Xem mẫu
- Basic Security Policy
Security Essentials
The SANS Institute
Information Assurance Foundations - SANS ©2001 1
CONTRIBUTING AUTHORS:
Doug Austin Dyncorp Information Systems, LLC
Alexander Bryce Alexander, Ltd.
Rob Dinehart IBJ Whitelhall Financial Group
Brian M. Estep Adelphia
Stephen Joyce bitLab, LLC
Carol Kramer SANS Institute
Randy Marchany Virginia Tech Computing Center
Stephen Northcutt Global Incident Analysis Center
John Ritter Intecs International, Inc.
Matt Scarborough IC
Arrigo Triulzi Albourne Parners, Ltd.
Eric Cole SANS Institute
2-1
- Preface
I never cease to be amazed by the fact that you can’t take a class
in Information Security without being told to do this or that in
accordance with “your security policy”, but nobody ever
explains what the policy is, let alone how to write or
evaluate it.
That is why we undertook this research and education project into
basic security policy. We hope you will find this module useful and
that you will participate in its evolution. Consensus is a powerful
tool. We need the ideas and criticisms from the information
security community in order to make this, The Roadmap, a usable,
and effective policy. Thank you!
Stephen Northcutt
Basic Security Policy - SANS ©2001 2
I never cease to be amazed by the fact that you can’t take a class in Information Security without
being told to do this or that in accordance with “your security policy”, but nobody ever explains
what the policy is, let alone how to write or evaluate it.
That is why we undertook this research and education project into basic security policy. We hope
you will find this module useful and that you will participate in its evolution. Consensus is a
powerful tool. We need the ideas and criticisms from the information security community in order to
make this, The Roadmap, a usable and effective policy. Thank you!
Stephen Northcutt
2-2
- Objectives
• Defining Security Policy
• Using Security Policy to Manage Risk
• Identifying Security Policy
• Evaluating Security Policy
• Issue-specific Security Policy
• Exercise: Writing a Personal Security
Policy
Basic Security Policy - SANS ©2001 3
This page intentionally left blank.
2-3
- Defining a Policy
• Policies direct the accomplishment of
objectives
– Program Policy
– Issue-specific Policy
– System-specific Policy
An effective and realistic Security
Policy is the key to effective and
achievable security.
Basic Security Policy - SANS ©2001 4
A policy is a guideline or directive which indicates a conscious decision to follow a path towards an
objective defined in the policy. Often a policy may institute, empower resources, or direct action by
providing procedures or actions to be carried out. With that in mind, this course will attempt to
provide guidance towards the goal of developing a Basic Security Policy for an organization, or
better defining the existing one. The policy itself should be both effective and realistic with
achievable security goals.
Without a security policy, any organization can be left exposed to the world. In order to determine
your policy needs, a risk assessment must first be conducted. This may require an organization to
define levels of sensitivity with regard to information, processes, procedures, and systems.
During this presentation three references to policy types will be made. It may be inferred that the
policy being described when not specified is that of a program policy. Issue-specific polices will also
be covered, as well as system-specific policies. Let’s define these policy types before we get started.
Program Policy: This high-level policy sets the overall tone of an organization’s security approach.
Typically guidance is provided with this policy to enact the other types of policies and specify who is
responsible. This policy may provide direction for compliance with industry standards such as ISO,
QS, BS, AS, etc.
Issue-specific Policy: These policies are intended to address specific needs within an organization.
This may include password procedures, Internet usage guidelines, etc. This is not as broad a policy
category as the program policy; however, it is broader than the system-specific policy.
System-specific Policy: For a given organization there may be several systems that perform various
functions, where the use of one policy governing all of them may not be appropriate. It may be
necessary to develop a policy directed toward each system individually. This is a system-specific
policy.
2-4
- Defining a Policy (2)
• What makes up a policy?
– Purpose
– Related documents
– Cancellation
– Background
– Scope
– Policy statement
– Action
– Responsibility
Basic Security Policy - SANS ©2001 5
Most organizations have a guide which dictates the makeup of all company policies. This guide
likely contains some or all of the following:
Purpose - the reason for the policy.
Related documents - lists any documents (or other policies) that affect the contents of this policy.
Cancellation - identifies any existing policy that is cancelled when this policy becomes effective.
