2. Overview
Understanding why policy is important.
Defining various policies.
Creating an appropriate policy.
Deploying policies.
Using policy effectively.
3. Understanding Why Policy is
Important
The two primary functions of a policy are:
It defines the scope of security within an organization.
It clearly states the expectations from everyone in the
organization.
4. Understanding Why Policy is
Important
Policy defines how security should be implemented.
It includes the system configurations, network
configurations, and physical security measures.
It defines the mechanisms used to protect information and
systems.
It defines how organizations should react when security
incidents occur.
5. Understanding Why Policy is
Important
Policy provides the framework for employees to work
together.
It defines the common goals and objectives of the
organization’s security program.
Proper security awareness training helps implement policy
initiatives effectively.
7. Defining Various Policies
System administration procedures.
Backup policy.
Incident response policy.
Configuration management procedures.
Design methodology.
Disaster recovery plans.
8. Information Policy
Identification of sensitive information.
Classifications.
Marking and storing sensitive information.
Transmission of sensitive information.
Destruction of sensitive information.
9. Identification of Sensitive
Information
Sensitive information differs depending on the business of
the organization.
It may include business records, product designs, patent
information, and company phone books.
It may also include payroll, medical insurance, and any
other financial information.
10. Classifications
Only the lowest level of information should be made public.
All proprietary, company sensitive, or company confidential
information is releasable to employees.
All restricted or protected information must be made
available to authorized employees only.
11. Marking and Storing Sensitive
Information
The policy must mark all sensitive information.
It should address the storage mechanism for information on
paper or on computer systems.
Incase of information stored on computer systems, the
policy should specify appropriate levels of protection.
Use encryption wherever required.
12. Transmission of Sensitive
Information
The policy addresses how sensitive information needs to be
transmitted.
It specifies the encryption method to be used while
transmitting information through electronic mail.
Incase of hardcopies of information, request a signed
receipt.
13. Destruction of Sensitive
Information
To destroy sensitive information:
Shred the information on paper.
Use cross-cut shredders that provide an added level of
protection.
PGP desktop and BCWipe can be used to delete documents
placed on a desktop.
16. Identification and
Authentication
The security policy defines how users will be identified.
It defines the primary authentication mechanism for users
and administrators.
It defines stronger mechanism for remote access such as
VPN or dial-in access.
17. Access Control
The security policy defines the standard requirement for
access control of electronic files.
The requirement includes the required mechanism and the
default requirements for new files.
The mechanism should work with authentication
mechanism to allow only authorized users to access the
information.
18. Audit
Security policies must frequently audit the following events:
Logins (successful and failed).
Logouts.
Failed access to files or system objects.
Remote access (successful and failed).
Privileged actions.
System events (such as shutdowns and reboots).
19. Audit
Each event should also capture the following information:
User ID (if there is one)
Date and time
Process ID (if there is one)
Action performed
Success or failure of the event
20. Network Connectivity
The security policy specifies the rules for network connectivity
and the protection mechanisms. It includes:
Dial-in connections.
Permanent connections.
Remote access of internal systems.
Wireless networks.
21. Malicious Code
The security policy specifies where security programs that
look for malicious code need to be placed.
Some appropriate locations are file servers, desktop
systems, and electronic mail servers.
It should specify the requirements for security programs.
It should require updates of signatures for such security
programs on a periodic basis.
22. Encryption
The security policy should define the acceptable encryption
algorithms for use.
It can refer to the information policy to choose the
appropriate algorithms to protect sensitive information.
It should also specify the procedures required for key
management.
23. Waivers
The security policy should provide a mechanism for risk
assessment and formulating a contingency plan.
For each situation, the system designer or project manager should
fill a waiver form.
The security department reviews the waiver request and provides
risk assessment results and recommendations to minimize the risk.
The waiver should be approved by the organization’s officer in
charge of the project.
24. Appendices
The security policy appendices should have details of:
Security configurations for various operating systems.
Network devices.
Telecommunication equipments.
25. Computer Use Policy
Ownership of computers - States that all computers are owned by
the organization.
Ownership of information - States that all information stored on or
used by the organization’s computers is proprietary to the
organization.
26. Computer Use Policy
Acceptable use of computers - States all acceptable and
unacceptable use of the organization’s computers.
No expectation of privacy - States that the employee have
no expectation of privacy for any information stored, sent,
or received on the organization’s computers.
27. Internet Use Policy
The Internet use policy is a part of the general computer use
policy.
