2 - 1
Information Assurance Foundations - SANS
©2001
1
Basic Security Policy
Security Essentials
The SANS Institute
CONTRIBUTING AUTHORS:
Doug Austin - Dyncorp Information Systems, LLC
Alexander Bryce - Alexander, Ltd.
Rob Dinehart - IBJ Whitehall Financial Group
Brian M. Estep - Adelphia
Stephen Joyce - bitLab, LLC
Carol Kramer - SANS Institute
Randy Marchany - Virginia Tech Computing Center
Stephen Northcutt - Global Incident Analysis Center
John Ritter - Intecs International, Inc.
Matt Scarborough - IC
Arrigo Triulzi - Albourne Partners, Ltd.
Eric Cole - SANS Institute
Preface
I never cease to be amazed by the fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy”, but nobody ever explains what the policy is, let alone how to write or evaluate it.

That is why we undertook this research and education project into basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, The Roadmap, a usable and effective policy. Thank you!

Stephen Northcutt
Objectives
• Defining Security Policy
• Using Security Policy to Manage Risk
• Identifying Security Policy
• Evaluating Security Policy
• Issue-specific Security Policy
• Exercise: Writing a Personal Security Policy
Defining a Policy
• Policies direct the accomplishment of objectives
– Program Policy
– Issue-specific Policy
– System-specific Policy
An effective and realistic Security Policy is the key to effective and achievable security.
A policy is a guideline or directive that records a conscious decision to follow a path towards an objective the policy defines. A policy often establishes authority, allocates resources, or directs action by specifying the procedures or actions to be carried out. With that in mind, this course attempts to provide guidance towards the goal of developing a Basic Security Policy for an organization, or better defining the one it already has. The policy itself should be both effective and realistic, with achievable security goals.
Without a security policy, any organization can be left exposed to the world. In order to determine
your policy needs, a risk assessment must first be conducted. This may require an organization to
define levels of sensitivity with regard to information, processes, procedures, and systems.
This presentation refers to three types of policy. Where the type is not specified, the policy being described is a program policy. Issue-specific policies and system-specific policies will also be covered. Let’s define these policy types before we get started.
Program Policy: This high-level policy sets the overall tone of an organization’s security approach.
Typically guidance is provided with this policy to enact the other types of policies and specify who is
responsible. This policy may provide direction for compliance with industry standards such as ISO,
QS, BS, AS, etc.
Issue-specific Policy: These policies are intended to address specific needs within an organization.
This may include password procedures, Internet usage guidelines, etc. This is not as broad a policy
category as the program policy; however, it is broader than the system-specific policy.
System-specific Policy: For a given organization there may be several systems that perform various
functions, where the use of one policy governing all of them may not be appropriate. It may be
necessary to develop a policy directed toward each system individually. This is a system-specific
policy.
Defining a Policy (2)
• What makes up a policy?
– Purpose
– Related documents
– Cancellation
– Background
– Scope
– Policy statement
– Action
– Responsibility
Most organizations have a guide which dictates the makeup of all company policies. This guide
likely contains some or all of the following:
Purpose - the reason for the policy.
Related documents - lists any documents (or other policies) that affect the contents of this policy.
Cancellation - identifies any existing policy that is cancelled when this policy becomes effective.
Background - provides amplifying information on the need for the policy.
Scope - states the range of coverage for the policy (to whom or what does the policy apply).
Policy statement - identifies the actual guiding principles or what is to be done. The statements are
designed to influence and determine decisions and actions within the scope of coverage. The
statements should be prudent, expedient, and/or advantageous to the organization.
Action - specifies what actions are necessary and when they are to be accomplished.
Responsibility - states who is responsible for what. Subsections might identify who will develop
additional detailed guidance and when the policy will be reviewed and updated.
Defining a Policy (3)
• Who can sign the policy?
• What process is used to:
– draft a policy
– approve a policy
– implement a policy
In addition, some organizations further define:
Who can sign the policy.
If you are part of a Department of Defense organization, the authority may be reserved for the senior
military officer. In other cases, it may be a senior vice president or a CIO or other manager. In any
case, the policy must be signed by someone with sufficient authority and credibility that it is
accepted by members of the organization to which it applies.
The process used to get policy drafted, signed, and implemented.
Once you’ve identified what should be in the policy and who will sign it, you need to identify the
folks who will help develop and review the policy before you submit it for signature. Typical
participants (in addition to the security staff) can include members of the legal and human resources
staff, as well as a representative from one or more collective bargaining units.
