An enormous amount of a company's most crucial information, including financial data, personnel records, customer information, and trade secrets, is concentrated in one virtual “place”: the organization's network. This location renders this information vulnerable to unauthorized access and accidental or intentional destruction, both from within and (assuming the local network is connected to the Internet, as most today are) from outside intruders. Implementation of security measures, to be effective, must be based on an organized plan that takes into account all aspects of the organization's security needs. There must be rules and guidelines governing how the plan is put into action. These are disseminated throughout the organization as policies.
Understanding Policy-Based Security
Those of us in the security field often stress the need for detailed policies that are customized to fit the needs of each particular organization—sometimes to the point of sounding like a broken record. However, there's a good reason for this: The security policy is the foundation of an organization's security plan. It is the governing document, much like a police department's general orders, a city's charter, or a corporate board's mission statement. The following sections discuss the purpose and function of an IT security policy and the process of evaluating and defining security needs, developing the policy, and implementing it throughout the organization.
What Is a Security Policy?
A
security policy, as the term is used here, refers to a written document that defines an organization's approach to security or a specific security area (in this case, computer and network security) and lays down a set of rules to be followed in implementing the organization's security philosophy.
Note
Guidelines usually function as recommended procedures rather than hard-and-fast rules. Guidelines can supplement policies, but they do not replace them.
Organizations may establish both written and unwritten rules pertaining to security matters and may issue a number of different types of documents dealing with these issues. How does the security policy differ from security-related memoranda and directives, standards, specifications, guidelines, and procedural documents?
Security Memoranda
Generally, a
security memorandum or freestanding
security directive is issued in response to a particular incident and may be used as a way to establish a rule that is not covered in the policy. If the rule applies only to a specific one-time situation or will be in effect for only a limited time, a memora-ndum might be all that's needed. If the rule will be permanent or long-term and is applicable to a broader spectrum of situations, it should be incorporated into the organization's formal policy as soon as possible. A memorandum can also be informational only, its purpose to make users aware of security considerations without laying out specific rules or guidelines.
Security Standards and Specifications
Standards and specifications are generally requirements that are to be met in implementing system-specific security procedures and may be used to measure or rate the overall reliability, compatibility, or other characteristics of the system. The Common Criteria for Information Technology Security Evaluation (which is commonly called the Common Criteria) is an international standard for computer security, which is outlined under ISO/IEC 15408. It is a framework that outlines the evaluation criteria for IT security. It evolved from the government standards used by several countries, and it provides a framework that is used by users, vendors, and testing laboratories to specify, implement, and test IT security.
Security Procedures
Procedural documents supplement the policy and may be incorporated into it as part of a policies and procedures manual. The procedural document gives step-by-step technical instructions for tasks that are required to implement the policies. For example, if the policy states that users must change their passwords every 30 days, you might have two associated procedural documents: one directed to network administrators that details how to set password requirements on the Windows domain controller to force users to change passwords at 30-day intervals, and another directed to users detailing how to change their passwords. When contained in separate documents, the policy section and associated procedural document(s) should reference one another.
Why This Information Matters to the Investigator
Investigators responding to cybercrimes that involve a corporate network need to have a thorough understanding of how security is implemented within the organization, just as an investigator responding to a home invasion needs to know the layout of the house, how and where commercial security devices are in place, what the family's security philosophy is, and so forth. Unlike most residential situations, corporations will often have formal, written documentation that lays out all the guidelines followed in implementing the security plan.
However, these documents aren't always easy to understand—unless you also understand the process by which they're created, adopted, and implemented. In the following sections, we provide an overview of that process: how organizations assess their security needs based on known risk factors, threat levels, and other factors that determine how much and what types of security will be implemented; how policy areas are defined; and how the document itself is developed (usually by a policy development team).
This background will make it easier for investigators to come into an organization and analyze its role as the victim or source of cybercrimes based on information contained in the policy document. For example, if an examination of the policies shows that the organization has an extremely strong password policy, and further investigative techniques such as interviewing employees reveal that the policies are universally enforced, this could indicate that intruders used techniques other than password cracking to gain access, or it could indicate that there is a “leak” inside the organization. In other words, understanding the policies can help to narrow the focus of the investigation. This is often one of the most difficult and most vital steps in the investigative process.
