SECURITY POLICIES
Indu Ramachandran
Outline
• General idea/importance of security policies
• When security policies should be developed
• Who should be involved in this process
• Cost of security policies
• Available resources
• Security policies in detail
• Failure of security policies
• After the security policy is written
About Security Policies
• Increased level of threats
• Organization’s attitude towards security policies
• Establishing standards
• More than just “keeping the bad guys out”!
• Management and security policy
• Policies, not procedures!!
Importance of Security Policies
• Establishes standards
• Provides basic guidelines
• Defines appropriate behavior
• Helps against being sued
Aspects of Security
• Traditional ideas of security
• Revised security aspects
  • Confidentiality: protect objects from unauthorized release/use of information
  • Integrity: preserve objects / avoid unauthorized modification
When Should Policies Be Developed
• Ideal scenario (often not the case)
• After a security breach
• To mitigate liability
• For document compliance
• To demonstrate quality control processes
• Customer/client requirements
Who Should Be Involved
• Basically EVERYONE!!!!!
  • System users
  • System support personnel
  • Managers
  • Business lawyers
Importance of Involving Management
• Funding and commitment
• Leadership
• Authority
• Responsibility/support
Do You Need Security Policies??
Questions that help answer this…
• Do workers at your organization handle information that is confidential?
• Do workers at your organization access the internet?
• Does your organization have trade secrets?
Custom questions to suit you!!
The Security Cost Function
• Cost of security
  • Increases exponentially
• Trade-off between the cost of security and the cost of violations
• Formula for calculating cost:
  Total cost of violations = cost of a single violation × frequency of the violation
GOOD NEWS!!!! You are not on your own!!!
• Internet resources
  • The SANS Institute
  • NIST (National Institute of Standards and Technology)
  • RFCs
  • Universities
Resources (cont’d)
• Books
  • Guide for Developing Security Policies for Information Technology Systems
  • Information Security Policies Made Easy
    • 1360+ security templates
    • used by several large organizations
• Training sessions
  • SANS Institute
Types of Security Policies
• Administrative security policies
  • Examples:
    • Users must change their password each quarter
    • Employees must not use dial-out modems from their desktops
• Technical security policies
  • Examples:
    • Servers will be configured to expire passwords each quarter
    • Accounts must lock out after four unsuccessful login attempts
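The two technical policies on this slide are the kind a server team turns into host settings and then audits. The script below is an added example, not from the slides: it checks constructed samples of a Linux login.defs and pam_faillock configuration against those two policies and shows the remediation for the expiry setting. The file layouts (PASS_MAX_DAYS in /etc/login.defs, deny= in /etc/security/faillock.conf), the reading of "each quarter" as 90 days, and all sample text are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the slides: audit password-expiry and account-lockout
# settings against the two technical policies above.
# Assumptions: shadow-utils /etc/login.defs (PASS_MAX_DAYS) and pam_faillock's
# /etc/security/faillock.conf (deny=), with "each quarter" read as 90 days.
# The config text below is constructed sample data, not a real host's files.

LOGIN_DEFS_WEAK='# constructed sample of /etc/login.defs (policy violated)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7'

FAILLOCK_OK='# constructed sample of /etc/security/faillock.conf (policy met)
deny = 4
unlock_time = 900'

FAILLOCK_WEAK='# constructed sample with the lockout line commented out (policy violated)
# deny = 4
unlock_time = 900'

MAX_PASSWORD_AGE=90   # "expire passwords each quarter"
MAX_FAILED_LOGINS=4   # "lock out after four unsuccessful attempts"

# Print the number from the first uncommented "KEY value" or "key = value" line.
# $1 = config text, $2 = key name. Prints nothing if the key is absent.
config_number() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=*[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Policy: passwords expire at least every quarter. Returns 0 on PASS, 1 on FAIL.
check_password_expiry() {
    max_days=$(config_number "$1" PASS_MAX_DAYS)
    if [ -n "$max_days" ] && [ "$max_days" -le "$MAX_PASSWORD_AGE" ]; then
        echo "PASS: PASS_MAX_DAYS=$max_days (<= $MAX_PASSWORD_AGE)"
        return 0
    fi
    echo "FAIL: PASS_MAX_DAYS=${max_days:-unset} (policy requires <= $MAX_PASSWORD_AGE)"
    return 1
}

# Policy: lock the account after four unsuccessful logins. A missing or
# commented-out deny= means pam_faillock never locks, so that is a FAIL too.
check_lockout_threshold() {
    deny=$(config_number "$1" deny)
    if [ -n "$deny" ] && [ "$deny" -ge 1 ] && [ "$deny" -le "$MAX_FAILED_LOGINS" ]; then
        echo "PASS: deny=$deny (<= $MAX_FAILED_LOGINS)"
        return 0
    fi
    echo "FAIL: deny=${deny:-unset} (policy requires lockout after $MAX_FAILED_LOGINS attempts)"
    return 1
}

# Remediation for the expiry setting: rewrite PASS_MAX_DAYS and print the corrected
# text. On a real host apply this to a copy, diff it, then install it via change control.
fix_password_expiry() {
    printf '%s\n' "$1" | sed "s/^\([[:space:]]*PASS_MAX_DAYS[[:space:]]*\)[0-9][0-9]*/\1$MAX_PASSWORD_AGE/"
}

# Stand-alone run: audit the weak sample, its remediated copy, and both lockout
# samples, then print a one-line summary. Always returns 0; the summary carries the count.
run_audit() {
    failures=0
    check_password_expiry "$LOGIN_DEFS_WEAK" || failures=$((failures + 1))
    check_password_expiry "$(fix_password_expiry "$LOGIN_DEFS_WEAK")" || failures=$((failures + 1))
    check_lockout_threshold "$FAILLOCK_OK" || failures=$((failures + 1))
    check_lockout_threshold "$FAILLOCK_WEAK" || failures=$((failures + 1))
    echo "$failures of 4 checks failed"
    return 0
}

run_audit
```

Each check returns its PASS/FAIL as an exit status, so the same functions can be dropped into a cron job or configuration-management run that reads the real files (for example `check_password_expiry "$(cat /etc/login.defs)"`), and a FAIL from the audit is what the "Monitoring" and "Taking action" steps of the compliance slide later act on.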
What Is in a Security Policy
Three categories
First category – Parameters section
• Introduction
• Audience
• Definitions
What Is in a Security Policy (cont’d)
Second category – Risk assessments
• When this should be done
• Benefits
• Who should do this
• Identifying assets
• Threats to assets
What Is in a Security Policy (cont’d)
Third category – Actual policies
Examples of policies
• Physical security
Examples of Policies (cont’d)
• Authentication
  • Password policy
• Remote access policy
  • The modem issue
Examples of Policies (cont’d)
• Acceptable use policy
  • Examples of AU policies at http://www.eff.org/pub/CAF/policies
• Other policies
  • Examples of policies as well as their templates on the SANS website: http://www.sans.org/resources/policies/
What Makes a Good Security Policy
• Must be usable
• Must communicate clearly
• Must not impede/interfere with business
• Enforceable
• Updated regularly
• Other factors
  • Interests
  • Laws
Problems with Security Policies
• Increase in tension level
• Security needs viewed differently
• Too restrictive/hard to implement
• Impediments to productivity
Conflict and Politics
• Management concentrates on goals for the company
• Technical personnel have their own agenda
So what happens??? What do you do???
Information Security Management Committee
• Bridge the gap
• Committee composition
• Responsibilities of the committee
Real-World Problems Caused by Missing Policies
• At a government agency...
• At a local newspaper...
Why Security Policies Fail
• Security is viewed as a barrier to progress
  • Perceived to have zero benefit
  • Obstacles/impediments to productivity
• Security is a learned behavior
  • Not instinct
• Value of assets
  • Not taken seriously
Why Security Policies Fail (cont’d)
• Complexity
• Security work is never finished
• Failure to review
• Other reasons
  • Lack of stakeholder support
  • Organizational politics
Compliance & Enforcement
• Training
• Testing the effectiveness of the policy
• Monitoring
• Taking action
Review the Policy
• Review committee
  • Good representation
• Frequency of review meetings
• Responsibilities
• What to review
References
• Barman, Scott. Writing Information Security Policies
• http://dmoz.org/Computers/Security/Policy/Sample_Policies/
• http://www.netiq.com/products/pub/ispme_realproblems.asp
• http://www.sans.org/rr/policy/policy.php
• http://www.networknews.co.uk/Features/1138373
• http://irm.cit.nih.gov/security/sec_policy.html
• http://www.cisco.com/warp/public/126/secpol.html