Policies

decisioncrunch | Networking and Communications

Nov 20, 2013

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.

Chapter 3
Security Policies, Standards, and Planning

By Whitman, Mattord, & Austin


© 2008 Course Technology

Learning Objectives


Upon completion of this material, you should be
able to:


Define management’s role in the development,
maintenance, and enforcement of information
security policy, standards, practices, procedures, and
guidelines


Describe an information security blueprint, identify its
major components, and explain how it is used to
support a network security program


Discuss how an organization institutionalizes policies,
standards, and practices using education, training,
and awareness programs


Explain contingency planning and describe the
relationships among incident response planning,
disaster recovery planning, business continuity
planning, and contingency planning


Slide 2
Firewalls & Network Security, 2nd ed. - Chapter 3

Introduction


To secure its network environment, organization
must establish a functional and well-designed
information security program


Information security program begins with
creation or review of organization’s information
security policies, standards, and practices


Selection or creation of information security
architecture and development and use of
detailed information security blueprint will create
plan for future success


Without policy, blueprints, and planning,
organization’s security needs will not be met



Information Security Policy, Standards,
and Practices


Management must consider policies as basis for
all information security efforts


Policies direct how issues should be addressed
and technologies used


Security policies are the least expensive control
to execute but the most difficult to implement


Shaping policy is difficult because policy must:


Never conflict with laws


Stand up in court, if challenged


Be properly administered through dissemination
and documented acceptance



Information Security Policy, Standards,
and Practices (continued)

For a policy to be considered effective and legally
enforceable:


Dissemination (distribution): organization must be
able to demonstrate that relevant policy has been
made readily available for review by employee


Review (reading): organization must be able to
demonstrate that it disseminated document in
intelligible form, including versions for illiterate,
non-English reading, and reading-impaired
employees



Information Security Policy, Standards
and Practices (continued)

For a policy to be considered effective and legally
enforceable: (continued)


Comprehension (understanding): organization
must be able to demonstrate that employees
understand requirements and content of policy


Compliance (agreement): organization must be
able to demonstrate that employees agree to
comply with policy through act or affirmation


Uniform enforcement: organization must be able
to demonstrate policy has been uniformly
enforced



Definitions


Policy is set of guidelines or instructions an
organization’s senior management implements to
regulate activities of members of organization
who make decisions, take actions, and perform
other duties


Policies are organizational laws


Standards, on the other hand, are more detailed
statements of what must be done to comply with
policy


Practices, procedures, and guidelines effectively
explain how to comply with policy



Figure 3-1 Policies, Standards, & Practices



Enterprise Information Security Policy
(EISP)


EISP is also known as general security policy,
IT security policy, or information security policy


Sets strategic direction, scope, and tone for all
security efforts within the organization


Executive-level document, usually drafted by or
with CIO of the organization and usually 2 to 10
pages long



Enterprise Information Security Policy
(EISP) (continued)


Typically addresses compliance in two areas:


General compliance to ensure meeting
requirements to establish program and
responsibilities assigned therein to various
organizational components


Use of specified penalties and disciplinary action



Enterprise Information Security Policy
(EISP) Elements


Overview of corporate philosophy on security


Information on structure of information security
organization and individuals who fulfill the
information security role


Fully articulated security responsibilities that are
shared by all members of the organization
(employees, contractors, consultants, partners,
and visitors)


Fully articulated security responsibilities that are
unique to each role within the organization



Issue-Specific Security Policy (ISSP)


Guidelines needed to use various technologies
and processes properly


The ISSP:


Addresses specific areas of technology


Requires frequent updates


Contains issue statement on the organization’s
position on an issue


Three approaches:


Create several independent ISSP documents


Create a single comprehensive ISSP document


Create a modular ISSP document



Components of An Effective ISSP

1. Statement of policy
   a. Scope and applicability
   b. Definition of technology addressed
   c. Responsibilities

2. Authorized access and usage
   a. User access
   b. Fair and responsible use
   c. Protection of privacy

3. Prohibited usage
   a. Disruptive use or misuse
   b. Criminal use
   c. Offensive or harassing materials
   d. Copyrighted, licensed, or other intellectual property
   e. Other restrictions

4. Systems management
   a. Management of stored materials
   b. Employer monitoring
   c. Virus protection
   d. Physical security
   e. Encryption

5. Violations of policy
   a. Procedures for reporting violations
   b. Penalties for violations

6. Policy review and modification
   a. Scheduled review of policy and procedures for modification

7. Limitations of liability
   a. Statements of liability or disclaimers





Systems-Specific Policy (SysSP)


SysSPs frequently codified as standards and
procedures used when configuring or maintaining
systems


SysSPs fall into two groups:


Managerial guidance SysSPs: created by
management to guide implementation and
configuration of technology as well as to regulate
behavior of people in the organization


Technical specifications SysSPs: technical policy
or set of configurations to implement managerial
policy



Systems-Specific Policy (SysSP) (continued)


Technical SysSPs are further divided into:


Access control lists (ACLs) consist of the access
lists, matrices, and capability tables that govern
the rights and privileges of a particular user on a
particular system


Configuration rule policies comprise specific
configuration codes entered into security
systems to guide execution of the system
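The two technical SysSP forms named on this slide, shown as working code. This is an added illustration, not code from the textbook or its authors: the subjects, objects, rights and firewall rules are constructed sample data, and the function names (acl_for, capabilities_for, is_authorized, evaluate_rules) are assumptions. The first part holds one access control matrix and derives from it the two other views the slide lists, a per-object ACL and a per-subject capability table, with a default-deny authorization check and a revoke that keeps all views consistent. The second part evaluates an ordered, first-match configuration rule list of the kind entered into a firewall, ending in an implicit deny.

```python
"""Access control matrix, ACL and capability views, and config-rule evaluation.

Added example (not from Whitman, Mattord & Austin). All data below is
constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, FrozenSet, List, Optional, Tuple, TypedDict

Rights = FrozenSet[str]
Matrix = Dict[Tuple[str, str], Rights]

# Constructed access control matrix, indexed by (subject, object).
# A cell that is absent means no rights at all (default deny).
MATRIX: Matrix = {
    ("alice", "payroll.db"): frozenset({"read", "write"}),
    ("alice", "fw-config"): frozenset({"read"}),
    ("bob", "payroll.db"): frozenset({"read"}),
    ("netops", "fw-config"): frozenset({"read", "write", "execute"}),
}


def acl_for(obj: str, matrix: Matrix = MATRIX) -> Dict[str, Rights]:
    """Column view: the ACL stored with one object, subject -> rights."""
    return {s: r for (s, o), r in matrix.items() if o == obj}


def capabilities_for(subject: str, matrix: Matrix = MATRIX) -> Dict[str, Rights]:
    """Row view: the capability table held by one subject, object -> rights."""
    return {o: r for (s, o), r in matrix.items() if s == subject}


def is_authorized(subject: str, obj: str, right: str, matrix: Matrix = MATRIX) -> bool:
    """Default-deny check: unknown subjects, objects or rights all yield False."""
    return right in matrix.get((subject, obj), frozenset())


def revoke(subject: str, obj: str, right: str, matrix: Matrix) -> None:
    """Remove one right in place; drop empty cells so every view stays in sync."""
    remaining = set(matrix.get((subject, obj), frozenset())) - {right}
    if remaining:
        matrix[(subject, obj)] = frozenset(remaining)
    else:
        matrix.pop((subject, obj), None)


def matrix_from_acls(acls: Dict[str, Dict[str, Rights]]) -> Matrix:
    """Rebuild the matrix from per-object ACLs: the views carry the same information."""
    return {(s, o): r for o, acl in acls.items() for s, r in acl.items()}


class Rule(TypedDict):
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches every port
    src: str             # CIDR of permitted sources


# Constructed configuration-rule policy: ordered, first match wins.
FIREWALL_RULES: List[Rule] = [
    {"action": "allow", "proto": "tcp", "dst_port": 443, "src": "0.0.0.0/0"},
    {"action": "allow", "proto": "tcp", "dst_port": 22, "src": "10.0.0.0/8"},
    {"action": "deny", "proto": "any", "dst_port": None, "src": "0.0.0.0/0"},
]


def evaluate_rules(src_ip: str, proto: str, dst_port: int,
                   rules: List[Rule] = FIREWALL_RULES) -> str:
    """Return the action of the first matching rule, or "deny" if none matches."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if rule["dst_port"] is not None and rule["dst_port"] != dst_port:
            continue
        if src not in ipaddress.ip_network(rule["src"]):
            continue
        return rule["action"]
    return "deny"  # implicit default deny at the end of the list


if __name__ == "__main__":
    print("ACL for fw-config:", acl_for("fw-config"))
    print("Capabilities of alice:", capabilities_for("alice"))
    print("bob write payroll.db:", is_authorized("bob", "payroll.db", "write"))
    print("203.0.113.5 -> tcp/22:", evaluate_rules("203.0.113.5", "tcp", 22))
```

Keeping the matrix as the single source of truth and deriving ACLs and capability tables from it is what makes revocation safe: a right removed in one place disappears from every view. The rule evaluator shows why rule order is itself policy: the SSH allow for 10.0.0.0/8 is only reachable because it precedes the catch-all deny.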


Policy Management


Policies are living documents that must be
managed and are constantly changing


Special considerations should be made for
organizations undergoing mergers, takeovers,
and partnerships


To remain viable, security policies must have:


An individual responsible for reviews


A schedule of reviews


A specific policy issuance and revision date



Frameworks and Industry Standards


With general idea of vulnerabilities in IT systems,
security team develops security blueprint, which
is used to implement security program


Security blueprint is basis for design, selection,
and implementation of all security program
elements including policy implementation,
ongoing policy management, risk management
programs, education and training programs,
technological controls, and maintenance of
security program


Frameworks and Industry Standards
(continued)


Security framework is outline of overall
information security strategy and roadmap for
planned changes to the organization’s
information security environment


Number of published information security
frameworks, including ones from government
sources


Because each information security environment
is unique, security team may need to modify or
adapt pieces from several frameworks


ISO 27000 Series


One of the most widely referenced security
models is Information Technology - Code of
Practice for Information Security Management,
originally published as British Standard 7799


This Code of Practice was adopted as
international standard ISO/IEC 17799 in 2000
and renumbered to ISO/IEC 27002 in 2007


Stated purpose of ISO/IEC 27002 is to “give
recommendations for information security
management for use by those who are
responsible for initiating, implementing, or
maintaining security in their organization”


ISO 27000 Series Current and Planned
Standards


Figure 3-2 BS7799:2



NIST Security Models


Another approach available is described in
documents available from csrc.nist.gov:


SP 800-12: An Introduction to Computer Security:
The NIST Handbook


SP 800-14: Generally Accepted Security Principles
and Practices for Securing Information Technology
Systems


SP 800-18 Rev 1: The Guide for Developing
Security Plans for Federal Information Systems


SP 800-26: Security Self-Assessment Guide for
Information Technology Systems


SP 800-30: Risk Management for Information
Technology Systems



IETF Security Architecture


While no specific architecture is promoted
through the Internet Engineering Task Force,
Security Area Working Group acts as advisory
board for protocols and areas developed and
promoted through the Internet Society


RFC 2196: Site Security Handbook provides an
overview of five basic areas of security with
detailed discussions on development and
implementation


Chapters on such important topics as security
policies, security technical architecture, security
services, and security incident handling



Benchmarking and Best Practices


Benchmarking and best practices are reliable
methods used by some organizations to assess
security practices


Possible to gain information by benchmarking
and using best practices and thus work
backwards to effective design


Federal Agency Security Practices Site
(fasp.nist.gov) designed to provide best
practices for public agencies and is adapted
easily to private organizations



Figure 3-4 Spheres of Security



Design of Security Architecture


Defense in depth


One of the foundations of security architectures
is requirement to implement security in layers


Requires that the organization establish sufficient
security controls and safeguards so an intruder
faces multiple layers of controls


Security perimeter


Point at which an organization’s security
protection ends and the outside world begins


Unfortunately, perimeter does not apply to
internal attacks from employee threats or on-site
physical threats



Security Education, Training, and
Awareness


As soon as policies exist, policies to implement
security education, training, and awareness
(SETA) should follow


SETA is a control measure designed to reduce
accidental security breaches


Supplement general education and training
programs to educate staff on information
security


Security education and training builds on
general knowledge that employees must
possess to do their jobs, familiarizing them with
the way to do their jobs securely



SETA Elements


SETA program consists of three elements:


Security education


Security training


Security awareness


Organization may not be capable or willing to
undertake all elements but may outsource them


Purpose of SETA is to enhance security by:


Improving awareness of the need to protect
system resources


Developing skills and knowledge so computer
users can perform their jobs more securely


Building in-depth knowledge, as needed, to
design, implement, operate security programs



Table 3-6 Comparative SETA Framework



Security Education


Everyone in an organization needs to be trained
and aware of information security, but not every
member of the organization needs a formal
degree or certificate in information security


When formal education for appropriate
individuals in security is needed, an employee
can identify curriculum available from local
institutions of higher learning or continuing
education


A number of universities have formal
coursework in information security


(See, for example, http://infosec.kennesaw.edu)



Security Training


Involves providing members of the organization
with detailed information and hands-on
instruction designed to prepare them to perform
their duties securely


Management of information security can
develop customized in-house training or
outsource the training program



Security Awareness


One of the least frequently implemented but
most beneficial programs is the security
awareness program


Designed to keep information security at
forefront of users’ minds


Need not be complicated or expensive


If program is not actively implemented,
employees begin to ‘tune out,’ and the risk of
employee accidents and failures increases



Continuity Strategies


Managers must provide strategic planning to
assure continuous information systems
availability when an attack occurs


Plans for events of this type are referred to in a
number of ways:


Business continuity plans (BCPs)


Disaster recovery plans (DRPs)


Incident response plans (IRPs)


Contingency plans


Large organizations may have many types of
plans and small organizations may have one
simple plan, but most have inadequate planning



Contingency Planning


Contingency Planning (CP):


Incident response planning (IRP)


Disaster recovery planning (DRP)


Business continuity planning (BCP)


Primary functions of these three types:


IRP focuses on immediate response, but if attack
escalates or is disastrous, the process changes
to disaster recovery and BCP


DRP typically focuses on restoring operations at
primary site after disasters occur, and, as such,
is closely associated with BCP


BCP occurs concurrently with DRP when
damage is major or long term, requiring
establishment of operations at alternate site



Figure 3-9 Contingency Planning Timeline



Contingency Planning Team


Before any planning begins, a team has to plan
the effort and prepare resulting documents


Champion: high-level manager to support,
promote, and endorse findings of the project


Project manager: leads project and makes sure
a sound project planning process is used, a
complete and useful project plan is developed,
and project resources are prudently managed


Team members: should be managers or their
representatives from various communities of
interest (business, IT, and information security)



Figure 3-10 Major Steps in Contingency Planning



Business Impact Analysis


Begin with business impact analysis (BIA)


If the attack succeeds, what do we do then?


CP team conducts BIA in the following stages:


Threat attack identification


Business unit analysis


Attack success scenarios


Potential damage assessment


Subordinate plan classification



Threat Attack Identification and
Prioritization


Update threat list with latest developments and
add the attack profile


Attack profile is the detailed description of
activities during an attack


Must be developed for every serious threat the
organization faces


Used to determine the extent of damage that
could result to business unit if attack were
successful



Table 3-7 Attack Profile



Business Unit Analysis


Second major task within the BIA is analysis
and prioritization of business functions within
the organization


Identify functional areas of the organization and
prioritize them as to which are most vital


Focus on prioritized list of various functions that
the organization performs



Attack Success Scenario Development


Next, create series of scenarios depicting the
impact a successful attack from each threat
could have on each prioritized functional area
with:


Details on method of attack


Indicators of attack


Broad consequences


Attack success scenario details are added to
attack profile, including best, worst, and most
likely outcomes



Potential Damage Assessment


From previously developed attack success
scenarios, BIA planning team must estimate
cost of best, worst, and most likely cases


Costs include actions of response team


This final result is referred to as an attack
scenario end case



Subordinate Plan Classification


Once potential damage has been assessed,
subordinate plan must be developed or
identified


Subordinate plans will take into account
identification of, reaction to, and recovery from
each attack scenario


Each attack scenario end case is categorized as
disastrous or not


Qualifying difference is whether or not an
organization is able to take effective action
during the event to combat the effect of the
attack



Incident Response Planning


Incident response planning covers identification
of, classification of, and response to an incident


Incident is attack against an information asset
that poses clear threat to the confidentiality,
integrity, or availability of information resources


Attacks are only classified as incidents if they
have the following characteristics:


Are directed against information assets


Have a realistic chance of success


Could threaten the confidentiality, integrity, or
availability of information resources


IR is more reactive than proactive, with
exception of planning and preparation of IR
teams



Incident Planning


Predefined responses enable organization to
react quickly and effectively to detected incident


This assumes the organization has an IR team
and can detect the incident


IR team consists of those individuals needed to
handle systems as incident takes place


IR consists of the following four phases:


Planning


Detection


Reaction


Recovery



Incident or Disaster


When does an incident become a disaster?


The organization is unable to mitigate the impact
of an incident during the incident


The level of damage or destruction is so severe
that the organization is unable to quickly recover


Difference may be subtle


Up to the organization to decide which incidents
are to be classified as disasters and thus
receive the appropriate level of response



Disaster Recovery Planning


Disaster recovery planning (DRP) is planning
the preparation for and recovery from a disaster


Contingency planning team must decide which
actions constitute disasters and which constitute
incidents


When situations are classified as disasters,
plans change as to how to respond; take action
to secure the system’s most valuable assets to
preserve value for the longer term even at the
risk of more disruption in the immediate term


DRP strives to reestablish operations at the
‘primary’ site



DRP Steps


There must be a clear establishment of priorities


There must be a clear delegation of roles and
responsibilities


Someone must initiate the alert roster and notify
key personnel


Someone must be tasked with the
documentation of the disaster


If and only if it is possible, some attempts must
be made to mitigate the impact of the disaster
on the operations of the organization



Crisis Management


Crisis management occurs during and after a
disaster and focuses on the people involved and
addressing the viability of the business


Crisis management team responsible for
managing event from enterprise perspective by:


Supporting personnel and families during crisis


Determining impact on business operations and,
if necessary, making disaster declaration


Keeping public informed


Communicating with major customers, suppliers,
partners, regulatory agencies, industry
organizations, media, other interested parties



Business Continuity Planning


Business continuity planning outlines
reestablishment of critical business operations
during a disaster that impacts operations


If disaster has rendered the business unusable
for continued operations, there must be a plan
to allow the business to continue to function


BCP is somewhat simpler than an IRP or DRP


Consists primarily of selecting continuity
strategy and integrating off-site data storage
and recovery functions into this strategy



Summary


To effectively secure networks, an organization
must establish functional, well-designed
information security program


Information security program creation requires
information security policies, standards, and
practices; an information security architecture;
and a detailed information security blueprint


Management must make policy the basis for all
information security planning, design, and
deployment in order to direct how issues are
addressed and how technologies are used



Summary (continued)


Policy must never conflict with laws but should
stand up in court if challenged


To be effective and legally enforceable, policy
must be disseminated, reviewed, understood,
complied with, and uniformly enforced


Information security team identifies
vulnerabilities and then develops security
blueprint that is used to implement security
program



Summary (continued)


Security framework is outline of steps to take to
design and implement information security


Purpose of security education, training, and
awareness (SETA) is to enhance security by
improving awareness of need to protect system
resources and teaching users to perform jobs
more securely, and to build knowledge to
design, implement, or operate security
programs


Summary (continued)


IT and InfoSec managers must assure
continuous availability of information systems


Achieved with various contingency plans:
incident response (IR), disaster recovery (DR),
business continuity (BC)


IR plan addresses identification, classification,
response, and recovery from incident


DR plan addresses preparation for and recovery
from disaster


BC plan ensures that critical business functions
continue if catastrophic event occurs