Evaluating Security Needs
If we accept the stated definition of security policy, it becomes obvious that there is not and cannot be a one-size-fits-all IT security policy that will work equally well for all organizations. Security needs differ, based on:
▪ The perceived and actual threat levels
▪ Organizational vulnerabilities
▪ The organization's philosophy (open versus closed system)
It is important to analyze all of these factors carefully when developing a policy that offers both adequate protection and a desirable level of access.
Components of an Organizational Security Plan
Security features are now built into operating system software; Windows XP, Vista, Server 2003, and Server 2008 include numerous security features. UNIX and Linux distributions as well as Mac OS X also come with built-in security features. IT security products, both hardware and software, abound. Security training and numerous security certifications are available, and IT professionals are seeking them out. These are all important components of an organization's overall security plan, but they are not enough. Effective coordination and interaction of all these parts require one more thing: a comprehensive security policy.
Defining Areas of Responsibility
To assess security needs accurately, someone should review the company's infrastructure, processes, and procedures and involve personnel at all levels of the organization and from as many different departments as possible. Ideally, the following tasks will be performed by a carefully selected team that includes, at a minimum, members of management, IT personnel, and a company legal representative. Each team member should be assigned specific areas of responsibility, and deadlines for completion should be provided.
Responsibility for Developing the Security Plan and Policies
The initial creation of a good security plan requires a great deal of thought and effort. The policy will impact those at all levels of the organization, and it is desirable to solicit input from as many representatives of different departments and job descriptions as is practical. An effective approach is to form a committee consisting of people from several areas of the organization to be involved in creating and reviewing the security plan and policies. A security planning committee of this type might include some or all of the following:
▪ The network administrator and one or more assistant administrators
▪ The site's security administrator
▪ Department heads of various company departments or their representatives
▪ Representatives of user groups that will be impacted by the security policies (for example, the secretarial staff, the data processing center)
▪ A member of the legal department who specializes in computer and technology law
▪ A member of the finance or budget department
▪ A member of upper management
Responsibility for Implementing and Enforcing the Security Plan and Policies
Security policies will generally be implemented and enforced by network administrators and members of the IT staff. Job descriptions and policies should designate exactly who is responsible for the implementation of which parts of the plan. There should be a clear-cut chain of command that specifies whose decision prevails in case of conflict. In some cases—such as physical penetration of the network—the company security staff will become involved. Written, clearly formulated policies should be in place, which stipulate which department has responsibility for which tasks in such situations.
The security plan should also address the procedures for reporting security breaches, both internally and if the police or other outside agencies are to be brought in. In addition, it should be specified who is responsible for or has the authority to call in outside agents.
As we mentioned in
Chapter 5 when we discussed the investigation of policy violations, one of the most important factors in a good security policy is that it must be enforceable. If the policy can be enforced through security tools, this method is preferred. If the policies must be enforced through reprimand or other actions against employees who violate them, there should be clearly worded, universally distributed written documentation of what constitutes a violation and what sanctions will result, as well as who is responsible for imposing such sanctions.
Analyzing Risk Factors
Before the policy development team can set policies, they need to determine both the nature and the level of the security risks to the organization. Traditionally, risk analysis involves:
▪
Determining to what types of security breaches the organization is vulnerable
▪ For each type, determining the probability of such a breach occurring
▪ For each type, determining the extent of the loss that would be suffered if the breach did occur
This process is known as quantitative risk analysis. Another type of risk analysis, qualitative risk analysis, disregards the probability element and instead focuses on potential threats and the characteristics of the system or network that make it vulnerable to these threats. Then methods are developed for preventing or reducing the likelihood of breaches, detecting when breaches do occur, and decreasing and repairing the damage done if a breach does occur. To help identify threats and vulnerabilities, rate the threat level, estimate the impact on the organization, and recommend solutions, risk assessment tools may be used.
Why is a risk analysis necessary? There are several reasons, including the following:
▪ From the IT professional's point of view, a detailed risk analysis is the first and perhaps most important step in justifying to management the cost to implement needed security measures.
▪ From the business manager's point of view, the risk analysis document provides a solid, objective basis for making budgetary and personnel-impacting decisions.
▪ Data collected during the risk analysis process forces both IT and management to face and acknowledge threats and vulnerabilities of which they might not have been aware or which they previously might have been able to ignore.
▪ Risk analysis allows the organization to focus resources on the existing threats and vulnerabilities and avoid wasting time and funds on unnecessary measures.
