Term Paper on "Security Policy Dr. Fossett's Dental Office"

Term Paper 3 pages (1254 words) Sources: 0


Security Policy of a Dental Office

Information Technology security for XYZ's Dental Office will be achieved by implementing the controls, policies, procedures and standards set out here. This approved security policy reflects the rapidly changing technologies within the dental office and aims to ensure that the facility is properly protected and that all security objectives are met. This security policy provides clear direction and support for security. XYZ is the owner of this policy and is therefore responsible for reviewing and enforcing the controls authorized by it.

The following terms are used in this policy:

• Access Privileges - unique for each user and determined by the system administrators;

• Account - the access privileges assigned to a user;

• E-mail - electronic mail and the exchange of information;

• Data Ownership - any data stored on the office's computers is owned by XYZ's office;

• Web Server - the web server operated by the office to access the Internet and external data sources;

• Information Security - the effort to preserve the confidentiality, integrity and availability of data;

• Policy Owner - XYZ, who is responsible for policy maintenance and review.

SYSTEM - This policy covers all freestanding computers, networked computers, timeshared computers, servers or terminals owned, leased or operated by XYZ's Dental Office. It also covers any network or networked component that links the aforementioned devices with any external network or network component, including all peripherals, software, data and media associated with these devices, and the telephones, modems, fax machines, recording devices or other devices forming part of the office's voice network. Users must not attempt to circumvent any system security, network security or any protection or resource restrictions placed on their account. Users must not attempt to capture or decode passwords or access codes, read or capture any data without authority, or attempt to create or install any form of malicious software (for example worms, viruses or sniffers) which may affect computing or network equipment, software or data. Users must not attach any unauthorised device or signal to the system, or connect any equipment providing external access to the system (for example, a modem), without proper authorization.

GENERAL - XYZ's systems support the office's medical research, community service and administrative work and must not be used for any other purpose. No person may use the system for private purposes, including private commercial, political or religious purposes. It is acknowledged that there will be some use of communications for personal purposes, but this must not interfere with obligations owed by the office or third parties, or otherwise breach any part of this policy.

ACCESS - Access to the system is controlled by a formal user registration process. Each user is issued a unique user-id so that every action can be linked to a user and that user held responsible for it; users must have authorization from the system owner; users must sign a statement indicating that they have been informed of and understand this policy; and users in breach of these policies can be immediately removed or have their access rights amended as needed.

USER PASSWORD MANAGEMENT - Passwords will be used to authenticate a user's identity and to establish system accountability. Passwords are intended to protect the system's resources and data from unauthorized access. Appropriate password selection enhances the security of the user-id and password combination, so users must follow good security practices when choosing passwords.

PASSWORD SELECTION - Passwords must be at least seven characters in length and cannot be a dictionary word or a telephone-number-style combination. Passwords must contain at least one number and one non-alphabetic character such as "%" or "*". Passwords must remain confidential at all times and cannot be shared with peers or subordinates. Users are responsible for avoiding any written record of their password unless that record can be stored securely. Employees are required to…

Quoted Instructions for "Security Policy Dr. Fossett's Dental Office" Assignment:

1. Draft a 3 page Security Policy for Dr. Fossett’s Dental Office. Other info will be emailed to aid *****. Also, include two papers on how to write a security policy. Please use a ***** with Computer Science background.

2. Provide detailed outline of key areas.

3. Pay particular attention to access privilege levels, internet usage, email policy, and use of personal software.

4. Consider how hardware and software changes are performed as well as system backups.

Title: Security Policy: Dr. Fossett’s Dental Office

---------------------------------------------------

Dr. Fossett Enterprise-Wide Network Scenario Data

1. This dental office is in one Building. There are:

• 1 Receptionist

• 1 Scheduler

• 1 Billing Clerk

• 1 Senior Accounting Staff

• 3 Dental Hygienists

• 2 Full-time Dentists

• 2 Dental Assistants

2. The dental office has 4 separate rooms, each one with its own set up of dental equipment, and 1 X-ray room.

3. The dental office currently has sales of about $750K per year, and Dr. Fossett believes he can exceed this by 25% by year-end 2001 by leveraging the networking technologies available to him.

4. Currently, there are only 2 stand-alone PCs – one handles the scheduling side and the other one is for the billing process.

5. The goals are to:

• Maximize sales by minimizing scheduling errors and cancellations

• Improve communication by establishing e-mail access to every employee

• Re-engineer the billing process and reduce the Accounts Receivable Cycle time

• Establish a network in the dental office that will improve customer service response time, allow on-line access to patient records, maintain one database for patient records and, possibly, updated x-ray records.

• Allow dial-in access for the 2 dentists, in cases of emergencies, to view patient records from home.

• Allow database back up for security reasons.

How to write a Security Policy

The Basics of an IT Security Policy

Table of Contents

Purpose

What is an IT Security Policy?

What Determines a Good IT Security Policy?

What are the Components of a Security Policy?

  Security Definition

  Enforcement

  User Access to Computer Resources

  Security Profiles

  Passwords

  E-mail

  Internet

  Anti-Virus

  Back-up and Recovery

  Intrusion Detection

  Remote Access

  Auditing

  Awareness Training

Conclusion

References

Purpose

This paper is intended to address the importance of having a written and enforceable Information Technology (IT) security policy, and to provide an overview of the necessary components of an effective policy. The reader will gain an understanding of the basic processes, methodologies, and procedures needed to initiate the development of an organization-wide IT Security Policy.

When developing an IT Security Policy you should keep in mind the ‘defense in depth’ model. In other words, you should not rely on one principal means of protection (or layer); instead, you should develop your security program so that it provides multiple layers of defense. This will ensure maximum protection of your data and resources and will minimize the potential for compromise.

Please keep in mind that we can only protect ourselves from known and existing exploits. We are all possible targets of zero day exploits! However, an effective IT security program will enable you to detect anomalies in network traffic and take the necessary steps toward mitigation (i.e., proactive rather than reactive).

What is an IT Security Policy?

An IT Security Policy is the most critical element of an IT security program. A security policy identifies the rules and procedures that all persons accessing computer resources must adhere to in order to ensure the confidentiality, integrity, and availability of data and resources. Furthermore, it puts into writing an organization’s security posture, describes and assigns functions and responsibilities, grants authority to security professionals, and identifies the incident response processes and procedures.

Note: The security-related decisions you make, or fail to make, largely determine how secure or insecure your network is, how much functionality your network offers, and how easy your network is to use. However, you cannot make good decisions about security without first determining what your security goals are. Until then, you cannot make effective use of any collection of security tools because you simply will not know what to check for and what restrictions to impose. [1]

What Determines a Good IT Security Policy?

In general a good IT Security Policy does the following:

• Communicates clear and concise information and is realistic;

• Includes defined scope and applicability;

• Makes enforceability possible;

• Identifies the areas of responsibility for users, administrators, and management;

• Provides sufficient guidance for development of specific procedures;

• Balances protection with productivity;

• Identifies how incidents will be handled; and

• Is enacted by a senior official (e.g., CEO).

Development of a security policy should be a collaborative effort with security officials, management, and those who have a thorough understanding of the business rules of the organization. A security policy should not impede an organization from meeting its mission and goals. However, a good policy will provide the organization with the assurance and the “acceptable” level of asset protection from external and internal threats.

What are the Components of a Security Policy?

A key point to consider is to develop a security policy that is flexible and adaptable as technology changes. Additionally, a security policy should be a living document routinely updated as new technology and procedures are established to support the mission of the organization.

The components of a security policy will change by organization based on size, services offered, technology, and available revenue. Here are some of the typical elements included in a security policy.

Security Definition – All security policies should include a well-defined security vision for the organization. The security vision should be clear and concise and convey to the readers the intent of the policy. For example:

“This security policy is intended to ensure the confidentiality, integrity, and availability of data and resources through the use of effective and established IT security processes and procedures.”

Further, the definition section should address why the security policy is being implemented and what the corresponding mission will entail. This is where you tie the policy to the mission and the business rules of the organization.

Enforcement – This section should clearly identify how the policy will be enforced and how security breaches and/or misconduct will be handled.

The Chief Information Officer (CIO) and the Information Systems Security Officer (ISSO) typically have the primary responsibility for implementing the policy and ensuring compliance. However, you should have a member of senior management, preferably the top official, implement and embrace the policy. This gives you the enforcement clout and much needed ‘buy-in’.

This section may also include procedures for requesting short-term exceptions to the policy. All exceptions to the policy should be reviewed and approved, or denied, by the Security Officer. Senior management should not be given the flexibility to overrule decisions. Otherwise, your security program will be full of exceptions that will lend themselves toward failure.

User Access to Computer Resources - This section should identify the roles and responsibilities of users accessing resources on the organization’s network. This should include information such as:

• Procedures for obtaining network access and resource level permission;

• Policies prohibiting personal use of organizational computer systems;

• Passwords;

• Procedures for using removable media devices;

• Procedures for identifying applicable e-mail standards of conduct;

• Specifications for both acceptable and prohibited Internet usage;

• Guidelines for applications;

• Restrictions on installing applications and hardware;

• Procedures for Remote Access;

• Guidelines for use of personal machines to access resources (remote access);

• Procedures for account termination;

• Procedures for routine auditing;

• Procedures for threat notification; and

• Security awareness training.

Depending on the size of an organization’s network, a more detailed listing may be required for the connected Wide Area Networks (WAN), other Local Area Networks (LAN), Extranets, and Virtual Private Networks (VPN).

Some organizations may require that other connected (via LAN, WAN, VPN) or trusted agencies meet the terms and conditions identified in the organization’s security policy before they are granted access. This is done for the simple reason that your security policy is only as good as the weakest link. For example, if Company ‘A’ has a rigid security policy and Company ‘B’ has a substandard policy and wants to partner with Company ‘A’, Company ‘B’ may request a network connection to Company ‘A’ (behind the firewall). If Company ‘A’ allows this without validating Company ‘B’s’ security policy, then Company ‘A’ can now be compromised by exploits launched from Company ‘B’.

When developing a security policy, one should take situations such as this very seriously and develop standards that must be met before other organizations are granted access. One method is to require the requesting organization to meet, at a minimum, your own policy and guidelines.

Security Profiles - A good security policy should also include information that identifies how security profiles will be applied uniformly across common devices (e.g., servers, workstations, routers, switches, firewalls, p***** servers, etc.). The policy should reference applicable standards and procedures for locking down devices. Those standards may include security checklists to follow when adding and/or reconfiguring devices.

New devices come shipped with the default configuration for ease of deployment and it also ensures compatibility with most architectures. This is very convenient for the vendor, but a nightmare for security professionals. An assessment needs to be completed to determine what services are necessary on which devices to meet the organizational needs and requirements. All other services should be turned off and/or removed and documented in the corresponding standard operating procedure.

For example, if your agency does not have a need to host Internet or Intranet based applications then do not install Microsoft IIS. If you have a need to host HTML services, but do not have a requirement for allowing FTP, then disable it.

Additional information for securing some vendor devices can be found at the following web sites:

• http://www.microsoft.com

• http://www.cisco.com

• http://www.sun.com

• http://www.novel.com

Passwords - Passwords are a critical element in protecting the infrastructure. Remember, your security policy is only as good as the weakest link. If you have weak passwords then you are at a higher risk of compromise, not only from external threats but also from insiders. If a password is compromised through social engineering or password cracking techniques, an intruder now has access to your resources. The result is that you have just lost confidentiality and possibly the integrity of the data, and availability may have been compromised or be about to be.

The policy should clearly state the requirements imposed on users for passwords. Passwords should not be any of the following:

• Same as the username;

• The word “password”;

• Any personal information that a hacker may be able to obtain (e.g., street address, social security number, names of children, parents, cars, boats, etc.);

• A dictionary word; or

• A telephone number.

These are some examples of passwords not to use. You should force users, through automated password policy techniques, to use a minimum of eight characters, a combination of symbols, alphabetic characters, and numerals, and a mixture of uppercase and lowercase. Users should be required to change their password at least quarterly. Previous passwords should not be authorized. Lastly, an account lockout policy should be implemented after a predetermined number of unsuccessful logon attempts.
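As an added example that is not part of the paper, the following Python function applies the password rules listed above (and the similar rules in the dental office policy excerpt earlier on this page) to a candidate password and returns every rule it violates, plus a check for the quarterly change interval; the dictionary list, personal-information entries and password history are constructed stand-ins, and the eight-character minimum is the stricter of the two figures the page gives.

```python
import re
import string
from datetime import date, timedelta

# Constructed stand-ins (not from the paper): a tiny dictionary list, the
# personal details recorded for a user, and that user's password history.
DICTIONARY_WORDS = {"password", "dental", "office", "summer", "welcome", "fossett"}
PERSONAL_INFO = {"jsmith": ["smith", "emily", "mustang", "12 elm st"]}
PREVIOUS_PASSWORDS = {"jsmith": ["Elm!Street12", "Dental#2001"]}

MIN_LENGTH = 8                          # the paper asks for eight characters
MAX_PASSWORD_AGE = timedelta(days=90)   # "at least quarterly"

# Matches 7- or 10-digit telephone-number-style strings such as 555-123-4567.
PHONE_RE = re.compile(r"^\(?(\d{3})?\)?[-. ]?\d{3}[-. ]?\d{4}$")


def _letters_only(s):
    """Lower-case letters of s, so 'Dental#2001' is still recognised as 'dental'."""
    return "".join(ch for ch in s.lower() if ch.isalpha())


def check_password(username, password, previous=None, personal=None):
    """Return the list of policy rules a candidate password violates.

    An empty list means the password satisfies every rule the paper lists:
    minimum length, numerals plus letters plus symbols, mixed case, not the
    username, not the word 'password', no personal information, not a
    dictionary word, not a telephone number, and not a previously used one.
    """
    if previous is None:
        previous = PREVIOUS_PASSWORDS.get(username, [])
    if personal is None:
        personal = PERSONAL_INFO.get(username, [])
    lowered = password.lower()
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        violations.append("no numeral")
    if not any(c.isalpha() for c in password):
        violations.append("no alphabetic character")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("not mixed case")
    if lowered == username.lower():
        violations.append("same as username")
    if lowered == "password":
        violations.append("is the word 'password'")
    # Personal details are matched as substrings, so 'Mustang!99' is caught.
    if any(item.lower() in lowered for item in personal):
        violations.append("contains personal information")
    if _letters_only(password) in DICTIONARY_WORDS:
        violations.append("dictionary word")
    if PHONE_RE.match(password):
        violations.append("telephone number")
    if password in previous:
        violations.append("previously used")
    return violations


def password_expired(last_changed, today):
    """True when the password is older than the quarterly change interval."""
    return today - last_changed > MAX_PASSWORD_AGE


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Dental#2001", "555-123-4567", "password"):
        print(candidate, "->", check_password("jsmith", candidate) or "OK")
    print("expired:", password_expired(date(2001, 1, 1), date(2001, 5, 1)))
```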

Another tip to consider is that you should be logging all successful and failed logon attempts. A hacker may be trying several accounts to log on to your network. If you see several ‘failed’ logon attempts in a row and then no activity, does this mean the hacker gave up, or did he “successfully” log on?
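An added example (not from the paper) of the logon-record review the paragraph describes: it parses constructed sample log lines and, per account, flags any run of consecutive failures that reaches the lockout threshold, distinguishing a run that ends in a successful logon from one that ends in silence. The log line format, the threshold of three attempts and the 30-minute quiet period are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the paper), in the shape a small
# office server might record for its logon events.
SAMPLE_LOG = """\
2001-11-05 08:02:11 LOGON SUCCESS user=receptionist src=10.0.0.12
2001-11-05 23:41:02 LOGON FAILURE user=billing src=10.0.0.77
2001-11-05 23:41:09 LOGON FAILURE user=billing src=10.0.0.77
2001-11-05 23:41:15 LOGON FAILURE user=billing src=10.0.0.77
2001-11-05 23:41:20 LOGON FAILURE user=billing src=10.0.0.77
2001-11-05 23:41:27 LOGON FAILURE user=billing src=10.0.0.77
2001-11-05 23:41:33 LOGON SUCCESS user=billing src=10.0.0.77
2001-11-06 02:10:00 LOGON FAILURE user=scheduler src=10.0.0.77
2001-11-06 02:10:05 LOGON FAILURE user=scheduler src=10.0.0.77
2001-11-06 02:10:11 LOGON FAILURE user=scheduler src=10.0.0.77
2001-11-06 02:10:18 LOGON FAILURE user=scheduler src=10.0.0.77
2001-11-06 09:15:44 LOGON FAILURE user=dentist1 src=10.0.0.20
2001-11-06 09:15:58 LOGON SUCCESS user=dentist1 src=10.0.0.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGON (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

LOCKOUT_THRESHOLD = 3                  # "predetermined number of unsuccessful logon attempts"
QUIET_PERIOD = timedelta(minutes=30)   # how long "no activity" has to last to count


def parse_log(text):
    """Parse log lines into (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                           m.group("result"), m.group("user"), m.group("src")))
    return events


def analyse_logons(events, threshold=LOCKOUT_THRESHOLD, quiet=QUIET_PERIOD):
    """Report the two situations the paper asks about, per user.

    Returns {user: [(kind, failure_count, src), ...]}. A burst of at least
    `threshold` consecutive failures followed by a success is
    "failures-then-success" (a password may have been guessed); a burst
    followed by nothing for `quiet`, or by the end of the log, is
    "failures-then-silence" (the attacker gave up, or lockout triggered).
    Bursts below the threshold are not reported. `src` is the source of the
    event that ended the burst.
    """
    per_user = defaultdict(list)
    for ev in sorted(events):
        per_user[ev[2]].append(ev)

    findings = {}
    for user, evs in per_user.items():
        run = []  # timestamps of the current consecutive failures
        for i, (ts, result, _, src) in enumerate(evs):
            if run and ts - run[-1] > quiet:
                run = []  # too long since the last failure: not the same burst
            if result == "FAILURE":
                run.append(ts)
                nxt = evs[i + 1][0] if i + 1 < len(evs) else None
                if len(run) >= threshold and (nxt is None or nxt - ts > quiet):
                    findings.setdefault(user, []).append(
                        ("failures-then-silence", len(run), src))
                    run = []
            else:
                if len(run) >= threshold:
                    findings.setdefault(user, []).append(
                        ("failures-then-success", len(run), src))
                run = []
    return findings


if __name__ == "__main__":
    for user, items in analyse_logons(parse_log(SAMPLE_LOG)).items():
        for kind, count, src in items:
            print("%-12s %-22s failures=%d src=%s" % (user, kind, count, src))
```

The "failures-then-success" case is the one worth a call to the user, since a burst of failures that ends in a successful logon is exactly the outcome the paragraph warns about.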

E-mail – An email usage policy is a must. Several viruses, Trojans, and other malware use email as the vehicle to propagate themselves throughout the Internet. A few of the more recent worms were Code Red, Nimda, and Goner. These types of exploits prey on the unsuspecting user double-clicking on the attachment, thereby infecting the machine and launching propagation throughout the entire network. This could cause several hours and/or days of downtime while remedial efforts are taken.

One thing you may want to address in your policy is content filtering of email messages. Filtering out attachments with extensions such as *.exe, *.scr, *.bat, *.com, and *.inf will enhance your prevention efforts. Also, personal use of the email system should be prohibited. Email messages can and have been used in litigation (Microsoft anti-trust case). This includes all email messages, both personal and business. Additionally, some institutions archive email messages indefinitely (Federal Government). Those messages are subject to Freedom of Information Act (FOIA) requirements. Just think how embarrassing it would be if several email messages with vulgar content were released to a law firm or the media. This could bring significant negative publicity to your organization.

Internet – The World Wide Web was the greatest invention, but the worst nightmare from a security standpoint. The Internet is the pathway through which vulnerabilities are manifested. The black-hat community typically launches their ‘zero day’ and old exploits on the Internet via IRC chat rooms, Instant Messengers, and free Internet email providers (hotmail, yahoo, etc.). Therefore, the Internet usage policy should restrict access to these types of sites and should clearly identify what, if any, personal use is authorized.

Moreover, software should be employed to filter out many of the forbidden sites, including pornographic sites, chat rooms, free web-based email services (hotmail, Yahoo, etc.), personals, etc. There are several Internet content filtering applications available that maintain a comprehensive database of forbidden URLs. The following are provided for additional information.

• http://www.superscout.com

• http://www.telemate-software.com/internet_monitoring_software.htm

• http://www.symantec.com

Anti-Virus - Anti-virus software is a ‘must’ in the detection and mitigation of viruses. The policy should identify the frequency of updating the virus definition files. The policy should also identify how removable media, attachments to email, and other files should be scanned before opening. Your anti-virus software should be configured to automatically scan all incoming and outgoing files. If a virus is found you need to identify what action should be taken (e.g., clean, notify administrator, deny access to file, etc.). Anti-virus vendors include:

• Mcafee (http://www.mcafee.com)

• Norton (http://www.symantec.com)

• Computer Associates Innoculate IT (www.ca.com/innoculate)

Back-up and Recovery – A comprehensive back-up and recovery plan is critical to mitigating incidents. You never know when a natural or other disaster may occur. For example take the 9/11 incident. What would have happened if there were no off-site storage locations for the companies in the World Trade Center?

Answer: All data would have been permanently lost! Back-ups are your key to the past. Organizations must have effective back-up and recovery plans that are established through a comprehensive risk assessment of all systems on the network. Your back-up procedures may be different for a number of systems on your network. For example, your budget and payroll system will have different back-up requirements than a miscellaneous file server.

You may be required to restore from a tape back-up if the system crashes, you get hacked, hardware is upgraded, and/or files get inadvertently deleted. You should be prepared. Your back-up and recovery policy (a separate document) should stand on its own, but be reflected in the security policy. At a minimum, your back-up recovery plan should include:

• Back-up schedules;

• Identification of the type of tape back-up (full, differential, etc.);

• The type of equipment used;

• Tape storage location (on and off-site);

• Tape labeling convention;

• Tape rotation procedures;

• Testing restorations; and

• Checking log files.

Intrusion Detection – A Network Intrusion Detection System (NIDS) is a system that is responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized occurring on a network. Unlike a firewall, an NIDS captures and inspects all traffic, regardless of whether it's permitted or not. Based on the contents, at either the IP or application level, an alert is generated. [4]

Intrusion detection tools will assist in the detection and mitigation of access attempts into your network. You need to decide, through the risk assessment process, whether to implement network-based or host-based intrusion detection or a combination of both. Additional standard operating procedures should be derived from the policy to specifically address intrusion detection processes and procedures. Following are some examples of NIDS products:

• ISS - (http://www.iss.com)

• Cisco - (http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/)

• Snort - (http://www.linuxsecurity.com/feature_stories/using-snort.html)

• Zone Alarm – (http://www.zonealarm.com)

Remote Access - Dial-up access to your network will represent one of your greatest risks. Your policy should identify the procedures that one must follow in order to be granted dial-up access. You also need to address whether or not personal machines will be allowed to access your organization’s resources.

The whole issue of remote access causes heartburn for security officials. You can lock down your perimeter, but all it takes is one remote access client dialing into the network (behind the firewall) who has been compromised while surfing the Internet, with that Trojan ready and willing to start looking for other unsuspecting prey. Next thing you know, your network has been compromised. Following are some examples to include in your policy:

• Install and configure a personal firewall on remote client machines (examples: Norton or BlackIce Defender);

• Ensure antivirus software, service packs and security patches are maintained and up-to-date;

• Ensure modems are configured to not auto answer;

• Ensure file sharing is disabled;

• If not using token or PKI certificates, then username and password should be encrypted;

• If possible push policies from server to client machines; and

• Prohibit organizational machines from being configured to access personal Internet Service Provider accounts.

Auditing - All security programs should be audited on a routine and random basis to assess their effectiveness. The security officer must be given the authority, in writing, by the head of the organization to conduct audits of the program. If not, he or she could be subject to legal action for malicious conduct. Random and scheduled audits should be conducted and may include:

• Password auditing using password cracking utilities such as LC3 (Windows) and PWDump (Unix and Windows);

• Auditing the user accounts database for active old accounts (persons who left the agency);

• Penetration testing to check for vulnerabilities using technical assessment tools such as ISS and Nessus;

• Social Engineering techniques to determine if you can get a username or password from a staff member;

• Simulate (off hours) network failure and evaluate your incident response team’s performance and readiness;

• Test your back-up recovery procedures;

• Use Tripwire or similar product to monitor your critical binary files;

• Configure your Server OS to audit all events and monitor several times a day for suspicious activity;

• Use a port scanner (Nmap, Nessus, etc.) within your network to determine if your system administrators catch the traffic and take appropriate action.

These are just a few examples of the things to audit. The extent of your auditing will depend on the level of your security program.

Awareness Training - Security Awareness training for organizational staff must be performed to ensure a successful program. Training should be provided at different levels for staff, executives, system administrators, and security officers. Additionally, staff should be retrained on a periodic basis (e.g., every two years). A process should be in place for training newly hired staff within a certain time period. Staff completing training should be required to sign a written certification statement. This signed statement helps the security officer and management enforce the organization’s security policies.

Trained staff can help alleviate some of the security burden from security officers. Trained staff can and often do provide advanced notification of suspicious events encountered on their machines which could prevent a worm or other Trojan from propagating throughout the entire network.

Conclusion

I hope this paper provides you with a better understanding of the importance of an effective IT Security policy. Security policies are crucial to ensuring the protection of organizational assets. From policies, enforceable standards and procedures are developed. Without formal policy, standards and procedures will be ad hoc and staff will have no accountability.

There are standards published by the National Institute of Standards and Technology (NIST) and the International Service Organization (ISO) that should be followed when developing a security policy. This will ensure your policy is in alignment with current standards. Lastly, your policy should not be placed on a shelf collecting dust. It should be a living, breathing document that all staff are aware of and follow.

References

[1] Fraser, B., “Site Security Handbook”, September 2000. http://www.cis.ohio-state.edu/cgi-bin/rfc2196.html

[2] Information Security and Disaster Recovery, IT Security Policy and Implementation. http://www.network-and-it-security-policies.com/

[3] International Standards Organization, ISO/IEC 17799:2000(E), Information Technology, Code of Practice for Information Security Management, 2000.

[4] Wreski, Dave and Pallack, Christopher, “Network Intrusion Detection Using Snort”, June 2000. http://www.linuxsecurity.com/feature_stories/feature_story-49.html

[5] Goncalves, Marcus and Brown, Steven, Check Point Firewall 1 Administration Guide, 2000.

[6] SANS Institute, Basic Security Policy, Security Essentials, Network Security, Vol. 1.2.

[7] Bowden, Joel, “Security Policy: What it is and Why – The Basics”, August 14, 2001. http://rr.sans.org/policy/sec_policy.php

[8] Bug Traq: FAQ. http://www.securityfocus.com/frames/?content=/forums/bugtraq/faq/faq.html

[9] Microsoft Windows Security. http://www.microsoft.com/security/default.asp

[10] NT Security. http://www.ntsecurity.com/security-news.asp

[11] SANS Institute. http://www.incidents.org

[12] Zone Alarm. http://www.zonealarm.com

What makes a good security policy and why is one necessary?

Table of Contents

Introduction

Why have a security policy?

What Makes a Good Security Policy?

What Is Included in a Security Policy

  First Section – Parameters

  Second Section – Risk Assessment

  Third Section – The Actual Policies

Conclusion

References

Introduction

With the advent of the Internet and networking, there has been a huge potential for expanding the way that businesses communicate and share data, provide services to clients and process information to increase their efficiency and lower production costs. It is now possible to interconnect two partner companies in order to share data in real time, hold conferences with people who are geographically separated and to place orders and update inventory in real-time. However, this broad access has also brought with it the possibility for data theft, liability through disclosure of private information, loss of credibility and reputation. The threat comes from people both internal and external to a company. There are many individuals with the potential to create havoc and disrupt businesses, maliciously or unintentionally, creating financial loss and impeding production. It is now possible for “hackers” to write code that will delete all the data on a system, steal sensitive or critical information and bring a company to its knees through denial of service attacks.

As these threats have increased, security has become a priority for companies. Securing systems from internal or external threats can protect companies from the potential liability arising from any type of network compromise. However, there are no quick fixes when it comes to network security. Security does not come from automated applications; rather, it is comprised of security applications or systems, processes and procedures, and the personnel to implement both the systems and the processes. In order to properly address security, the most fundamental item necessary is a security policy.

The Merriam-Webster definition of a policy is “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions” or “a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body”. A security policy states the corporation’s vision and commitment to security, and lays out its standards and guidelines regarding what is considered acceptable when working on or using company property and systems. A good security policy is comprised of many sections and addresses all applicable areas or functions within an organization.

Why have a security policy?

Having a security policy is instrumental in creating a secure organization. This is because without one, a company cannot begin to know where or what to purchase or what processes to follow in order to secure their environment. The policy lays out, in detail, what the company’s goal is for security. In other words, a security policy establishes standards for what is permitted or denied within the framework of the company. Standards are created for protecting the network resources and for assigning program management responsibilities and providing basic rules, guidelines, and definitions for everyone in the organization. Before you can implement a firewall, for example, you need to know a company’s security policy on Internet usage and what is permissible.

Security policies help to create consistent standards across the organization. In this way, risks are avoided and penalties are outlined for failure to adhere to the regulations within the policy. A policy also identifies the roles and responsibilities of everyone within the company in ensuring security. Hopefully, a policy will be clear enough and inclusive enough to be easily implemented and followed. It is also important that the policy be flexible enough to encompass and accommodate a wide range of data and many different systems, activities, and resources.

A security policy is also another way of establishing the importance of security within the organization. A security policy is usually published and includes endorsement by upper management. In this manner upper management gives explicit acknowledgement of security as a company priority. This helps to establish the cooperation of an organization's personnel.

What Makes a Good Security Policy?

A good security policy is composed of several factors. The most important factor is that it must be usable. A security policy is of no use to an organization or the individuals within an organization if they cannot implement the guidelines or regulations within the policy. It should be concise, clearly written and as detailed as necessary to provide the information needed to implement each regulation. It should be versioned and dated in order to easily identify the most current document, and should be structured internally in such a way that pertinent or required information is identified and located easily within the document for reference.

A good security policy also takes into account the existing or implicit rules in use. Business processes evolve over time within organizations as personnel learn more efficient ways of processing information. A security policy should in no way impede or interfere with the business. Rather, it should enhance the process, providing confidence in the security of the day-to-day operations.

It must be enforceable with security tools where appropriate, and with sanctions where actual prevention is not technically feasible. Firewalls, intrusion detection systems and anti-virus applications are some of the tools that can be used to apply the policies in the business environment. However, manual processes should also be laid out within the policy, as not every security policy is enforceable via an automated system or application. One of the most common misconceptions is that security policies are driven only by security systems. In actuality, it is the processes outlined within the security policy, and the people who carry out the required policies, that create a secure environment.

Local, state and federal laws should also be considered when creating the security policy. There are many statutes and laws governing the privacy of certain records, dealings with outside parties and access violations. Those responsible for writing the policy should become familiar with the laws in their particular industry and location, and strive to have the security policy conform to them.

In a similar vein, a security policy should also specify what auditing processes will be put in place to verify compliance, and the punitive actions that may be taken in the event of non-compliance with any of the stipulated regulations.

The interests of employees, third-party companies and the business goals of the company should always be considered in a security policy. For instance, security policies that make provisions for the privacy of personnel information take into account the sensitivity and importance of safeguarding the company's employees. It is just as important to take into account safeguarding the assets of any partner companies.

When creating a security policy, it is a good approach to have drafts reviewed by representatives from different departments, such as IT managers, legal and human resources personnel and executives. This will create a document that is a representation and addresses the concerns of all interests within the organization.

Purchasing decisions can be influenced by security policies, as products will need to address security as outlined within the document. Therefore, a good security policy will help to create standards for software, hardware and other supporting network equipment.

Security policies will also help to clarify what actions should be taken, and the people to be notified, in specific situations. This aids in prompting users to take actions sooner and hopefully to prevent or lessen the impact of any security violations. The policy should also detail what corrective actions should be taken after the breach, and any legal or criminal penalties that may be pursued in certain situations.

Security policies that are well thought out and inclusive will always help in providing guidance and directives for policies in other areas. Privacy is an area that should be addressed not only by security but also, legal, human resources and management.

Finally, a security policy is a living document, and as such, in order to be effective should be reviewed and updated on a periodic and regulated basis to ensure that it is up to date and covers all applicable situations, environments and systems within the organization.

What Is Included in a Security Policy

A security policy contains many sections but these can usually be grouped into three categories. The first category outlines the parameters that are used within the policy. This section can have many subsections. The second area usually defines a risk assessment, or accreditation, process and the last area is the one with the rules and guidelines formed using the information from the second section.

First Section – Parameters

Introduction

The introduction at the beginning of the document usually explains why the security policy is being implemented at the site. Basically this is a summary of why the policy was created, whose authority was used to create the policy and what the policy addresses.

Audience

The second part of the parameters section addresses the intended audience, who the policy was written for, usually the general population of a company, including regular users, IT personnel, managers, etc. Along with whom it is intended for, the Audience section also addresses what part of the policy is applicable to each audience group.

Definitions

In order to ensure that everyone who reads the security policy comes away with the same understanding of the stated rules and regulations, including a definition of the terms used within the policy is essential. This avoids misunderstandings, unintentional misrepresentations or a lack of comprehension of the policy caused by unfamiliarity with the terms it uses.

Second Section – Risk Assessment

Including a risk assessment of resources serves a few purposes. The most important and most obvious reason for a risk assessment is to quantify the risk associated with the systems. There is a cost associated with applying security to an organization's assets; money is spent on security tools, appliances and applications. What a risk assessment does is to make sure that money is not spent inappropriately, on systems that do not warrant the expenditure. An inventory of systems is usually performed in conjunction with a risk assessment. A risk assessment will determine what threats exist for systems within an organization and how high the risks are for those systems. The results will help to prioritize systems from those of highest threat to areas of minimal exposure and vulnerability. This will aid in identifying those areas where the highest level of security should be focused and how those areas should be protected. The goals of securing assets are to provide the maximum levels of availability, integrity and confidentiality, and a risk assessment should always judge threats and exposures with regard to how these three areas will be affected by them.

It is unusual to go in depth into the subject of risk assessment within a security policy. Rather, a security policy is used to state system categories and their security classifications. The categories are used to identify the systems within an organization and classification addresses the level of security needed to provide the optimum security protection. Threats to each category of system will usually dictate their security classifications. The classifications will be further defined by listing the threats that are faced. Finally, security measures will be determined based on classifications.

Identifying Assets

Assets are not limited to hardware, software and related equipment; they also include valuable proprietary information, applications and sensitive data. Company assets further include the personnel involved in daily business functions, and the documentation, processes and supplies that are used to support those business functions. The categories that are used within a security policy are usually subjective and determined based upon the priorities of the business.

Threats to the Assets

Unauthorized or malicious access, theft or disclosure of sensitive data, and denial of service are just a few of the threats faced by company assets. Many companies will have simulated attacks performed on their assets, either by qualified in-house personnel or third-party security firms. These simulated attacks are designed to highlight and pinpoint the vulnerabilities within an organization's systems and architecture, including the human component. These simulations serve the added purpose of identifying the greatest vulnerabilities and the systems most exposed to them. This information can then be used to create the risk assessment guidelines discussed in the introduction to this section.
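The paragraphs above describe the risk assessment only in words: inventory the assets, rate each one's confidentiality, integrity and availability impact, list the threats, and rank them. The following is an added example (not part of the original paper) that carries that process through in code. The three-point scales, the classification labels, the asset names and the threats are all constructed for illustration; a real assessment would define its own scales in the policy's Definitions section.

```python
"""Qualitative risk assessment: classify assets by CIA impact, score each
threat as likelihood x impact, and rank the results.

Added example (not part of the original paper). The scales, asset names,
ratings and threats below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Three-point scales; a real policy would define these in its Definitions section.
IMPACT = {"low": 1, "moderate": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
CLASSIFICATION = {1: "public", 2: "internal", 3: "restricted"}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str  # impact if the asset is disclosed
    integrity: str        # impact if the asset is altered
    availability: str     # impact if the asset is unavailable

    def impact(self, objective: str) -> int:
        return IMPACT[getattr(self, objective)]


@dataclass(frozen=True)
class Threat:
    asset: str
    description: str
    likelihood: str
    affects: Tuple[str, ...]  # subset of OBJECTIVES


def classify(asset: Asset) -> str:
    """The security classification is driven by the worst-case objective."""
    worst = max(asset.impact(o) for o in OBJECTIVES)
    return CLASSIFICATION[worst]


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = likelihood x the highest impact among the objectives the threat affects."""
    if not threat.affects:
        raise ValueError("a threat must affect at least one security objective")
    return LIKELIHOOD[threat.likelihood] * max(asset.impact(o) for o in threat.affects)


def rank_risks(assets: List[Asset], threats: List[Threat]) -> List[Tuple[int, str, str]]:
    """Return (score, asset, threat) rows, highest risk first; ties sorted by name."""
    by_name: Dict[str, Asset] = {a.name: a for a in assets}
    rows = [(risk_score(by_name[t.asset], t), t.asset, t.description) for t in threats]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


# Constructed inventory for a small practice (illustrative values only).
ASSETS = [
    Asset("patient-records-server", "high", "high", "moderate"),
    Asset("public-web-server", "low", "moderate", "moderate"),
    Asset("front-desk-workstation", "moderate", "moderate", "low"),
]

THREATS = [
    Threat("patient-records-server", "theft of patient data by an outsider",
           "likely", ("confidentiality",)),
    Threat("patient-records-server", "ransomware encrypts the database",
           "possible", ("integrity", "availability")),
    Threat("public-web-server", "website defacement", "possible", ("integrity",)),
    Threat("front-desk-workstation", "unattended logged-in session",
           "likely", ("confidentiality",)),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name}: {classify(a)}")
    for score, asset, desc in rank_risks(ASSETS, THREATS):
        print(f"{score:2d}  {asset:24s}  {desc}")
```

Note how the ranking falls out: the front-desk workstation, a low-value asset on its own, scores the same as ransomware on the records server, because an unattended session is rated likely. That is the kind of result a risk assessment exists to surface, and it is why the classification (which looks only at impact) and the risk ranking (which also weighs likelihood) are kept as separate outputs.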

Third Section - The Actual Policies

There are many sections that come under this heading, but not all will be included in any given security policy. Only those sections which are pertinent to an organization are listed within its security policy. Some companies also make their security policies more specific than others. In a distributed and decentralized organization, policies should remain as non-specific as possible, and cover the broadest range of issues without being platform specific. Listed below are the broad headings that cover most of the important items to be incorporated in a security policy, along with general guidelines about what each should contain.

Security Planning and Oversight

Security planning and oversight involves the establishment of a security department as a recognized entity within the business hierarchy. Under this heading the roles and responsibilities of the security department are defined. The responsibility of security planning and incorporation is usually assigned to members of the security department, working closely with the affected business groups. Oversight of security implementation, compliance and policies are also under the governance of the security department.

Security Education, Training and Awareness

It is imperative, if security is to be taken seriously, that an awareness of security be propagated throughout the organization. A security awareness program that incorporates security training and education is the best way to accomplish this goal. Security training raises awareness of the possibility of security breaches and the myriad ways in which breaches can be performed. Training educates users as to how to protect themselves, their environment and ultimately the business. It gives personnel the information necessary for them to prevent, detect and mitigate any violations. It also provides examples so that people can recognize threats when they witness them.

In a large and decentralized environment this training is particularly necessary because those business units not geographically close to the personnel of the security department need to be instructed in whom to contact and what items to include when reporting any suspicious incidents.

Backups and Business Continuity Plans

In the event of a breach, backups are vital in restoring daily operations. Policies should dictate the information to back up, the method used in creating backups, the archival policies and retention period for backups.

Catastrophic events include not only security breaches, but also natural disasters, environmental failures such as fire or flooding, deliberate destruction such as bombings, and human tragedy where lives, property or the capability to perform vital business functions are threatened or seriously impacted. After such an occurrence, it is imperative that mission critical systems be brought up, at alternative locations if needed, and put into production in order to prevent the total failure of the business. Emergency response plans should be detailed to include backup operation plans, procedures and responsibilities.

Physical Security

Often overlooked, physical security is part of the security policy. This section should include the physical access controls used to restrict or deny entry to sensitive areas. It should detail the procedures for admitting visitors to business offices and the access provided to personnel employed at the business.

Facility requirements should be included here. Requirements include air regulation, fire safety equipment and measures, temperature and other environmental controls as required for normal business functions.

Access Controls

Access involves much more than simple entry to the facilities. Access permitted to documents, sensitive or otherwise, files and directories, proprietary information or systems are also a large part of access controls. The processes used to approve access to systems and information should be laid out here, including the procedures used in the event of employee termination. Do not forget to include remote access by employees, extranet connections for outside companies, and access to public areas.

Authentication

Authentication is the methodology used to determine that a user is who they state they are, and that they hold the required credentials to access certain areas. The standard for authentication should be spelled out, whether it is simple password challenges, two-factor authentication schemes or the more sophisticated biometrics in use today. Incorporate within the standards the policies governing them, including how many attempts at authentication are permitted before access is locked, how robust the specific method used should be (for example, the length and character classes used in a password determine how strong it is and how difficult it is to guess), inactivity logout periods, etc.
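The three policy parameters named above (password robustness, failed-attempt lockout and inactivity logout) are the ones an authentication system can enforce mechanically. The following is an added example, not code from the original paper, showing one way to implement all three. The thresholds (12 characters, three character classes, five attempts, a 15-minute lockout, a 10-minute idle timeout) are illustrative policy values chosen for this example; the PBKDF2 iteration count is deliberately low so the example runs quickly and should be raised in production. The clock is injectable so the lockout and timeout logic can be exercised without waiting.

```python
"""Enforcing an authentication standard: password complexity, lockout after
repeated failures, and inactivity logout.

Added example (not part of the original paper). The thresholds are
illustrative policy values chosen for this example, not the paper's.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

MIN_LENGTH = 12               # minimum password length
MIN_CHARACTER_CLASSES = 3     # of: lowercase, uppercase, digit, other
MAX_FAILED_ATTEMPTS = 5       # failures before the account is locked
LOCKOUT_SECONDS = 15 * 60     # how long a lockout lasts
INACTIVITY_SECONDS = 10 * 60  # idle time before a session is logged out
PBKDF2_ITERATIONS = 100_000   # kept low for the example; raise in production
DUMMY_SALT = b"\x00" * 16     # used so unknown users cost the same as known ones


def password_meets_policy(password: str) -> bool:
    """Length plus character-class diversity, as the policy would state it."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= MIN_CHARACTER_CLASSES


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Authenticator:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now  # injectable clock so lockout/timeout logic is testable
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # name -> (salt, digest)
        self.failures: Dict[str, Tuple[int, float]] = {}  # name -> (count, locked_until)
        self.sessions: Dict[str, Tuple[str, float]] = {}  # token -> (name, last_activity)

    def register(self, name: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[name] = (salt, hash_password(password, salt))

    def is_locked(self, name: str) -> bool:
        return self.now() < self.failures.get(name, (0, 0.0))[1]

    def login(self, name: str, password: str) -> Optional[str]:
        """Return a session token on success, None on failure or lockout."""
        t = self.now()
        count, locked_until = self.failures.get(name, (0, 0.0))
        if t < locked_until:
            return None  # locked out: rejected even if the password is right
        record = self.users.get(name)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, expected = record if record else (DUMMY_SALT, b"")
        supplied = hash_password(password, salt)
        if record is None or not hmac.compare_digest(supplied, expected):
            count += 1
            if count >= MAX_FAILED_ATTEMPTS:
                self.failures[name] = (0, t + LOCKOUT_SECONDS)  # lock and reset count
            else:
                self.failures[name] = (count, 0.0)
            return None
        self.failures.pop(name, None)  # successful login clears the failure count
        token = os.urandom(16).hex()
        self.sessions[token] = (name, t)
        return token

    def touch(self, token: str) -> Optional[str]:
        """Return the session's user and refresh its activity time, or None if expired."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, last_activity = entry
        t = self.now()
        if t - last_activity > INACTIVITY_SECONDS:
            del self.sessions[token]  # inactivity logout
            return None
        self.sessions[token] = (name, t)
        return name
```

Two details are worth calling out because a policy rarely spells them out. A locked account rejects the correct password as well as wrong ones, otherwise the lockout does nothing to slow a guessing attack; and the password hash is computed even for names that do not exist, so that the time taken to answer does not tell an attacker which usernames are valid.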

Network Security

Network security states how assets on the network will be protected. Assets include, but are not limited to, data whether proprietary or public access, servers, routers, and applications. Security controls used to secure these assets may include firewalls, intrusion detection systems, access controls, authentication methods, network auditing, operating systems used and file system directory structures.

Encryption

Encryption, the process of converting clear, readable text into ciphertext that cannot be read without the corresponding key, has evolved into a widespread technology. It is used over wide area networks, to create digital signatures verifying a sender's authenticity, and to protect data that travels over public networks, such as e-mail. In order to prevent a lack of usability and confusion over what type of encryption to use, a standard should be detailed and the algorithms, key lengths and configuration to be used should be listed.

Acceptable Use Policy

The acceptable use policy states how users are allowed to use company resources. This includes Internet, e-mail, server, data, equipment, and personal use limitations of all resources.

Auditing and Review

Once the policy has been disseminated and implemented, a procedure to check user and equipment compliance should be instituted. The auditing and review policies should lay out the frequency, time frame and methodology to be used in reviewing and auditing compliance. This is useful in identifying and correcting gaps in security before incidents occur. It also helps to ensure that, should a breach be identified, the company will have legal or punitive recourse with which to address the involved parties.

Compliance

Compliance explains the enforcement policies for the security policies. It may include the penalties associated with non-compliance and the process used in investigating any suspected non-compliance. This helps by removing the excuse of ignorance that has been offered in the past for security transgressions.

Incident Handling and Response

One of the most important areas within the security policy, the Incident Handling and Response section points out and educates personnel about identifying security breaches. The outcome of a security incident can sometimes hinge on the timely detection and notification of the incident, and on what steps are taken to mitigate the breach. It can mean the difference between a minor incident and one where major losses, either in production or monetary, are incurred. This section holds the processes to follow during specific incidents, including natural and other disasters. Who to notify, what to do, what information to provide, and any extenuating circumstances should all be laid out here, along with a prioritization of incidents.

Conclusion

Not everything that should be included in a security policy can be detailed in any one document. When creating a security policy, take into account the business function, the corporate culture, the budget and the resources at your disposal. Be sure to include all pertinent personnel in the policy creation process in order to cover all areas deemed of interest and priority. A good security policy is so much more than just a listing of regulations. It dictates the scope, direction and priority of security within an organization. A good security policy can mean the difference between a comprehensive security posture and a document that is neither regarded nor implemented with any conviction. Security begins with the policies that are enforced within an organization, and a large budget does not ensure success. What does ensure success is a good policy that is descriptive, disseminated and enforced within a company.

