ISY 251 - Chapter 2: Security Policies and Standards
Purpose of SETA to enhance security by
Improving awareness of the need to protect system resources -Developing skills and knowledge so computer users can perform their jobs more securely -Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
Effective Security Program
Use of a formal plan to implement and manage security in the organization
dictionary attack
a variation on the brute force attack, narrows the field by selecting specific target accounts and using a list of commonly used passwords instead of random combinations. Organizations can use such dictionaries themselves to disallow passwords during the reset process and thus guard against easy to-guess passwords. In addition, rules requiring additional numbers and/or special characters make the dictionary attack less effective. Another variant, called a rainbow attack, makes use of a pre-computed hash using a time-memory tradeoff technique that uses a database of pre-computed hashes from sequentially calculated passwords to look up the hashed password and read out the text version, with no brute force required.
Procedures
How to accomplish the policies and standards
Statement of Purpose
*(Components of EISP)* Answers the question "What is this policy for?" Provides a framework that helps the reader understand the intent of the document.
Information Technology Security Elements
*(Components of EISP)* Defines information security. This section can also lay out security definitions or philosophies to clarify the policy.
Information Technology Security responsibilities and Roles
*(Components of EISP)* Defines the organizational structure designed to support information security. IDs categories individuals with responsibility for information security (IT Department, management, users) and their information security responsibilities, including maintenance of this document.
Reference to Other Information Technology standards and Guidelines
*(Components of EISP)* List other standards that influence and are influenced by this policy document, perhaps including relevant laws (federal and state) and other policies
Need for Information Technology Security
*(Components of EISP)* Provides information on the importance of information security in the organization and the obligation (legal and ethical) to protect critical information about customers, employees, and markets.
Dissemination
*(For Effective Policies)* -Distribution of the information -Is it in a readily available place?
Review
*(For Effective Policies)* -Has it been read? -Who is reading it?
Comprehension
*(For Effective Policies)* -Is it understandable? -Too confusing?
Compliance
*(For Effective Policies)* Acknowledge vs. Agree
Uniform Enforcement
*(For Effective Policies)* How are violations being handled?
Strategic Planning
*(Things that drive Policy Development)* -Process of moving the organization towards its vision -Constantly reworked to promote progress
Mission of an Organization
*(Things that drive Policy Development)* -Written statement of purpose of organization -Usually not modified
Vision of an Organization
*(Things that drive Policy Development)* -Written statement of the organization's long-term goals -Occasionally modified
Security Policy
*(Things that drive Policy Development)* Set of rules that protects and organization's assets.
Systems-specific security policies
-Appear with the managerial guidance expected in a policy -Include detailed technical specifications not usually found in other types of policy documents -Managerial Guidance SysSPs --Guide the implementation and configuration of a specific technology -Technical Specifications SysSPs --General methods for implementing technical controls -Access control lists --Set of specifications that identifies a piece of technology's authorized users and includes details on the rights and privileges those users have on that technology -Access control matrix --Combines capability tables and ACLs -Configuration rules --Specific instructions entered into a security system to regulate how it reacts to the data it receives -Rule-based policies --More specific to a system's operation than ACLs --May or may not deal with users directly
Organization
-Collection of people working together toward a common goal -Must have clear understanding of the rules of acceptable behavior
Policy
-Conveys management's intentions to its employees -Set of guidelines or instructions -Organization's senior management implements -Idea
The steps to make for policy to be considered effective
-Dissemination -Review -Comprehension -Compliance -Uniform Enforcement
Security Education, Training, and Awareness Program (SETA)
-Education, training, and awareness (SETA) program -Responsibility of the CISO -Control measure designed to reduce the incidences of accidental security breaches by employees -Designed to supplement the general education and training programs
Standards
-More detailed descriptions of what must be done to comply with policy -Specifics and outline
Security Framework
-Outline of the overall information security strategy -Roadmap for planned changes to the organization's information security environment --The ISO 27,000 Series --NIST Model
4 phases of incident recovery
1. Planning—getting ready to handle incidents 2. Detection—identifying that an incident has occurred 3. Reaction—responding to the immediate threat of an incident and regaining control of information assets 4. Recovery—getting things "back to normal," resolving the damage done during the incident, and understanding what happened to prevent reoccurrence
difference between policy and standard
A policy is a set of guidelines or instructions that an organization's senior management implements to regulate the activities of the organization members who make decisions, take actions, and perform other duties. Policies are the organizational equivalent of public laws in that they dictate acceptable and unacceptable behavior within an organization. Like laws, policies define what is right and what is wrong, what the penalties are for violating policy, and what the appeal process is. Standards, although they have the same compliance requirement as policies, are more detailed descriptions of what must be done to comply with policy.
Security blueprint
Basis for the design, selection, and implementation of all security program elements.
NIST Security Models
Computer Security Resource Center (CSRC) publications -SP 800-14: Generally Accepted Principles and Practices for Securing InformationTechnology Systems --Lists the principles and practices to be used in the development of a security blueprint -SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy --Provides an overview of the capabilities and technologies of firewalls and firewall policies -SP 800-53 Rev. 3: Recommended Security Controls for Federal Information Systems and Organizations --Describes the selection and implementation of security controls for information security to lower the possibility of successful attack from threats -SP 800-53 A, Jul 2008: Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans --Provides a systems developmental lifecycle approach to security assessment of information systems
Benchmarking
Evaluation against a standard -*Spheres of security*:Generalized foundation of a good security framework -*Controls*: Implemented between systems and the information, between networks and the computer systems, and between the Internet and internal networks -*Information security*: Designed and implemented in three layers: policies, people (education, training, and awareness programs), and technology
Enterprise Information Security Policy
General Security Policy -Supports the mission, vision, and direction of the organization -Sets the strategic direction, scope, and tone for all security efforts -Executive-level document -Drafted by organization's chief information officer -Expresses the security philosophy within the IT environment -Guides the development, implementation, and management of the security program -Address an organization's need to comply with laws and regulations in two ways: -General compliance -Identification of specific penalties and disciplinary actions
Defense In Depth
One of the basic tenets of security architecture is the layered implementation of security. This layered approach is called ________ ___ _______. To achieve ________ ___ _______, an organization must establish multiple layers of security controls and safeguards, which can be organized into policy, training and education, and technology, as per the CNSS model discussed earlier. While policy itself may not prevent attacks, it certainly prepares the organization to handle them; and coupled with other layers, it can deter attacks. This is true of training and education, which can also provide some defense against non-technical attacks such as employee ignorance and social engineering. Social engineering occurs when attackers try to use social interaction with members of the organization to acquire information that can be used to make further exploits against information assets possible.
Best Practices
Procedures that are accepted or prescribed as being correct or most effective.
Information Security Policy
Set of rules for the protection of an organization's information assets
*Issue-specific security policies*
Specific technology Policy -Addresses specific areas of technology -Requires frequent updates -Contains a statement on the organization's position on a specific issue -May cover: --Use of company-owned networks and the Internet --Use of telecommunications technologies (fax and phone) --Use of electronic mail --Specific minimum configurations of computers to defend against worms and viruses --Prohibitions against hacking or testing organization security controls --Home use of company-owned computer equipment --Use of personal equipment on company networks Use of photocopy equipment
De Jure Standards
Standards that are published, scrutinized, and ratified by a group.
De Facto Standards
The standards that may be an informal part of an organization's culture