
Kamyar Niroumand (کامیار نیرومند), Equipment Team Specialist, APA Specialized Center, Isfahan University of Technology, Fall 1388 (autumn 2009)



Presentation transcript:

1 Title slide (presenter, affiliation and date as above)

2 Objectives
- Describe the concepts of security policies.
- Examine the standards of security policy design.
- Describe the individual policies in a security policy.
- Examine a detailed, complete policy template.
- Describe the policy procedures for incident handling and escalation.

3 Concepts of Security Policies
- A security policy is nothing more than a well-written strategy for protecting your network and its resources and maintaining their availability.
- Most organizations do not have a security policy.
- Excuses are rampant!

4 Policy Benefits
- Categories
  - They lower the legal liability to employees and third-party users of resources.
  - They prevent waste of resources.
  - They protect proprietary and confidential information from theft, unauthorized access or modification, or internal misuse of resources.

5 How to Start
- Policy Design
  - The policy committee works together to develop an overall strategy for the policy.
- Enforcement
  - Mechanisms to ensure the policy is enforced.
- Monitoring
  - Tracking the performance of the policy and its effectiveness, or lack thereof.

6 (Figure) A graphical representation of the components of the security policy.

7 A Question of Trust
- The level of trust varies by organization.
- Balancing is the key:
  - too little trust impacts functionality
  - too much trust affects security

8 Trust Options
- Trust all the people all the time
- Trust none of the people none of the time
- Trust some of the people some of the time

9 Policy Committee
- Security Policy Committee
  - Upper & Middle Management
  - Local & Remote Users
  - Human Resources
  - Legal Professionals
  - Security Professionals
  - IT Users

10 Security Policy Scenario
- Organization Overview
- Physical Building Overview
- Network & Computer Overview
- Extranet Overview

11 Are Policies Political?
- Resistance
  - A person who doesn't like change
  - A person who is convinced the policy will hinder their work performance
  - A person who believes the organization is akin to "Big Brother"


13 The Policy Design
- Choosing a leader
  - strong project management skills
  - excellent communicator
- Goals
- Formulating the policy

14 Policy Standards
- BS7799: www.securityauditor.net
- ISO17799: www.iso.ch (.ch = Switzerland; Switzerland is also known as 'Confoederatio Helvetica', hence 'ch')

15 BS7799
- Business continuity planning
- System access control
- System development and maintenance
- Physical and environmental security
- Compliance

16 BS7799 (continued)
- Personnel security
- Security organization
- Computer and network management
- Asset classification and control
- Security policy

17 ISO17799
- Sections
  - Business Continuity Planning
  - System Access Control
  - System Development and Maintenance
  - Physical and Environmental Security
  - Compliance
  - Personnel Security
  - Security Organization

18 ISO17799 (continued)
  - Computer and Network Management
  - Asset Classification and Control
  - Security Policy

19 Important RFCs
- RFC 2196: The Site Security Handbook
- RFC 2504: The User's Security Handbook


21 The Policies
- The Acceptable Use Policy
- The User Account Policy
- The Remote Access Policy
- The Information Protection Policy
- The Network Connection Policy
- The Strategic Partner Policy
- The Privileged Access Policy

22 The Policies (continued)
- The Password Policy
- The Internet Policy
- Individual policies per technology
  - e.g. firewall policy or IDS policy

23 The Acceptable Use Policy
- Considerations
  - Are users allowed to share user accounts?
  - Are users allowed to install software without approval?
  - Are users allowed to copy software for archive or other purposes?
  - Are users allowed to read and/or copy files that they do not own, but have access to?

24 The Acceptable Use Policy (continued)
  - Are users allowed to make copies of any OS files?
  - Are users allowed to modify files they do not own, but have write access to?
  - Are users required to use password-protected screensavers?

25 The User Account Policy
- Considerations
  - Are users allowed to share their user accounts with coworkers?
  - Are users allowed to share their user accounts with family members or friends?
  - Are users allowed to have multiple accounts on a computer?
  - Are users allowed to have multiple accounts in the network?

26 The User Account Policy (continued)
  - Who in the organization has the right to approve requests for new user accounts?
  - How long are accounts to remain inactive before they are disabled?

