DownloadNote - The PPT/PDF document "1 Security Policies CS 397 Computer Se..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in 1 Security Policies CS 397 Computer Security and
Slide1
1
Security
Policies
CS 397 Computer Security and
Information Assurance
Slide2
2
Outline
of
Presentation
•
Introduction
to
Security
Policy
–
Definitions,
types,
elements.
•
The
necessity
of
a
Security
Policy.
–
Why
its
needed.
•
Example:
Email
Use
Policy
–
Analysis
and
critique
•
Closing
Comments
Slide3
3
What
is
a
Security
Policy?
•
A
security policy
is
a
set
of
rules
stating
which
actions
are
permitted
and
which
are
not.
It
is
a
statement
that
partitions
the
states
of
a
system
into
a
set
of
authorized
or
secure
states
and
a
set
of
unauthorized
or
non-secure
states.
–
Can
be
informal
or
highly
mathematical.
•
A
secure system
is
a
system
that
starts
in
an
authorized
state
and
cannot
enter
an
unauthorized
state.
•
A
breach of security
occurs
when
a
system
enters
an
unauthorized
state.
•
We
expect
a
trusted
system
to
enforce
the
required
security
policies.
Slide4
4
Elements
of
a
Security
Policy
•
A
security
policy
considers
all
relevant
aspects
of
confidentiality,
integrity
and
availability.
•
Confidentiality policy:
Identifies
information
leakage
and
controls
information
flow.
•
Integrity Policy:
Identifies
authorized
ways
in
which
information
may
be
altered.
Enforces
separation
of
duties.
•
Availability policy:
Describes
what
services
must
be
provided.
–
For
example,
a
browser
may
download
pages
but
not
Java
applets.
Slide5
5
Types
of
Security
Policies
•
A
military security policy
(also
called
government
security
policy)
is
a
security
policy
developed
primarily
to
provide
confidentiality.
–
Not
worried
about
trusting
the
object
as
much
as
disclosing
the
object.
•
A
commercial security policy
is
a
security
policy
developed
primarily
to
provide
integrity.
–
Focuses
on
how
much
the
object
can
be
trusted.
Slide6
Mechanism
vs.
Security
Policy
6
•
•
•
Mechanism
should
not
be
confused
with
policy.
A
security
mechanism
is
an
entity
or
procedure
that
enforces
some
part
of
a
security
policy.
–
MasterCard
has
the
Site
Data
Protection
(SDP)
Program.
(
https://sdp.mastercardintl.com/
)
–
Firewalls,
access
control,
permissions,
roles.
–
Logging
facilities,
such
as
syslog.
–
Spam
and
website
filters,
proxies.
E
nforcement
mechanisms
may
be
technical
or
procedural.
For
example,
a
firewall
may
enforce
certain
rules,
but
part
of
the
enforcement
is
the
procedure
to
set
up
and
maintain
configurations.
On
the
other
side,
tools
that
automatically
log
urls
can
be
used
to
enforce
policies
like
banning
porn
sites
Slide7
7
Is
it
a
Policy,
a
Standard
or aGuideline?•
A
policy is typically a document that outlines specific requirements or rules that must be met. – point-specific, covers a single area
•
A standard is typically collections of system-specific or
procedural-specific
requirements
that
must
be
met
by
everyone.
•
A
guideline
is
typically
a
collection
of
system
specific
or
procedural
specific
“suggestions”
for
best
practice.
They
are
not
requirements
to
be
met,
but
are
strongly
recommended.
•
Effective
security
policies
make
frequent
references
to
standards
and
guidelines
that
exist
within
an
organization.
Slide8
8
Real
World
Problems
Caused
By
Missing
Policies
• At a
local
newspaper... – A local newspaper had no policy requiring the termination of user-ID and password privileges after an employee left.
–
A senior reporter left the newspaper, and shortly thereafter,
the
newspaper
had
trouble
because
the
competition
consistently
picked-up
on
their
exclusive
stories
(scoops).
–
An
investigation
of
the
logs
revealed
that
the
former
employee
had
been
consistently
accessing
their
computer
to
get
ideas
for
stories
at
his
new
employer.
