Acceptable Use and User Policies - Information Systems and Internet

Information Security Policies: User/Employee use policies
Overview
- Format of policies
- Usage of policies
- Example of policies
- Policy cover areas
- References
- Homework
- Questions

2
Format of Policies
- Purpose: the need for the policy
- Scope: which part of the system is covered, and who the policy applies to
- Definitions: defines the keywords used in the policy
- Enforcement: the action that can be taken once the policy is violated
- Policy: what can or can't be used on the system
- Revision History: states when and what has been changed
3
Usage of Policies
- Policy: a document that outlines specific requirements or rules that cover a single area
- Standard: a collection of system-specific or procedural-specific requirements that must be met by everyone
- Guideline: a collection of system-specific or procedural-specific "suggestions" for best practice; not required, but strongly recommended
4
Example of Policies
(example policy shown as a slide image; not captured in this text)
5
Example of Policies
(example policy shown as a slide image; not captured in this text)
6
Example of Policies
(example policy shown as a slide image; not captured in this text)
7
Policy cover areas
- Acceptable Use
- Information Sensitivity
- Ethics
- E-mail
- Anti-Virus
- Password
- Connection
8
Acceptable Use Policy
- General outline for all other policies
- Protects employees, partners and the company from illegal or damaging actions
- Applies to all computer-related equipment
- Covers:
  - General use and ownership
  - Security and proprietary information
  - Unacceptable use
9
Information Sensitivity Policy
- Determines what information can/can't be disclosed to non-employees
- Public
  - Declared for public knowledge
  - Can be freely given to anyone without any possible damage
- Confidential
  - Minimal Sensitivity: general corporate information; some personal and technical information
  - More Sensitive: business, financial, and most personnel information
  - Most Sensitive: trade secrets & marketing, operational, personnel, financial, source code, & technical information integral to the success of the company
10
Ethics Policy
- Defines the means to establish a culture of openness, trust and integrity
- Executive Commitment: promote a trustworthy and honest atmosphere
- Employee Commitment: treat everyone fairly, with mutual respect
- Maintaining Ethical Practices: honesty and integrity must be the top priority
- Company Awareness: reinforce the importance of the integrity message
- Unethical Behavior: unauthorized use of company information integral to the success of the company will not be tolerated
11
E-mail Policy
- General usage: to prevent tarnishing the company's public image
- Prohibited use: can't be used for any disruptive or offensive messages
- Personal Use: states whether e-mail can/can't be used for personal purposes
- Monitoring
  - No privacy for stored, sent or received messages
  - Monitoring without prior notice
12
E-mail Policy
- Retention: determines how long an e-mail is retained
  - Four main classifications:
    - Administrative Correspondence – 4 years
    - Fiscal Correspondence – 4 years
    - General Correspondence – 1 year
    - Ephemeral Correspondence – until read
- Instant Messenger Correspondence: retention applies only to administrative and fiscal correspondence
- Encrypted Communications: stored in decrypted format
13
E-mail Policy
- Automatic Forwarding: to prevent unauthorized or inadvertent disclosure of sensitive information
- Allowed when:
  - Approved by the appropriate manager
  - Sensitive information, as defined in the Information Sensitivity Policy, is encrypted in accordance with the Acceptable Encryption Policy
14
Anti-Virus Policy
- To prevent computer virus problems
  - Install anti-virus software
  - Update anti-virus software daily
  - Always keep anti-virus software in auto-protect mode
  - Scan storage media for viruses before use
  - Never open any e-mail from an unknown source
  - Never download files from an unknown source
  - Remove virus-infected computers from the network until verified as virus-free
15
Password Policy
- A standard for the creation of strong passwords
  - Contain both upper and lower case characters
  - Contain digits and punctuation characters
  - At least eight alphanumeric characters long
  - Not based on personal information
  - Not a word in any language
  - Can be easily remembered
  - Frequency of password changes
16
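The slide above lists the composition rules of the password standard; the checker below is an added example (not part of the original deck and not a SANS template) that turns those rules into a mechanical test a help desk or self-service portal could run before accepting a new password. The tiny dictionary and the personal-information tokens are constructed stand-ins for the word lists a real checker would load; "can be easily remembered" is a human judgement and is deliberately not tested.

```python
import string

# Constructed sample word list standing in for a real dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "company", "summer", "dragon"}
MIN_LENGTH = 8  # slide: at least eight characters long


def check_password(candidate, personal_info=()):
    """Return the list of slide rules the candidate violates (empty = compliant).

    personal_info is an iterable of strings the user must not base the
    password on (name, birth year, ...); it is supplied by the caller.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    if not (has_upper and has_lower):
        violations.append("missing upper and lower case characters")
    if not any(c.isdigit() for c in candidate):
        violations.append("missing digit")
    if not any(c in string.punctuation for c in candidate):
        violations.append("missing punctuation character")
    lowered = candidate.lower()
    # Strip digits and punctuation first, so "Password1!" is still caught as
    # the dictionary word "password" despite passing the composition rules.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if letters_only in SAMPLE_DICTIONARY:
        violations.append("based on a dictionary word")
    for item in personal_info:
        token = str(item).lower()
        # Ignore tokens shorter than three characters to avoid noise matches.
        if len(token) >= 3 and token in lowered:
            violations.append("contains personal information (%s)" % item)
    return violations


def is_compliant(candidate, personal_info=()):
    """True when the candidate satisfies every testable rule on the slide."""
    return not check_password(candidate, personal_info)


if __name__ == "__main__":
    for pw in ("Password1!", "Alice2024!", "Tr7#qLm9zV"):
        print(pw, check_password(pw, personal_info=["Alice", "1990"]) or "OK")
```

Note that composition rules alone do not stop a well-known word with a digit and a symbol appended; the dictionary check is what catches "Password1!", which is why the example runs it on the letters only.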
Password Policy
- Protection of passwords
  - Never written down or stored on-line
  - Don't reveal a password over the phone
  - Don't reveal a password in an e-mail message
  - Don't reveal a password to the boss
  - Don't reveal a password to co-workers
  - Don't hint at the format of a password
  - Don't share a password with family members
17
Connection Policy
- Remote Access: defines standards for connecting to the company's network from any external host or network
  - General
    - Same considerations as an on-site connection
    - General Internet access for recreational use by the immediate household is permitted
  - Requirements
    - Public/private keys with strong pass-phrases
    - Can't connect to other networks at the same time
    - Can't provide their login or e-mail password to anyone
    - Must have the most up-to-date anti-virus software installed
18
Connection Policy
- Analog/ISDN Line: defines standards for use of analog/ISDN lines for fax sending and receiving, and for connection to computers
  - Scenarios & Business Impact
    - Facsimile Machines: physically disconnected from computers and the internal network
    - Computer-to-Analog Line Connections: an outside attacker attached to the trusted network; a significant security threat
  - Requesting an Analog/ISDN Line: state why other secure connections can't be used
19
Connection Policy
- Dial-in Access
  - To protect information from being inadvertently compromised by authorized personnel using a dial-in connection
  - One-time password authentication
  - Connecting to the company's sensitive information: take reasonable measures to protect assets
  - Analog and non-GSM digital cellular phones: signals are readily scanned by unauthorized individuals
  - Monitor account activity: disable the account after no access for six months
20
Connection Policy
- Extranet
  - Describes how third-party organizations connect to the company network for the purpose of transacting business related to the company
  - In the best possible way: Least Access
  - Valid business justification: approved by a project manager
  - Point of Contact from the Sponsoring Organization: pertains to the Third Party Connection Agreement
  - Establishing Connectivity: provide complete information on the proposed access
21
Connection Policy
- Modifying Access
  - Notify the extranet management group
  - Security and connectivity evolve accordingly
- Terminating Access
  - When access is no longer required
  - Terminate the circuit
- Third Party Connection Agreement
  - Defines the standards and requirements, including legal requirements, needed in order to interconnect a third-party organization's network to the production network
  - Must be signed by both parties
22
Connection Policy
(slide content is an image; not captured in this text)
23
Connection Policy
- Virtual Private Network (VPN) Security
  - Defines the requirements for Remote Access IPSec or L2TP VPN connections to the company network
  - Force all traffic to and from the PC over the VPN tunnel
  - Dual tunneling is not allowed
  - 24-hour absolute connection time limit
  - Automatically disconnected after 30 min. of inactivity
  - Only approved VPN clients can be used
24
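The VPN slide sets three enforceable session conditions: no dual tunneling, a 24-hour absolute limit and a 30-minute idle limit. The evaluator below is an added example, not code from the deck or from any VPN product; it assumes a concentrator exposes, per session, the connection start, the time of the last packet and the number of active tunnels (field names are invented), and the session table it runs over is constructed. The point it makes is that the two timers are independent: a session that is still active is cut at 24 hours, and an idle one is cut long before that.

```python
from datetime import datetime, timedelta

# Limits from the slide: 24-hour absolute session limit, 30-minute idle limit.
ABSOLUTE_LIMIT = timedelta(hours=24)
IDLE_LIMIT = timedelta(minutes=30)


def session_action(connected_at, last_activity, now, tunnels_active=1):
    """Decide what to do with one session; None means it may continue.

    A policy violation (dual tunneling) is reported before the timers, and the
    absolute limit before the idle limit, so the reason reflects the most
    serious condition. Both timers use >= so the boundary minute is enforced.
    """
    if tunnels_active > 1:
        return "disconnect: dual tunneling is not allowed"
    if now - connected_at >= ABSOLUTE_LIMIT:
        return "disconnect: 24-hour absolute connection limit reached"
    if now - last_activity >= IDLE_LIMIT:
        return "disconnect: inactive for 30 minutes"
    return None


def sweep(sessions, now):
    """Evaluate every session; return {session_id: reason} for those to tear down."""
    decisions = {}
    for s in sessions:
        reason = session_action(s["connected_at"], s["last_activity"],
                                now, s.get("tunnels", 1))
        if reason is not None:
            decisions[s["id"]] = reason
    return decisions


# Constructed sample session table (hypothetical field names, not real data).
NOW = datetime(2024, 1, 2, 12, 0, 0)
SAMPLE_SESSIONS = [
    # still sending packets, but connected for 25 hours: absolute limit applies
    {"id": "s1", "connected_at": NOW - timedelta(hours=25),
     "last_activity": NOW - timedelta(minutes=1)},
    # young session, but idle for 31 minutes
    {"id": "s2", "connected_at": NOW - timedelta(hours=2),
     "last_activity": NOW - timedelta(minutes=31)},
    # healthy session
    {"id": "s3", "connected_at": NOW - timedelta(hours=2),
     "last_activity": NOW - timedelta(minutes=5)},
    # second tunnel open alongside the VPN: policy violation
    {"id": "s4", "connected_at": NOW - timedelta(hours=1),
     "last_activity": NOW, "tunnels": 2},
]

if __name__ == "__main__":
    for sid, reason in sweep(SAMPLE_SESSIONS, NOW).items():
        print(sid, reason)
```

In a real deployment the same decision would be driven by the concentrator's own timers or a periodic job over its session table; the evaluator is kept separate from the data source so it can be unit-tested against edge cases such as a session that reaches exactly 24 hours.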
Connection Policy
- Wireless Communication: defines standards for wireless systems used to connect to the company network
  - Access Points and PC Cards: registered and approved by InfoSec
  - Approved Technology: use approved products and security configurations
  - Encryption and Authentication: drop all unauthenticated and unencrypted traffic
  - Setting the SSID: should not contain any identifying information
25
Reference
- The SANS Security Policy Project
  http://www.sans.org/resources/policies
- Information Security Policies & Computer Security Policy Directory
  http://www.information-security-policies-and-standards.com
- RFC 1244 – Site Security Handbook
  http://www.faqs.org/rfcs/rfc1244.html
- Google
  http://www.google.com
26
Reference
(slide content is an image; not captured in this text)
27
Reference
(slide content is an image; not captured in this text)
28
Homework
1. Write a full version of the policy based on assignment 5 "Acceptable student use of the GTS" in the format presented
2. Define the usages of policies that were presented
Tips:
- The policy document's format is located in slide 3
- The policy usages are located in slide 4
- You may find more information at SANS
29
Questions
Any questions?
30