areas of responsibilities for members of the response team.response team.
Defines what information to record and track.Defines what information to record and track.
Defines who to notify and when.Defines who to notify and when.
Defines who can release information and the Defines who can release information and the procedure for releasing the information. procedure for releasing the information.
Defines how a follow-up analysis should be performed Defines how a follow-up analysis should be performed and who will participate.and who will participate.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Disaster Planning and ResponseDisaster Planning and Response
A disaster is a large scale event which affects major A disaster is a large scale event which affects major portions of an organization.portions of an organization. a major earthquake, flood, hurricane, or tornadoa major earthquake, flood, hurricane, or tornado a major power outage lasting > 48 hoursa major power outage lasting > 48 hours destruction of building structuresdestruction of building structures
Main goal of plan is to outline tasks to keep critical Main goal of plan is to outline tasks to keep critical resources running and to minimize impact of disaster.resources running and to minimize impact of disaster.
Ensure critical information needed for disaster Ensure critical information needed for disaster response is kept off-site and easily accessible after response is kept off-site and easily accessible after the onset of a disaster.the onset of a disaster.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Disaster Planning and ResponseDisaster Planning and Response
Plan should outline several operating modes based Plan should outline several operating modes based on level of damage to resources.on level of damage to resources.
Determine the need for “hot” or “cold” sites.Determine the need for “hot” or “cold” sites.
Disaster preparedness drills should be conducted Disaster preparedness drills should be conducted several times a year.several times a year.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Resources For Security Resources For Security Policies and ProceduresPolicies and Procedures
RFC2196 - The Site Security Procedures HandbookRFC2196 - The Site Security Procedures Handbook obsoletes rfc1244 as of 9/97.obsoletes rfc1244 as of 9/97. http://ds.internic.net/rfc/rfc2196.txthttp://ds.internic.net/rfc/rfc2196.txt
Some useful Web sites:Some useful Web sites: http://www.gatech.edu/itis/policy/usage/contents.htmlhttp://www.gatech.edu/itis/policy/usage/contents.html http://csrc.ncsl.nist.gov/secplcy/http://csrc.ncsl.nist.gov/secplcy/
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Section Three RecapSection Three Recap
Ensure policies and procedures are provided to Ensure policies and procedures are provided to managers, users and support staff.managers, users and support staff.
Ensure polices are in line with the security philosophy Ensure polices are in line with the security philosophy and any regulations the organization is required to and any regulations the organization is required to follow.follow.
Ensure policies are reviewed on a regular basis and Ensure policies are reviewed on a regular basis and are updated as necessary.are updated as necessary.
Ensure sufficient training is provided on a regular Ensure sufficient training is provided on a regular basis.basis.
How To Build A Successful Security InfrastructureHow To Build A Successful Security Infrastructure
Three RecapThree Recap
Important policies every site should have:Important policies every site should have: Acceptable Use PolicyAcceptable Use Policy Remote Access PolicyRemote Access Policy Information Protection PolicyInformation Protection Policy Firewall Management PolicyFirewall Management Policy
Important Procedures every site should have:Important Procedures every site should have: Configuration Management ProcedureConfiguration Management Procedure Data Backup and Off-site StorageData Backup and Off-site Storage Incident Handling ProcedureIncident Handling Procedure Disaster Recovery ProcedureDisaster Recovery Procedure