▪ Because the risk analysis process involves personnel throughout the organization, it can raise security awareness and help make appropriate security practices the responsibility of everyone who uses the computers and network. This is a basic tenet of crime prevention.
Assessing Threats and Threat Levels
The dictionary defines a
threat as “somebody or something likely to cause harm.” The threat assessment portion of the risk analysis should include:
▪ Sources of potential threats
▪ The nature of potential threats
▪ The likelihood of occurrence of each potential threat type
▪ The estimated impact of each potential threat type
Sources of potential threats can be divided into internal and external categories. Although many security policies focus on the threat of a security breach from outside the network or organization (across the Internet), in actuality many organizations find that their biggest potential losses come from inside—the deliberate or unintentional actions of employees, contractors, and others who have legitimate access to the network. It is important to address both categories when performing a threat assessment.
Defining threat sources further requires that the assessment team determine both
who and
what could pose a threat to the network. For example, people who could pose a threat include most of the cybercriminal types discussed in
Chapter 3. The nature of possible threats is the
what in this equation. Any of these people could initiate threats of one or more of the following natures:
▪ Unauthorized access to data
▪ Unauthorized disclosure of information
▪ Modification or corruption of data
▪ Introduction of viruses, worms, or Trojans
▪ Denial or interruption of service or network congestion/slowdown
Note
A thorough threat assessment program will not overlook the threats posed by events such as fire, flood, and power loss as well as those caused by human agents.
The next step in threat analysis consists of assigning a likelihood or probability to each type of threat event. A high probability indicates that the threat event is more likely than not to occur, as when there is a history of its occurrence in the past. A medium probability indicates that the threat event might or might not occur. A low probability indicates that the threat event is not likely to occur, although it is possible. Finally, the assessment team must evaluate the probable impact on the organization for each potential threat event. For example:
▪ If the company's customer database were destroyed, how would this affect such activities as sales, billing, and so on?
▪ If the company network were down for one day, what is the potential cost to the company in lost sales, lost employee productivity, and the like?
▪ If the company's client records were made public, what is the potential loss in terms of lawsuits, withdrawal of client business, or similar actions?
Once all of these questions have been asked and answered, it is a relatively simple matter to construct a threat assessment matrix that will put this information into perspective and help the policy development team focus the company's security policies on the threat areas of highest likelihood and most significant impact.
Analyzing Organizational and Network Vulnerabilities
In previous chapters, we discussed how to analyze a network's
technical vulnerabilities. These vulnerabilities are those characteristics or configurations that an attacker can exploit to gain unauthorized
access or misuse your network and its resources. Network vulnerabilities are often referred to as
security holes. Security holes should be identified as part of the policy development process. These vulnerabilities can be caused by a programming characteristic or (mis)configuration of the operating system, a protocol or service, or an application. Examples might include:
▪ Operating system code that allows hackers to crash a computer by accessing a file whose path contains certain reserved words
▪ Unnecessarily open TCP/UDP ports that hackers can use to get into or obtain information about the system
▪ A Web browser's handling of scripts which allow malicious code to execute unwanted commands
The network's connections to the Internet and other networks obviously affect vulnerability. Data on a network that is connected 24/7 via a high-speed link is more vulnerable than data on a network that is only intermittently connected to the outside. A network that allows multiple outside connections (such as modems and phone lines on a number of different computers) increases vulnerability to outside attack. Dial-up modem connections merit special consideration. Although a dial-up connection is less open to intrusion than a full-time dedicated connection—both because it is connected to the outside for a shorter time period, reducing the window of opportunity for intrusion, and because it usually has a dynamic IP address, making it harder for an intruder to locate it on multiple occasions—allowing workstations on the network to have modems and phone lines can create a huge security risk.
If improperly configured, a computer with a dial-up connection to the Internet that is also cabled to the internal network can act as a router, allowing outside intruders to access not just the workstation connected to the modem, but also other computers on the LAN. One reason for allowing modems at individual workstations is to allow users to dial up connections to other private networks. A more secure way to do this is to remove (or in the case of laptops, disable) the modems and have the users establish a VPN connection with the other private network through the LAN's Internet connection. The best security policy is to have as few connections from the internal network to the outside as possible and to control access at those entry points (the
network perimeter).
Note
Third-party software tools known as vulnerability scanners are designed to discover the vulnerabilities on a network, using a database of known commonly exploited weaknesses and probing for those weaknesses on your network.
