Basic Security Policy

Pages: 39      File type: pdf      Size: 338.06 KB

Content extracted from the document:

Basic Security Policy

Version 1.7 - July 5, 2001

I keep six honest serving men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
--Rudyard Kipling

CONTRIBUTING AUTHORS:
Doug Austin, Dyncorp Information Systems, LLC
Alexander Bryce, Alexander, Ltd.
Rob Dinehart, IBJ Whitehall Financial Group
Brian M. Estep, Adelphia Business Solutions
Robert Ishimoto, Robert Ishimoto Consulting
Stephen Joyce, bitLab, LLC
Carol Kramer, SANS Institute
Randy Marchany, Virginia Tech Computing Center
Stephen Northcutt, SANS Institute
John Ritter, Intecs International, Inc.
Matt Scarborough, IC
Arrigo Triulzi, Albourne Partners, Ltd.

EDITED BY: Carol Kramer, Stephen Northcutt, Fred Kerby

If you have corrections or additions or would like to be involved in enhancing this project, please send email to: giactc@sans.org

A note from Stephen Northcutt:

I never cease to be amazed by the fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy”, but nobody ever explains what the policy is, let alone how to write or evaluate it.

That is why we undertook this research and education project into basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this The Roadmap for usable, effective policy.

Thank you!
Stephen Northcutt

CONTENTS
1. PREFACE
2. DEFINING SECURITY POLICY
3. USING SECURITY POLICY TO MANAGE RISK
4. IDENTIFYING SECURITY POLICY
5. SECURITY POLICY WORKSHEET
6. EVALUATING SECURITY POLICY
7. ISSUE-SPECIFIC SECURITY POLICY
   7.1 Anti-Virus
   7.2 Password Assessment
   7.3 Backups
   7.4 Incident Handling
   7.5 Proprietary Information
   7.6 Personal Data Assistants
8. WRITING A PERSONAL SECURITY POLICY
9. EXERCISES
APPENDIX A - Policy Templates
APPENDIX B - Sample Non-Disclosure Agreement
APPENDIX C - References

1. PREFACE

Security policy protects both people and information.

Safeguarding information is challenging when records are created and stored on computers. We live in a world where computers are globally linked and accessible, making digitized information especially vulnerable to theft, manipulation, and destruction. Security breaches are inevitable. Crucial decisions and defensive action must be prompt and precise.

A security policy establishes what must be done to protect information stored on computers. A well-written policy contains sufficient definition of “what” to do so that the “how” can be identified and measured or evaluated.

An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.

Please take a minute and turn to the back of this book and examine the non-disclosure agreement in Appendix A. This is one of two examples in the book that is not written in plain English. This legal document is based on the actual non-disclosure agreement that GIAC uses when disclosing proprietary information. Despite the lawyer language of the document, it doesn’t take long to see that the purpose of this is to protect information. It carefully spells out the procedures, the who, what, where, when and how for the case where an organization has sensitive information that it is going to disclose to an individual. As we learn more about policies, we will find that many aspects of a policy can be found in a document like this. In fact, an organization’s policy might reference a document like this.

For instance, an organization may have a policy that says, sensitive information shall only be released to individuals who have signed a non-disclosure agreement that is on file with the corporate legal office. Now that we have an example of a policy that protects information, I would like to show an example of a policy that protected an individual - in this case, me.

Sinking a Warship

I was scanning our entire Navy lab, one subnet at a time (the recommended approach), fixing problems as I found them. I was running the scanner on low power when I hit a network and received a phone call from a friend. Step ...