Best Practices for Implementing and Enforcing a Web Acceptable Use Policy
This template is intended to provide sample content for a best-practices document describing Internet use risks, company policy, employee education, and technical controls.
This template is intended to serve only as sample content and does not represent legal advice. Consult with your attorney for legal advice.
Any portion of this template may be modified.
An acceptable use policy (AUP) is a set of rules applied by the manager of a corporate network defining the ways in which the network, site, or system may be used. AUPs are written to reduce exposure to risks such as data theft, malware infections, or potential legal liability arising from inappropriate Internet use by employees.
New employees are usually asked to sign an AUP before they are given access to the company’s information systems. An AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization. It should define what sanctions will be applied if a user breaks the AUP. Compliance with the policy should be measured by regular audits.
The purpose of this document is to outline how to protect your organization against malware, data theft, and information system misuse.
Malware has become the greatest external threat to most hosts, causing damage and requiring extensive recovery efforts within most organizations. The following are the classic categories of malware:
Viruses. A virus self-replicates by inserting copies of itself into host programs or data files. Viruses are often triggered through user interaction, such as opening a file or running a program. Viruses can be divided into the following two subcategories:
  o Compiled Viruses. A compiled virus is executed by an operating system. Types of compiled viruses include file infector viruses, which attach themselves to executable programs; boot sector viruses, which infect the master boot records of hard drives or the boot sectors of removable media; and multipartite viruses, which combine the characteristics of file infector and boot sector viruses.
  o Interpreted Viruses. Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications’ macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS.
Worms. A worm is a self-replicating, self-contained program that usually executes itself without user intervention. Worms are divided into two categories:
  o Network Service Worms. A network service worm takes advantage of a vulnerability in a network service to propagate itself and infect other hosts.
  o Mass Mailing Worms. A mass mailing worm is similar to an email-borne virus but is self-contained, rather than infecting an existing file.
Trojan Horses. A Trojan horse is a self-contained, non-replicating program that, while appearing to be benign, actually has a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to hosts. They often deliver other attacker tools to hosts.
Malicious Mobile Code. Malicious mobile code is software with malicious intent that is transmitted from a remote host to a local host and then executed on the local host, typically without the user’s explicit instruction. Popular languages for malicious mobile code include Java, ActiveX, JavaScript, and VBScript.
Blended Attacks. A blended attack uses multiple infection or transmission methods. For example, a blended attack could combine the propagation methods of viruses and worms.
Using personal, company-owned, or company-provided computer systems to circumvent any security systems, authentication systems, or user-based systems, or to escalate privileges, should be prohibited. Knowingly taking any action to bypass or circumvent security should also be prohibited.
No company-owned or company-provided computer systems should be knowingly used for activities that are considered illegal under local, state, federal, international, or other applicable laws. Such actions may include, but are not limited to, the following:
Unauthorized Port Scanning
Unauthorized Network Hacking
Unauthorized Packet Sniffing
Unauthorized Packet Spoofing
Unauthorized Denial of Service
Unauthorized Wireless Hacking
Any act that may be considered an attempt to gain unauthorized access to or escalate privileges on a computer or other electronic system
Acts of Terrorism
Identity Theft
Improper handling or theft of data determined to be damaging by the company
Spying
Downloading, storing, or distributing violent, perverse, obscene, lewd, or offensive material
Downloading, storing, or distributing copyrighted material
The company should take all necessary steps to report and prosecute any violations of the AUP.
Noncompliance with the Acceptable Use Policy can lead to disruption of business functions, loss of intellectual property, lost business opportunities, and failure to meet the company’s stakeholder commitments.
To protect the organization from malware and misuse on any of its information system assets, the following should be completed.
Utilize a template, like the one contained in this AUP kit, and customize it to your company’s needs. Distribute the AUP to all employees and have them sign the policy.
Awareness training is very important to an organization, and to its security organization, for a number of reasons.
Technology alone will not defend an organization 100% from security attacks, and the same is true of processes. The way to defend against everyday threats and attacks is to make sure the end users of the systems understand how to use their systems safely, can recognize the basic indicators of an attack, and, most importantly, know what to do when they believe they are under attack or have been compromised. Knowing what to do in that situation feeds the Incident Reporting and Response process highlighted below.
Threat and Risk Analysis is a process used to determine who would want to gain access to an asset, how likely they are to succeed, and what the impact would be if they did. From the threat and risk analysis data, proper controls can be put in place to protect the asset. The list of assets for an organization is long and includes the following:
Data
Systems
During the analysis and proposal of controls, the cost to secure an asset may be determined to be too expensive or to cause too much business disruption. In these situations, a risk escalation and acceptance process must be used.
The signing authority for accepting the risk must have the budget approval power to spend the same amount as the calculated loss. Example: If a manager can sign off and approve a $10,000 expense they can also accept a $10,000 risk.
In today’s interconnected world we leverage people, process, and technology to overcome challenges. Technology is key because it enables security controls we could not otherwise achieve. Examples of this are using firewalls for isolation and segmentation, or using log forwarding with an event management system to identify and detect threats across the organization. Furthermore, technology-based countermeasures must be implemented using defense in depth. Defense in depth is the practice of applying controls that create layers of control and detection points. Technology-based threat countermeasures must be deployed to provide both proactive and reactive protection. An example for protecting against a web or email channel compromise is using Websense Web and Email Secure Gateways (proactive) to protect clients accessing the Internet, while also using DLP (reactive in nature, because a host compromise has already occurred) to identify and determine when data is leaving the company over the same web and email channels.
According to Q1 Labs, “Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.” There is also another form of security intelligence, provided by external organizations that monitor for and notify security organizations of the next threat and potentially the next attack. Combined with what Q1 Labs describes, and with monitoring, this can help identify incidents before (Threat and Risk Analysis) or after (Incident Reporting and Response) a security event takes place.
All malware and misuse violations will be recorded and investigated on a case-by-case basis. Figure 1 shows a high-level workflow as an example of how malware and misuse incidents could be escalated, investigated, and remediated.
The AUP should be enforced by the IT Manager and/or Executive Team. Violations could result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company should report such activities to the applicable authorities.
© 2012 Websense, Inc. All rights reserved. Websense and the Websense logo are registered trademarks of Websense, Inc. in the United States and various countries. All other trademarks are the property of their respective owners.
Figure 1: High-level Security Response Workflow
[Swimlane workflow diagram; only its text labels survive extraction. Roles (lanes): User; Security Responder (Desktop); Security Handler (Security Operations); Security Examiner (Forensics); Special Security Examiner (Malware Forensics); Management. Activities shown: Detects Incident; Responds by gathering data and escalating; Responds to escalation; Determines Criticality; Determines Response Team; Initiates Response Team and Activities; Response Team Member (optional for one role); Performs Triage, Response, and Eradication Duties; Completes Awareness Feedback; Closes Incident.]
CONFIDENTIAL