Slide9
9
Real
World
Problems
Caused
By
Missing
Policies
(cont’d)• At
a
government agency... – A clerk spent a great deal of time surfing the Internet while on the job. Because there
was no
policy specifying what constituted excessive personal use, management
could
not
discipline
this
employee.
–
Then
management
discovered
that
the
clerk
had
downloaded
a
great
deal
of
pornography.
Using
this
as
a
reason,
management
fired
him.
–
The
clerk
chose
to
appeal
the
termination
with
the
Civil
Service
Board,
claiming
that
he
couldn't
be
fired
because
he
had
never
been
told
that
he
couldn't
download
pornography.
–
After
a
Civil
Service
hearing,
the
Board
ordered
him
to
be
reinstated
with
back
pay.
Slide10
2/26/2004
Polytechnic
University
-
CS996
10
Why
An
Organization NeedsSecurity
Policies
• Security policies are the foundation of your secure infrastructure. Your security policies serve as a guide and a reference
point
to numerous security tasks in your organization• Without
security
policies,
no
enforcement
of
security
configurations
or
standards
can
be
made.
By
establishing
a
policy,
you
are
implying
that
enforcement
can
or
will
follow.
Without
security
policies,
enforcement
of
them
is
not
possible.
Slide11
11
It’s
All
In
The
Details!
•
The
computer
security policy need to be detailed. The security policy such as “Computer systems are not to be used for personal
use”
needs to be explained. – What constitutes personal use
could
be
interpreted
differently.
•
A
computer
security
policy
should
provide
guidelines
in
specific
topics
such
as
management’s
position
on:
–
Downloading
and
viewing
pornography.
–
Sending
and
forwarding
jokes
(or
other
non-essential
business
correspondence).
–
Viewing
stock
prices.
–
Sending
and
viewing
personal
e-mail.
–
Use
of
computer
for
on
line
shopping
during
break
times.
Slide12
12
Security
Policy:
Clear
Understanding
•
A
computer
security policy gives
users
a clear understanding of allowed activities.• If an employee is dismissed for inappropriate actions, a computer security policy that
has been
communicated to computer users will save time in
legal
disputes.
Slide13
13
Security
Policy
Basics
•
All
security
policies
need
to be written down. – Policies that exist in someone's head are not really policies.• When your organization has
finished developing
security policies, and right when you think you
can
breathe
easy,
it
will
be
time
to
update
your
security
policies.
•
New technology
-
make
sure
your
security
policies
still
make
sense
for
your
new
infrastructure.
•
Evaluating new equipment
-
make
sure
that
the
new
equipment
can
properly
be
configured
to
meet
your
security
requirements.
–
if
it
can't,
you
may
want
to
consider
purchasing
alternative
products.
Slide14
15
Where
to
Start?
•
The
first
issue
revolves around the
content
and structure of the policies themselves: Are they complete? Are they fully up to date? Do they reflect your needs?
•
The most cost effective way is often to
procure
a
set
of
pre-written policies
,
and
then
tailor
them
as
necessary
to
meet
specific
cultural
and
functional
needs.
–
Why
re-invent
the
wheel
and
proceed
down
a
more
complex
route
than
is
really
necessary?
Slide15
16
Where
to
Get
a
Good
Security
Policy?
• Good computer
programs
are copied from other good programs.• The skill of a programmer is not how effectively they can write code but
how
well they can incorporate the best routines of other
programs
to
make
a
useful
application.
•
A
good
security
policy
documents
are
not
written
but
are
copied
from
other
security
policy
documents.
Slide16
17
Formulate
Your
Own
Computer
Security
Policy
•
The security requirements
of
computer systems owned and operated by one organization will almost certainly differ from the requirements of another organization.• It is
therefore
important that each organization formulates its own Computer Security
Policy.
Slide17
18
Need
an
Example
Policy
or
Template?
•
•
•
•
Use
http://www.sans.org/resources/policies/What is the SANS Institute? – The SANS (SysAdmin, Audit, Network, Security) Institute was established
in
1989 as a cooperative research and education organization. The
SANS
Institute
enables
more
than
156,000
security
professionals,
auditors,
system
administrators,
and
network
administrators
to
share
the
lessons
they
are
learning
and
find
solutions
to
the
challenges
they
face.
