280 likes | 295 Views
SECURITY POLICIES. Indu Ramachandran. Outline. General idea/Importance of security policies When security policies should be developed Who should be involved in this process Cost of security policies Available resources Security policies in detail Failure of Security policies
E N D
SECURITY POLICIES Indu Ramachandran
Outline • General idea/Importance of security policies • When security policies should be developed • Who should be involved in this process • Cost of security policies • Available resources • Security policies in detail • Failure of Security policies • After Security policy is written
About Security Policies • Increased level of threats • Organization’s attitude towards security policies • Establishing Standards • More than just “Keeping the bad guys out”! • Management and Security policy • Policies Not Procedures!!
Importance of Security Policies • Establishes Standards • Provides basic guidelines • Defines appropriate behavior • Helps against being sued
Aspects of Security • Traditional Ideas of Security • Revised Security aspects • Confidentiality • Protect objects from unauthorized release/use of info • Integrity • Preserve objects / avoid unauthorized modification
When should Policies be developed • Ideal Scenario • Often not the case • After a Security Breach • To mitigate Liability • For document compliance • To demonstrate quality control processes • Customers/Clients requirements
Who should be involved • Basically EVERYONE!!!!! • System users • System support personnel • Managers • Business lawyers
Importance of Involving Management • Funding and Commitment • Leadership • Authority • Responsibility/Support
Do you need Sec. Policies?? Questions to answer this question… • Do workers at your organization handle information that is confidential? • Do workers at your organization access the internet? • Does your organization have trade secrets? Custom questions to suit you!!
The Security Cost Function • Cost for security • Exponential increase • Trade off between cost for security and cost of violations • Formula for calculating cost : Total cost for Violations = Cost for a single Violation X frequency of the violation
GOOD NEWS!!!! You are not on your own !!! • Internet Resources • The SANS institute • NIST (National Inst. Of Stds. And Technology) • RFC • Universities
Resources (cont’d) • Books • Guide for Developing Security Policies for Information Technology Systems • Information Security Policies made easy • around 1360+ security templates • used by several large organizations • Training Sessions • SANS Institute
Types of security policies • Administrative Security Policy • Examples of Administrative sec policies: • Users must change password each quarter • Employees must not use dial out modems from their desktops. • Technical sec policies • Examples • Server will be configured to expire password each quarter • Accounts must initiate a lockout after four unsuccessful attempts to login
What is in a security policy Three Categories First category – Parameters Section • Introduction • Audience • Definitions
What is in a security policy (cont’d) The Second category • Risk assessments • When this should be done • Benefits • Who should do this • Identifying Assets • Threats to assets
What is in a security policy (cont’d) The Third Category • Actual Policies Examples of policies • Physical security
Examples of policies (cont’d) • Authentication • Password policy • Remote Access Policy • The Modem Issue
Examples of policies (cont’d) • Acceptable Use Policy Examples of AU Policy at http://www.eff.org/pub/CAF/policies • Other Policies Examples of policies as well as their templates on the SANS website. http://www.sans.org/resources/policies/
What makes a good security policy • Must be usable • Must communicate clearly • Must not impede/interfere with business • Enforceable • Update regularly • Other factors • Interests • Laws
Problems with Sec. Policies • Increase in tension level • Security needs viewed differently • Too restrictive/hard to implement • Impediments productivity
Conflict and Politics • Management concentrates on goals for company • Technical Personnel’s agenda So what happens??? What do you do???
Information Security Management Committee • Bridge the gap • Committee Composition • Responsibilities of the committee
Real world problems caused by missing policies • At A Government Agency... • At A Local Newspaper...
Why Security Policies Fail • Security is a barrier to Progress • Perceived to have zero benefit • Obstacles/Impediment productivity • Security is a learned behavior • Not instinct • Value of assets • Not taken seriously
Why Security Policies Fail (cont’d) • Complexity • Security work is never finished • Failure to review • Other reasons • Lack of stake holder support • Organizational Politics
Compliance & Enforcement • Training • Testing and effectiveness of the policy • Monitoring • Taking Action
Review The Policy • Review Committee • Good representation • Frequency of review meetings • Responsibilities • What to Review
References • Barham, Scott - Writing information security policies • http://dmoz.org/Computers/Security/Policy/Sample_Policies/ • http://www.netiq.com/products/pub/ispme_realproblems.asp • http://www.sans.org/rr/policy/policy.php • http://www.networknews.co.uk/Features/1138373 • http://irm.cit.nih.gov/security/sec_policy.html • http://www.cisco.com/warp/public/126/secpol.html