1. How To Build A Successful Security Infrastructure Policies and Procedures u Trust Models u Security Policy Basics u Policy Design Process u Key Security Policies u Key Security Procedures 3

2. How To Build A Successful Security Infrastructure Security Policies - Why use them? u Without security policies, you have no general security framework. u Policies define what behavior is and is not allowed. u Policies will often set the stage in terms of what tools and procedures are needed for the organization. u Policies communicate consensus among a group of governing people. u Computer security is now a global issue and computing sites are expected to follow the good neighbor philosophy.

3. How To Build A Successful Security Infrastructure Who and What to Trust u Trust is a major principle underlying the development of security policies. u Initial step is to determine who gets access. çuse principle of least access u Deciding on level of trust is a delicate balancing act. çtoo much -> eventual security problems çtoo little -> difficult to find and keep satisfied employees u How much should you trust resources? u How much should you trust people?

4. How To Build A Successful Security Infrastructure Possible Trust Models u Trust everyone all of the time çeasiest to enforce, but impractical çone bad apple can ruin the whole barrel u Trust no one at no time çmost restrictive, but also impractical çimpossible to find employees to work under such conditions u Trust some people some of the time çexercise caution in amount of trust placed in employees çaccess is given out as needed çtechnical controls are needed to ensure trust is not violated

5. How To Build A Successful Security Infrastructure Section Three: Policies and Procedures u Trust Models u Security Policy Basics u Policy Design Process u Key Security Policies u Key Security Procedures 3

6. How To Build A Successful Security Infrastructure Why the Political Turmoil? u People view policies as: çan impediment to productivity çmeasures to control behavior u People have different views about the need for security controls. u People fear policies will be difficult to follow and implement. u Policies affect everyone within the organization çmost people resist measures which impede productivity çsome people strongly resist change çsome people strongly resist the big brother syndrome çsome people just like to rock the boat

7. How To Build A Successful Security Infrastructure Who Should be Concerned? u Users - policies will affect them the most. u System support personnel - they will be required to implement and support the policies. u Managers - concerned about protection of data and the associated cost of the policy. u Business lawyers and auditors - are concerned about company reputation, responsibility to clients/customers.

8. How To Build A Successful Security Infrastructure Section Three: Policies and Procedures u Trust Models u Security Policy Basics u Policy Design Process u Key Security Policies u Key Security Procedures 3

9. How To Build A Successful Security Infrastructure The Policy Design Process u Choose the policy development team. u Designate a person or body to serve as the official policy interpreter. u Decide on the scope and goals of the policy. çscope should be a statement about who is covered by the policy. u Decide on how specific to make the policy çnot a detailed implementation plan çdont include facts which change frequently

10. How To Build A Successful Security Infrastructure The Policy Design Process u All people affected by the policy should be provided an opportunity to review and comment on the policy before it becomes official. çvery unrealistic for large organizations çoften difficult to get the information out and ensure people read it. u Incorporate policy awareness as a part of employee orientation. u Provide refresher overview course on policies once or twice a year.

11. How To Build A Successful Security Infrastructure Basic Requirements u Policies must: çbe implementable and enforceable çbe concise and easy to understand çbalance protection with productivity çbe updated regularly to reflect the evolution of the organization u Policies should: çstate reasons why policy is needed çdescribe what is covered by the policies - whom, what, and where çdefine contacts and responsibilities to outside agencies çdiscuss how violations will be handled

12. How To Build A Successful Security Infrastructure Determining Level of Control u Security needs and culture play major role. u Security policies MUST balance level of control with level of productivity. u If policies are too restrictive, people will find ways to circumvent controls. u Technical controls are not always possible. u Must have management commitment on level of control.