At
the
heart
of
SANS
are
the
many
security
practitioners
in
government
agencies,
corporations,
and
universities
around
the
world
who
invest
hundreds
of
hours
each
year
in
research
and
teaching
to
help
the
entire
information
security
community.
SANS
has
received
permission
to
provide
sanitized
security
policies
from
a
large
organization.
They
should
form
a
good
starting
point
if
you
need
one
of
these
policies.
Slide18
21
Before
looking
into
the
sample
security
policies…
• <angle brackets> should
be
replaced with the appropriate name from your organization.• The term “InfoSec” is used through out these documents to refer the
team
of people responsible for network and information security.
Replace
with
the
appropriate
group
name
from
your
organization.
•
Any
policy
name
that
is
in
italics
is
a
reference
to
a
policy
that
is
also
available
on
the
SANS
site.
Slide19
22
Example:
Email
Use
Policy
•
Generally
the
company E-mail systems
are
a high risk area due to their constant availability to the outside world, and the risk is often two-fold.•
Exposes company
mail addresses and (mail) systems to potential attackers.
•
Number
one
entry
point
from
which
most
of
the
malicious
programs
are
entering
the
company.
•
E-mail
systems
are
a
potential
way
to
leak
company
proprietary
information,
intentionally
or
accidentally
(and
software
exists
to
flag
such
things).
Also,
because
of
the
risk
to
company
image.
Slide20
23
Example:
Email
Use
Policy
(cont’d)
•
1.0
Purpose – To
prevent
tarnishing the public image of <COMPANY NAME>. When email goes out from <COMPANY NAME> the general public will tend to
view that
message as an official policy statement from the
<COMPANY
NAME>.
•
2.0
Scope
–
This
policy
covers
appropriate
use
of
any
email
sent
from
a
<COMPANY
NAME>
email
address
and
applies
to
all
employees,
vendors,
and
agents
operating
on
behalf
of
<COMPANY
NAME>.
Slide21
24
Example:
Email
Use
Policy
(cont’d)
•
3.0
Policy –
3.1
Prohibited Use. • The <COMPANY NAME> email system shall not to be used for the creation or distribution of any
disruptive or
offensive messages, including offensive comments about race, gender,
hair
color,
disabilities,
age,
sexual
orientation,
pornography,
religious
beliefs
and
practice,
political
beliefs,
or
national
origin.
Employees
who
receive
any
emails
with
this
content
from
any
<COMPANY
NAME>
employee
should
report
the
matter
to
their
supervisor
immediately.
Slide22
25
Make
An
Addition
to
the
Template!
•
Prohibited Use: –
Using
email for conducting personal business. – Using email for purposes of political lobbying or campaigning. – Violating copyright laws by
inappropriately distributing
protected works. – Posing as anyone other than
oneself
when
sending
email,
except
when
authorized
to
send
messages
for
another
when
serving
in
an
administrative
support
role.
–
The
use
of
unauthorized
e-mail
software.
Slide23
26
Don’t
Slow
Down
Network
Communications!
•
Make
an addition to
the
template: – Prohibited Use: • Sending or forwarding chain letters. • Sending unsolicited messages to large groups except as
required to
conduct agency business. • Sending excessively large messages
•
Sending
or
forwarding
email
that
is
likely
to
contain
computer
viruses.
Slide24
27
Non-<COMPANY
NAME>
Email
Accounts
for
Confidential
Info?
• Make an
addition
to the template: – Individuals must not send, forward or receive confidential or sensitive <COMPANY NAME> information through non-<COMPANY NAME>
email
accounts. Examples of non- <COMPANY NAME> email accounts include,
but
are
not
limited
to,
Hotmail,
Yahoo
mail,
AOL
mail,
and
email
provided
by
other
Internet
Service
Providers
(ISP).
Slide25
28
Non-<COMPANY
NAME>
Mobile
Devices
for
Confidential
Info?
• Make an
addition
to the template: – Individuals must not send, forward, receive or store confidential or sensitive <COMPANY NAME> information utilizing non-<COMPANY
NAME>
accredited mobile devices. Examples of mobile devices include, but
are
not
limited
to,
Personal
Data
Assistants,
two-way
pagers
and
cellular
telephones.
