
SECURITY POLICIES Indu Ramachandran

Upload: laurel-payne

Post on 27-Dec-2015


TRANSCRIPT

Page 1: SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved

SECURITY POLICIES

Indu Ramachandran

Page 2: Outline

General idea/importance of security policies
When security policies should be developed
Who should be involved in this process
Cost of security policies
Available resources
Security policies in detail
Failure of security policies
After the security policy is written

Page 3: About Security Policies

Increased level of threats
Organization’s attitude towards security policies
Establishing standards
More than just “keeping the bad guys out”!
Management and security policy
Policies, not procedures!!

Page 4: Importance of Security Policies

Establishes standards
Provides basic guidelines
Defines appropriate behavior
Helps against being sued

Page 5: Aspects of Security

Traditional ideas of security
Revised security aspects
  Confidentiality: protect objects from unauthorized release/use of information
  Integrity: preserve objects / avoid unauthorized modification

Page 6: When Should Policies Be Developed

Ideal scenario
Often not the case
After a security breach
To mitigate liability
For document compliance
To demonstrate quality control processes
Customers’/clients’ requirements

Page 7: Who Should Be Involved

Basically EVERYONE!!!!!
System users
System support personnel
Managers
Business lawyers

Page 8: Importance of Involving Management

Funding and commitment
Leadership
Authority
Responsibility/support

Page 9: Do You Need Security Policies??

Questions to answer this question…
  Do workers at your organization handle information that is confidential?
  Do workers at your organization access the internet?
  Does your organization have trade secrets?
Custom questions to suit you!!

Page 10: The Security Cost Function

Cost for security: exponential increase
Trade-off between the cost of security and the cost of violations
Formula for calculating cost:
  Total cost for violations = Cost for a single violation × Frequency of the violation
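The trade-off on this slide carried through as an added example (not part of the deck): the slide's formula for the cost of violations is combined with an assumed exponential security-cost curve and an assumed decaying violation frequency to find the security level at which the two costs together are lowest. All numeric parameters are constructed assumptions.

```python
import math

# Constructed model parameters (assumptions, not from the slides).
SINGLE_VIOLATION_COST = 20_000.0   # cost of one violation, in currency units
BASE_FREQUENCY = 12.0              # expected violations per year at security level 0
FREQUENCY_DECAY = 0.6              # each extra level cuts the frequency by exp(-0.6)
BASE_SECURITY_COST = 5_000.0       # yearly security spend at level 0
SECURITY_GROWTH = 0.35             # exponential growth of security cost per level


def violation_frequency(level: int) -> float:
    """Expected violations per year at a given security level (assumed model)."""
    return BASE_FREQUENCY * math.exp(-FREQUENCY_DECAY * level)


def violation_cost(level: int) -> float:
    """Slide formula: total cost for violations = cost per violation x frequency."""
    return SINGLE_VIOLATION_COST * violation_frequency(level)


def security_cost(level: int) -> float:
    """The slide states that the cost for security increases exponentially."""
    return BASE_SECURITY_COST * math.exp(SECURITY_GROWTH * level)


def total_cost(level: int) -> float:
    """What the organization actually pays: security spend plus expected losses."""
    return security_cost(level) + violation_cost(level)


def cost_table(max_level: int = 10) -> list[tuple[int, float, float, float]]:
    """(level, security cost, violation cost, total) for each candidate level."""
    return [(lv, security_cost(lv), violation_cost(lv), total_cost(lv))
            for lv in range(max_level + 1)]


def cheapest_level(max_level: int = 10) -> int:
    """Security level that minimises the combined cost under the assumed model."""
    return min(range(max_level + 1), key=total_cost)


if __name__ == "__main__":
    for lv, sec, viol, tot in cost_table():
        print(f"level {lv:2d}: security {sec:10.0f}  violations {viol:10.0f}  total {tot:10.0f}")
    print("cheapest level:", cheapest_level())
```

Spending past the cheapest level buys less reduction in violation cost than it adds in security cost, which is the trade-off the slide describes.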

Page 11: GOOD NEWS!!!! You Are Not on Your Own!!!

Internet resources
  The SANS Institute
  NIST (National Institute of Standards and Technology)
  RFCs
  Universities

Page 12: Resources (cont’d)

Books
  Guide for Developing Security Policies for Information Technology Systems
  Information Security Policies Made Easy: around 1360+ security templates used by several large organizations
Training sessions
  SANS Institute

Page 13: Types of Security Policies

Administrative security policy
  Examples of administrative security policies:
    Users must change their password each quarter
    Employees must not use dial-out modems from their desktops
Technical security policies
  Examples:
    The server will be configured to expire passwords each quarter
    Accounts must initiate a lockout after four unsuccessful login attempts
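The two technical policies on this slide, as an added example of what turns a policy statement into an enforceable check (this is not code from the deck). It assumes a quarter is 90 days and uses constructed sample accounts; a real deployment would apply the same rules through the server's own account configuration rather than a script.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Parameters from the slide's technical policies; the 90-day quarter is an assumption.
PASSWORD_MAX_AGE = timedelta(days=90)
LOCKOUT_THRESHOLD = 4


@dataclass
class Account:
    name: str
    password_set: date      # day the current password was set
    failed_logins: int = 0  # consecutive unsuccessful attempts
    locked: bool = False


def password_expired(acct: Account, today: date) -> bool:
    """Technical policy: the server expires passwords older than one quarter."""
    return today - acct.password_set >= PASSWORD_MAX_AGE


def record_failed_login(acct: Account) -> bool:
    """Technical policy: lock the account on the fourth unsuccessful attempt.
    Returns True when the account is (now) locked."""
    if acct.locked:
        return True
    acct.failed_logins += 1
    acct.locked = acct.failed_logins >= LOCKOUT_THRESHOLD
    return acct.locked


def record_successful_login(acct: Account) -> None:
    """A successful login resets the consecutive-failure counter."""
    acct.failed_logins = 0


def audit(accounts: list[Account], today: date) -> list[tuple[str, str]]:
    """Report accounts that need action under either technical policy."""
    findings = []
    for a in accounts:
        if password_expired(a, today):
            findings.append((a.name, "password older than one quarter"))
        if a.locked:
            findings.append((a.name, "locked after repeated failed logins"))
    return findings


# Constructed sample accounts (not from the slides).
TODAY = date(2015, 12, 27)
SAMPLE = [Account("alice", date(2015, 11, 1)),
          Account("bob", date(2015, 8, 1)),
          Account("carol", date(2015, 12, 1))]


def demo() -> list[tuple[str, str]]:
    for _ in range(3):
        record_failed_login(SAMPLE[2])  # three failures: still not locked
    record_failed_login(SAMPLE[2])      # fourth failure triggers the lockout
    return audit(SAMPLE, TODAY)
```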

Page 14: What Is in a Security Policy

Three categories
First category: Parameters section
  Introduction
  Audience
  Definitions

Page 15: What Is in a Security Policy (cont’d)

Second category: Risk assessments
  When this should be done
  Benefits
  Who should do this
  Identifying assets
  Threats to assets

Page 16: What Is in a Security Policy (cont’d)

Third category: Actual policies
Examples of policies
  Physical security

Page 17: Examples of Policies (cont’d)

Authentication
Password policy
Remote access policy: the modem issue

Page 18: Examples of Policies (cont’d)

Acceptable Use Policy
  Examples of AU policy at http://www.eff.org/pub/CAF/policies
Other policies
  Examples of policies, as well as their templates, on the SANS website: http://www.sans.org/resources/policies/

Page 19: What Makes a Good Security Policy

Must be usable
Must communicate clearly
Must not impede/interfere with business
Enforceable
Updated regularly
Other factors
  Interests
  Laws

Page 20: Problems with Security Policies

Increase in tension level
Security needs viewed differently
Too restrictive/hard to implement
Impediments to productivity

Page 21: Conflict and Politics

Management concentrates on goals for the company
Technical personnel’s agenda
So what happens???
What do you do???

Page 22: Information Security Management Committee

Bridge the gap
Committee composition
Responsibilities of the committee

Page 23: Real-World Problems Caused by Missing Policies

At a government agency...
At a local newspaper...

Page 24: Why Security Policies Fail

Security is a barrier to progress
  Perceived to have zero benefit
  Obstacles/impediment to productivity
Security is a learned behavior, not instinct
Value of assets not taken seriously

Page 25: Why Security Policies Fail (cont’d)

Complexity: security work is never finished
Failure to review
Other reasons
  Lack of stakeholder support
  Organizational politics

Page 26: Compliance & Enforcement

Training
Testing the effectiveness of the policy
Monitoring
Taking action

Page 27: Review the Policy

Review committee: good representation
Frequency of review meetings
Responsibilities
What to review

Page 28: References

Barman, Scott. Writing Information Security Policies.
http://dmoz.org/Computers/Security/Policy/Sample_Policies/
http://www.netiq.com/products/pub/ispme_realproblems.asp
http://www.sans.org/rr/policy/policy.php
http://www.networknews.co.uk/Features/1138373
http://irm.cit.nih.gov/security/sec_policy.html
http://www.cisco.com/warp/public/126/secpol.html