It can be a separate policy due to the specific nature of the
Internet use.
The Internet use policy defines the appropriate uses of the
Internet within an organization.
It may also define inappropriate uses such as visiting non-
business-related web sites.
28. E-mail Policy
Internal mail issues - The electronic mail policy should not
be in conflict with other human resource policies.
External mail issues - Electronic mail leaving an
organization may contain sensitive information. Therefore,
it may be monitored.
29. User Management Procedures
New employment procedure - Provides new employees with
the proper access to computer resources.
Transferred employee procedure - Reviews employee’s
computer access when they are transferred within the
organization.
Employee termination procedure - Ensures removal of users
who no longer work for the organization.
30. System Administration
Procedure
Software upgrades - Defines how often a system administrator
will check for new patches or updates.
Vulnerability scans - Defines how often and when the scans will be
conducted by security.
Policy reviews - Specifies the security requirements for each
system.
31. System Administration
Procedure
Log reviews - Specifies configuration of automated tools
that create log entries and how exceptions must be handled.
Regular monitoring - Documents when network traffic
monitoring will occur.
32. Backup Policy
Frequency of backups - Identifies how often backups
actually occur.
Storage of backups - Defines how to store backups in a
secure location. It also states the mechanism for requesting
and restoring backups.
Information to be backed up - Identifies which data needs
to be backed up more frequently.
33. Incident Response Procedure
Incident handling objectives - Specifies the objectives of the
organization when handling an incident.
Event identification - States corrective actions for an intrusion or
user mistake.
Escalation - Specifies an escalation procedure such as activating
an incident response team.
Information control - Specifies what information is classified and
what can be made public.
34. Incident Response Procedure
Response - Defines the type of response when an incident occurs.
Authority - Defines which individual within the organization or the
incident response team has the authority to take action.
Documentation - Defines how the incident response team should
document its actions.
Testing of the procedure - Tests the IRP once it is written. It also
identifies the loop holes in the procedure and suggests corrective
actions.
35. Configuration Management
Procedures
Initial system state - Documents the state of a new system
when it goes into production. It should include details of the
operating system, version, patch level, application details,
and configuration details.
Change control procedure - Executes a change control
procedure when a change is to be made to an existing
system.
36. Design Methodology
Requirements definition - Specifies the security requirements that
need to be included during the requirement definition phase.
Design - Specifies that security should be represented to ensure
that the project is secured during the design phase.
Test - Specifies that when the project reaches the testing phase,
the security requirement should also be tested.
Implementation - Specifies that the implementation team should
use proper configuration management procedures.
37. Disaster Recovery Plans
Single system or device failures - Includes a network device, disk,
motherboard, network interface card, or component failure.
Data center events - Provides procedures for a major event within
a data center.
Site events - Identifies the critical capabilities that need to be
restored.
Testing the DRP - Identifies key employees and performs
walkthroughs of the plan periodically.
38. Creating an Appropriate Policy
To create an appropriate policy:
Identify which policies are most relevant and important to an
organization.
Conduct a risk assessment to identify risk areas.
Define all acceptable and unacceptable employee behavior.
State all restrictions clearly.
Identify individuals and other stakeholders who will be affected
by the policy. State expectations clearly.
39. Creating an Appropriate Policy
To create an appropriate policy:
Define a set of possible outlines.
Draft the policy based on the outline.
Include stakeholders during discussions and invite suggestions.
Brainstorm before developing the final policy.
40. Deploying the Policy
Every department of the organization that is affected by the
policy must accept the underlying concept.
Conduct security awareness training where employees are
informed of the intended change.
Make well-planned transitions rather than radical changes
while implementing the policy.
41. Using Policy Effectively
Identify security requirements early in the process. Security
should be a part of the design phase of the project.
Examine existing systems to ensure it is in compliance to new
policies.
Conduct periodic audits to ensure compliance with the policy.
Review policies regularly to ensure they are still relevant for the
organization.
42. Summary
Policies define how security is implemented within an organization.
Each policy must have a purpose, scope, and responsibility.
An organization must establish information policy, security policy,
computer use policy, Internet and e-mail policy, and a backup
policy.
An organization must also define user management, system
administration, incident response, and configuration management
procedures.
43. Summary
The disaster recovery plan details recovery action for various
levels of failures.
While creating a policy ensure that it will be relevant and
important to an organization.
Involve stakeholders in policy discussions. Conduct security
awareness trainings regularly.
Include security issues at each development phase of a project.