Slide26
29
Example:
Email
Use
Policy
(cont’d)
–
3.2 Personal Use.
•
Using a reasonable amount of <COMPANY NAME> resources for personal emails is acceptable, but non-work related email shall be saved
in a
separate folder from work related email. • Sending
chain
letters
or
joke
emails
from
a
<COMPANY
NAME>
email
account
is
prohibited.
•
Virus
or
other
malware
warnings
and
mass
mailings
from
<COMPANY
NAME>
shall
be
approved
by
<COMPANY
NAME>
VP
Operations
before
sending.
These
restrictions
also
apply
to
the
forwarding
of
mail
received
by
a
<COMPANY
NAME>
employee.
Slide27
30
Example:
Email
Use
Policy
(cont’d)
–
3.3 Monitoring •
<COMPANY
NAME> employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
<COMPANY NAME>
may monitor messages without prior notice. <COMPANY NAME>
is
not
obliged
to
monitor
email
messages.
Slide28
31
Transmitted
Information
Needs
To
Be
Safe!
•
Make an addition
to
the template: – All sensitive <COMPANY NAME> material transmitted over external networks must be encrypted.
Slide29
32
Example:
Email
Use
Policy
(cont’d)
•
4.0
Enforcement –
Any
employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Slide30
33
Doesn’t
Handle
Non-Employees
•
Need
to
change
template:
– 4.0 Enforcement • Violation of this policy may result in disciplinary
action
which may include termination for employees and temporaries;
a
termination
of
employment
relations
in
the
case
of
contractors
or
consultants
;
dismissal
for
interns
and
volunteers
;
or
suspension
or
expulsion
in
the
case
of
a
student
.
Additionally,
individuals
are
subject
to
loss
of
<COMPANY
NAME>
Information
Resources
access
privileges,
civil,
and
criminal
prosecution.
–
NOTE:
Enforcement
can
also
include
both
identification
of
the
violation
and
a
software
needed
to
look
for
violations,
spot
checking
email,
etc.
Slide31
Example:
Email
Use
Policy
(cont’d)
34
•
Term
Definitions: – Email:
The
electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft
Outlook. –
Forwarded email: Email resent from an internal network to
an
outside
point.
–
Chain email or letter:
Email
sent
to
successive
people.
Typically
the
body
of
the
note
has
direction
to
send
out
multiple
copies
of
the
note
and
promises
good
luck
or
money
if
the
direction
is
followed.
–
Sensitive information:
Information
is
considered
sensitive
if
it
can
be
damaging
to
<COMPANY
NAME>
or
its
customers'
reputation
or
market
standing.
–
Virus warning:
Email
containing
warnings
about
virus
or
malware.
The
overwhelming
majority
of
these
emails
turn
out
to
be
a
hoax
and
contain
bogus
information
usually
intent
only
on
frightening
or
misleading
users.
–
Unauthorized Disclosure:
The
intentional
or
unintentional
revealing
of
restricted
information
to
people,
both
inside
and
outside
<COMPANY
NAME>,
who
do
not
have
a
need
to
know
that
information.
Slide32
35
Example:
Email
Use
Policy
(cont’d)
•
6.0
Revision History
–
Used when revisions are made in the duration of a security policy.
Slide33
47
High-level
to
Low-level
•
Security
policies
begin
from high
level
statements and flow down to lower level policies, which are more specific and detailed. Example: • High level: Confidential and classified
company information
shall be protected from release to unauthorized personnel.
•
Mid level:
Classified
information
will
only
be
accessible
from
internal
network
(company
intranet)
via
a
secure
website.
•
Low level:
The
internal
web-server
will
be
running
HTTPS
(SSL)
and
be
password-protected.
The
perimeter
firewall
will
deny
all
access
to
the
web-
server
from
external
hosts
(outside
the
intranet)
by
blocking
external
traffic
on
port
443.
•
The
firewall
is
an
enforcement mechanism
.
The
password
protection
is
an
enforcement
mechanism
as
well.