Background - provides amplifying information on the need for the policy.
Scope - states the range of coverage for the policy (to whom or what does the policy apply).
Policy statement - identifies the actual guiding principles or what is to be done. The statements are
designed to influence and determine decisions and actions within the scope of coverage. The
statements should be prudent, expedient, and/or advantageous to the organization.
Action - specifies what actions are necessary and when they are to be accomplished.
Responsibility - states who is responsible for what. Subsections might identify who will develop
additional detailed guidance and when the policy will be reviewed and updated.
2-5
- Defining a Policy (3)
• Who can sign the policy?
• What process is used to:
– draft a policy
– approve a policy
– implement a policy
Basic Security Policy - SANS ©2001 6
In addition, some organizations further define:
Who can sign the policy.
If you are part of a Department of Defense organization, the authority may be reserved for the senior
military officer. In other cases, it may be a senior vice president or a CIO or other manager. In any
case, the policy must be signed by someone with sufficient authority and credibility that it is
accepted by members of the organization to which it applies.
The process used to get policy drafted, signed, and implemented.
Once you’ve identified what should be in the policy and who will sign it, you need to identify the
folks who will help develop and review the policy before you submit it for signature. Typical
participants (in addition to the security staff) can include members of the legal and human resources
staff, as well as a representative from one or more collective bargaining units.
2-6
- Security Policy Protects
Information
Safeguarding information is
challenging when records are created
and stored on computers.
Basic Security Policy - SANS ©2001 7
We live in a world where computers are globally linked and accessible, making digitized information
especially vulnerable to theft, manipulation, and destruction. Security breaches are inevitable.
Crucial decisions and defensive action must be prompt and precise.
A security policy establishes what must be done to protect information stored on computers. A well-
written policy contains sufficient definition of “what” to do so that the “how” can be identified and
measured or evaluated.
2-7
- Objectives
• Defining Security Policy
• Using Security Policy to Manage
Risk
• Identifying Security Policy
• Evaluating Security Policy
• Issue-specific Security Policy
• Exercise: Writing a Personal Security
Policy
Basic Security Policy - SANS ©2001 8
This page intentionally left blank.
2-8
- Managing Risks in Your Job
• Identify risks
• Communicate your findings
• Update (create) policy as needed
• Develop metrics to measure
compliance
Basic Security Policy - SANS ©2001 9
PROBLEM: The only secure computer is one that is not connected to a network and is powered off.
Use of computers to process information has associated risks. You need a methodology to validate
that the organization is responsible and accountable for managing that risk.
ACTION: Learn how to manage risks related to your job.
Step 1: Identify risks.
Determine how your organization uses computers and networks in the conduct of business, both
routinely and under emergency circumstances. This will provide insight into the risks that you face.
Examples of some things that can pose risks include: using the Internet, not using anti-virus software
on desktop computers, permitting customers/suppliers/partners to bypass the protection afforded by
your firewall, and permitting personal use of corporate computers and networks.
Step 2: Communicate your findings.
Identifying risks is necessary, but not sufficient. Decision-makers need to know what the risks are,
as well as options for managing those risks. Be sure you have adequately communicated the
situation in writing to folks who can make a difference.
Step 3: Update (create) policy as needed.
If there is no written policy in place, write it and get it signed by upper level management. A well-
written policy, signed by top executives, will identify the corporation’s values and demonstrate that
senior management supports the information security activities required by the policy.
Step 4: Develop metrics to measure compliance.
If you cannot measure compliance (conformance), the policy is unenforceable.
2-9
- Risk Assessment
• What do you do?
– The “important bid” story
– When is it okay to violate or change
policy?
– Who has the authority to do it?
– What are the risks involved?
Basic Security Policy - SANS ©2001 10
It’s 2:00 a.m. on a Saturday morning. Your team is trying to finish a time-critical project - an
important bid - by sending a file. There are problems getting through the firewall. The obvious
solution is to modify the firewall, but this is prohibited by the security policy. The team faces a
dilemma. If they don’t act, they will not meet the deadline. If they do act, they risk the consequences
of violating a written security policy.
What do they do?
What policy may provide guidance on this subject?
What risks are involved in doing this?