Organizational vulnerabilities are those areas and data that are open to danger or harm if exposed to an attack. To determine these vulnerabilities, the policy team should first identify the assets that could be exposed to the types of threats previously identified. These could include financial records, trade secrets, personal information (including customer/client information), intellectual property, and marketing and strategy documents.
You should consider a number of factors when you are assessing vulnerabilities, including the nature of the data that goes through the organization's network. The vulnerability of data that is highly confidential (such as trade secrets) or irreplaceable (such as original artwork or writing) should be of highest priority. Vulnerability is also affected by the size of the organization and network. A larger number of people who have access to the network indicates a greater chance of exposure to someone who will want to do harm.
Analyzing Organizational Factors
The next step in evaluating security needs is to determine the philosophy of the organization's mana-gement regarding security versus accessibility. It is important to remember that the two are conflicting characteristics; the more of one that a system has, the less of the other it will have. The organizational philosophy determines where on the security-access continuum a particular network falls (and thus determines its policies).
Some companies institute a highly structured, formal management style. Employees are expected to respect a strict chain of command, and information is generally disseminated on a “need to know” basis. Government agencies, especially those related to law enforcement such as police departments and investigative agencies often follow this philosophy, sometimes referred to as the paramilitary model.
Other companies, particularly those in “creative” industries and other fields that are subject to little state regulation, are built on the opposite premise: that all employees should have as much information and input as possible, that managers should function as “team leaders” rather than authoritarian supervisors, and that restrictions on employee actions should be imposed only when necessary for the efficiency and productivity of the organization. This is sometimes called the “one big happy family” model. Creativity is valued more than “going by the book,” and job satisfaction is considered to be an important aspect of enhancing employee performance and productivity.
In business management circles, these two diametrically opposed models are called Theory X (traditional paramilitary style) and Theory Y (modern, team-oriented approach). Although numerous other management models have been popularized in recent years, such as management by objective (MBO) and total quality management (TQM), each company's management style falls somewhere on the continuum between Theory X and Theory Y. The management model is based on the personal philosophies of the company's top decision makers regarding the relationship between management and employees.
The management model can have a profound influence on what is or isn't acceptable in planning security for the network. A “deny all access”-based security policy that is viewed as appropriate in a Theory X organization could meet with so much resentment and employee dissatisfaction in a Theory Y company that it disrupts business operations. Policy makers must always consider the company “atmosphere” as part of security planning. If there are good reasons to implement strict security in a Theory Y atmosphere, the restrictions will probably have to be justified to management and “sold” to employees, whereas those same restrictions might be accepted without question in a more traditional organization.
Considering Legal Factors
Security needs not only depend on the wishes of company managers, but they may also be dictated or at least guided by the criminal and civil laws in a particular jurisdiction. If the company's industry
is subject to government regulations, the information on its network falls under privacy protection acts, or company contracts prohibit disclosure of information on the company network, these are legal factors that must be considered in establishing security policies.
It is important to protect the company from liability that might be incurred if employees or others using the network violate laws. For this reason, it is essential that the security policy development team include one or more attorneys who are well versed in applicable laws, and who are familiar with the terms of the company's contracts with partners, vendors, clients, and others.
Analyzing Cost Factors
Finally, but rarely of least concern, the needs evaluation must take into account the monetary cost of implementing heightened security. Determining the funds available for security upgrades will affect security policies by forcing the development team to differentiate the organization's security needs from security wants.
Cost factors can also force the team to prioritize security needs so that those threats that are most likely or most imminent can be addressed, those assets that are most important can be protected, and those vulnerabilities that are most egregious can be closed first.
Assessing Security Solutions
Once the company has identified and documented its security needs and established a working budget for addressing those needs, it is possible to assess solutions and determine which one(s) meet those needs within that budget. Network security solutions can generally be divided into three broad categories: hardware, software, and policy-only solutions.
Hardware Solutions
Hardware-based security solutions involve adding some physical device such as a dedicated firewall to protect the network or a smart card reader for logon authentication. Removal of diskette and CD/DVD drives from desktop computers to prevent unauthorized copying of files to removable media or introduction of viruses is also a hardware-based solution. Other security hardware devices include:
▪ Keystroke capture devices for monitoring computer use
▪ Hardware tokens for storing security keys
▪ Cryptographic hardware devices for offloading the processing of crypto operations
▪ Biometric authentication devices such as fingerprint or retina scanners
Hardware solutions can be more costly than software-only solutions, but they offer several advantages. Hardware security is usually more secure because there is less exposure of security information such as private keys, and it is more difficult to tamper with hardware than software. Hardware solutions also often offer faster performance.