Slide34
48
Applicable
Security
Policies
•
In
the
previous
example, a company
can
refer to the following security policies: – Firewall – which ports are allowed through. – Password – length of
Download this presentation
DownloadNote - The PPT/PDF document "1 Security Policies CS 397 Computer Se..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in 1 Security Policies CS 397 Computer Security and
1
Security
Policies
CS 397 Computer Security and
Information Assurance
Slide22
Outline
of
Presentation
•
Introduction
to
Security
Policy
–
Definitions,
types,
elements.
•
The
necessity
of
a
Security
Policy.
–
Why
its
needed.
•
Example:
Email
Use
Policy
–
Analysis
and
critique
•
Closing
Comments
Slide33
What
is
a
Security
Policy?
•
A
security policy
is
a
set
of
rules
stating
which
actions
are
permitted
and
which
are
not.
It
is
a
statement
that
partitions
the
states
of
a
system
into
a
set
of
authorized
or
secure
states
and
a
set
of
unauthorized
or
non-secure
states.
–
Can
be
informal
or
highly
mathematical.
•
A
secure system
is
a
system
that
starts
in
an
authorized
state
and
cannot
enter
an
unauthorized
state.
•
A
breach of security
occurs
when
a
system
enters
an
unauthorized
state.
•
We
expect
a
trusted
system
to
enforce
the
required
security
policies.
Slide44
Elements
of
a
Security
Policy
•
A
security
policy
considers
all
relevant
aspects
of
confidentiality,
integrity
and
availability.
•
Confidentiality policy:
Identifies
information
leakage
and
controls
information
flow.
•
Integrity Policy:
Identifies
authorized
ways
in
which
information
may
be
altered.
Enforces
separation
of
duties.
•
Availability policy:
Describes
what
services
must
be
provided.
–
For
example,
a
browser
may
download
pages
but
not
Java
applets.
Slide55
Types
of
Security
Policies
•
A
military security policy
(also
called
government
security
policy)
is
a
security
policy
developed
primarily
to
provide
confidentiality.
–
Not
worried
about
trusting
the
object
as
much
as
disclosing
the
object.
•
A
commercial security policy
is
a
security
policy
developed
primarily
to
provide
integrity.
–
Focuses
on
how
much
the
object
can
be
trusted.
Slide6Mechanism
vs.
Security
Policy
6
•
•
•
Mechanism
should
not
be
confused
with
policy.
A
security
mechanism
is
an
entity
or
procedure
that
enforces
some
part
of
a
security
policy.
–
MasterCard
has
the
Site
Data
Protection
(SDP)
Program.
(
https://sdp.mastercardintl.com/
)
–
Firewalls,
access
control,
permissions,
roles.
–
Logging
facilities,
such
as
syslog.
–
Spam
and
website
filters,
proxies.
E
nforcement
mechanisms
may
be
technical
or
procedural.
For
example,
a
firewall
may
enforce
certain
rules,
but
part
of
the
enforcement
is
the
procedure
to
set
up
and
maintain
configurations.
On
the
other
side,
tools
that
automatically
log
urls
can
be
used
to
enforce
policies
like
banning
porn
sites
Slide77
Is
it
a
Policy,
a
Standard
or aGuideline?•
A
policy is typically a document that outlines specific requirements or rules that must be met. – point-specific, covers a single area
•
A standard is typically collections of system-specific or
procedural-specific
requirements
that
must
be
met
by
everyone.
•
A
guideline
is
typically
a
collection
of
system
specific
or
procedural
specific
“suggestions”
for
best
practice.
They
are
not
requirements
to
be
met,
but
are
strongly
recommended.
•
Effective
security
policies
make
frequent
references
to
standards
and
guidelines
that
exist
within
an
organization.
Slide88
Real
World
Problems
Caused
By
Missing
Policies
• At a
local
newspaper... – A local newspaper had no policy requiring the termination of user-ID and password privileges after an employee left.
–
A senior reporter left the newspaper, and shortly thereafter,
the
newspaper
had
trouble
because
the
competition
consistently
picked-up
on
their
exclusive
stories
(scoops).
–
An
investigation
of
the
logs
revealed
that
the
former
employee
had
been
consistently
accessing
their
computer
to
get
ideas
for
stories
at
his
new
employer.
Slide99
Real
World
Problems
Caused
By
Missing
Policies
(cont’d)• At
a
government agency... – A clerk spent a great deal of time surfing the Internet while on the job. Because there
was no
policy specifying what constituted excessive personal use, management
could
not
discipline
this
employee.
