security principles on database

General Security Principles and Practices

Upload: wibowoaldi

Post on 24-Nov-2015


TRANSCRIPT

  • General Security Principles and Practices

  • Security Principles
    - Common Security Principles
    - Security Policies
    - Security Administration
    - Physical Security

  • Common Security Principles
    - Many principles come from:
      - military
      - businesses
    - Separation of Privileges Principle
      - No single person should have enough authority to cause a critical event to happen
      - Many examples from outside of computing, e.g., two keys needed to launch a missile
      - Tradeoff between security gained and manpower required to achieve it

  • Common Security Principles
    - Separation of Privileges Principle
      - CIO should not have access to all systems
      - DBA should not have access to the encryption key
      - Example: an accountant with the privilege to write checks as well as balance the business's accounts is a potential for abuse
      - Numerous instances all over the world on this one aspect alone
      - Louisville is no exception

  • Common Security Principles
    - Least Privilege Principle
      - Allow only the minimum level of access controls necessary to carry out job functions
      - A common violation of this principle occurs because of administrator inattention: users are placed in groups that are too broad
      - Another common violation occurs because of privilege creep: users are granted new privileges when they change roles without reviewing their existing privileges
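As an added illustration (not part of the slides), the following script runs an access review against the two preceding principles: it flags privileges a user still holds beyond what their current role needs (privilege creep) and conflicting pairs such as writing checks while also balancing the books. Role names, privilege names and user records are constructed sample data.

```python
"""Access-review check for two principles from the slides: separation of
privileges (no one person holds a conflicting pair of duties) and least
privilege (no privileges left over from a former role, i.e. privilege creep).
All roles, privileges and users below are constructed sample data."""

# Privileges each role legitimately needs (constructed)
ROLE_PRIVILEGES = {
    "accounts_payable": {"write_check"},
    "controller": {"reconcile_accounts", "view_ledger"},
    "dba": {"manage_schema", "backup_db"},
    "key_custodian": {"read_encryption_key"},
}

# Pairs of privileges one person must never hold together (constructed,
# mirroring the slides' accountant and DBA/encryption-key examples)
SEPARATION_RULES = [
    ("write_check", "reconcile_accounts"),
    ("manage_schema", "read_encryption_key"),
]

def excess_privileges(current_roles, granted):
    """Least privilege: privileges granted beyond what the current roles need."""
    needed = set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in current_roles))
    return sorted(set(granted) - needed)

def separation_violations(granted):
    """Separation of privileges: conflicting pairs held by the same person."""
    held = set(granted)
    return [pair for pair in SEPARATION_RULES if held.issuperset(pair)]

def review_user(user):
    """Return findings for one user record: {'name', 'roles', 'granted'}."""
    return {
        "user": user["name"],
        "privilege_creep": excess_privileges(user["roles"], user["granted"]),
        "separation_violations": separation_violations(user["granted"]),
    }

# Constructed sample: pat moved from accounts payable to controller but kept
# write_check, which is both privilege creep and the "writes checks and
# balances the books" conflict from the slides; sam is clean.
SAMPLE_USERS = [
    {"name": "pat", "roles": ["controller"],
     "granted": ["write_check", "reconcile_accounts", "view_ledger"]},
    {"name": "sam", "roles": ["dba"], "granted": ["manage_schema", "backup_db"]},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(review_user(u))
```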

  • Common Security Principles
    - Defense in Depth Principle
      - Defenses should be layered
      - Layers begin with points of access to a network and continue with cascading security at bottleneck points
    - Security through Obscurity
      - Secrecy maintained about the security that is in place
      - No longer very effective in a free society

  • Defense in Depth

  • Security Policies
    - Security objectives to:
      - Design specific controls
      - Keep users informed of expected behavior
    - A security policy should be a written document
      - Available to all users of an organizational information system
    - Security policies range from single documents to multiple documents for specialized use or for specific groups of users

  • Acceptable Use Policy
    - Defines allowable uses of an organization's information resources
      - Email
      - Web space
    - Must be specific enough to guide user activity but flexible enough to cover unanticipated situations
    - Should answer key questions
      - What activities are acceptable?
      - What activities are not acceptable?
      - Where can users get more information as needed?
      - What to do if violations are suspected or have occurred?

  • Acceptable Use Policy
    - Organization thinks: anything that is not permitted is prohibited
    - User thinks: anything that is not prohibited is permitted

  • Backup Policy
    - Data backups protect against corruption and loss of data
      - To support the integrity and availability goals of security
    - Backup policy should answer key questions
      - What data should be backed up and how?
      - Where should backups be stored? Who should have access?
      - How long should backups be retained?
      - How often can backup media be reused?

  • Backup Policy
    - Backup types:
      - Cold site
      - Warm site
      - Hot site
    - Recovery testing essential
      - Policy governing periodic recovery

  • Confidentiality Policy
    - Outlines procedures used to safeguard sensitive information
    - Should cover all means of information dissemination, including telephone, print, verbal, and computer
    - Questions include
      - What data is confidential and how should it be handled?
      - How is confidential information released?
      - What happens if information is released in violation of the policy?
    - Employees may be asked to sign nondisclosure agreements

  • Data Retention Policy
    - Defines categories of data
      - Different categories may have different protections under the policy
    - For each category, defines minimum retention time
      - Time may be mandated by law, regulation, or business needs, e.g., financial information related to taxes must be retained for 7 years
    - For each category, defines maximum retention time
      - This time may also be mandated by law, regulation, or business needs
      - Common in personal privacy areas

  • Wireless Device Policy
    - Includes mobile phones, PDAs, palm computers
    - Users often bring personal devices to the workplace
    - Policy should define
      - Types of equipment that can be purchased by the organization
      - Types of personal equipment that may be brought into the facility
      - Permissible activities
      - Approval authorities for exceptions

  • Implementing Policy
    - A major challenge for information security professionals
    - Includes the processes of developing and maintaining the policies themselves as well as ensuring their acceptance and use within the organization
    - Activities related to policy implementation are often ongoing within an organization

  • Developing Policies
    - Team approach should be employed
      - Include members from different departments or functional elements within the organization
    - Develop a high-level list of business objectives
    - Determine the documents that must be written to achieve the objectives
    - Revise document drafts until consensus is achieved

  • Building Consensus
    - Buy-in from employees is essential
    - Policy implementers are employees; without buy-in, policy enforcement would falter
    - Often the policies are promoted and advertised by senior management

  • Education
    - Implementing new policies requires sufficient training for employees
    - Users should be aware of their responsibilities with regard to policies
    - Two types of training
      - One-time initial training for all employees
      - Periodic training to
        - Remind employees of their responsibilities
        - Provide employees with updates on policies and technologies that affect their responsibilities

  • Enforcement and Maintenance
    - Policies should define responsibilities for
      - Reporting violations
      - Procedures when violations occur
    - Policies should be strictly and uniformly enforced
    - Policy changes occur as companies and technologies change
      - Policies should contain provisions for modification through maintenance procedures
      - Essential to have mandated periodic reviews

  • Security Administration Tools
    - Tools help with
      - consistent application of policy
      - enforcement of policy
    - Security checklists
      - Security professionals should review all checklists used in an organization for compliance with security procedures
      - Security professionals may develop their own checklists for security-specific tasks
    - Security matrices
      - Used in development of security policies and implementation of particular procedures
      - Helps focus the amount of attention paid to particular goals

  • Security Matrices

  • Physical Security
    - Ensures that only authorized people gain physical access to a facility
    - Protection from natural disasters such as fires and floods
    - Large organizations outsource physical security
    - Three common categories of physical security issues
      - Perimeter protection
      - Electronic emanations
      - Fire protection

  • Physical Security
    - Addresses security countermeasures using:
      - Design
      - Implementation
      - Maintenance
      - Management responsibility
      - Policy development

  • Perimeter Security
    - Perimeter security includes:
      - Fences
      - Walls
      - Gates
      - Lighting
      - Motion detectors
      - Dogs
      - Patrols

  • Access Control
    - Locks
      - Manual
      - Electronic
      - Biometric
    - Defense in depth principle
      - Fences around the facility and biometrics for specific offices within the facility

  • Access Control
    - ID cards and badges
    - Electronic monitoring
    - Mantrap
    - Alarms

  • Fire Safety
    - Fire detection
      - Thermal detection
        - Fixed-temperature detection
        - Rate-of-rise detection
      - Smoke detection
        - Photoelectric sensors
    - Fire classes
      - Class A: less serious
      - Class B: combustible liquids
      - Class C: electrical fires
      - Class D: dangerous chemicals

  • Fire Safety
    - Fire suppression
      - Water sprinkler
        - Dry pipe
        - Wet pipe
        - Mist sprinkler
        - Deluge system
      - Halon gas
      - Inergen gas (nitrogen, argon, carbon dioxide)

  • Electrical Power
    - UPS
      - Standby
      - Line-interactive
      - True online
    - Emergency shutoff
    - Grounding
    - Power management and conditioning

  • Electronic Surveillance
    - Facility monitoring using surveillance video
    - Check for electromagnetic signals leaking data
      - Electromagnetic signals can be picked up and interpreted outside the facility
      - Expensive to block electronic eavesdropping
    - Fire protection requires detection and suppression systems
      - Often dictated by building codes
      - Suppression systems include sprinklers, chemicals, and fire extinguishers

  • Personnel Security
    - People are the weakest link in a security system
    - Perform background investigations
      - Can include criminal record checks, reference evaluations
    - Monitor employee activity
      - Can include monitoring Internet activity, surveillance cameras, telephone recording
    - Mandatory vacations
    - Exit procedures for employees leaving the company
      - Remind employees of any nondisclosure agreements