Software Solutions
Software solutions include IDSes, packet/circuit/application filtering software, and security auditing software, as well as software firewall packages such as Microsoft's Internet Security and Acceleration
(ISA) Server, which combine these functions. Other software security solutions are antivirus (AV) programs such as those made by Symantec, “spyware” used to monitor how computers are being used (including packet sniffer software that can capture and analyze network traffic), and network management packages that incorporate security features. Operating system and application “fixes” that patch security holes can also be placed in this category.
Policy Solutions
Most hardware and software security measures have accompanying policies that prescribe when and how they are to be deployed and used, but many security measures consist of policies only. For example:
▪ Policies that prohibit users from disclosing their passwords to anyone else
▪ Policies that require users to lock their workstations when they leave their desks
▪ Policies that require users to get permission before installing any software on their machines
▪ Policies that prohibit users from allowing anyone else to use the computer after they've logged on
Of course, in many cases policies will be enforced via software or hardware. For example, a policy that prohibits users from copying network files to their local disks can be enforced by permissions that allow read-only access. A policy that requires users to change their passwords every 30 days can be enforced by setting passwords to expire after that time period.
Complying with Security Standards
The security policy document should lay out standards regarding such issues as confidentiality and integrity of data, authorization and authentication, access, appropriate use of network resources, and employee privacy issues. If compliance with federal standards (such as a C2 rating) or industry-specific standards (such as HIPAA for healthcare organizations) is required, the specifications should be included and mandated in the policy document.
Policies should be reviewed for compliance with international standards such as ISO 17799. You might want to reference related sections of ISO 17799 in individual policies similarly to the reference to related policies.
Government Security Ratings
Security ratings might be of interest in the development of a company's security policy, although they are not likely to be important unless the organization works under government contract requiring a specified level of security. An international standard for computer security is ISO/IEC 15408, which was based on TCSEC (United States, CTCPEC (Canada), and ITSEC (Western Europe). As we discussed earlier, this standard is called the Common Criteria for Information Technology Security Evaluation (or Common Criteria for short). Your security policy might specify adherence to this particular set of standards or specifications.
Utilizing Model Policies
Model security policies can be used to guide the policy development team in preparing a comprehensive policy document. Policy templates can be purchased from various sources (for example, RUSecure Information Security Policies), and sample policies are available for download from such organizations as the SANS Institute.
An advantage is that purchased model policies may be guaranteed to be compliant with ISO standards, HIPAA, or the like. However, policy makers should beware of simply copying a sample policy without an extensive review to ensure that the policies fit the organization's philosophy, budget, and business model. Sample policies are usually “sanitized”—that is, organization-specific issues have been removed to provide a generic policy that is designed to serve as a starting point in creating customized policies.
Common Policy Areas
In creating policies for an organization, a number of policy areas often need to be addressed. These include the following:
▪
Password Policies define the length and complexity of passwords, how often they must be changed, and other important qualities that we discussed in
Chapter 11.
▪ Server and workstation security policies define rules governing physical security of network-connected computers, mandating logoff or password-protected screensavers when leaving a station unattended, system shutdown policies, sharing of workstations, and so forth.
▪ Encryption policies define when encryption should or shouldn't be used and the encryption technologies or algorithms that are acceptable. For example, a policy might mandate that specific proven algorithms such as 3DES, RSA, or IDEA be used and prohibit use of proprietary or nonstandard algorithms.
▪ E-mail policies govern such matters as opening e-mail attachments, using e-mail clients configured to display Hypertext Markup Language (HTML) mail, forwarding internal e-mail to people outside the organization, and so forth.
▪ Remote access policies define rules for connecting to the company network from outside using dial-in or VPN connections, specify what remote authentication methods can be used, prohibit “dual homing” (being connected to another network while simultaneously being connected to the company network), and so forth.
▪ Wireless access policies set forth standards for connecting to the corporate network using wireless equipment, requiring use of Wireless Equivalent Privacy (WEP) or other encryption technologies, prohibiting connection of unauthorized wireless access points to the network, and so forth.
▪
Acceptable use policies define what users are allowed to do or are prohibited from doing on the network, governing personal use (such as Web surfing, sending personal e-mail), downloading files, posting to newsgroups, prohibiting installation of unauthorized software applications, and so forth. We discussed this type of policy in
Chapter 5.