–
Then
management
discovered
that
the
clerk
had
downloaded
a
great
deal
of
pornography.
Using
this
as
a
reason,
management
fired
him.
–
The
clerk
chose
to
appeal
the
termination
with
the
Civil
Service
Board,
claiming
that
he
couldn't
be
fired
because
he
had
never
been
told
that
he
couldn't
download
pornography.
–
After
a
Civil
Service
hearing,
the
Board
ordered
him
to
be
reinstated
with
back
pay.
Slide102/26/2004
Polytechnic
University
-
CS996
10
Why
An
Organization NeedsSecurity
Policies
• Security policies are the foundation of your secure infrastructure. Your security policies serve as a guide and a reference
point
to numerous security tasks in your organization• Without
security
policies,
no
enforcement
of
security
configurations
or
standards
can
be
made.
By
establishing
a
policy,
you
are
implying
that
enforcement
can
or
will
follow.
Without
security
policies,
enforcement
of
them
is
not
possible.
Slide1111
It’s
All
In
The
Details!
•
The
computer
security policy need to be detailed. The security policy such as “Computer systems are not to be used for personal
use”
needs to be explained. – What constitutes personal use
could
be
interpreted
differently.
•
A
computer
security
policy
should
provide
guidelines
in
specific
topics
such
as
management’s
position
on:
–
Downloading
and
viewing
pornography.
–
Sending
and
forwarding
jokes
(or
other
non-essential
business
correspondence).
–
Viewing
stock
prices.
–
Sending
and
viewing
personal
e-mail.
–
Use
of
computer
for
on
line
shopping
during
break
times.
Slide1212
Security
Policy:
Clear
Understanding
•
A
computer
security policy gives
users
a clear understanding of allowed activities.• If an employee is dismissed for inappropriate actions, a computer security policy that
has been
communicated to computer users will save time in
legal
disputes.
Slide1313
Security
Policy
Basics
•
All
security
policies
need
to be written down. – Policies that exist in someone's head are not really policies.• When your organization has
finished developing
security policies, and right when you think you
can
breathe
easy,
it
will
be
time
to
update
your
security
policies.
•
New technology
-
make
sure
your
security
policies
still
make
sense
for
your
new
infrastructure.
•
Evaluating new equipment
-
make
sure
that
the
new
equipment
can
properly
be
configured
to
meet
your
security
requirements.
–
if
it
can't,
you
may
want
to
consider
purchasing
alternative
products.
Slide1415
Where
to
Start?
•
The
first
issue
revolves around the
content
and structure of the policies themselves: Are they complete? Are they fully up to date? Do they reflect your needs?
•
The most cost effective way is often to
procure
a
set
of
pre-written policies
,
and
then
tailor
them
as
necessary
to
meet
specific
cultural
and
functional
needs.
–
Why
re-invent
the
wheel
and
proceed
down
a
more
complex
route
than
is
really
necessary?
Slide1516
Where
to
Get
a
Good
Security
Policy?
• Good computer
programs
are copied from other good programs.• The skill of a programmer is not how effectively they can write code but
how
well they can incorporate the best routines of other
programs
to
make
a
useful
application.
•
A
good
security
policy
documents
are
not
written
but
are
copied
from
other
security
policy
documents.
Slide1617
Formulate
Your
Own
Computer
Security
Policy
•
The security requirements
of
computer systems owned and operated by one organization will almost certainly differ from the requirements of another organization.• It is
therefore
important that each organization formulates its own Computer Security
Policy.
Slide1718
Need
an
Example
Policy
or
Template?
•
•
•
•
Use
http://www.sans.org/resources/policies/What is the SANS Institute? – The SANS (SysAdmin, Audit, Network, Security) Institute was established
in
1989 as a cooperative research and education organization. The
SANS
Institute
enables
more
than
156,000
security
professionals,
auditors,
system
administrators,
and
network
administrators
to
share
the
lessons
they
are
learning
and
find
solutions
to
the
challenges
they
face.
At
the
heart
of
SANS
are
the
many
security
practitioners
in
government
agencies,
corporations,
and
universities
around
the
world
who
invest
hundreds
of
hours
each
year
in
research
and
teaching
to
help
the
entire
information
security
community.
