
Basic Security Policy: Security Essentials The SANS Institute

Pages: 34      File type: pdf      Size: 443.13 KB

Document information:

I never cease to be amazed by the fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy”, but nobody ever explains what the policy is, let alone how to write or evaluate it.
Content extracted from the document:
Basic Security Policy
Security Essentials
The SANS Institute
Information Assurance Foundations - SANS ©2001

CONTRIBUTING AUTHORS:
Doug Austin - Dyncorp Information Systems, LLC
Alexander Bryce - Alexander, Ltd.
Rob Dinehart - IBJ Whitehall Financial Group
Brian M. Estep - Adelphia
Stephen Joyce - bitLab, LLC
Carol Kramer - SANS Institute
Randy Marchany - Virginia Tech Computing Center
Stephen Northcutt - Global Incident Analysis Center
John Ritter - Intecs International, Inc.
Matt Scarborough - IC
Arrigo Triulzi - Albourne Partners, Ltd.
Eric Cole - SANS Institute

Preface

I never cease to be amazed by the fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy”, but nobody ever explains what the policy is, let alone how to write or evaluate it.

That is why we undertook this research and education project into basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, The Roadmap, a usable and effective policy.

Thank you!
Stephen Northcutt

Basic Security Policy - SANS ©2001

Objectives

• Defining Security Policy
• Using Security Policy to Manage Risk
• Identifying Security Policy
• Evaluating Security Policy
• Issue-specific Security Policy
• Exercise: Writing a Personal Security Policy

Defining a Policy

• Policies direct the accomplishment of objectives
  – Program Policy
  – Issue-specific Policy
  – System-specific Policy

An effective and realistic Security Policy is the key to effective and achievable security.

A policy is a guideline or directive which indicates a conscious decision to follow a path towards an objective defined in the policy. Often a policy may institute, empower resources, or direct action by providing procedures or actions to be carried out. With that in mind, this course will attempt to provide guidance towards the goal of developing a Basic Security Policy for an organization, or better defining the existing one. The policy itself should be both effective and realistic, with achievable security goals.

Without a security policy, any organization can be left exposed to the world. In order to determine your policy needs, a risk assessment must first be conducted. This may require an organization to define levels of sensitivity with regard to information, processes, procedures, and systems.

During this presentation, three policy types will be referred to. When the type is not specified, it may be inferred that the policy being described is a program policy. Issue-specific policies will also be covered, as well as system-specific policies. Let’s define these policy types before we get started.

Program Policy: This high-level policy sets the overall tone of an organization’s security approach. Typically, guidance is provided with this policy to enact the other types of policies and specify who is responsible. This policy may provide direction for compliance with industry standards such as ISO, QS, BS, AS, etc.

Issue-specific Poli ...