Many other policy areas could be applicable to specific organizations; defining policy areas to be addressed is an important task for the policy development team. You can view examples of policy documents that cover the areas mentioned (and others) on the SANS Institute's Security Policy Project resource page at
www.sans.org/resources/policies/Developing the Policy Document
The policy development team should ideally be chosen prior to and be involved in the needs evaluation process. The team should comprise management and IT personnel, along with someone from each department within the organization. The team should include a legal advisor. As they begin to solidify and codify your policies, the team members must work closely together to:
▪ Establish security priorities based on the threat assessment matrix.
▪ Consider and incorporate security standards as needed.
▪ Determine the practices and procedures that are necessary to achieve the desired level of security at both the administrative and user levels.
▪ Clearly define both required and prohibited behaviors.
▪ Determine and define consequences for violations.
▪ Determine what policies are enforceable and methods for enforcement.
▪ Policies should represent a consensus as to what is and is not appropriate computer-related behavior.
Establishing Scope and Priorities
The policy development team should determine the scope of the policy document. For example, will policies regarding telephone, mobile phone, and fax use be included in the IT security policy or be part of a separate policy document? Will procedures for purchasing hardware and software be covered, or will this area be addressed in an overall organizational purchasing policy document? The easiest way to create a policy nightmare is to have two policy documents with conflicting directives.
Funds might not be available to address all security needs. Even if enough funds are allocated, most organizations will not be able to implement all security measures simultaneously. Thus, the team must establish priorities to determine which policies will be implemented first. Prioritization will be based on such factors as:
▪ Immediacy of the threat
We discussed immediacy of the threat and potential loss in the threat assessment section. Ease of implementation can also be a factor in prioritizing. Policies that can easily and quickly be implemented can be put in place first, while work begins on those that require more time and effort. Policies generally mandate one or more of the following: physical safeguards, technical
security mechanisms, and/or administrative procedures. It can often be faster and easier to change administrative procedures than to implement physical safeguards (which could require purchase and setup of equipment or modifications to the facilities) or technical mechanisms (which could require purchase of software as well as a learning curve for IT personnel and users).
Policy Development Guidelines
Policies can be divided into different policy types: regulatory policies, which must be implemented to comply with the law or regulatory agency requirements; advisory policies, which are strongly recommended though not mandated; and information policies, which provide information but do not prescribe or proscribe any action.
Security policies can serve a number of secondary purposes in addition to the primary purpose of preventing unauthorized use of the network. For example, the policies can be the basis for personnel action (discipline or termination), can be used in the company's defense (or against it) in a civil lawsuit, and can even be instrumental in building a criminal case for prosecution. Thus, it is imperative that the policies that are finally published be well thought out, reasonable, and clearly articulated.
Policy writers should avoid technical jargon insofar as is possible; the security policies must be understandable to and usable by company managers, human resources personnel, and the users to whom they apply, as well as IT personnel. It's a good idea to include a glossary to define the technical terminology that is unavoidable. It is also important to create accountability; the person(s) responsible for each area of network/computer security and that person's scope of responsibility should be identified in the policy document.
Policies should state what actions are required, recommended, or prohibited. In addition to defining the action, they should give an example of behavior that would constitute that action, or a violation. For example, if the policy states, “Each user is required to protect the secrecy of his or her network logon password,” it should give concrete examples such as, “Users are required to memorize their passwords. Users are prohibited from possessing any written record of their passwords anywhere on company property and are prohibited from divulging their passwords to any other person. If any person asks a user to divulge his or her password, the user is required to report the request to the network administrator immediately.”
Policies should clearly state the consequences for violation. Consequences should be based on the severity of the violation, damage/loss caused, intent or lack thereof, and history of past violations. It's always important to ensure that the policies are consistent—not just with one another within the IT security policy document, but also with other company and departmental policies. Finally, it's imperative to make sure that policies don't conflict with any local, state, or federal laws.
