
GIAC Basic Security Policy
Version 1.4
February 27, 2001

I keep six honest serving men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
--Rudyard Kipling

CONTRIBUTING AUTHORS:
Doug Austin
Alexander Bryce
Rob Dinehart
Stephen Joyce
Carol Kramer
Randy Marchany
Stephen Northcutt
John Ritter
Matt Scarborough
Arrigo Triulzi

Dyncorp Information Systems, LLC
Alexander, Ltd.
IBJ Whitehall Financial Group
bitLab, LLC
SANS Institute
Virginia Tech Computing Center
Global Incident Analysis Center
Intecs International, Inc.
IC
Albourne Partners, Ltd.

EDITED BY: Carol Kramer, Stephen Northcutt, Fred Kerby

If you have corrections or additions or would like to be involved in enhancing this project, please send email to: giactc@sans.org

A note from the director of GIAC Training and Certification:

I have never ceased to be amazed by the fact that you can't take a class in information security without being told to do this or the other thing in accordance with "your security policy". But nobody ever explains what policy is, or how to write or evaluate it. This is why we have begun this research and educational project into security policy. We hope you find this booklet useful, and even more, that you will get involved and help. Consensus is a powerful tool and we need the ideas and criticisms of the information security community to make this the roadmap for usable, effective policy. Thank you!

Stephen Northcutt

CONTENTS
1. PREFACE
2. USING SECURITY POLICY TO MANAGE RISK
3. DEFINING SECURITY POLICY
4. IDENTIFYING SECURITY POLICY
5. SECURITY POLICY WORKSHEET
6. EVALUATING SECURITY POLICY
7. ISSUE-SPECIFIC SECURITY POLICY
   7.1 Anti-Virus
   7.2 Password Assessment
   7.3 Backups
   7.4 Incident Handling
   7.5 Proprietary Information
8. WRITING A PERSONAL SECURITY POLICY
9. EXERCISES
APPENDIX A - Policy Templates
APPENDIX B - Sample Non-Disclosure Agreement

1. PREFACE

Security policy protects both people and information.
Safeguarding information is challenging when records are created and stored on computers. We live in a world where computers are globally linked and accessible, making digitized information especially vulnerable to theft, manipulation, and destruction. Security breaches are inevitable. Crucial decisions and defensive action must be prompt and precise. A security policy establishes what must be done to protect information stored on computers. A well-written policy contains sufficient definition of "what" to do so that the "how" can be identified and measured or evaluated.

An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.

Please take a minute and turn to the back of this book and examine the non-disclosure agreement in Appendix A. This is one of two examples in the book that is not written in plain English. This legal document is based on the actual non-disclosure agreement that GIAC uses when disclosing proprietary information. Despite the lawyer language of the document, it doesn't take long to see that the purpose of this is to protect information. It carefully spells out the procedures, the who, what, where, when and how for the case where an organization has sensitive information that it is going to disclose to an individual. As we learn more about policies, we will find that many aspects of a policy can be found in a document like this. In fact, an organization's policy might reference a document like this. For instance, an organization may have a policy that says, "sensitive information shall only be released to individuals who have signed a non-disclosure agreement that is on file with the corporate legal office".
Now that we have an example of a policy that protects information, I would like to show an example of a policy that protected an individual - in this case, me.

Sinking a Warship

I was scanning our entire Navy lab, one subnet at a time (the recommended approach), fixing problems as I found them. I was running the scanner on low power when I hit a network and received a phone call from a friend. "Stephen, the net is down, we think you killed it".

"It" was a mock-up of a real Navy warship. All of the communications on the model were the same as the one on the real ship. When its networking hardware received a packet (from me) on a certain port, it died. Its FDDI ring came to a complete stop. The people in this little lab were furious with me. They formed an investigative panel and called me in. I could see by the grim looks all around the table that this was not going to be pleasant. The sparks flew; one fellow in particular wanted to do me harm. He continues to be angry with me to this day! Finally someone asked whether it could happen in real life. The answer was "yes". The next question was, "then shouldn't we get it fixed"?

The point is, my network scan made these people angry enough that my job would have been in jeopardy if I'd not had my ducks in a row. I'd received permission to run the scan prior to doing so. So should you!

Stephen Northcutt

2. USING SECURITY POLICY TO MANAGE RISK

PROBLEM: The only secure computer is one that is not connected to a network and is powered off. Use of computers to process information has associated risks. You need a methodology to validate that the organization is responsible and accountable for managing that risk.

ACTION:

Step 1: Learn how to manage risks related to your job. Identify risks. Determine how your organization uses computers and networks in the conduct of business, both routinely and under emergency circumstances. This will provide insight into the risks that you face.
Examples of some things that can pose risks include:
- using the Internet,
- not using anti-virus software on desktop computers,
- permitting customers/suppliers/partners to bypass the protection afforded by your firewall,
- permitting personal use of corporate computers and networks.

Step 2: Communicate your findings. Identifying risks is necessary, but not sufficient. Decision-makers need to know what the risks are, as well as options for managing those risks. Be sure you have adequately communicated the situation in writing to folks who can make a difference.

Step 3: Update the security policy as needed. If there is no written policy in place, write it and get it signed by upper level management. A well-written policy, signed by top executives, will identify the corporation's values and demonstrate that senior management supports the information security activities required by the policy.

Step 4: Develop and refine methods to measure compliance with the policy. If you cannot measure compliance (conformance), the policy is unenforceable.

Where is it written...?

The decisions we make must stand the test of reasonableness: given the situation, could a reasonable person be expected to make the same decision? It's amazing to hear people who have been practicing computer security for more than a decade ask, "What instruction requires that we do it that way? (or at all)". Having a written and dated policy signed by upper management can help move these folks to where they need to be.
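Step 4 says a policy you cannot measure is unenforceable. The following is an added example, not part of the GIAC booklet, of what "measurable" can look like in practice: each policy statement named on this page (anti-virus on desktops, no firewall bypass for outside parties, sensitive information released only under an NDA on file) is written as a small check that runs over an inventory and reports what it examined, what failed, and a compliance ratio. The inventory records, host names and person names are constructed sample data, and the rule functions and their result types are this example's own design, not a GIAC or SANS tool.

```python
"""Measuring compliance with written policy statements (added example).

Each rule turns one "what" from the policy into a check that can be
counted, so the policy has an enforceable, repeatable measurement.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample inventory: not real hosts, people or partners.
SAMPLE_INVENTORY = {
    "assets": [
        {"host": "desk-01", "role": "desktop", "antivirus": True},
        {"host": "desk-02", "role": "desktop", "antivirus": False},
        {"host": "srv-db-01", "role": "server", "antivirus": True},
    ],
    # People whose signed NDA the legal office has on file.
    "nda_on_file": {"alice", "bob"},
    "disclosures": [
        {"recipient": "alice", "classification": "sensitive"},
        {"recipient": "carol", "classification": "sensitive"},
        {"recipient": "dave", "classification": "public"},
    ],
    # How outside parties reach the corporate network.
    "external_access": [
        {"party": "supplier-x", "path": "vpn", "through_firewall": True},
        {"party": "partner-y", "path": "dial-in modem", "through_firewall": False},
    ],
}


@dataclass
class Finding:
    subject: str   # the host, person or party that is out of compliance
    detail: str    # why


@dataclass
class RuleResult:
    rule: str
    checked: int                                  # items the rule examined
    findings: List[Finding] = field(default_factory=list)

    @property
    def compliance(self) -> float:
        """Fraction of examined items that satisfy the rule (1.0 if none examined)."""
        if self.checked == 0:
            return 1.0
        return 1.0 - len(self.findings) / self.checked


def rule_desktop_antivirus(inv: dict) -> RuleResult:
    """Policy: desktop computers run anti-virus software."""
    desktops = [a for a in inv["assets"] if a["role"] == "desktop"]
    findings = [Finding(a["host"], "no anti-virus software installed")
                for a in desktops if not a["antivirus"]]
    return RuleResult("desktops run anti-virus software", len(desktops), findings)


def rule_nda_before_release(inv: dict) -> RuleResult:
    """Policy: sensitive information is released only to people with an NDA on file."""
    releases = [d for d in inv["disclosures"] if d["classification"] == "sensitive"]
    findings = [Finding(d["recipient"], "sensitive information released with no NDA on file")
                for d in releases if d["recipient"] not in inv["nda_on_file"]]
    return RuleResult("sensitive information released only under a signed NDA",
                      len(releases), findings)


def rule_no_firewall_bypass(inv: dict) -> RuleResult:
    """Policy: customers, suppliers and partners do not bypass the firewall."""
    access = inv["external_access"]
    findings = [Finding(x["party"], f"reaches the network via {x['path']}, bypassing the firewall")
                for x in access if not x["through_firewall"]]
    return RuleResult("outside parties do not bypass the firewall", len(access), findings)


RULES: List[Callable[[dict], RuleResult]] = [
    rule_desktop_antivirus,
    rule_nda_before_release,
    rule_no_firewall_bypass,
]


def measure_compliance(inv: dict) -> Dict[str, RuleResult]:
    """Run every rule over the inventory; results are keyed by rule text."""
    return {result.rule: result for result in (rule(inv) for rule in RULES)}


def report(results: Dict[str, RuleResult]) -> str:
    """Plain-text summary suitable for the written communication in Step 2."""
    lines = []
    for res in results.values():
        lines.append(f"{res.rule}: {res.compliance:.0%} ({len(res.findings)} of {res.checked} failed)")
        for f in res.findings:
            lines.append(f"  - {f.subject}: {f.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(measure_compliance(SAMPLE_INVENTORY)))
```

Each rule names the policy statement it measures in its result, so the report can be read against the signed policy line by line; a statement that no rule can measure is the one to rewrite in Step 3.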