13. How To Build A Successful Security Infrastructure Choosing A Policy Structure u Dependent on company size and goals. u One large document or several small ones? çsmaller documents are easier to maintain and update u Some policies appropriate for every site, others are specific to certain environments. u Some key policies: çAcceptable Use çUser Account çRemote Access çInformation Protection

14. How To Build A Successful Security Infrastructure Section Three: Policies and Procedures u Trust Models u Security Policy Basics u Policy Design Process u Key Security Policies u Key Security Procedures 3

15. How To Build A Successful Security Infrastructure The Acceptable Use Policy u Discusses and defines the appropriate use of the computing resources. u Users should be required to read and sign AU policy as part of the account request process. u Many examples of AU policies can be found on: ç http://www.eff.org/pub/CAF/policies/

16. How To Build A Successful Security Infrastructure Some Elements of the Acceptable Use Policy u Should state responsibility of users in terms of protecting information stored on their accounts. u Should state if users can read and copy files that are not their own, but are accessible to them. u Should state if users can modify files that are not their own, but for which they have write access. u Should state if users are allowed to make copies of systems configuration files (e.g., /etc/passwd) for their personal use, or to provide to other people.

17. How To Build A Successful Security Infrastructure Acceptable Use Policy u Should state if users are allowed to use.rhosts files and what types of entries are acceptable. u Should state if users can share accounts. u Should state if users can make copies of copyrighted software? u Should state level of acceptable usage for electronic mail, Internet news and web access.

18. How To Build A Successful Security Infrastructure User Account Policy u Outlines the requirements for requesting and maintaining an account on the systems. u Very important for large sites where users typically have accounts on many systems. u Some sites have users read and sign an Account Policy as part of the account request process. u Example User Account Policies are also available on the CAF archive along with the Acceptable Use Policies. çhttp://www.eff.org/pub/CAF/policies/

19. How To Build A Successful Security Infrastructure Elements of a User Account Policy u Should state who has the authority to approve account requests. u Should state who is allowed to use the resources (e.g., employees or students only) u Should state any citizenship/resident requirements. u Should state if users are allowed to share accounts or if users are allowed to have multiple accounts on a single host. u Should state the users rights and responsibilities.

20. How To Build A Successful Security Infrastructure Elements of User Account Policy u Should state when the account should be disabled and archived. u Should state how long the account can remain inactive before it is disabled. u Should state password construction and aging rules.

21. How To Build A Successful Security Infrastructure Remote Access Policy u Outlines and defines acceptable methods of remotely connecting to the internal network. u Essential in large organization where networks are geographically dispersed and even extend into the homes. u Should cover all available methods to remotely access internal resources: çdial-in (SLIP, PPP) çISDN/Frame Relay çtelnet access from Internet çCable modem

22. How To Build A Successful Security Infrastructure Elements of Remote Access Policy u Should define who is allowed to have remote access capabilities. u Should define what methods are allowed for remote access. u Should discuss if dial-out modems are allowed. u Should discuss who is allowed to have high-speed remote access such as ISDN, Frame Relay or cable modem. çwhat extra requirements are there? çcan other members of household use network?

23. How To Build A Successful Security Infrastructure Elements of Remote Access Policy u Should discuss any restrictions on data that can be accessed remotely. u If partners connections are commonplace, should discuss requirements and methods.

24. How To Build A Successful Security Infrastructure Information Protection Policy u Provides guidelines to users on the processing, storage and transmission of sensitive information. u Main goal is to ensure information is appropriately protected from modification or disclosure. u May be appropriate to have new employees sign policy as part of their initial orientation. u Should define sensitivity levels of information.

25. How To Build A Successful Security Infrastructure Key Elements of Information Protection Policy u Should define who can have access to sensitive information. çspecial circumstances çnon-disclosure agreements u Should define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc). u Should define on which systems sensitive information can be stored. u Should discuss what levels of sensitive information can be printed on physically insecure printers.

26. How To Build A Successful Security Infrastructure Key Elements of Information Protection Policy u Should define how sensitive information is removed from systems and storage devices. çdegaussing of storage media çscrubbing of hard drives çshredding of hardcopy output u Should discuss any default file and directory permissions defined in system-wide configuration files.

27. How To Build A Successful Security Infrastructure Firewall Management Policy u Describes how firewall hardware and software is managed and how changes are requested and approved. u Should discuss who can obtain privileged access to firewall systems. u Should discuss the procedure to request a firewall configuration change and how the request is approved. u Should discuss who is allowed to obtain information regarding the firewall configuration and access lists. u Should discuss review cycles for firewall system configurations.