Policy Document Organization
The policy document should not be a hodgepodge collection of security directives. It should be logically organized so that related policies are brought together under broadly defined areas. For example, sections might include:
▪ Physical security (placement of servers, installation of hardware, securing cabling, securing printers, location of backup tapes, and access to rooms/buildings where computer equipment is located)
▪
Local system security (users' responsibilities in regard to securing their own workstations, installation of software, and copying files)
▪ Password security (policies governing length of passwords, complexity of passwords, changing passwords, and protection of passwords)
▪ Network security (policies governing use of firewalls, downloading/uploading of files, Web access, and using instant messaging [IM] software)
▪ Server security (access to servers, protection of Web servers, file servers, DNS servers, and authentication servers)
▪ Remote access security (policies governing telecommuters, on-the-road executives, after-hours access from home, and designated VPN software and configurations)
▪ Data management and document-handling policies (policies that govern transferring and exchanging data, securing databases, modifying directory structures, creating/deleting files, naming files, and classifying data sensitivity)
▪ E-mail security (policies governing sending/receiving attachments, use of HTML mail, and e-mail client configuration settings)
▪ Software development policies (governing security and control over in-house software code)
▪ E-commerce security (governing online sales and purchases)
▪ Wireless communication security (policies governing standards for use of wireless devices on the network)
▪ Intranet and extranet policies (governing terms of access, acceptable use)
▪ Backup policies (scheduling, responsibility, retention, and storage)
▪ Disaster prevention and recovery policies (continuity of service, power backup)
▪ Policies governing security violations (responsibility to report, response handling)
▪ Policies governing employees who leave the company, both on friendly and on hostile terms (e.g., turning over equipment and access cards, deactivation of network accounts)
The policy document should contain a detailed table of contents. Each individual policy should have the following components:
▪ A title that describes clearly what the policy pertains to and a notation of any policy that it supercedes or replaces
▪ The effective date of the policy (and duration or expiration date if the policy is temporary)
▪ Reference to related policies
▪ A section stating the purpose or objective of the policy
▪ A section identifying the threat or vulnerability being addressed
▪
A brief summary of the policy
▪ A section that lays out in detail the policy itself—that is, defining the act or acts that are required or prohibited; this should include identification of people responsible for implementing the policy, to whom the policy applies, and any exceptions to the policy
▪ Signature of the authority issuing the policy
Educating Network Users on Security Issues
The best security policies in the world will be ineffective if the network users are not aware of them or if the policies are so restrictive and place so many inconveniences on users that users go out of their way to attempt to circumvent them. The security plan itself should contain a program for educating network users—not just as to what the policies are, but why they are important and how the users benefit from them. Users should also be instructed in the best ways to comply with the policies and what to do if they are unable to comply or if they observe other users deliberately violating the policies. If users are involved in the planning and policy-making stages, it will be much easier to educate them and gain their support for the policies at the implementation and enforcement stages.
Policy Enforcement
To be effective, policies must be enforceable, and they must be enforced consistently. Policies that are unenforceable (perhaps because you don't have the means to detect violations) or that you are not willing to enforce are worse than useless; their existence undermines the credibility of the rest of the policies. Enforcement must not be selective; if exceptions to the policies are necessary for certain people or in certain circumstances, those exceptions should be laid out in the policy itself.
Enforcement authority should be divided among a number of people to provide a system of checks and balances. Employees should be made aware of who is responsible for policy enforcement, and the enforcement team must be given the authority to carry out the job (for example, the authority to monitor e-mail and Web access). Employees should be informed within the policy document that they may be subject to such monitoring.
Policy Dissemination
Copies of the IT security policy should be distributed to all personnel to whom the policies apply. All employees should be required to sign a statement acknowledging that they have received, have read, and agree to abide by the terms of the policy. Amendments to the policy should be distributed, and the distribution should be documented in the same way. This is important in the event that disciplinary action is taken against an employee for violation of the policy.
Copies of the policy can also be made available to organizational personnel in electronic format. This should be in addition to, not instead of, the procedure recommended earlier. One of the easiest ways to do this is on the intranet in HTML format. This allows the policy maker to create hyperlinks to reference documents and cross-reference related policies, and it makes it easy for users to search the document(s) for keywords and phrases. Security awareness and training policies might also be
included and should specify required training for different levels of personnel (permanent staff members, temporary staff members, contractors, management, technical personnel, users of new systems, and so on).
Ongoing Assessment and Policy Update
The security policy is not a static document. Company business practices and priorities change, and new types of threats emerge as hackers learn new ways of accessing or attacking networks. The policy document should be reviewed on a regular basis and revised when necessary to meet new challenges and adapt to changing circumstances. The document itself should include a policy outlining the schedule for review, the person responsible for conducting the review, and the procedure for amending the document, as well as the procedure for disseminating changes to all affected personnel throughout the organization.