Security Policy

Security Policies
CS 397 Computer Security and
Information Assurance
Outline of Presentation
• Introduction to Security Policy
– Definitions, types, elements.
• The necessity of a Security Policy.
– Why it's needed.
• Example: Email Use Policy
– Analysis and critique
• Closing Comments
What is a Security Policy?
• A security policy is a set of rules stating which actions
are permitted and which are not. It is a statement that
partitions the states of a system into a set of authorized
or secure states and a set of unauthorized or non-secure
states.
– Can be informal or highly mathematical.
• A secure system is a system that starts in an authorized
state and cannot enter an unauthorized state.
• A breach of security occurs when a system enters an
unauthorized state.
• We expect a trusted system to enforce the required
security policies.
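As an added illustration (not from the slides) of the state-partition definition above: a small model whose states record which documents each user currently holds, a policy predicate that marks a state authorized, and a reachability check that decides whether the system is secure in the slide's sense. The users, clearances and documents are constructed sample data, and the access check stands in for an enforcement mechanism; running the same policy without it shows how a breach becomes reachable.

```python
# Added example, not from the slides: the "policy partitions system states"
# definition made concrete. A state is the set of (user, document) pairs
# currently held; the policy predicate marks a state authorized when nobody
# holds a document classified above their clearance. Data is constructed.
from collections import deque
from typing import Callable, FrozenSet, Tuple

LEVELS = {"public": 0, "internal": 1, "secret": 2}
CLEARANCE = {"alice": "secret", "bob": "internal"}   # constructed users
DOCS = {"memo": "internal", "plan": "secret"}         # constructed documents
State = FrozenSet[Tuple[str, str]]
Mechanism = Callable[[str, str], bool]

def authorized(state: State) -> bool:
    """The policy: every held document is at or below the holder's clearance."""
    return all(LEVELS[DOCS[d]] <= LEVELS[CLEARANCE[u]] for u, d in state)

def access_check(user: str, doc: str) -> bool:
    """Enforcement mechanism guarding each read transition."""
    return LEVELS[DOCS[doc]] <= LEVELS[CLEARANCE[user]]

def no_check(user: str, doc: str) -> bool:
    """Same policy, but no mechanism enforcing it: every read succeeds."""
    return True

def transitions(state: State, mechanism: Mechanism) -> list:
    """Next states: any user reading any document they do not yet hold."""
    return [state | {(u, d)} for u in CLEARANCE for d in DOCS
            if (u, d) not in state and mechanism(u, d)]

def reachable(initial: State, mechanism: Mechanism) -> set:
    """Breadth-first enumeration of every state reachable from `initial`."""
    seen, queue = {initial}, deque([initial])
    while queue:
        for nxt in transitions(queue.popleft(), mechanism):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def breaches(initial: State, mechanism: Mechanism) -> set:
    """Unauthorized states the system can enter; non-empty means a breach is possible."""
    return {s for s in reachable(initial, mechanism) if not authorized(s)}

def is_secure(initial: State, mechanism: Mechanism) -> bool:
    """Secure: starts authorized and can never enter an unauthorized state."""
    return authorized(initial) and not breaches(initial, mechanism)

EMPTY: State = frozenset()   # initial state: nobody holds anything
```

With the access check in place only the 8 authorized states are reachable; with `no_check` the same policy is violated in every state where bob holds the secret plan.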
Elements of a Security Policy
• A security policy considers all relevant aspects of
confidentiality, integrity and availability.
• Confidentiality policy: Identifies information leakage and
controls information flow.
• Integrity Policy: Identifies authorized ways in which
information may be altered. Enforces separation of
duties.
• Availability policy: Describes what services must be
provided.
– For example, a browser may download pages but not Java
applets.
Types of Security Policies
• A military security policy (also called government
security policy) is a security policy developed
primarily to provide confidentiality.
– Not worried about trusting the object as much as
disclosing the object.
• A commercial security policy is a security policy
developed primarily to provide integrity.
– Focuses on how much the object can be trusted.
Mechanism vs. Security Policy
• Mechanism should not be confused with policy.
• A security mechanism is an entity or procedure that enforces some
part of a security policy.
– MasterCard has the Site Data Protection (SDP) Program.
(https://sdp.mastercardintl.com/)
– Firewalls, access control, permissions, roles.
– Logging facilities, such as syslog.
– Spam and website filters, proxies.
• Enforcement mechanisms may be technical or procedural. For example,
a firewall may enforce certain rules, but part of the enforcement is the
procedure to set up and maintain configurations. On the other side, tools
that automatically log URLs can be used to enforce policies like banning
porn sites.
Is it a Policy, a Standard or a
Guideline?
• A policy is typically a document that outlines specific
requirements or rules that must be met.
– Point-specific, covers a single area.
• A standard is typically a collection of system-specific or
procedural-specific requirements that must be met by everyone.
• A guideline is typically a collection of system-specific or
procedural-specific “suggestions” for best practice. They
are not requirements to be met, but are strongly
recommended.
• Effective security policies make frequent references to
standards and guidelines that exist within an
organization.
Real World Problems Caused By
Missing Policies
• At a local newspaper...
– A local newspaper had no policy requiring the
termination of user-ID and password privileges after
an employee left.
– A senior reporter left the newspaper, and shortly
thereafter, the newspaper had trouble because the
competition consistently picked up on their exclusive
stories (scoops).
– An investigation of the logs revealed that the former
employee had been consistently accessing their
computer to get ideas for stories at his new employer.
Real World Problems Caused By
Missing Policies (cont’d)
• At a government agency...
– A clerk spent a great deal of time surfing the Internet while on
the job. Because there was no policy specifying what constituted
excessive personal use, management could not discipline this
employee.
– Then management discovered that the clerk had downloaded a
great deal of pornography. Using this as a reason, management
fired him.
– The clerk chose to appeal the termination with the Civil Service
Board, claiming that he couldn't be fired because he had never
been told that he couldn't download pornography.
– After a Civil Service hearing, the Board ordered him to be
reinstated with back pay.
Why An Organization Needs
Security Policies
• Security policies are the foundation of your
secure infrastructure. Your security policies
serve as a guide and a reference point for
numerous security tasks in your organization.
• Without security policies, no enforcement of
security configurations or standards can be
made. By establishing a policy, you are implying
that enforcement can or will follow. Without
security policies, enforcement of them is not
possible.
2/26/2004 Polytechnic University - CS996
It’s All In The Details!
• The computer security policy needs to be detailed. A
policy statement such as “Computer systems are not to be
used for personal use” needs to be explained.
– What constitutes personal use could be interpreted differently.
• A computer security policy should provide guidelines in
specific topics such as management’s position on:
– Downloading and viewing pornography.
– Sending and forwarding jokes (or other non-essential business
correspondence).
– Viewing stock prices.
– Sending and viewing personal e-mail.
– Use of computers for online shopping during break times.
Security Policy: Clear Understanding
• A computer security policy gives users a clear
understanding of allowed activities.
• If an employee is dismissed for inappropriate
actions, a computer security policy that has been
communicated to computer users will save time
in legal disputes.
Security Policy Basics
• All security policies need to be written down.
– Policies that exist in someone's head are not really policies.
• When your organization has finished developing security
policies, and right when you think you can breathe easy,
it will be time to update your security policies.
• New technology - make sure your security policies still
make sense for your new infrastructure.
• Evaluating new equipment - make sure that the new
equipment can properly be configured to meet your
security requirements.
– if it can't, you may want to consider purchasing alternative
products.
Where to Start?
• The first issue revolves around the content and structure
of the policies themselves: Are they complete? Are they
fully up to date? Do they reflect your needs?
• The most cost effective way is often to procure a set of
pre-written policies, and then tailor them as necessary to
meet specific cultural and functional needs.
– Why re-invent the wheel and proceed down a more complex
route than is really necessary?
Where to Get a Good Security
Policy?
• Good computer programs are copied from other
good programs.
• The skill of a programmer is not how effectively
they can write code but how well they can
incorporate the best routines of other programs
to make a useful application.
• Good security policy documents are not written
from scratch but are copied from other security policy
documents.
Formulate Your Own Computer
Security Policy
• The security requirements of computer systems
owned and operated by one organization will
almost certainly differ from the requirements of
another organization.
• It is therefore important that each organization
formulates its own Computer Security Policy.
Need an Example Policy or
Template?
• Use http://www.sans.org/resources/policies/
• What is the SANS Institute?
– The SANS (SysAdmin, Audit, Network, Security) Institute was
established in 1989 as a cooperative research and education
organization. The SANS Institute enables more than 156,000 security
professionals, auditors, system administrators, and network
administrators to share the lessons they are learning and find solutions
to the challenges they face. At the heart of SANS are the many security
practitioners in government agencies, corporations, and universities
around the world who invest hundreds of hours each year in research
and teaching to help the entire information security community.
• SANS has received permission to provide sanitized security policies
from a large organization.
• They should form a good starting point if you need one of these
policies.
Before looking into the sample
security policies…
• <angle brackets> should be replaced with the
appropriate name from your organization.
• The term “InfoSec” is used throughout these
documents to refer to the team of people
responsible for network and information security.
Replace it with the appropriate group name from
your organization.
• Any policy name that is in italics is a reference to
a policy that is also available on the SANS site.
Example: Email Use Policy
• Generally, company e-mail systems are a high-risk
area due to their constant availability to the outside
world, and the risk is often two-fold.
• They expose company mail addresses and (mail) systems to
potential attackers.
• They are the number one entry point through which most
malicious programs enter the company.
• E-mail systems are a potential way to leak company
proprietary information, intentionally or accidentally (and
software exists to flag such things). They also pose a
risk to the company's image.
Example: Email Use Policy
(cont’d)
• 1.0 Purpose
– To prevent tarnishing the public image of
<COMPANY NAME>. When email goes out from
<COMPANY NAME> the general public will tend to
view that message as an official policy statement from
the <COMPANY NAME>.
• 2.0 Scope
– This policy covers appropriate use of any email sent
from a <COMPANY NAME> email address and
applies to all employees, vendors, and agents
operating on behalf of <COMPANY NAME>.
Example: Email Use Policy
(cont’d)
• 3.0 Policy
– 3.1 Prohibited Use.
• The <COMPANY NAME> email system shall not be used
for the creation or distribution of any disruptive or offensive
messages, including offensive comments about race, gender,
hair color, disabilities, age, sexual orientation, pornography,
religious beliefs and practice, political beliefs, or national
origin. Employees who receive any emails with this content
from any <COMPANY NAME> employee should report the
matter to their supervisor immediately.
Make An Addition to the Template!
• Prohibited Use:
– Using email for conducting personal business.
– Using email for purposes of political lobbying or
campaigning.
– Violating copyright laws by inappropriately distributing
protected works.
– Posing as anyone other than oneself when sending
email, except when authorized to send messages for
another when serving in an administrative support
role.
– The use of unauthorized e-mail software.
Don’t Slow Down Network
Communications!
• Make an addition to the template:
– Prohibited Use:
• Sending or forwarding chain letters.
• Sending unsolicited messages to large groups
except as required to conduct agency business.
• Sending excessively large messages.
• Sending or forwarding email that is likely to contain
computer viruses.
Non-<COMPANY NAME> Email
Accounts for Confidential Info?
• Make an addition to the template:
– Individuals must not send, forward or receive
confidential or sensitive <COMPANY NAME>
information through non-<COMPANY NAME>
email accounts. Examples of non-<COMPANY NAME>
email accounts include, but are not limited to,
Hotmail, Yahoo mail, AOL mail, and email provided
by other Internet Service Providers (ISP).
Non-<COMPANY NAME> Mobile
Devices for Confidential Info?
• Make an addition to the template:
– Individuals must not send, forward, receive or
store confidential or sensitive <COMPANY
NAME> information utilizing non-<COMPANY
NAME> accredited mobile devices. Examples
of mobile devices include, but are not limited
to, Personal Data Assistants, two-way pagers
and cellular telephones.
Example: Email Use Policy
(cont’d)
– 3.2 Personal Use.
• Using a reasonable amount of <COMPANY NAME>
resources for personal emails is acceptable, but non-work
related email shall be saved in a separate folder from work
related email.
• Sending chain letters or joke emails from a <COMPANY
NAME> email account is prohibited.
• Virus or other malware warnings and mass mailings from
<COMPANY NAME> shall be approved by <COMPANY
NAME> VP Operations before sending. These restrictions
also apply to the forwarding of mail received by a
<COMPANY NAME> employee.
Example: Email Use Policy
(cont’d)
– 3.3 Monitoring
• <COMPANY NAME> employees shall have no
expectation of privacy in anything they store, send
or receive on the company’s email system.
<COMPANY NAME> may monitor messages
without prior notice. <COMPANY NAME> is not
obliged to monitor email messages.
Transmitted Information Needs To
Be Safe!
• Make an addition to the template:
– All sensitive <COMPANY NAME> material
transmitted over external networks must be
encrypted.
Example: Email Use Policy
(cont’d)
• 4.0 Enforcement
– Any employee found to have violated this
policy may be subject to disciplinary action,
up to and including termination of
employment.
Doesn’t Handle Non-Employees
• Need to change template:
– 4.0 Enforcement
• Violation of this policy may result in disciplinary action which
may include termination for employees and temporaries; a
termination of employment relations in the case of
contractors or consultants; dismissal for interns and
volunteers; or suspension or expulsion in the case of a
student. Additionally, individuals are subject to loss of
<COMPANY NAME> Information Resources access
privileges, civil, and criminal prosecution.
– NOTE: Enforcement can also include both identification of the
violation and the software needed to look for violations, spot
checking of email, etc.
Example: Email Use Policy
(cont’d)
• Term Definitions:
– Email: The electronic transmission of information through a mail
protocol such as SMTP or IMAP. Typical email clients include Eudora
and Microsoft Outlook.
– Forwarded email: Email resent from an internal network to an outside
point.
– Chain email or letter: Email sent to successive people. Typically the
body of the note has direction to send out multiple copies of the note
and promises good luck or money if the direction is followed.
– Sensitive information: Information is considered sensitive if it can be
damaging to <COMPANY NAME> or its customers' reputation or market
standing.
– Virus warning: Email containing warnings about viruses or malware. The
overwhelming majority of these emails turn out to be hoaxes and contain
bogus information, usually intended only to frighten or mislead users.
– Unauthorized Disclosure: The intentional or unintentional revealing of
restricted information to people, both inside and outside <COMPANY
NAME>, who do not have a need to know that information.
Example: Email Use Policy
(cont’d)
• 6.0 Revision History
– Used when revisions are made in the duration of a
security policy.
High-level to Low-level
• Security policies begin from high level
statements and flow down to lower level policies,
which are more specific and detailed.
Example:
• High level: Confidential and classified company information shall be
protected from release to unauthorized personnel.
• Mid level: Classified information will only be accessible from the internal
network (company intranet) via a secure website.
• Low level: The internal web server will be running HTTPS (SSL) and be
password-protected. The perimeter firewall will deny all access to the web
server from external hosts (outside the intranet) by blocking external traffic
on port 443.
• The firewall is an enforcement mechanism. The password protection is an
enforcement mechanism as well.
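As an added example (not from the slides) of checking that the enforcement mechanism really implements the low-level policy above: a small audit that reads what the perimeter firewall accepted or dropped and flags any decision contradicting "deny external hosts on port 443" or "classified content only over HTTPS". The log format, the addresses and the intranet range are constructed for illustration; a real firewall's log format would need its own parser.

```python
# Added example, not from the slides: auditing firewall decisions against the
# low-level policy (external hosts denied on 443; classified content only over
# HTTPS). Log format, addresses and intranet range are constructed.
import ipaddress
import re

INTRANET = ipaddress.ip_network("10.0.0.0/8")   # assumed company intranet
WEBSERVER = ipaddress.ip_address("10.1.2.3")    # assumed internal web server
HTTPS_PORT = 443

# Constructed firewall decision log: action, source, destination, dest port
SAMPLE_LOG = """\
ACCEPT 10.4.7.21 10.1.2.3 443
DROP 198.51.100.9 10.1.2.3 443
ACCEPT 198.51.100.9 10.1.2.3 443
ACCEPT 10.4.7.21 10.1.2.3 80
ACCEPT 203.0.113.5 10.9.9.9 25
"""
LINE_RE = re.compile(r"^(ACCEPT|DROP)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse(line: str):
    """Split one log line into (action, src, dst, port); reject malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    action, src, dst, port = m.groups()
    return action, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def violation(action, src, dst, port):
    """Reason the decision breaks the policy, or None if it complies."""
    if dst != WEBSERVER or action != "ACCEPT":
        return None   # the policy only constrains accepted traffic to the web server
    if src not in INTRANET:
        return "external host reached web server"        # rule not matching policy
    if port != HTTPS_PORT:
        return "web server reached over non-HTTPS port"  # 'secure website' clause
    return None

def audit(log_text: str) -> dict:
    """Map each violating line to its reason; empty means mechanism matches policy."""
    findings = {}
    for line in log_text.splitlines():
        if line.strip():
            reason = violation(*parse(line))
            if reason:
                findings[line] = reason
    return findings
```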
Applicable Security Policies
• In the previous example, a company can refer to
the following security policies:
– Firewall – which ports are allowed through.
– Password – length of password, aging, allowed and
required characters.
– Intranet – who belongs on the intranet, how
information is distributed…
– Web server – its configuration, its permissions, and
what type of information it's allowed to contain
(classification levels).