SANS
has
received
permission
to
provide
sanitized
security
policies
from
a
large
organization.
They
should
form
a
good
starting
point
if
you
need
one
of
these
policies.
Slide1821
Before
looking
into
the
sample
security
policies…
• <angle brackets> should
be
replaced with the appropriate name from your organization.• The term “InfoSec” is used through out these documents to refer the
team
of people responsible for network and information security.
Replace
with
the
appropriate
group
name
from
your
organization.
•
Any
policy
name
that
is
in
italics
is
a
reference
to
a
policy
that
is
also
available
on
the
SANS
site.
Slide1922
Example:
Email
Use
Policy
•
Generally
the
company E-mail systems
are
a high risk area due to their constant availability to the outside world, and the risk is often two-fold.•
Exposes company
mail addresses and (mail) systems to potential attackers.
•
Number
one
entry
point
from
which
most
of
the
malicious
programs
are
entering
the
company.
•
E-mail
systems
are
a
potential
way
to
leak
company
proprietary
information,
intentionally
or
accidentally
(and
software
exists
to
flag
such
things).
Also,
because
of
the
risk
to
company
image.
Slide2023
Example:
Email
Use
Policy
(cont’d)
•
1.0
Purpose – To
prevent
tarnishing the public image of <COMPANY NAME>. When email goes out from <COMPANY NAME> the general public will tend to
view that
message as an official policy statement from the
<COMPANY
NAME>.
•
2.0
Scope
–
This
policy
covers
appropriate
use
of
any
email
sent
from
a
<COMPANY
NAME>
email
address
and
applies
to
all
employees,
vendors,
and
agents
operating
on
behalf
of
<COMPANY
NAME>.
Slide2124
Example:
Email
Use
Policy
(cont’d)
•
3.0
Policy –
3.1
Prohibited Use. • The <COMPANY NAME> email system shall not to be used for the creation or distribution of any
disruptive or
offensive messages, including offensive comments about race, gender,
hair
color,
disabilities,
age,
sexual
orientation,
pornography,
religious
beliefs
and
practice,
political
beliefs,
or
national
origin.
Employees
who
receive
any
emails
with
this
content
from
any
<COMPANY
NAME>
employee
should
report
the
matter
to
their
supervisor
immediately.
Slide2225
Make
An
Addition
to
the
Template!
•
Prohibited Use: –
Using
email for conducting personal business. – Using email for purposes of political lobbying or campaigning. – Violating copyright laws by
inappropriately distributing
protected works. – Posing as anyone other than
oneself
when
sending
email,
except
when
authorized
to
send
messages
for
another
when
serving
in
an
administrative
support
role.
–
The
use
of
unauthorized
e-mail
software.
Slide2326
Don’t
Slow
Down
Network
Communications!
•
Make
an addition to
the
template: – Prohibited Use: • Sending or forwarding chain letters. • Sending unsolicited messages to large groups except as
required to
conduct agency business. • Sending excessively large messages
•
Sending
or
forwarding
email
that
is
likely
to
contain
computer
viruses.
Slide2427
Non-<COMPANY
NAME>
Email
Accounts
for
Confidential
Info?
• Make an
addition
to the template: – Individuals must not send, forward or receive confidential or sensitive <COMPANY NAME> information through non-<COMPANY NAME>
email
accounts. Examples of non- <COMPANY NAME> email accounts include,
but
are
not
limited
to,
Hotmail,
Yahoo
mail,
AOL
mail,
and
email
provided
by
other
Internet
Service
Providers
(ISP).
Slide2528
Non-<COMPANY
NAME>
Mobile
Devices
for
Confidential
Info?
• Make an
addition
to the template: – Individuals must not send, forward, receive or store confidential or sensitive <COMPANY NAME> information utilizing non-<COMPANY
NAME>
accredited mobile devices. Examples of mobile devices include, but
are
not
limited
to,
Personal
Data
Assistants,
two-way
pagers
and
cellular
telephones.