27 The Remote Access Policy
- Considerations
  - Which users in the organization are authorized for remote access?
  - What is the process for becoming authorized for remote access?
  - What methods of remote access are allowed?
  - Is the entire network accessible remotely?

28 The Remote Access Policy (continued)
  - Can remote users use remote management to reach their computers in the office?
  - Are users' family members allowed to access the organization's network remotely?
  - Are users allowed to install modems to dial out of the network?
  - Will the organization place requirements on the software of computers performing remote access?

29 The Information Protection Policy
- Considerations
  - How are the different levels of data classification labeled?
  - Which users have access to the different levels of data classification?
  - How are users informed of their levels of access?
  - What is the default level of access that is to be applied to all information?

30 The Information Protection Policy (continued)
  - Is information that is classified at the top level allowed to be printed on common printers?
  - Are all computers in the network able to store information that has the top level of classification?
  - Will computers that do store top-level information require special security controls?
  - How is information to be disposed of?

31 The Network Connection Policy
- Considerations
  - Are users allowed to install networking hardware into their computers?
  - Which users are authorized to install networking devices into their computers?
  - Who in the organization has the authority to approve networking component installation?

32 The Network Connection Policy (continued)
  - What is the process of documentation for new networking components?
  - What is the procedure in the event that the network is disabled?
  - What is the process in the event an unauthorized network component is found on the network or in a computer?

33 The Strategic Partner Policy
- Considerations
  - Are strategic partners required to have written security policies?
  - Are strategic partners required to provide copies of their policies?
  - Are strategic partners required to disclose their perimeter and internal security measures?

34 The Strategic Partner Policy (continued)
  - Will strategic partners be allowed to connect via a VPN?
  - How are those VPNs to be configured?
  - What type of access shall be granted to strategic partners?

35 The Privileged Access Policy
- Considerations
  - Who hires the network administration personnel?
  - Who may be allowed root, domain administrator, or enterprise administrator access?
  - What is the process for requesting privileged access?

36 The Privileged Access Policy (continued)
  - Who has the authority to create the privileged access user account?
  - Are administrators allowed to run network-scanning tools?
  - Are administrators allowed to access any file on any computer?
  - What is the process for determining which files administrators do have access to?

37 The Privileged Access Policy (continued)
  - Are administrators allowed to run password-checking tools?
  - Are privileged accounts allowed to access the network remotely?
  - Can a family member or visitor share a privileged account?

38 The Password Policy
- Considerations
  - Will the Security Administrator have the right to run password-checking tools?
  - What is the minimum length that users' passwords must be?
  - How often must users change their passwords?
  - Can a user re-use a password?
  - What are the restrictions on how a password must be created?

39 The Password Policy (continued)
  - What are the penalties for passwords that do not meet the criteria?
  - Are passwords required to be of a different strength for privileged accounts?
  - How many incorrect passwords are required for an account lockout?
  - What is the process for unlocking a locked account?

40 The Password Policy (continued)
  - Are screensavers required to be password protected?
  - Does a user have to log on to the system in order to change a password?

41 The Internet Policy
- Considerations
  - Are all users allowed to access the Internet?
  - Are all users allowed to access Web sites?
  - Are users allowed to access remote email servers?
  - Are there limits on the size of Internet downloads?

42 The Internet Policy (continued)
  - Are there controls in place to restrict access to objectionable Web sites?
  - Are users aware of the controls on access?
  - Will the organization monitor users' access to Web sites?
  - Are users allowed to use organizational email resources for personal use?
  - What level of privacy will users be granted with their email?

43 Miscellaneous Policies
- Considerations
  - Are users able to install PDA software on their components?
  - Who in the organization is going to support the user-installed application?
  - Will administrators be able to review the content stored on the PDA?


45 Sample Escalation Procedures for Security Incidents
- Computer security incidents
  - Loss of personal information
  - Suspected sharing of user accounts
  - Unfriendly employee termination
  - Suspected violations of special access
  - Suspected computer break-in or computer virus

46 Sample Escalation Procedures for Security Incidents (continued)
- Physical security incidents
  - Illegal building access
  - Property damage or personal theft

47 Incident Handling
- The steps of incident handling must be discussed before an incident occurs.

48 Sample Incident Handling Procedure
- Introduction
- General procedures
- Specific procedures
