
Written Security Policies

Pages: 11      File type: pdf      Size: 43.26 KB      Views: 7      Downloads: 0
thaipvcb




Document information:

Written security policies exist to provide a high-level roadmap of what needs to be done to ensure that the organization has a well-defined and thought-out security strategy
Content extracted from the document:
Written Security Policies

Written security policies exist to provide a high-level roadmap of what needs to be done to ensure that the organization has a well-defined and thought-out security strategy. It is a common misconception that an organization has a security policy. In fact, an organization's overall security policy typically consists of numerous individual security policies, which are written to address specific objectives, devices, or issues.

The objective of a security policy is to define what needs to be protected, who is responsible for protection, and in some cases how the protection will occur. This last function is typically separated out into a standalone procedure document such as the ingress-filtering, egress-filtering, or management-access policy documents discussed later in this chapter. In a nutshell, the security policy should simply and concisely outline the specific requirements, rules, and objectives that must be met, to provide a measurable method of validating the security posture of the organization.

To help ensure that your security policies will do this, think of the firewall in terms of security layers, with each layer having a specific realm of operation. Figure 10-1 illustrates this layered view of the firewall. As you can see, the firewall is separated into four distinct components.

Figure 10-1. Firewall Security Layers

At the center is the firewall physical integrity layer, which is predominantly concerned with physical access to the firewall. Consequently, you want to ensure that your security policies address issues related to gaining physical access to the device, such as through a hard console port connection.

The next layer is the firewall static configuration, which is predominantly concerned with access to the statically configured software the firewall is running (for example, the PIX operating system and startup configuration). At this layer, your security policy needs to focus on defining the controls that will be required to restrict administrative access, including performing software updates and configuring the firewall.

The third layer is the firewall dynamic configuration, which complements the static configuration by being concerned with the dynamic configuration of the firewall through the use of technologies such as routing protocols, Address Resolution Protocol (ARP) commands, interface and device status, audit logs, and shun commands. The objective of the security policy at this point is to define the requirements around what kinds of dynamic configurations will be permitted.

Finally, you have the network traffic through the firewall layer, which is really what the firewall exists to do: protect resources. This layer is concerned with functionality such as ACLs and service proxy information. The security policy at this layer is responsible for defining the requirements as they relate to traffic passing through the firewall.

Tip

When you decide to create your security policies, remember a couple of things:

• The security policy should specify security objectives, not necessarily the actual configuration or commands that need to be run. This allows the policy to be portable across platforms, because all firewalls typically have the same issues and requirements, regardless of the actual commands or configuration required to achieve the requirements.

• In working through your policies, continue to refer back to the layered structure in Figure 10-1 to ensure that the policy addresses all potential issues. Work from the inside (physical security) to the outside. Doing so will reduce the likelihood of overlooking a critical security requirement.

The Difference Between Policies, Standards, Guidelines, and Procedures

One of the more confusing elements of security policies is the interaction between policies, standards, guidelines, and procedures. First, let's define what we mean by each:

• Policy: A policy is a document that outlines the requirements or rules that must be met. Policies frequently refer to standards or guidelines as the basis for their existence. The scope of a policy tends to be a broad, high-level statement of intent. An example of a policy is an Encryption Use Policy, which might state, to the effect, that encryption should be used in these circumstances.

• Standard: A standard is a set of requirements, typically system or technology specific, that must be adhered to by everyone. The scope of a standard tends to be to specify the requirements about a given technology or area. An example might be defining that the only acceptable encryption algorithms are Triple DES (3DES) or Advanced Encryption Standard (AES).

• Guideline: A guideline is similar to a standard, but it differs in that, unlike a standard, a guideline is merely a recommendation or suggestion that should probably be followed but is not necessarily required. Guidelines and standards are largely interchangeable in most cases.

• Procedure: A procedure defines the process that is followed to meet the requirements of a policy, standard, or guideline. The scope of a procedure is the specific step-by-step processes and procedures that should be followed for implementing a given standard or guideline. An example of this might be defining the procedures required to implement 3DES or AES encryption on your firewalls.

Figure 10-2 helps to illustrate the relationship between policies, standards, and procedures as a pyramid. Keep in mind that standards and guidelines are interchangeable and occupy the same level in the pyramid. As you go down the pyramid, the documents get more detailed and are more subject to change. So, policies are broad and do not change often. Standards and guidelines are mor ...
