TRANSCRIPT
SECURITY POLICIES
Indu Ramachandran
Outline
General idea/importance of security policies
When security policies should be developed
Who should be involved in this process
Cost of security policies
Available resources
Security policies in detail
Failure of security policies
After the security policy is written
About Security Policies
Increased level of threats
Organization’s attitude towards security policies
Establishing standards
More than just “keeping the bad guys out”!
Management and security policy
Policies, not procedures!!
Importance of Security Policies
Establishes standards
Provides basic guidelines
Defines appropriate behavior
Helps defend the organization against lawsuits
Aspects of Security
Traditional ideas of security
Revised security aspects:
Confidentiality: protect objects from unauthorized release or use of information
Integrity: preserve objects and prevent unauthorized modification
When should Policies be developed
Ideal scenario: before any incident forces the issue
Often not the case; policies are frequently written:
After a security breach
To mitigate liability
To document compliance
To demonstrate quality control processes
To meet customer/client requirements
Who should be involved
Basically EVERYONE!!!!!
System users
System support personnel
Managers
Business lawyers
Importance of Involving Management
Funding and Commitment
Leadership
Authority
Responsibility/Support
Do you need Security Policies??
Questions that help answer this question…
Do workers at your organization handle information that is confidential?
Do workers at your organization access the internet?
Does your organization have trade secrets?
Add custom questions to suit your organization!!
The Security Cost Function
Cost of security: increases exponentially with the level of protection sought
Trade-off between the cost of security and the cost of violations
Formula for calculating the cost of violations:
Total cost of violations = cost of a single violation × frequency of the violation
GOOD NEWS!!!! You are not on your own !!!
Internet Resources
The SANS Institute
NIST (National Institute of Standards and Technology)
RFCs
Universities
Resources (cont’d)
Books:
Guide for Developing Security Policies for Information Technology Systems
Information Security Policies Made Easy (around 1360+ security policy templates used by several large organizations)
Training sessions: SANS Institute
Types of security policies
Administrative security policy (rules that people are required to follow)
Examples of administrative security policies:
Users must change their password each quarter
Employees must not use dial-out modems from their desktops
Technical security policy (the same rules, enforced by system configuration)
Examples:
Servers will be configured to expire passwords each quarter
Accounts must lock out after four unsuccessful login attempts
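The two technical policies above only matter if a host is actually configured that way. The script below is an added example, not part of the deck: it audits a Linux host’s password-aging and lockout settings against those two rules. It assumes shadow-utils /etc/login.defs for password aging (PASS_MAX_DAYS) and pam_faillock’s /etc/security/faillock.conf for the lockout threshold (deny), takes “each quarter” to mean 90 days, and uses constructed sample files rather than settings captured from a real system.

```python
"""Audit login.defs / faillock.conf against the slide's two technical policies.

Added example; assumes shadow-utils and pam_faillock file formats.
"""

# Technical policy as stated on the slide: passwords expire every quarter
# (taken here as 90 days) and accounts lock after four failed logins.
POLICY = {"max_password_age_days": 90, "lockout_threshold": 4}

# Constructed sample configuration files (not captured from a real host).
LOGIN_DEFS_WEAK = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""
FAILLOCK_WEAK = """\
# No 'deny' line: the lockout threshold is left at the module default
unlock_time = 600
"""
LOGIN_DEFS_OK = """\
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   14
"""
FAILLOCK_OK = """\
# lock after four unsuccessful attempts, as the policy requires
deny = 4
unlock_time = 900
"""


def parse_login_defs(text):
    """Parse 'KEY value' lines; '#' starts a comment, blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def parse_faillock_conf(text):
    """Parse 'key = value' lines with the same comment rules."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(login_defs_text, faillock_text, policy=POLICY):
    """Return a list of findings; an empty list means both policies are met."""
    findings = []
    ld = parse_login_defs(login_defs_text)
    fl = parse_faillock_conf(faillock_text)

    # A missing or negative PASS_MAX_DAYS disables expiry entirely.
    if "PASS_MAX_DAYS" not in ld:
        findings.append("PASS_MAX_DAYS not set: password expiry is not enforced")
    else:
        max_days = int(ld["PASS_MAX_DAYS"])
        if max_days < 0 or max_days > policy["max_password_age_days"]:
            findings.append(
                f"PASS_MAX_DAYS={max_days}: passwords must expire within "
                f"{policy['max_password_age_days']} days"
            )

    # Without an explicit 'deny' the threshold depends on the module default,
    # which the policy does not control, so treat it as a finding.
    if "deny" not in fl:
        findings.append("faillock 'deny' not set: lockout threshold is not explicitly enforced")
    elif int(fl["deny"]) > policy["lockout_threshold"]:
        findings.append(
            f"faillock deny={fl['deny']}: must be at most "
            f"{policy['lockout_threshold']} attempts"
        )
    return findings


if __name__ == "__main__":
    for label, ld, fl in (("weak", LOGIN_DEFS_WEAK, FAILLOCK_WEAK),
                          ("hardened", LOGIN_DEFS_OK, FAILLOCK_OK)):
        print(label, audit(ld, fl) or ["compliant"])
```

Run it against the real files by reading /etc/login.defs and /etc/security/faillock.conf instead of the constructed strings; a non-empty findings list is the gap between the administrative policy on paper and the technical policy on the host.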
What is in a security policy
Three categories
First category: parameters section
Introduction
Audience
Definitions
What is in a security policy (cont’d)
Second category: risk assessments
When this should be done
Benefits
Who should do this
Identifying assets
Threats to assets
What is in a security policy (cont’d)
Third category: actual policies
Examples of policies
Physical security
Examples of policies (cont’d)
Authentication
Password policy
Remote access policy: the modem issue
Examples of policies (cont’d)
Acceptable use policy
Examples of acceptable use policies at http://www.eff.org/pub/CAF/policies
Other policies
Examples of policies, as well as their templates, on the SANS website: http://www.sans.org/resources/policies/
What makes a good security policy
Must be usable
Must communicate clearly
Must not impede/interfere with business
Enforceable
Updated regularly
Other factors: interests, laws
Problems with Security Policies
Increased tension level
Security needs viewed differently by different groups
Too restrictive/hard to implement
Impedes productivity
Conflict and politics: management concentrates on goals for the company; technical personnel have their own agenda
So what happens???
What do you do???
Information Security Management Committee
Bridge the gap
Committee Composition
Responsibilities of the committee
Real-world problems caused by missing policies
At A Government Agency...
At A Local Newspaper...
Why Security Policies Fail
Security is seen as a barrier to progress: perceived to have zero benefit; an obstacle/impediment to productivity
Security is a learned behavior, not instinct; the value of assets is not taken seriously
Why Security Policies Fail (cont’d)
Complexity: security work is never finished
Failure to review
Other reasons: lack of stakeholder support; organizational politics
Compliance & Enforcement
Training
Testing and effectiveness of the policy
Monitoring
Taking Action
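Testing a policy’s effectiveness and monitoring it means checking the system’s behaviour, not the configuration file. The script below is an added example (not from the deck) that replays authentication log lines and reports every account that reached the slide’s four-failure threshold without a lockout being recorded, either because a later login was accepted anyway or because the log simply shows no lock. The log lines are constructed in a syslog/sshd style, and the wording matched for the lockout event follows pam_faillock’s “account temporarily locked” message; both the sample lines and that wording are assumptions for the example.

```python
"""Check that the four-failure lockout policy is actually enforced.

Added example; replays constructed sshd-style log lines.
"""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 4  # the slide's policy: lock after four unsuccessful attempts

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
Mar 10 09:01:02 srv1 sshd[4012]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Mar 10 09:01:05 srv1 sshd[4012]: Failed password for alice from 10.0.0.5 port 51001 ssh2
Mar 10 09:01:08 srv1 sshd[4012]: Failed password for alice from 10.0.0.5 port 51002 ssh2
Mar 10 09:01:11 srv1 sshd[4012]: Failed password for alice from 10.0.0.5 port 51003 ssh2
Mar 10 09:01:15 srv1 sshd[4012]: pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked
Mar 10 09:02:00 srv1 sshd[4020]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 10 09:02:03 srv1 sshd[4020]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar 10 09:02:06 srv1 sshd[4020]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 10 09:02:09 srv1 sshd[4020]: Failed password for bob from 198.51.100.7 port 40003 ssh2
Mar 10 09:02:12 srv1 sshd[4020]: Failed password for bob from 198.51.100.7 port 40004 ssh2
Mar 10 09:02:20 srv1 sshd[4020]: Accepted password for bob from 198.51.100.7 port 40005 ssh2
Mar 10 09:03:00 srv1 sshd[4031]: Failed password for carol from 10.0.0.9 port 52000 ssh2
Mar 10 09:03:04 srv1 sshd[4031]: Failed password for carol from 10.0.0.9 port 52001 ssh2
Mar 10 09:03:10 srv1 sshd[4031]: Accepted publickey for carol from 10.0.0.9 port 52002 ssh2
Mar 10 09:04:00 srv1 sshd[4040]: Failed password for dave from 203.0.113.4 port 33000 ssh2
Mar 10 09:04:02 srv1 sshd[4040]: Failed password for dave from 203.0.113.4 port 33001 ssh2
Mar 10 09:04:04 srv1 sshd[4040]: Failed password for dave from 203.0.113.4 port 33002 ssh2
Mar 10 09:04:06 srv1 sshd[4040]: Failed password for dave from 203.0.113.4 port 33003 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+)")
# Assumed pam_faillock wording for the lockout event.
LOCKED = re.compile(r"for user (\S+) account temporarily locked")


def check_lockout_enforcement(log_text, threshold=LOCKOUT_THRESHOLD):
    """Return findings (sorted by user) where the lockout policy did not take effect."""
    failures = defaultdict(int)  # consecutive failures per user since last lock/success
    findings = []
    for line in log_text.splitlines():
        m = LOCKED.search(line)
        if m:
            failures[m.group(1)] = 0  # lock recorded: policy worked, reset the counter
            continue
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            user = m.group(1)
            if failures[user] >= threshold:
                findings.append({
                    "user": user,
                    "reason": f"login accepted after {failures[user]} consecutive "
                              f"failures with no lockout",
                })
            failures[user] = 0
    # Users still sitting at or above the threshold with no lock in the log.
    for user, count in failures.items():
        if count >= threshold:
            findings.append({
                "user": user,
                "reason": f"{count} consecutive failures and still no lockout recorded",
            })
    return sorted(findings, key=lambda f: f["user"])


if __name__ == "__main__":
    for finding in check_lockout_enforcement(SAMPLE_LOG):
        print(f"{finding['user']}: {finding['reason']}")
```

In the sample, alice is locked as the policy requires, carol never reaches the threshold, while bob is let in after five failures and dave sits at four with no lock, so those two are reported. Feeding real auth logs through the same function is a cheap way to test whether the lockout rule written into the policy is enforced on every host, not just the ones whose configuration was audited.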
Review the Policy
Review committee: good representation
Frequency of review meetings
Responsibilities
What to review