Policies Procedures Ch5

The document discusses the importance of policies and procedures in organizations. It states that policies provide rules to govern how systems and employees should operate under normal and unusual circumstances. The document then outlines several specific policies an organization may have, including information policies, security policies, computer and internet use policies, and email policies. It also discusses procedures for user management, system administration, backups, incident response, configuration management, and disaster recovery. The importance of properly defining policies, deploying them, and using them effectively is emphasized.

Uploaded by wahid_moi
Copyright
© Attribution Non-Commercial (BY-NC)

Policy & Procedures

Why is Policy Important?

Policy provides the rules that govern how systems should be configured, how employees of an organization should act in normal circumstances, and how they should react during unusual circumstances. Policy performs two primary functions:
- It defines what security should be in an organization.
- It puts everyone in the know, so that all staff understand what is expected of them.

Defining Security Policy

Policy defines how security should be implemented, including:
- Proper configuration
- Network configuration
- IP configuration
- Usernames, passwords, etc.

Technical aspects of security are not the only things defined by policy. Policy also defines how employers and employees should behave when things fail or do not go as expected.

Defining Various Policies

There are many types of policies and procedures that an organization can use to define how security should work. Each policy has three aspects:
- Purpose: why the policy was created.
- Scope: where the policy is to be used.
- Responsibility: who is held accountable for it.

Information Policy I

The information policy defines what sensitive information should be protected. The policy is constructed to cover all information within the organization. Each employee is responsible for protecting sensitive information that comes into their possession.

Information Policy II

Critical issues include:
- Identification of sensitive information
- Classification of sensitive information
- Storing sensitive information
- Transmitting sensitive information
- Destroying sensitive information

Security Policy I

The security policy defines the technical requirements for security on computer systems and network equipment: how a system or network administrator should configure a system with regard to security. The primary responsibility for implementing this policy falls on the administrator.

Security Policy II

Critical issues include:
- Identification and authentication
- Access control
- Audit (number of logins, logouts, failures, etc.)
- Network connectivity: dial-in connections, permanent connections, remote connections, wireless networks
- Malicious code: which security programs to use
- Encryption: which encryption algorithms to use

Computer Use Policy I

The computer use policy lays down the law as to WHO may use computer systems, HOW they may be used and for WHAT purposes. It covers all computer resources (internal and external) in an organization. All users are accountable for the computer systems they use, whether that use is authorized or not.

Computer Use Policy II

Critical issues include:
- Ownership of computers
- Ownership of information
- Acceptable use of computers (e.g. no IRC, MSN or similar chat clients)
- No expectation of privacy

Internet Use Policy

The Internet use policy is a general computer policy within an organization. It defines the appropriate uses of the Internet, i.e. business-related use. Compliance with the Internet use policy is generally monitored by senior managers and employers.

E-mail Policy I

The e-mail policy serves to limit the use of bandwidth within an organization, and clarifies what transmission of data or information is and is not allowable. Every e-mail user, and the administrator, is responsible for ensuring that e-mail is not being exploited.

E-mail Policy II

Critical issues include:
- Internal mail issues: harassment, jokes, attachments
- External mail issues: scanning inbound and outbound e-mail, virus protection, keyword detection

User Management Procedures I

User management procedures are normally overlooked by organizations. They govern the security mechanisms used to protect systems from unauthorized access, and such mechanisms are useless if they are not managed properly.

User Management Procedures II

Critical issues include:
- New employee procedure: assigning usernames and passwords, ID cards, access cards, etc.
- Transferred employee procedure: internal transfer, external transfer
- Employee termination procedure: removing account details, backing up user data
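A worked reconciliation of system accounts against the HR roster, added here as an example of the joiner, mover and leaver checks above; it is not part of the original slides. It assumes a hypothetical CSV export from HR and from the target system, a hypothetical mapping of department-specific groups, and a fixed "today" so the constructed sample data gives reproducible results.

```python
"""Reconcile system accounts against the HR roster (joiner/mover/leaver check).

Added example for the user management procedures; not part of the original
slides. It assumes (hypothetically) that HR exports a CSV roster and that the
target system exports its account list as CSV; both inputs below are
constructed sample data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster. 'status' is active, terminated, or transferred:<new dept>.
HR_ROSTER_CSV = """employee_id,username,department,status
1001,alice,engineering,active
1002,bob,finance,terminated
1003,carol,engineering,transferred:sales
1004,dave,finance,active
1005,frank,finance,active
"""

# Constructed account export from the target system. Groups are ';'-separated.
SYSTEM_ACCOUNTS_CSV = """username,groups,enabled,last_login
alice,eng-dev;vpn,yes,2024-05-01
bob,fin-ap;vpn,yes,2024-04-20
carol,eng-dev,yes,2024-05-02
erin,eng-dev,yes,2023-11-15
dave,fin-ap,no,2024-01-10
frank,fin-ap,yes,2023-12-01
"""

# Assumed mapping of department-specific groups (hypothetical); 'vpn' is shared.
DEPT_GROUPS = {"engineering": {"eng-dev"}, "sales": {"sales-crm"}, "finance": {"fin-ap"}}
GROUP_DEPT = {g: d for d, gs in DEPT_GROUPS.items() for g in gs}
STALE_DAYS = 90                      # an enabled account unused this long is flagged
TODAY = date(2024, 5, 10)            # fixed so the constructed data is reproducible


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_rows, account_rows, today=TODAY):
    """Return (username, finding, detail) tuples for accounts that violate the procedures."""
    hr = {row["username"]: row for row in hr_rows}
    findings = []
    for acct in account_rows:
        user = acct["username"]
        enabled = acct["enabled"] == "yes"
        groups = set(acct["groups"].split(";"))
        emp = hr.get(user)
        if emp is None:
            # Nobody in HR owns this account: it was never provisioned through the
            # new-employee procedure, or the leaver was removed from HR only.
            findings.append((user, "orphan", "no matching HR record"))
            continue
        status = emp["status"]
        if status == "terminated" and enabled:
            # Termination procedure: remove the account, not just the badge.
            findings.append((user, "terminated-active", "account still enabled"))
            continue
        if status.startswith("transferred:"):
            new_dept = status.split(":", 1)[1]
            # Transfer procedure: access belonging to the old department must be revoked.
            residual = sorted(g for g in groups if GROUP_DEPT.get(g) not in (None, new_dept))
            if residual:
                findings.append((user, "transfer-residual-access", ",".join(residual)))
                continue
        if enabled and today - date.fromisoformat(acct["last_login"]) > timedelta(days=STALE_DAYS):
            findings.append((user, "stale", f"no login for more than {STALE_DAYS} days"))
    return findings


def run_example():
    return reconcile(load_csv(HR_ROSTER_CSV), load_csv(SYSTEM_ACCOUNTS_CSV))


if __name__ == "__main__":
    for user, finding, detail in run_example():
        print(f"{user:8} {finding:25} {detail}")
```

On the sample data the script reports bob (terminated but still enabled), carol (transferred to sales but still in the engineering group), erin (no HR record at all) and frank (enabled but unused for more than 90 days). Running this reconciliation on a schedule is what turns the written procedure into something that is actually enforced.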

System Administration Procedure

Defines how security and system administration will work together to secure the organization's systems, and how and how often the various security-related administration tasks will be accomplished. Critical issues include:
- Software upgrades
- Vulnerability scans
- Policy reviews
- Log reviews
- Regular and non-regular monitoring
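Log review in practice, as an added example that is not from the original slides: the script below walks constructed OpenSSH-style authentication log lines, counts failed logins per source, flags a source that crosses an assumed failure threshold and, more importantly, flags a successful login that follows such a burst from the same source. The regular expression matches the standard sshd "Accepted"/"Failed" message format; the threshold value and the log lines are assumptions made for the example.

```python
"""Review sshd authentication logs for failed-login bursts and suspicious successes.

Added example for the log-review task in the system administration procedure;
not from the original slides. The log lines are constructed samples in OpenSSH
syslog format; the threshold is an assumed tuning value.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
May  3 10:01:02 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May  3 10:01:04 host1 sshd[1235]: Failed password for root from 203.0.113.5 port 51235 ssh2
May  3 10:01:06 host1 sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
May  3 10:01:08 host1 sshd[1237]: Failed password for alice from 203.0.113.5 port 51237 ssh2
May  3 10:01:10 host1 sshd[1238]: Failed password for alice from 203.0.113.5 port 51238 ssh2
May  3 10:02:10 host1 sshd[1240]: Accepted password for alice from 203.0.113.5 port 51240 ssh2
May  3 10:05:00 host1 sshd[1250]: Accepted publickey for bob from 198.51.100.7 port 40000 ssh2
May  3 10:06:00 host1 sshd[1251]: Failed password for bob from 198.51.100.7 port 40001 ssh2
May  3 10:06:30 host1 sshd[1252]: Disconnected from user bob 198.51.100.7 port 40000
"""

# Standard sshd authentication result line; 'invalid user ' appears for unknown names.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

FAIL_THRESHOLD = 5   # assumed: this many failures from one source is a brute-force attempt


def review(lines, threshold=FAIL_THRESHOLD):
    """Walk the log in order and return per-source failure counts plus alerts."""
    failures = Counter()
    invalid_users = defaultdict(set)
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue            # disconnects, key exchange chatter, etc.
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            if m["invalid"]:
                invalid_users[src].add(user)
            if failures[src] == threshold:
                alerts.append(("brute-force", src, f"{threshold} failures"))
        elif failures[src] >= threshold:
            # A success *after* a burst of failures from the same source is the
            # event worth escalating: the guessing may have worked.
            alerts.append(("success-after-failures", src, f"{m['method']} for {user}"))
    return {
        "failures": dict(failures),
        "invalid_users": {s: sorted(u) for s, u in invalid_users.items()},
        "alerts": alerts,
    }


def run_example():
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    result = run_example()
    print("failures per source:", result["failures"])
    print("unknown usernames tried:", result["invalid_users"])
    for alert in result["alerts"]:
        print("ALERT", alert)
```

The order of events matters: bob's single failure after a successful key-based login is ordinary noise, while alice's success from 203.0.113.5 arrives after five failures from that address and should go to the incident response procedure rather than into a weekly count.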

Backup Procedure

The backup procedure defines:
- how and when system backups are to be performed, and their frequency;
- the media on which backups are stored, and how the backups are protected;
- what system information and data needs to be backed up;
- how often to conduct restore testing.

Incident Response Procedure I

An incident response procedure (IRP) defines how the organization will react when a computer security incident occurs. Incidents differ in nature, hence:
- Different incidents require different IRPs.
- Different incidents may require different people to handle the situation.

The IRP should specify the objectives to be met when handling incidents.

Incident Response Procedure II

Critical issues include:
- Incident handling initiation (often the help desk)
- Event identification (malicious or not)
- Escalation (is the response team needed or not)
- Information control (what information to release)
- Authority (who initiates the action)
- Response (take the system offline, shut it down, prosecute)
- Documentation (every incident should be documented)
- Testing of the procedure (an IRP needs practice)

Configuration Management Procedure

This procedure defines the steps that should be taken to modify the state of the organization's computer systems, network devices and software systems. Its purpose is to identify approved changes so that they are not misidentified as security incidents. The initial system state should be well documented (version, service pack, patches, etc.).
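The following added example (not code from the original slides) covers two of the procedures above at once: the restore test from the backup procedure and the documented initial state from the configuration management procedure. It records a baseline manifest of file hashes, backs the tree up to a tar archive, proves the backup by restoring it elsewhere and comparing against the baseline, and then separates later changes into those listed in an assumed change record and those that are not. The file tree, the archive and the approved path 'etc/version' are constructed for the example.

```python
"""Document a system's baseline state, check a backup by restoring it, and
classify later changes as approved or unexpected.

Added example serving both the backup procedure (restore testing) and the
configuration management procedure (documented initial state); it is not code
from the original slides. The file tree, the tar archive and the change record
are constructed in a temporary directory; 'etc/version' standing for an
approved change is a hypothetical example.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file under root (posix-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_manifests(baseline, current):
    """Return added, removed and modified paths between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def unexpected_changes(diff, approved):
    """Drop paths covered by an approved change record; what remains is an incident candidate."""
    return {kind: [p for p in paths if p not in approved] for kind, paths in diff.items()}


def restore_matches(archive, restore_dir, baseline, top="system"):
    """Restore test: extract the archive and compare the result with the baseline manifest."""
    with tarfile.open(str(archive)) as tf:
        # Python 3.12+ (and the security backports) provide the 'data' filter, which
        # refuses absolute paths, '..' traversal and links escaping restore_dir.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(str(restore_dir), **kwargs)
    return manifest(Path(restore_dir) / top) == baseline


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        sysroot = tmp / "system"
        (sysroot / "etc").mkdir(parents=True)
        (sysroot / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (sysroot / "etc" / "version").write_text("1.0\n")

        # 1. Document the initial system state.
        baseline = manifest(sysroot)

        # 2. Back it up, then prove the backup is usable by restoring it elsewhere.
        archive = tmp / "backup.tar"
        with tarfile.open(str(archive), "w") as tf:
            tf.add(str(sysroot), arcname="system")
        restore_dir = tmp / "restore"
        restore_dir.mkdir()
        restore_ok = restore_matches(archive, restore_dir, baseline)

        # 3. Later, two files change: one through change control, one not.
        (sysroot / "etc" / "version").write_text("1.1\n")                      # approved upgrade
        (sysroot / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # nobody approved this
        approved = {"etc/version"}                                               # hypothetical change record
        diff = diff_manifests(baseline, manifest(sysroot))
        return restore_ok, diff, unexpected_changes(diff, approved)


if __name__ == "__main__":
    ok, diff, unexpected = demo()
    print("restore test passed:", ok)
    print("all changes since baseline:", diff)
    print("unexpected changes (investigate):", unexpected)
```

Without the baseline, the sshd_config edit and the approved version bump look identical to a log reviewer; with it, the change record explains one and the other becomes an incident to hand to the response procedure. The same manifest is what makes the restore test meaningful: a backup job that completes is not evidence that the data can be recovered, a restored tree that hashes identically is.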

Disaster Recovery Procedure

Every organization should have a disaster recovery plan (DRP). This plan or procedure should aim to handle events such as:
- Fires
- Floods
- Storms, lightning, etc.

It should address the various levels of failure, such as:
- Single system failure, multiple system failure, site failure, etc.
- Primary network failure
- Data storage center failure

Creating Appropriate Policies

Different organizations have different policies. Policy templates are useful but not enough. The normal practice is:
- Step 1: Define which policies are important.
- Step 2: Identify stakeholders.
- Step 3: Define appropriate outlines.
- Step 4: Develop the policy.
- Step 5: Deploy the policy.

Policy Deployment

Unlike creating a policy (which requires a small number of people), deploying a policy requires the involvement of the whole organization. The normal procedure involves:
- A general meeting with everyone
- Educating employees
- Providing documentation
- Use of the policy

Use Policy Effectively

Policy can be used as a club, but it is much more effective when used as an educational tool. Keep in mind that most employees have the organization's best interests at heart. Some aspects of policy use include:
- New systems and projects (apply policy early in the process)
- Existing systems and projects (compliance testing)
- Audits (internal compliance with policies)
- Policy reviews (policies do not last forever)