28. How To Build A Successful Security Infrastructure Special Access Policy Special Access Policy u Defines requirements for requesting and using special systems accounts (root, bkup,). u Should discuss how users can obtain special access. u Should discuss how special access accounts are audited. u Should discuss how passwords for special access accounts are set and how often they are changed. u Should discuss reasons why special access is revoked.

29. How To Build A Successful Security Infrastructure Network Connection Policy u Defines requirements for adding new devices to the network. u Well suited for sites with multiple support teams. u Important for sites which are not behind a firewall. u Should discuss: çwho can install new resources on network çwhat approval and notification must be done çhow changes are documented çwhat are the security requirements çhow unsecured devices are treated

30. How To Build A Successful Security Infrastructure Other Important Policies u Policy which addresses forwarding of email to offsite addresses. u Policy which addresses wireless networks. u Policy which addresses baseline lab security standards. u Policy which addresses baseline router configuration parameters.

31. How To Build A Successful Security Infrastructure Section Three: Policies and Procedures u Trust Models u Security Policy Basics u Policy Design Process u Key Security Policies u Key Security Procedures 3

32. How To Build A Successful Security Infrastructure Security Procedures u Policies only define "what" is to be protected. Procedures define "how" to protect resources and are the mechanisms to enforce policy. u Procedures define detailed actions to take for specific incidents. u Procedures provide a quick reference in times of crisis. u Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis).

33. How To Build A Successful Security Infrastructure Configuration Management Procedure u Defines how new hardware/software is tested and installed. u Defines how hardware/software changes are documented. u Defines who must be informed when hardware and software changes occur. u Defines who has authority to make hardware and software configuration changes.

34. How To Build A Successful Security Infrastructure Data Backup and Off-site Storage Procedures u Defines which file systems are backed up. u Defines how often backups are performed. u Defines how often storage media is rotated. u Defines how often backups are stored off-site. u Defines how storage media is labeled and documented.

35. How To Build A Successful Security Infrastructure Security Incident Escalation Procedure u A "cookbook" procedure for frontline support personnel. u Defines who to call and when. u Defines initial steps to take. u Defines initial information to record.

36. How To Build A Successful Security Infrastructure Incident Handling Procedure u Defines how to handle intruder attacks. u Defines areas of responsibilities for members of the response team. u Defines what information to record and track. u Defines who to notify and when. u Defines who can release information and the procedure for releasing the information. u Defines how a follow-up analysis should be performed and who will participate.

37. How To Build A Successful Security Infrastructure Disaster Planning and Response u A disaster is a large scale event which affects major portions of an organization. ça major earthquake, flood, hurricane, or tornado ça major power outage lasting > 48 hours çdestruction of building structures u Main goal of plan is to outline tasks to keep critical resources running and to minimize impact of disaster. u Ensure critical information needed for disaster response is kept off-site and easily accessible after the onset of a disaster.

38. How To Build A Successful Security Infrastructure Disaster Planning and Response u Plan should outline several operating modes based on level of damage to resources. u Determine the need for hot or cold sites. u Disaster preparedness drills should be conducted several times a year.

39. How To Build A Successful Security Infrastructure Resources For Security Policies and Procedures u RFC2196 - The Site Security Procedures Handbook çobsoletes rfc1244 as of 9/97. çhttp://ds.internic.net/rfc/rfc2196.txt u Some useful Web sites: çhttp://www.gatech.edu/itis/policy/usage/contents.html çhttp://csrc.ncsl.nist.gov/secplcy/

40. How To Build A Successful Security Infrastructure Section Three Recap u Ensure policies and procedures are provided to managers, users and support staff. u Ensure polices are in line with the security philosophy and any regulations the organization is required to follow. u Ensure policies are reviewed on a regular basis and are updated as necessary. u Ensure sufficient training is provided on a regular basis.

41. How To Build A Successful Security Infrastructure Three Recap u Important policies every site should have: çAcceptable Use Policy çRemote Access Policy çInformation Protection Policy çFirewall Management Policy u Important Procedures every site should have: çConfiguration Management Procedure çData Backup and Off-site Storage çIncident Handling Procedure çDisaster Recovery Procedure