Chapter 3

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.
Security Policies, Standards, and Planning
By Whitman, Mattord, & Austin
© 2008 Course Technology
Learning Objectives
• Upon completion of this material, you should be able to:
– Define management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
– Describe an information security blueprint, identify its major components, and explain how it is used to support a network security program
– Discuss how an organization institutionalizes policies, standards, and practices using education, training, and awareness programs
– Explain contingency planning and describe the relationships among incident response planning, disaster recovery planning, business continuity planning, and contingency planning
Firewalls & Network Security, 2nd ed. - Chapter 3
Slide 2
Introduction
• To secure its network environment, an organization must establish a functional and well-designed information security program
• The information security program begins with creation or review of the organization’s information security policies, standards, and practices
• Selection or creation of an information security architecture, and development and use of a detailed information security blueprint, will create the plan for future success
• Without policy, blueprints, and planning, the organization’s security needs will not be met
Information Security Policy, Standards, and Practices
• Management must consider policies as the basis for all information security efforts
• Policies direct how issues should be addressed and how technologies are used
• Security policies are the least expensive control to execute but the most difficult to implement
• Shaping policy is difficult because policy must:
– Never conflict with laws
– Stand up in court, if challenged
– Be properly administered through dissemination and documented acceptance
Information Security Policy, Standards, and Practices (continued)
For a policy to be considered effective and legally enforceable:
• Dissemination (distribution): the organization must be able to demonstrate that the relevant policy has been made readily available for review by all employees
• Review (reading): the organization must be able to demonstrate that it disseminated the document in intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees
Information Security Policy, Standards, and Practices (continued)
• Comprehension (understanding): the organization must be able to demonstrate that employees understand the requirements and content of the policy
• Compliance (agreement): the organization must be able to demonstrate that employees agree to comply with the policy through act or affirmation, OR ELSE
• Uniform enforcement: the organization must be able to demonstrate that the policy has been uniformly enforced
Definitions
• Policy is a set of guidelines or instructions an organization’s senior management implements to regulate the activities of members of the organization who make decisions, take actions, and perform other duties
• Policies are organizational laws
• Standards, on the other hand, are more detailed statements of what must be done to comply with policy
• Practices, procedures, and guidelines effectively explain how to comply with policy
Figure 3-1 Policies, Standards, & Practices
Enterprise Information Security Policy (EISP)
• EISP is also known as the general security policy, IT security policy, or information security policy
• Sets the strategic direction, scope, and tone for all security efforts within the organization
• Executive-level document, usually drafted by or with the CIO of the organization and usually 2 to 10 pages long
Issue-Specific Security Policy (ISSP)
• Guidelines needed to use various technologies and processes properly
• The ISSP:
– Addresses specific areas of technology
– Requires frequent updates
– Contains an issue statement on the organization’s position on an issue
• Three approaches:
– Create several independent ISSP documents
– Create a single comprehensive ISSP document
– Create a modular ISSP document
Systems-Specific Policy (SysSP)
• SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems
• SysSPs fall into two groups:
– Managerial guidance SysSPs: created by management to guide implementation and configuration of technology as well as to regulate the behavior of people in the organization
– Technical specifications SysSPs: technical policy or set of configurations to implement managerial policy
Systems-Specific Policy (SysSP) (continued)
• Technical SysSPs are further divided into:
– Access control lists (ACLs) consist of user access lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system
– Configuration rule policies comprise the specific configuration codes entered into security systems to guide execution of the system
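An added illustration (not code from the book) of the two technical SysSP forms just listed: one constructed access control matrix viewed both as per-system ACLs and per-user capability tables, and a constructed firewall rule set evaluated as a configuration rule policy (top-down, first match wins, anything unmatched is denied). All user, system, address and rule values are made up for the example.

```python
"""Added illustration of technical SysSP artefacts as data: an access control
matrix exposed as ACLs and capability tables, and a firewall rule set treated
as a configuration rule policy. Every name, address and rule is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed access control matrix: subject -> system -> rights
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll-db": {"read", "write"}, "web-srv": {"read"}},
    "bob":   {"web-srv": {"read", "write", "admin"}},
}

def capability_table(subject: str) -> Dict[str, Set[str]]:
    """Capability-table view: one subject's row of the matrix."""
    return MATRIX.get(subject, {})

def acl(system: str) -> Dict[str, Set[str]]:
    """ACL view: one system's column of the matrix (who may do what to it)."""
    return {s: r[system] for s, r in MATRIX.items() if system in r}

def permitted(subject: str, system: str, right: str) -> bool:
    """Authorization check against the matrix; unknown subject/system -> False."""
    return right in MATRIX.get(subject, {}).get(system, set())

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

# Constructed configuration rule policy. Rules are evaluated top-down and the
# first match wins; a packet matching no rule is denied (implicit deny-all).
RULES: List[Rule] = [
    Rule("permit", "10.0.0.0/8", "192.0.2.10/32", 443),
    Rule("deny",   "10.0.0.0/8", "192.0.2.10/32", None),
    Rule("permit", "0.0.0.0/0",  "192.0.2.20/32", 80),
]

def evaluate(src: str, dst: str, dport: int, rules: List[Rule] = RULES) -> Tuple[str, int]:
    """Return (action, 1-based index of the matching rule); index 0 = default deny."""
    s, d = ip_address(src), ip_address(dst)
    for n, r in enumerate(rules, 1):
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (None, dport):
            return r.action, n
    return "deny", 0

if __name__ == "__main__":
    print(acl("web-srv"), capability_table("alice"))
    print(evaluate("10.1.2.3", "192.0.2.10", 443), evaluate("10.1.2.3", "192.0.2.10", 22))
```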
Policy Management
• Policies are living documents that must be managed and are constantly changing
• Special considerations should be made for organizations undergoing mergers, takeovers, and partnerships
• To remain viable, security policies must have:
– An individual responsible for reviews
– A schedule of reviews
– A specific policy issuance and revision date
Frameworks and Industry Standards
• The security blueprint is the basis for design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of the security program
Frameworks and Industry Standards (continued)
• A security framework is an outline of the overall information security strategy and a roadmap for planned changes to the organization’s information security environment
• There are a number of published information security frameworks, including ones from government sources
• Because each information security environment is unique, the security team may need to modify or adapt pieces from several frameworks
Benchmarking and Best Practices
• Benchmarking and best practices are reliable methods used by some organizations to assess security practices
• It is possible to gain information by benchmarking and using best practices and thus work backwards to an effective design
• The Federal Agency Security Practices site (fasp.nist.gov) is designed to provide best practices for public agencies and is easily adapted to private organizations
Figure 3-4 Spheres of Security
Design of Security Architecture
• Defense in depth
– One of the foundations of security architectures is the requirement to implement security in layers
– Requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls
• Security perimeter
– Point at which an organization’s security protection ends and the outside world begins
– Unfortunately, the perimeter does not apply to internal attacks from employee threats or on-site physical threats
Security Education, Training, and Awareness
• As soon as policies exist, policies to implement security education, training, and awareness (SETA) should follow
• SETA is a control measure designed to reduce accidental security breaches
• SETA supplements general education and training programs to educate staff on information security
• Security education and training builds on the general knowledge that employees must possess to do their jobs, familiarizing them with the way to do their jobs securely
SETA Elements
• A SETA program consists of three elements:
– Security education
– Security training
– Security awareness
• An organization may not be capable of or willing to undertake all elements, but may outsource them
Security Education
• Everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security
• When formal education in security is needed for appropriate individuals, an employee can identify curriculum available from local institutions of higher learning or continuing education
• A number of universities have formal coursework in information security
– (See, for example, http://infosec.kennesaw.edu)
Security Training
• Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
• Management of information security can develop customized in-house training or outsource the training program
Security Awareness
• One of the least frequently implemented but most beneficial programs is the security awareness program
• Designed to keep information security at the forefront of users’ minds
• Need not be complicated or expensive
• If the program is not actively implemented, employees begin to ‘tune out,’ and the risk of employee accidents and failures increases
Continuity Strategies
• Plans for events of this type are referred to in a number of ways:
– Business continuity plans (BCPs)
– Disaster recovery plans (DRPs)
– Incident response plans (IRPs)
– Contingency plans
• Large organizations may have many types of plans and small organizations may have one simple plan, but most have inadequate planning
Figure 3-9 Contingency Planning Timeline
Contingency Planning Team
• Before any planning begins, a team has to plan the effort and prepare the resulting documents
• Champion: high-level manager to support, promote, and endorse the findings of the project
• Project manager: leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
• Team members: should be managers or their representatives from the various communities of interest (business, IT, and information security)
Figure 3-10 Major Steps in Contingency Planning
Business Impact Analysis
• Begin with a business impact analysis (BIA)
– If the attack succeeds, what do we do then?
• The CP team conducts the BIA in the following stages:
– Threat attack identification
– Business unit analysis
– Attack success scenarios
– Potential damage assessment
– Subordinate plan classification
Threat Attack Identification and Prioritization
• Update the threat list with the latest developments and add the attack profile
• An attack profile is the detailed description of activities during an attack
• Must be developed for every serious threat the organization faces
• Used to determine the extent of damage that could result to a business unit if the attack were successful
Table 3-7 Attack Profile
Business Unit Analysis
• The second major task within the BIA is analysis and prioritization of business functions within the organization
• Identify the functional areas of the organization and prioritize them as to which are most vital
• Focus on the prioritized list of the various functions that the organization performs
Attack Success Scenario Development
• Next, create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area, with:
– Details on the method of attack
– Indicators of attack
– Broad consequences
• Attack success scenario details are added to the attack profile, including best, worst, and most likely outcomes
Potential Damage Assessment
• From the previously developed attack success scenarios, the BIA planning team must estimate the cost of the best, worst, and most likely cases
• Costs include the actions of the response team
• This final result is referred to as an attack scenario end case
Incident Response Planning
• Incident response planning covers identification of, classification of, and response to an incident
• An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources
• Attacks are only classified as incidents if they have the following characteristics:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten the confidentiality, integrity, or availability of information resources
• IR is more reactive than proactive, with the exception of the planning and preparation of IR teams
Incident Planning
• Predefined responses enable the organization to react quickly and effectively to a detected incident
• This assumes the organization has an IR team and can detect the incident
• The IR team consists of those individuals needed to handle systems as the incident takes place
• IR consists of the following four phases:
– Planning
– Detection
– Reaction
– Recovery
Incident or Disaster
• When does an incident become a disaster?
– The organization is unable to mitigate the impact of an incident during the incident
– The level of damage or destruction is so severe that the organization is unable to quickly recover
• The difference may be subtle
• It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response
Disaster Recovery Planning
• Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster
• The contingency planning team must decide which actions constitute disasters and which constitute incidents
• When situations are classified as disasters, plans change as to how to respond: take action to secure the system’s most valuable assets to preserve value for the longer term, even at the risk of more disruption in the immediate term
• DRP strives to reestablish operations at the ‘primary’ site
DRP Steps
• There must be a clear establishment of priorities
• There must be a clear delegation of roles and responsibilities
• Someone must initiate the alert roster and notify key personnel
• Someone must be tasked with the documentation of the disaster
• If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization
Crisis Management
• Crisis management occurs during and after a disaster and focuses on the people involved and on addressing the viability of the business
• The crisis management team is responsible for managing the event from an enterprise perspective by:
– Supporting personnel and their families during the crisis
– Determining the impact on business operations and, if necessary, making a disaster declaration
– Keeping the public informed
– Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
Business Continuity Planning
• Business continuity planning outlines the reestablishment of critical business operations during a disaster that impacts operations
• If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function
• The BCP is somewhat simpler than an IRP or DRP
• Consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy
Summary
• To effectively secure networks, an organization must establish a functional, well-designed information security program
• Information security program creation requires information security policies, standards, and practices; an information security architecture; and a detailed information security blueprint
• Management must make policy the basis for all information security planning, design, and deployment in order to direct how issues are addressed and how technologies are used
Summary (continued)
• Policy must never conflict with laws but should stand up in court if challenged
• To be effective and legally enforceable, policy must be disseminated, reviewed, understood, complied with, and uniformly enforced
• The information security team identifies vulnerabilities and then develops the security blueprint that is used to implement the security program
Summary (continued)
• A security framework is an outline of the steps to take to design and implement information security
• The purpose of security education, training, and awareness (SETA) is to enhance security by improving awareness of the need to protect system resources, teaching users to perform their jobs more securely, and building the knowledge needed to design, implement, or operate security programs
Summary (continued)
• IT and InfoSec managers must assure continuous availability of information systems
• This is achieved with various contingency plans: incident response (IR), disaster recovery (DR), and business continuity (BC)
• The IR plan addresses identification, classification, response, and recovery from an incident
• The DR plan addresses preparation for and recovery from a disaster
• The BC plan ensures that critical business functions continue if a catastrophic event occurs