Security Policy Protects Information
Safeguarding information is challenging when records are created and stored on computers.
We live in a world where computers are globally linked and accessible, making digitized information
especially vulnerable to theft, manipulation, and destruction. Security breaches are inevitable.
Crucial decisions and defensive action must be prompt and precise.
A security policy establishes what must be done to protect information stored on computers. A well-
written policy contains sufficient definition of “what” to do so that the “how” can be identified and
measured or evaluated.
Managing Risks in Your Job
• Identify risks
• Communicate your findings
• Update (create) policy as needed
• Develop metrics to measure compliance
PROBLEM: The only secure computer is one that is not connected to a network and is powered off.
Use of computers to process information has associated risks. You need a methodology to validate
that the organization is responsible and accountable for managing that risk.
ACTION: Learn how to manage risks related to your job.
Step 1: Identify risks.
Determine how your organization uses computers and networks in the conduct of business, both
routinely and under emergency circumstances. This will provide insight into the risks that you face.
Examples of some things that can pose risks include: using the Internet, not using anti-virus software
on desktop computers, permitting customers/suppliers/partners to bypass the protection afforded by
your firewall, and permitting personal use of corporate computers and networks.
Step 2: Communicate your findings.
Identifying risks is necessary, but not sufficient. Decision-makers need to know what the risks are,
as well as options for managing those risks. Be sure you have adequately communicated the
situation in writing to folks who can make a difference.
Step 3: Update (create) policy as needed.
If there is no written policy in place, write it and get it signed by upper level management. A well-
written policy, signed by top executives, will identify the corporation’s values and demonstrate that
senior management supports the information security activities required by the policy.
Step 4: Develop metrics to measure compliance.
If you cannot measure compliance (conformance), the policy is unenforceable.
Risk Assessment
• What do you do?
– The “important bid” story
– When is it okay to violate or change policy?
– Who has the authority to do it?
– What are the risks involved?
It’s 2:00 a.m. on a Saturday morning. Your team is trying to finish a time-critical project - an
important bid - by sending a file. There are problems getting through the firewall. The obvious
solution is to modify the firewall, but this is prohibited by the security policy. The team faces a
dilemma. If they don’t act, they will not meet the deadline. If they do act, they risk the consequences
of violating a written security policy.
What do they do?
What policy may provide guidance on this subject?
What risks are involved in doing this?
Policy should also take into account any possible exceptions to the policy, and define:
• what types of exceptions can be made
• who has the authority to make them
• what review process should be followed to evaluate “emergency” exceptions
These considerations protect both the organization’s assets (by defining which changes are
acceptable and which are not) and those people responsible (by defining the responsible parties and
empowering them to make decisions and take action within the scope of the policy).
Checkpoint: Policy In Action
Finding Policy Wins The Game!
Think of a football game. Picture the coach at practice sessions, in the locker room before the game.
What is the coach doing? He is presenting, refining, and reworking a plan for winning the game, a
plan that’s practiced over and over until it’s perfect! We can see team captains and players referring
to the plan before each play. What does a game plan have to do with a computer security policy? The
game plan is actually a policy on how to win the game. The team that identifies its capabilities and
limitations, along with the capabilities and limitations of its opponents, will devise the best plan and
the best chance of winning if they follow it.
Risks have been identified and policy has been defined in broad terms. Next we look at concrete
policies.
Levels of Policy
• Recognize that policies can exist on different levels
– Enterprise-wide/corporate policy
– Division-wide policy
– Local policy
– Issue-specific policy
– Procedures and checklists
Unless you are at the top of the organizational hierarchy, there is likely to be a part of the
organization above your level that issues policy that you are expected to implement. A common
hierarchy for policy in an organization might look like this:
Enterprise-wide or Corporate Policy: the highest level (perhaps national); consists of high-level
documents that provide a direction or thrust to be implemented at lower levels in the enterprise.
Division-wide Policy: typically consists of an amplification of enterprise-wide policy as well as
implementation guidance. This level might apply to a particular region of a national corporation.
Local Policy: contains information specific to the local organization or corporate element.
Issue-specific Policy: policy related to specific issues, e.g. firewall or anti-virus policy.
Security Procedures and Checklists: local Standard Operating Procedures (SOPs); derived from the
security policy.
Security policy may exist on some levels and not on others. Documents interact and support one
another, and generally contain many of the same elements. In a typical organization, policy written
to implement higher-level directives may not relieve (waive) any of the requirements or conditions
stipulated at a higher level. Security policy must always be in accordance with local, state, and
federal computer crime laws.