CHAPTER 3: Information Security Policy
NCS-421 Information Assurance and Security Management

Learning Objectives
□ Upon completion of this material, you should be able to:
  - Define information security policy and discuss its central role in a successful information security program
  - List and describe the three major types of information security policy and discuss the major components of each
  - Explain what is necessary to implement effective policy and what consequences the organization may face if it does not
  - Discuss the process of developing, implementing, and maintaining various types of information security policies

WHY POLICY?
Chapter 03: Information Security Policy

Introduction
□ Policy is the essential foundation of an effective information security program:
  - The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems
  - You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency
  - Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality (NIST, 1989)

Figure 4-1 Spheres of security (sphere of use and sphere of protection). The controls shown span technology and people: redundancy, monitoring systems, patches and upgrades, host IDPS, firewalls, security planning (incident response, disaster recovery, business continuity), education and training, network IDPS, proxy servers, encryption, backups, and access controls. Note: IDPS is an abbreviation of "intrusion detection and prevention systems".

Why Policy?
□ Some basic rules must be followed when shaping a policy:
  01. Policy should never conflict with law
  02. Policy must be able to stand up in court if challenged
  03. Policy must be properly supported and administered
□ All policies must contribute to the success of the organization
□ Management must ensure the adequate sharing of responsibility for proper use of information systems
□ End users of information systems should be involved in the steps of policy formulation

Figure 4-2 Bull's-eye model (layers, from outside in: policies, networks, systems, applications)

Policy-Centric Decision Making
□ Bull's-eye model layers:
  - Policies: first layer of defense
  - Networks: threats first meet the organization's network
  - Systems: computers and manufacturing systems
  - Applications: all application systems
□ "Policies are important reference documents for internal audits and for the resolution of legal disputes about management's due diligence [and] policy documents can act as a clear statement of management's intent" (Wood, 2012)

Policy, Standards, and Practices
□ Policy is a set of "organizational guidelines that dictate certain behavior within the organization"
□ A standard is "a detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance"
□ Procedures are "step-by-step instructions designed to assist employees in following policies, standards, and guidelines"
□ Guidelines are "nonmandatory recommendations the employee may use as a reference in complying with a policy"
□ Practices are "examples of actions that illustrate compliance with policies"
□ Policies define what you can and cannot do, whereas the other documents focus on the how

Figure 4-3 (the figure places policies at the top; practices are industry, government, and regulatory exemplars that influence the organization's own documents; standards are detailed minimum specifications for compliance; guidelines are recommendations for compliance; procedures are step-by-step instructions for compliance)
Policies, standards, practices, procedures, and guidelines

Policy, Standards, and Practices (Continued)
□ Policies require constant modification and maintenance
□ In order to produce a complete information security policy, management must define three types of information security policy:
  - Enterprise information security program policy
  - Issue-specific information security policies
  - Systems-specific policies

ENTERPRISE INFORMATION SECURITY POLICY
Chapter 04: Information Security Policy

Enterprise Information Security Policy (EISP)
□ Enterprise information security policy (EISP) is high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts
□ An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy

EISP Elements
□ An EISP assigns responsibilities for the various areas of InfoSec, including maintenance of InfoSec policies and the practices and responsibilities of end users
□ In particular, the EISP guides the development, implementation, and management requirements of the InfoSec program, which must be met by InfoSec management and other specific security functions

Integrating an Organization's Mission and Objectives into the EISP
□ The EISP plays a number of vital roles, not the least of which is to state the importance of InfoSec to the organization's mission and objectives
□ The EISP should not contradict the organizational mission statement
□ However, it would be prudent for an institution to have policies that govern such access and ensure that such access does not interfere with or create a hostile work environment for other employees

EISP Elements
□ An overview of the corporate philosophy on security
□ Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role
□ Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
□ Fully articulated responsibilities for security that are unique to each role within the organization

Components of the EISP (Component: Description)

Purpose: Answers the question, "What is this policy for?" Provides a framework that helps the reader to understand the intent of the document. Can include text such as the following, which is taken from Washington University in St. Louis:
  This document will:
  • Identify the elements of a good security policy
  • Explain the need for information security
  • Specify the various categories of information security
  • Identify the information security responsibilities and roles
  • Identify appropriate levels of security through standards and guidelines
  This document establishes an overarching security policy and direction for our company. Individual departments are expected to establish standards, guidelines, and operating procedures that adhere to and reference this policy while addressing their specific and individual needs.

Elements: Defines the whole topic of information security within the organization as well as its critical components. For example, the policy may state: "Protecting the confidentiality, integrity, and availability of information while in processing, transmission, and storage, through the use of policy, education and training, and technology" and then identify where and how the elements are used. This section can also lay out security definitions or philosophies to clarify the policy.

Need: Justifies the need for the organization to have a program for information security. This is done by providing information on the importance of InfoSec in the organization and the obligation (legal and ethical) to protect critical information, whether regarding customers, employees, or markets.
Roles and responsibilities: Defines the staffing structure designed to support InfoSec within the organization. It will likely describe the placement of the governance elements for InfoSec as well as the categories of individuals with responsibility for InfoSec (IT department, management, users) and their InfoSec responsibilities, including maintenance of this document.

References: Lists other standards that influence and are influenced by this policy document, including relevant federal and state laws and other policies.

ISSUE-SPECIFIC SECURITY POLICY
Chapter 04: Information Security Policy

Issue-Specific Security Policy (ISSP)
□ An issue-specific security policy (ISSP) is "an organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies"
□ In some organizations, ISSPs are referred to as fair and responsible use policies, describing the intent of the policy to regulate appropriate use
□ The ISSP should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource

Issue-Specific Security Policy (ISSP) (Continued)
□ An effective ISSP accomplishes the following:
  - It articulates the organization's expectations about how its technology-based system should be used
  - It documents how the technology-based system is controlled and identifies the processes and authorities that provide this control
  - It indemnifies the organization against liability for an employee's inappropriate or illegal use of the system
□ Every organization's ISSPs should:
  - Address specific technology-based systems
  - Require frequent updates
  - Contain a statement on the organization's position on an issue

Issue-Specific Security Policy (ISSP) (Continued)
□ ISSP topics:
  - Use of electronic mail, IM, and other communications apps
  - Use of the Internet, the Web, and company networks by company equipment
  - Malware protection requirements
  - Use of nonorganizationally issued software or hardware on organization assets
  - Use of organizational information on nonorganizationally owned computers
  - Prohibitions against hacking or testing security controls or attempting to modify or escalate privileges
  - Personal and/or home use of company equipment
  - Removal of organizational equipment from organizational property
  - Use of personal equipment on company networks (BYOD)
  - Use of personal technology during work hours
  - Use of photocopying and scanning equipment
  - Requirements for storage and access to company information while outside company facilities
  - Specifications for the methods, scheduling, conduct, and testing of data backups
  - Requirements for the collection, use, and destruction of information assets
  - Storage of access control credentials by users

Elements of the ISSP
□ Statement of Purpose
  - Scope and Applicability
  - Definition of Technology Addressed
  - Responsibilities
□ Authorized Access and Usage of Equipment
  - User Access
  - Fair and Responsible Use
  - Protection of Privacy
□ Prohibited Usage of Equipment
  - Disruptive Use or Misuse
  - Criminal Use
  - Offensive or Harassing Materials
  - Copyrighted, Licensed, or Other Intellectual Property
  - Other Restrictions

Elements of the ISSP (Continued)
□ Systems Management
  - Management of Stored Materials
  - Employer Monitoring
  - Virus Protection
  - Physical Security
  - Encryption
□ Violations of Policy
  - Procedures for Reporting Violations
  - Penalties for Violations
□ Policy Review and Modification
  - Scheduled Review of Policy and Procedures for Modification
□ Limitations of Liability
  - Statements of Liability or Disclaimers

Implementing the ISSP
□ Common approaches:
  - A number of independent ISSP documents, each tailored to a specific issue
  - A single comprehensive ISSP document that covers all issues
  - A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements
□ The recommended approach is the modular policy, which provides a balance between issue orientation and policy management

ISSP Document Organization Approaches (Approach: Advantages / Disadvantages)

Individual Policy
  Advantages:
  • Clear assignment to a responsible department
  • Written by those with superior subject matter expertise for technology-specific systems
  Disadvantages:
  • Typically yields a scattershot result that fails to cover all of the necessary issues
  • Can suffer from poor policy dissemination, enforcement, and review

Comprehensive Policy
  Advantages:
  • Well controlled by centrally managed procedures, assuring complete topic coverage
  • Often provides better formal procedures than when policies are individually formulated
  • Usually identifies processes for dissemination, enforcement, and review
  Disadvantages:
  • May overgeneralize the issues and skip over vulnerabilities
  • May be written by those with less complete subject matter expertise

Modular Policy
  Advantages:
  • Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches
  • Well controlled by centrally managed procedures, assuring complete topic coverage
  • Clear assignment to a responsible department
  • Written by those with superior subject matter expertise for technology-specific systems
  Disadvantages:
  • May be more expensive than other alternatives
  • Implementation can be difficult to manage
SYSTEM-SPECIFIC SECURITY POLICY
Chapter 04: Information Security Policy

System-Specific Security Policy
□ System-specific security policies (SysSPs) are "organizational policies that often function as standards or procedures to be used when configuring or maintaining systems"
□ SysSPs can be:
  - separated into managerial guidance and technical specifications; or
  - combined in a single unified SysSP document

Managerial Guidance SysSPs
□ Created by management to guide the implementation and configuration of technology, as well as to address the behavior of people in the organization in ways that support the security of information
□ Applies to any technology that affects the confidentiality, integrity, or availability of information
□ Informs technologists of management intent

Technical Specifications SysSPs
□ System administrators' directions and actions on implementing managerial policy
□ While the manager is primarily responsible for the creation of the managerial specifications, the sysadmins may be the primary authors or architects of the technical specifications version
□ There are two general methods of implementing such technical controls:
  - Access control lists
  - Configuration rules

Access Control Lists
□ Include the user access lists, matrices, and capability tables that govern the rights and privileges
□ A capability table specifies which subjects and objects users or groups can access
□ These specifications are frequently complex matrices, rather than simple lists or tables
□ In general, ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file

Access Control Lists (Continued)
□ In general, ACLs regulate:
  - Who can use the system
  - What authorized users can access
  - When authorized users can access the system
  - Where authorized users can access the system from
  - How authorized users can access the system
□ Common user privileges (also known as permissions) include:
  - Read
  - Write
  - Execute
  - Delete

Figure 4-4 Local security policy settings (the Windows Local Security Policy console, showing Account Policies, Local Policies, Audit Policy, User Rights Assignment, Security Options and related policy nodes, with each setting's Security Setting value). Source: Microsoft.
Figure 4-5 Windows ACLs (the Local Users and Groups console, listing the built-in users and groups such as Administrators, Backup Operators, Guests, Power Users, Remote Desktop Users and Users, each with its description). Source: Microsoft.

Figure 4-6 Linux ACL. Source: Linux.
1. This Linux Ubuntu system is logged in as user mouse.
2. The id command shows us which groups mouse is in. You can see that mouse is a member of the rodents group. This group shares a directory for shared files called rodentfiles.
   uid=1000(seccdc) gid=1000(seccdc) groups=1000(mouse),27(sudo),114(sambashare),901(rodents)
3. The getfacl command shows us the directory file's access control list (ACL).
   mouse@ubuntu:~$ getfacl rodentfiles
   # file: rodentfiles
   user::rwx
   group::rwx
   other::r-x
4. This directory is owned by user rat, who has Read (r), Write (w), and Execute (x) privileges on the directory and all files in it.
5. All members of the rodents group have these privileges as well. But everyone else can only Read and Execute files in the directory.
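To make the "who / what / how" decision of an ACL concrete, here is an added example (not the textbook's code) that parses `id` and `getfacl` output and computes a user's effective permissions. The inputs are constructed to mirror Figure 4-6 (rodentfiles owned by rat, group rodents, mode rwxrwxr-x); the `# owner:`/`# group:` header lines, the named entry for user cat and the mask entry are assumptions added so the full POSIX ACL decision order (owner, named user, groups, other, with the mask applied) is exercised, which goes beyond the plain mode bits shown in the figure.

```python
"""Effective-access check from `id` and `getfacl` output (added example)."""
import re

# Constructed `id` output for the logged-in user of Figure 4-6
ID_OUTPUT = "uid=1000(mouse) gid=1000(mouse) groups=1000(mouse),27(sudo),114(sambashare),901(rodents)"

# Constructed `getfacl rodentfiles` output; owner/group headers, the
# named entry for cat and the mask are assumptions, not from the figure
GETFACL_OUTPUT = """\
# file: rodentfiles
# owner: rat
# group: rodents
user::rwx
user:cat:r--
group::rwx
mask::rwx
other::r-x
"""

def parse_id(text):
    """Return (user name, list of group names) from `id` output."""
    user = re.search(r"uid=\d+\((\w+)\)", text).group(1)
    groups = re.findall(r"\d+\((\w+)\)", text.split("groups=", 1)[1])
    return user, groups

def parse_getfacl(text):
    """Return owner, owning group and ACL entries keyed by (tag, qualifier)."""
    acl = {"owner": None, "group": None, "entries": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            acl["entries"][(tag, qualifier)] = set(perms.replace("-", ""))
    return acl

def effective_perms(acl, user, groups):
    """POSIX ACL evaluation order: file owner, named user, then the owning
    group plus any named groups the user belongs to (their grants are
    combined), then other. Named-user and group grants are limited by mask."""
    entries = acl["entries"]
    mask = entries.get(("mask", ""), {"r", "w", "x"})
    if user == acl["owner"]:
        return entries[("user", "")]
    if ("user", user) in entries:
        return entries[("user", user)] & mask
    granted, matched = set(), False
    for (tag, qualifier), perms in entries.items():
        if tag != "group":
            continue
        if (qualifier == "" and acl["group"] in groups) or (qualifier and qualifier in groups):
            matched = True
            granted |= perms
    if matched:
        return granted & mask
    return entries[("other", "")]

def can(acl, user, groups, perm):
    """True if `user` (a member of `groups`) holds permission 'r', 'w' or 'x'."""
    return perm in effective_perms(acl, user, groups)

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    who, member_of = parse_id(ID_OUTPUT)
    print(who, "can write rodentfiles:", can(acl, who, member_of, "w"))  # True
```

Changing the mask line to `mask::r-x` shows why auditors check the mask as well as the group entry: the group keeps `rwx` on paper, but the effective permission for mouse drops to read and execute.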
Configuration Rules
□ Configuration rules are instructional codes that guide the execution of the system when information is passing through it
□ Rule policies are more specific to the operation of a system than ACLs, and may or may not deal with users directly
□ Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process

Figure 4-7 Sample Palo Alto firewall configuration rules. Source: Palo Alto Software, Inc.
□ Source: packet "from." Destination: packet "to." Zone: port of origin or destination of the packet. Address: IP address. User: predefined user groups.
□ Action specifies whether the packet from Source is allowed or dropped.
□ Rules 16 and 17 specify that any packet involving use of the BitTorrent application is automatically dropped.
□ Rule 22 ensures any user in the Internal (Trusted) network, L3-Trust, is able to access any external Web site.

Combination SysSPs
□ Many organizations create a single document combining elements of both management guidance and technical specifications SysSPs
□ While this document can be somewhat confusing to the users of the policies, it is very practical to have the guidance from both perspectives in a single place
□ Such a document should carefully articulate the required actions for each procedure described

Thank You
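An added example (not the textbook's or Palo Alto's code) of how a rulebase like the one in Figure 4-7 is evaluated: each packet is matched field by field (zone, address, user, application) against rules in order, and the first matching rule's action decides. The three rules are constructed to mirror the figure's description (rules 16 and 17 drop BitTorrent, rule 22 lets L3-Trust reach external Web sites); the external zone name L3-Untrust, the 10.0.0.0/8 internal range and the default deny when no rule matches are assumptions.

```python
"""First-match evaluation of zone-based firewall configuration rules."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    number: int
    src_zone: str = "any"
    dst_zone: str = "any"
    src_net: str = "any"          # CIDR network or "any"
    dst_net: str = "any"
    users: set = field(default_factory=lambda: {"any"})
    applications: set = field(default_factory=lambda: {"any"})
    action: str = "allow"         # "allow" or "deny"

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str
    application: str

def _net_matches(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def rule_matches(rule, pkt):
    """Every field of the rule must match the packet ("any" matches all)."""
    return (rule.src_zone in ("any", pkt.src_zone)
            and rule.dst_zone in ("any", pkt.dst_zone)
            and _net_matches(rule.src_net, pkt.src_ip)
            and _net_matches(rule.dst_net, pkt.dst_ip)
            and ("any" in rule.users or pkt.user in rule.users)
            and ("any" in rule.applications or pkt.application in rule.applications))

def evaluate(rules, pkt):
    """Try rules in ascending rule number; the first match decides.
    Returns (action, rule number), or ("deny", None) for the assumed
    default when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None

# Constructed rulebase: 16/17 drop BitTorrent in either direction, 22 lets
# the internal L3-Trust zone reach any external Web site (the outside zone
# name and the internal address range are assumptions)
RULES = [
    Rule(16, src_zone="L3-Trust", applications={"bittorrent"}, action="deny"),
    Rule(17, dst_zone="L3-Trust", applications={"bittorrent"}, action="deny"),
    Rule(22, src_zone="L3-Trust", dst_zone="L3-Untrust", src_net="10.0.0.0/8",
         applications={"web-browsing", "ssl"}, action="allow"),
]

if __name__ == "__main__":
    p = Packet("L3-Trust", "L3-Untrust", "10.1.2.3", "203.0.113.5", "alice", "bittorrent")
    print(evaluate(RULES, p))   # ('deny', 16)
```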