Policies Procedures Ch5

Transcript
  • 8/13/2019 Policies Procedures Ch5


    Policy & Procedures


    Why is Policy Important?

    Policy provides the rules that govern how systems should be configured.

    Policy provides the rules that govern how employees of an organization should act in normal circumstances and how they should react during unusual circumstances.

    Policy performs two primary functions:

        Policy defines what security should be in an organization.

        Policy puts everyone in the know about what is expected of them.

    Defining Various Policies

    There are many types of policies and procedures that an organization can use to define how security should work.

    Each policy has three aspects:

        Purpose: why the policy was created.

        Scope: where the policy applies.

        Responsibility: who is held accountable for it.

    Information Policy I

    The information policy defines what sensitive information should be protected.

    The policy is constructed to cover all information within the organization.

    Each employee is responsible for protecting sensitive information that comes into their possession.

    Information Policy II

    Critical issues include:

        Identification of Sensitive Information

        Classification of Sensitive Information

        Storing Sensitive Information

        Transmitting Sensitive Information

        Destroying Sensitive Information

    Security Policy I

    The security policy defines the technical requirements for security on computer systems and network equipment.

    The security policy defines how a system or network administrator should configure a system with regard to security.

    The primary responsibility for implementing this policy falls on the administrator.

    Security Policy II

    Critical issues include:

        Identification and Authentication

        Access Control

        Audit (logins, logouts, failures, etc.)

        Network Connectivity

            Dial-in Connections

            Permanent Connections

            Remote Connections

            Wireless Networks

        Malicious Code: which security programs to use.

        Encryption: which encryption algorithms to use.

    Computer Use Policy I

    The computer use policy lays down who may use computer systems, how they may be used, and for what purposes.

    The computer use policy covers all computer resources (internal and external) in an organization.

    All users are responsible for the computer systems they use, whether they use them legitimately or not.

    Computer Use Policy II

    Critical issues include:

        Ownership of Computers

        Ownership of Information

        Acceptable Use of Computers (e.g., no IRC or MSN Messenger)

        No Expectation of Privacy

    Internet Use Policy

    The Internet use policy is a general computer policy within an organization.

    The Internet use policy defines appropriate uses of the Internet, i.e., business-related use.

    Compliance with the Internet use policy is generally monitored by senior managers or the employer.

    E-mail Policy I

    The e-mail policy serves to limit use of bandwidth within an organization.

    The e-mail policy clarifies what transmission of data or information is allowable and what is not.

    Every e-mail user and the administrator are responsible for ensuring e-mail is not being exploited.

    E-mail Policy II

    Critical issues include:

        Internal mail issues

            Harassment

            Jokes

            Attachments

        External mail issues

            Scanning inbound and outbound e-mail

            Virus protection

            Keyword detection

    User Management Procedures I

    User management procedures are normally overlooked by organizations.

    User accounts and credentials are the security mechanisms used to protect systems from unauthorized access; such mechanisms are useless if they are not managed properly.

    User Management Procedures II

    Critical issues include:

        New Employee Procedure

            Assigning usernames and passwords

            ID cards, access cards, etc.

        Transferred Employee Procedure

            Internal transfer

            External transfer

        Employee Termination Procedure

            Removing account details

            Backing up user data

    System Administration Procedure

    Defines how Security and System Administration will work together to secure the organization's systems.

    Defines how, and how often, various security-related administration tasks will be accomplished.

    System Administration Procedure

    Critical issues include:

        Software Upgrades

        Vulnerability Scans

        Policy Reviews

        Log Reviews

        Regular and Non-regular Monitoring
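    The audit item on the Security Policy II slide (logins, logouts, failures) and the log review item above are the two places where the deck names something an administrator can make mechanical. The following Python is an added example, not from the original slides: it parses a handful of constructed OpenSSH-style auth log lines, counts accepted and failed logins per source address, and flags sources whose failures exceed a review threshold. The log lines, the threshold and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH/syslog style (not real log data).
SAMPLE_AUTH_LOG = """\
Aug 13 09:01:02 host1 sshd[2001]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Aug 13 09:01:40 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.9 port 40100 ssh2
Aug 13 09:01:41 host1 sshd[2003]: Failed password for invalid user admin from 203.0.113.9 port 40101 ssh2
Aug 13 09:01:42 host1 sshd[2004]: Failed password for root from 203.0.113.9 port 40102 ssh2
Aug 13 09:01:43 host1 sshd[2005]: Failed password for root from 203.0.113.9 port 40103 ssh2
Aug 13 09:02:10 host1 sshd[2006]: Failed password for bob from 10.0.0.7 port 52000 ssh2
Aug 13 09:02:15 host1 sshd[2007]: Accepted publickey for bob from 10.0.0.7 port 52001 ssh2
Aug 13 09:03:00 host1 sshd[2006]: Disconnected from user bob 10.0.0.7 port 52001
"""

# One pattern covers the two sshd outcomes audited here: accepted and failed logins.
# sshd inserts "invalid user" before the name when the account does not exist.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Return one dict per login attempt (accepted or failed); other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append({
                "outcome": m.group("outcome"),
                "method": m.group("method"),
                "user": m.group("user"),
                "src": m.group("src"),
            })
    return events

def summarize(events):
    """Count accepted and failed logins per source address and record the usernames tried."""
    summary = defaultdict(lambda: {"accepted": 0, "failed": 0, "users": set()})
    for ev in events:
        entry = summary[ev["src"]]
        entry["accepted" if ev["outcome"] == "Accepted" else "failed"] += 1
        entry["users"].add(ev["user"])
    return dict(summary)

def flag_sources(summary, max_failures=3):
    """Sources with more failed logins than the threshold (assumed value) go to the reviewer."""
    return sorted(src for src, e in summary.items() if e["failed"] > max_failures)

if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    summary = summarize(events)
    for src, e in sorted(summary.items()):
        print(f"{src}: accepted={e['accepted']} failed={e['failed']} users={sorted(e['users'])}")
    print("sources needing review:", flag_sources(summary))
```

    On the sample data the script reports 203.0.113.9 for review (four failures against two account names, one of them nonexistent) while bob's single typo from 10.0.0.7 stays below the threshold. The threshold and the time window a real review uses belong in the procedure itself, so that "regular monitoring" means the same thing to every administrator.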

    Backup Procedure

    Defines how system backups are to be performed.

    Defines when system backups are to be performed.

    Defines the frequency of system backups.

    Defines the media on which backups are stored.

    Defines how backups are protected.

    Defines what system information/data needs to be backed up.

    Defines how often to conduct restore testing.
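    Restore testing is the item on this slide that most often goes undefined in practice. The following Python is an added example, not from the original slides: it builds a tar backup of a few constructed files together with a separate SHA-256 manifest, then runs a restore test that extracts into a scratch directory and verifies every manifest entry, reporting files as ok, corrupt or missing. The file contents, paths and function names are assumptions for illustration; the corruption helper flips one byte to stand in for bad media.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample files (not real data): path -> contents.
SAMPLE_FILES = {
    "etc/app.conf": b"listen=443\nlog_level=info\n",
    "data/users.db": b"alice:1000\nbob:1001\n",
}

# Use the 'data' extraction filter where this Python version provides it.
EXTRACT_KWARGS = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def make_backup(files):
    """Write {path: bytes} into an uncompressed tar held in memory.

    Returns (archive_bytes, manifest) where manifest maps path -> sha256 of the
    contents. The manifest is kept apart from the archive so the restore test
    has an independent reference to check against."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256_bytes(data)
    return buf.getvalue(), manifest

def is_safe_member(name):
    """Reject absolute paths and '..' components so a tampered archive cannot
    write outside the restore directory."""
    if os.path.isabs(name):
        return False
    return ".." not in os.path.normpath(name).split(os.sep)

def restore_test(archive, manifest):
    """Extract the archive into a scratch directory and check every manifest
    entry. Returns {path: "ok" | "corrupt" | "missing"}."""
    results = {path: "missing" for path in manifest}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
                for member in tar.getmembers():
                    if member.isfile() and is_safe_member(member.name):
                        tar.extract(member, path=scratch, **EXTRACT_KWARGS)
        except tarfile.TarError:
            return results          # unreadable archive: nothing restored
        for path, expected in manifest.items():
            target = os.path.join(scratch, path)
            if os.path.isfile(target):
                with open(target, "rb") as fh:
                    results[path] = "ok" if sha256_bytes(fh.read()) == expected else "corrupt"
    return results

def corrupt_first_file(archive):
    """Flip one byte of the first member's data (tar data starts right after
    the 512-byte header) to simulate silent media corruption."""
    return archive[:512] + bytes([archive[512] ^ 0xFF]) + archive[513:]

if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    print("clean backup:   ", restore_test(archive, manifest))
    print("corrupted media:", restore_test(corrupt_first_file(archive), manifest))
    manifest["logs/app.log"] = sha256_bytes(b"")   # a file the backup never captured
    print("missing file:   ", restore_test(archive, manifest))
```

    Two points carry over to a real procedure: the manifest must be stored where the archive cannot overwrite it, otherwise a corrupted backup can carry its own matching hashes; and the restore test must refuse archive members that escape the restore directory, because the backup media is one more place an attacker can tamper with.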

    Incident Response Procedure I

    An incident response procedure (IRP) defines how the organization will react when a computer security incident occurs.

    Incidents differ in nature, hence:

        Different incidents require different response procedures.

        Different incidents may require different people to handle the situation.

    The IRP should specify the objectives when handling incidents.

    Incident Response Procedure II

    Critical issues include:

        Incident handling initiation (often the help desk)

        Event identification (malicious or not)

        Escalation (is the response team needed or not)

        Information control (what information to release)

        Authority (who may initiate the action)

        Response (take the system offline, shut down, prosecute)

        Documentation (every incident should be documented)

        Testing of the procedure (the IRP needs practice)

    Configuration Management Procedure

    This procedure defines the steps that should be taken to modify the state of the organization's computer systems, network devices and software systems.

    The purpose of this procedure is to identify authorized changes so that they will not be misidentified as security incidents.

    The initial system state should be well documented (version, service pack, etc.).
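    The slide's two requirements, a documented initial state and a way to tell authorized changes from incidents, can be checked together. The following Python is an added example, not from the original slides: it records a baseline snapshot (package versions plus SHA-256 digests of configuration files), diffs it against a later snapshot, and splits the differences into those covered by an approved change ticket and those that are not. All host state, package names, file contents and the ticket format are constructed assumptions for illustration.

```python
import hashlib

def digest(data):
    """SHA-256 hex digest of a file's contents; a stable fingerprint for the baseline."""
    return hashlib.sha256(data).hexdigest()

# Constructed state of one host as recorded when it was built (not real inventory).
# A real procedure would collect this from the package manager and the filesystem.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\nPermitRootLogin no\n",
    "/etc/nginx/nginx.conf": b"worker_processes 2;\n",
}
BASELINE_PACKAGES = {"openssh-server": "8.9p1-3", "nginx": "1.18.0-6"}

# Constructed state observed later: nginx and its config changed under a ticket,
# sshd_config was weakened with no ticket, and an unplanned package appeared.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PasswordAuthentication yes\nPermitRootLogin yes\n",
    "/etc/nginx/nginx.conf": b"worker_processes 4;\n",
}
CURRENT_PACKAGES = {"openssh-server": "8.9p1-3", "nginx": "1.18.0-7", "netcat": "1.218-4"}

# Approved changes recorded by the configuration management procedure (assumed
# ticket format): each names the exact target state it authorizes.
APPROVED_CHANGES = [
    {"ticket": "CHG-101", "kind": "packages", "name": "nginx", "to": "1.18.0-7"},
    {"ticket": "CHG-102", "kind": "files", "name": "/etc/nginx/nginx.conf",
     "to": digest(b"worker_processes 4;\n")},
]

def snapshot(packages, files):
    """Document a system state: package versions plus config-file digests."""
    return {"packages": dict(packages), "files": {p: digest(c) for p, c in files.items()}}

def diff_state(baseline, current):
    """List every difference between two snapshots; old or new is None when an
    item was added or removed."""
    changes = []
    for kind in ("packages", "files"):
        for name in sorted(set(baseline[kind]) | set(current[kind])):
            old, new = baseline[kind].get(name), current[kind].get(name)
            if old != new:
                changes.append({"kind": kind, "name": name, "old": old, "new": new})
    return changes

def classify(changes, approved):
    """Split changes into those matching an approved ticket's exact target and
    those with no ticket, which are the candidates for incident review."""
    index = {(a["kind"], a["name"], a["to"]): a["ticket"] for a in approved}
    approved_changes, unexpected = [], []
    for ch in changes:
        ticket = index.get((ch["kind"], ch["name"], ch["new"]))
        if ticket:
            approved_changes.append({**ch, "ticket": ticket})
        else:
            unexpected.append(ch)
    return approved_changes, unexpected

if __name__ == "__main__":
    baseline = snapshot(BASELINE_PACKAGES, BASELINE_FILES)
    current = snapshot(CURRENT_PACKAGES, CURRENT_FILES)
    ok, unexpected = classify(diff_state(baseline, current), APPROVED_CHANGES)
    for ch in ok:
        print(f"approved   {ch['ticket']}: {ch['kind']} {ch['name']} -> {ch['new']}")
    for ch in unexpected:
        print(f"UNEXPECTED {ch['kind']} {ch['name']}: {ch['old']} -> {ch['new']}")
```

    A ticket only covers the exact state it names: an nginx upgrade approved to one version does not excuse a different version turning up, and the sshd_config edit with no ticket is exactly the kind of change the procedure exists to surface rather than to explain away.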

    Disaster Recovery Procedure

    Every organization should have a disaster recovery plan (DRP).

    This plan or procedure should aim to handle:

        Fires

        Floods

        Storms, lightning, etc.

    There are various levels of failure, such as:

        Single system failure, multiple system failure, site failure, etc.

        Primary network failure

        Data storage center failure

    Creating Appropriate Policies

    Different organizations have different policies.

    Policy templates are useful but not enough.

    The following is normal practice:

        Step 1: Defining which policies are important.

        Step 2: Identifying stakeholders.

        Step 3: Defining appropriate outlines.

        Step 4: Policy development.

        Step 5: Policy deployment.

    Policy Deployment

    Unlike creating a policy (which requires a small number of people), deploying a policy requires the involvement of the whole organization.

    The normal procedure involves the following:

        General meeting with everyone

        Educating employees

        Providing documentation

        Use of the policy

    Use Policy Effectively

    Policy can be used as a club, but it is much more effective when used as an educational tool.

    Keep in mind that most employees have the organization's best interests at heart.

    Some aspects of policy use include:

        New systems and projects (apply policy early in the process)

        Existing systems and projects (compliance testing)

        Audits (internal compliance with policies)

        Policy reviews (policies do not last forever)