Policy should also take into account any possible exceptions to the policy, and define:
• what types of exceptions can be made
• who has the authority to make them
• what review process should be followed to evaluate “emergency” exceptions
These considerations protect both the organization’s assets (by defining which changes are
acceptable and which are not) and those people responsible (by defining the responsible parties and
empowering them to make decisions and take action within the scope of the policy).
2 - 10
- Checkpoint: Policy In Action
Finding Policy Wins The Game!
Basic Security Policy - SANS ©2001 11
Think of a football game. Picture the coach at practice sessions, in the locker room before the game.
What is the coach doing? He is presenting, refining, and reworking a plan for winning the game, a
plan that’s practiced over and over until it’s perfect! We can see team captains and players referring
to the plan before each play. What does a game plan have to do with a computer security policy? The
game plan is actually a policy on how to win the game. The team that identifies its capabilities and
limitations, along with the capabilities and limitations of its opponents, will devise the best plan and
the best chance of winning if they follow it.
Risks have been identified and policy has been defined in broad terms. Next we look at concrete
policies.
2 - 11
- Levels of Policy
• Recognize that policies can exist on
different levels
– Enterprise-wide/corporate policy
– Division-wide policy
– Local policy
– Issue-specific policy
– Procedures and checklists
Basic Security Policy - SANS ©2001 12
Unless you are at the top of the organizational hierarchy, there is likely to be a part of the
organization above your level that issues policy that you are expected to implement. A common
hierarchy for policy in an organization might look like this:
Enterprise-wide or Corporate Policy: the highest level (perhaps national); consists of high-level
documents that provide a direction or thrust to be implemented at lower levels in the enterprise.
Division-wide Policy: typically consists of an amplification of enterprise-wide policy as well as
implementation guidance. This level might apply to a particular region of a national corporation.
Local Policy: contains information specific to the local organization or corporate element.
Issue-specific Policy: policy related to specific issues, e.g. firewall or anti-virus policy.
Security Procedures and Checklists: local Standard Operating Procedures (SOPs); derived from the
security policy.
Security policy may exist on some levels and not on others. Documents interact and support one
another, and generally contain many of the same elements. In a typical organization, policy written
to implement higher-level directives may not relieve (waive) any of the requirements or conditions
stipulated at a higher level. Security policy must always be in accordance with local, state, and
federal computer crime laws.
2 - 12
- Objectives
• Defining Security Policy
• Using Security Policy to Manage Risk
• Identifying Security Policy
• Evaluating Security Policy
• Issue-specific Security Policy
• Exercise: Writing a Personal Security
Policy
Basic Security Policy - SANS ©2001 13
This page intentionally left blank.
2 - 13
- Identifying Security Policy
• Who does the procedure?
• What is the procedure?
• When is the procedure done?
• Where is the procedure done?
• Why is the procedure done?
Basic Security Policy - SANS ©2001 14
Given specifics of the anti-virus rollout, how can we construct a policy?
Step 1: Who does the procedure? The network administrator rolls out anti-virus updates to local
desktops.
Why? To protect against virus infections. Certain administrative rights are needed to configure the
push to users’ local drives.
Step 2: What is the procedure? Definitions are unpacked, and placed in a shared directory. Login
scripts download the files, apply the update, and reboot the machines. Machine names are flagged in
the database as having been updated.
Why? Automate the process; create an exception list.
Step 3: When is the procedure done? The procedure is done weekly.
Why? To keep up-to-date with the latest virus attacks. Our vendor rolls out new definitions every
Thursday.
Step 4: Where is the procedure done? The procedure is done from any administrative
workstation. The procedure is applied to all desktops running Windows 9x at any location.
Why? No special location is required to apply the procedure. All desktops need to have the most
current updates.
Step 5: Sample policy derived from procedures outlined in the example above.
To ensure all desktops running Windows 9x are protected from viruses with the most recent updates,
the network administrator at each location will apply the latest virus definition updates biweekly.
Although the process can be automated, checks must be put in place to ensure the updates have been
applied successfully.
We’ve just taken a known and accepted procedure and created a policy for it. This policy may not
have been written and approved, but certainly it was implied and understood before it was written.
2 - 14
- Objectives
• Defining Security Policy
• Using Security Policy to Manage Risk
• Identifying Security Policy
• Evaluating Security Policy
• Issue-specific Security Policy
• Exercise: Writing a Personal Security
Policy
Basic Security Policy - SANS ©2001 15
This page intentionally left blank.