Slide2629
Example:
Email
Use
Policy
(cont’d)
–
3.2 Personal Use.
•
Using a reasonable amount of <COMPANY NAME> resources for personal emails is acceptable, but non-work related email shall be saved
in a
separate folder from work related email. • Sending
chain
letters
or
joke
emails
from
a
<COMPANY
NAME>
email
account
is
prohibited.
•
Virus
or
other
malware
warnings
and
mass
mailings
from
<COMPANY
NAME>
shall
be
approved
by
<COMPANY
NAME>
VP
Operations
before
sending.
These
restrictions
also
apply
to
the
forwarding
of
mail
received
by
a
<COMPANY
NAME>
employee.
Slide2730
Example:
Email
Use
Policy
(cont’d)
–
3.3 Monitoring •
<COMPANY
NAME> employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
<COMPANY NAME>
may monitor messages without prior notice. <COMPANY NAME>
is
not
obliged
to
monitor
email
messages.
Slide2831
Transmitted
Information
Needs
To
Be
Safe!
•
Make an addition
to
the template: – All sensitive <COMPANY NAME> material transmitted over external networks must be encrypted.
Slide2932
Example:
Email
Use
Policy
(cont’d)
•
4.0
Enforcement –
Any
employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Slide3033
Doesn’t
Handle
Non-Employees
•
Need
to
change
template:
– 4.0 Enforcement • Violation of this policy may result in disciplinary
action
which may include termination for employees and temporaries;
a
termination
of
employment
relations
in
the
case
of
contractors
or
consultants
;
dismissal
for
interns
and
volunteers
;
or
suspension
or
expulsion
in
the
case
of
a
student
.
Additionally,
individuals
are
subject
to
loss
of
<COMPANY
NAME>
Information
Resources
access
privileges,
civil,
and
criminal
prosecution.
–
NOTE:
Enforcement
can
also
include
both
identification
of
the
violation
and
a
software
needed
to
look
for
violations,
spot
checking
email,
etc.
Slide31Example:
Email
Use
Policy
(cont’d)
34
•
Term
Definitions: – Email:
The
electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft
Outlook. –
Forwarded email: Email resent from an internal network to
an
outside
point.
–
Chain email or letter:
Email
sent
to
successive
people.
Typically
the
body
of
the
note
has
direction
to
send
out
multiple
copies
of
the
note
and
promises
good
luck
or
money
if
the
direction
is
followed.
–
Sensitive information:
Information
is
considered
sensitive
if
it
can
be
damaging
to
<COMPANY
NAME>
or
its
customers'
reputation
or
market
standing.
–
Virus warning:
Email
containing
warnings
about
virus
or
malware.
The
overwhelming
majority
of
these
emails
turn
out
to
be
a
hoax
and
contain
bogus
information
usually
intent
only
on
frightening
or
misleading
users.
–
Unauthorized Disclosure:
The
intentional
or
unintentional
revealing
of
restricted
information
to
people,
both
inside
and
outside
<COMPANY
NAME>,
who
do
not
have
a
need
to
know
that
information.
Slide3235
Example:
Email
Use
Policy
(cont’d)
•
6.0
Revision History
–
Used when revisions are made in the duration of a security policy.
Slide3347
High-level
to
Low-level
•
Security
policies
begin
from high
level
statements and flow down to lower level policies, which are more specific and detailed. Example: • High level: Confidential and classified
company information
shall be protected from release to unauthorized personnel.
•
Mid level:
Classified
information
will
only
be
accessible
from
internal
network
(company
intranet)
via
a
secure
website.
•
Low level:
The
internal
web-server
will
be
running
HTTPS
(SSL)
and
be
password-protected.
The
perimeter
firewall
will
deny
all
access
to
the
web-
server
from
external
hosts
(outside
the
intranet)
by
blocking
external
traffic
on
port
443.
•
The
firewall
is
an
enforcement mechanism
.
The
password
protection
is
an
enforcement
mechanism
as
well.
Slide3448
Applicable
Security
Policies
•
In
the
previous
example, a company
can
refer to the following security policies: – Firewall – which ports are allowed through. – Password – length of
password, aging,
allowed and required characters. – Intranet – who
belongs
on
the
intranet,
how
information
is
distributed…
–
Web server
–
its
configuration,
its
permissions,
and
what
type
of
information
its
allowed
to
contain
(classification
levels).