2 - 15
- Evaluating Security Policy
• What if your existing policy is
confusing and hard to read?
• What if it doesn’t cover all the
bases?
• Use a checklist to evaluate your
policy.
Basic Security Policy - SANS ©2001 16
Your organization may have a written policy, but it may be confusing and hard to read. It may also
contain ‘gaps’ where some key issues are addressed, but others are not. You can sort through your
policy by using a checklist to identify policy attributes that need improvement and prepare draft
revisions.
2 - 16
- Evaluating Security Policy (2)
• Use a checklist:
– Does it contain the expected
elements?
– Is it clear?
– Is it concise?
– Is it realistic?
– Does it provide sufficient guidance?
Basic Security Policy - SANS ©2001 17
Verify that the security policies contain the most common elements.
Look for the following elements (discussed earlier), and note what is missing: Purpose, Related
documents, Cancellation, Background, Scope, Policy statement, Responsibility, and Action. (Note:
Not all sections are required. If your search for a Policy Development Guide was successful, consult
it to determine required sections. If there is no written guide, use the above template and check with
other folks who have been successful in getting other policies signed and implemented.)
Examine the security policy to see if it is clear.
One simple way to test for clarity is to have one of the individuals identified as being responsible
determine whether he or she understands the responsibility.
Examine the security policy to see if it is concise.
A specific policy topic (e.g. anti-virus signature updates) shouldn’t exceed two pages. Many
organizations limit them to one page.
Examine the policy to see if it is realistic.
Security policy shouldn’t require people to try to implement things that can’t be implemented.
Examine the policy to see if it provides sufficient guidance so that a specific procedure can be
developed from it.
Policies address what is to be done and why. Procedures specify how things are done and are how
policy ultimately gets implemented. For example, if you have an Internet connection policy, you
should be able to use that policy to create step-by-step procedures that allow you to configure your
firewall. Procedures are also the basis for written checklists.
2 - 17
- Evaluating Security Policy (3)
• Checklist, continued…
– Is it consistent?
– Is it forward-looking?
– Are there means to keep it current?
– Is the policy readily available to those
who need it?
Basic Security Policy - SANS ©2001 18
Examine the policy to see if it is consistent with higher-level policy and guidance.
If you discover any discrepancies between the policy you are reviewing and higher-level policy, note
them, as you will need to resolve them for the policy to be meaningful. Security policy must also be
in accordance with local, state, and federal computer crime laws.
Examine the policy to see if it is forward looking.
Security policy should be open to change based on new risks and vulnerabilities, especially following
an incident. It should not be hardware or software-specific.
Examine the policy for provisions to keep it current.
Security policy should be reviewed regularly. Revisions in implementation should reflect lessons
learned from recent incidents and new threats to the organization’s security.
Check to see if the security policy is readily available.
The Policy Development Guide may provide information regarding responsibility for publishing and
making available specific policy documents. Security policy should be incorporated in employee
handbooks and posted for reference. It must be required reading as part of the new employee
orientation process.
2 - 18
- Bad Policy
“The head of a Federal agency may employ
standards for the cost effective security and
privacy of sensitive information in a Federal
computer system within or under the
supervision of that agency that are more
stringent than the standards promulgated by
the Secretary of Commerce, if such standards
contain, at a minimum, the provisions of those
applicable standards made compulsory and
binding by the Secretary of Commerce.”
Basic Security Policy - SANS ©2001 19
What does this policy statement actually say? Is it concise? Could it provide various interpretations?
2 - 19
- Checkpoint:
Procedure Guidance
• Policies address the who, what,
and why.
• Procedures address the how,
where, and when.
Basic Security Policy - SANS ©2001 20
It cannot be stressed enough: policies address what is to be done, who is to do it, and why.
Procedures specify how things are done, where, when, and ultimately how the policy gets
implemented. Procedures are also the basis for written checklists.
There are four key tests of any policy. They are:
• Is it consistent with higher-level policy and guidance?
• Is it forward looking, able to change if needed?
• Does it have a review schedule?
• Is it readily available?
Next we look at policies directed at specific situations. We have termed these Issue-specific Policies.
2 - 20
nguon tai.lieu . vn
