Question

Search for any information security policies used at your academic institution. Compare them to the ones discussed in this chapter. Are there sections missing? If so, which ones?

Answer #1

Answer:

A security policy comprises a set of objectives for the company, rules of behavior for users and administrators, and requirements for system and management that collectively ensure the security of network and computer systems in an organization. A security policy is a “living document,” meaning that the document is never finished and is continuously updated as technology and employee requirements change.

The security policy translates, clarifies, and communicates the management position on security as defined in high-level security principles. The security policy acts as a bridge between these management objectives and specific security requirements. It informs users, staff, and managers of their obligatory requirements for protecting technology and information assets. It should specify the mechanisms that you need to meet these requirements. It also provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the security policy. Therefore, an attempt to use a set of security tools in the absence of at least an implied security policy is meaningless.

Governing Policy

The governing policy outlines the security concepts that are important to the company for managers and technical custodians:

  • It controls all security-related interactions among business units and supporting departments in the company.
  • It aligns closely with not only existing company policies, especially human resource policies, but also any other policy that mentions security-related issues, such as issues concerning email, computer use, or related IT subjects.
  • It is placed at the same level as all companywide policies.
  • It supports the technical and end-user policies.
  • It includes the following key components:
    • A statement of the issue that the policy addresses
    • A statement about your position as IT manager on the policy
    • How the policy applies in the environment
    • The roles and responsibilities of those affected by the policy
    • What level of compliance to the policy is necessary
    • Which actions, activities, and processes are allowed and which are not
    • What the consequences of noncompliance are

Technical Policies

Security staff members use the technical policies in the conduct of their daily security responsibilities. These policies are more detailed than the governing policy and are system or issue specific (for example, router security issues or physical security issues). These policies are essentially security handbooks that describe what the security staff does, but not how the security staff performs its functions.

The following are typical policy categories for technical policies:

  • General policies
    • Acceptable use policy (AUP): Defines the acceptable use of equipment and computing services, and the appropriate security measures that employees should take to protect the corporate resources and proprietary information.
    • Account access request policy: Formalizes the account and access request process within the organization. Users and system administrators who bypass the standard processes for account and access requests may cause legal action against the organization.
    • Acquisition assessment policy: Defines the responsibilities regarding corporate acquisitions and defines the minimum requirements that the information security group must complete for an acquisition assessment.
    • Audit policy: Used to conduct audits and risk assessments to ensure integrity of information and resources, investigate incidents, ensure conformance to security policies, or monitor user and system activity where appropriate.
    • Information sensitivity policy: Defines the requirements for classifying and securing information in a manner appropriate to its sensitivity level.
    • Password policy: Defines the standards for creating, protecting, and changing strong passwords.
    • Risk-assessment policy: Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the information infrastructure that is associated with conducting business.
    • Global web server policy: Defines the standards that are required by all web hosts.
  • Email policies
    • Automatically forwarded email policy: Documents the policy restricting automatic email forwarding to an external destination without prior approval from the appropriate manager or director.
    • Email policy: Defines the standards to prevent tarnishing the public image of the organization.
    • Spam policy: The AUP covers spam.
  • Remote-access policies
    • Dial-in access policy: Defines the appropriate dial-in access and its use by authorized personnel.
    • Remote-access policy: Defines the standards for connecting to the organization network from any host or network external to the organization.
    • VPN security policy: Defines the requirements for remote-access IP Security (IPsec) or Layer 2 Tunneling Protocol (L2TP) VPN connections to the organization network.
  • Personal device and phone policies
    • Analog and ISDN line policy: Defines the standards to use analog and ISDN lines for sending and receiving faxes and for connection to computers.
    • Personal communication device policy: Defines the information security requirements for personal communication devices, such as voicemail, smartphones, tablets, and so on.
  • Application policies
    • Acceptable encryption policy: Defines the requirements for encryption algorithms that are used within the organization.
    • Application service provider (ASP) policy: Defines the minimum security criteria that an ASP must execute before the organization uses the ASP’s services on a project.
    • Database credentials coding policy: Defines the requirements for securely storing and retrieving database usernames and passwords.
    • Interprocess communications policy: Defines the security requirements that any two or more processes must meet when they communicate with each other using a network socket or operating system socket.
    • Project security policy: Defines requirements for project managers to review all projects for possible security requirements.
    • Source code protection policy: Establishes minimum information security requirements for managing product source code.
  • Network policies
    • Extranet policy: Defines the requirement that third-party organizations that need access to the organization networks must sign a third-party connection agreement.
    • Minimum requirements for network access policy: Defines the standards and requirements for any device that requires connectivity to the internal network.
    • Network access standards: Defines the standards for secure physical port access for all wired and wireless network data ports.
    • Router and switch security policy: Defines the minimal security configuration standards for routers and switches inside a company production network or used in a production capacity.
    • Server security policy: Defines the minimal security configuration standards for servers inside a company production network or used in a production capacity.
  • Wireless communication policy: Defines standards for wireless systems that are used to connect to the organization networks.
  • Document retention policy: Defines the minimal systematic review, retention, and destruction of documents received or created during the course of business. The categories of retention policy are, among others:
    • Electronic communication retention policy: Defines standards for the retention of email and instant messaging.
    • Financial retention policy: Defines standards for the retention of bank statements, annual reports, pay records, accounts payable and receivable, and so on.
    • Employee records retention policy: Defines standards for the retention of employee personal records.
    • Operation records retention policy: Defines standards for the retention of past inventory information, training manuals, supplier lists, and so forth.

Standards, Guidelines, and Procedures

Security policies establish a framework within which to work, but they are too general to be of much use to individuals responsible for implementing these policies. Because of this, other, more-detailed documents exist. Among the more important of these detailed documents are the standards, guidelines, and procedures documents.

Whereas policy documents are very much high-level overview documents, the standards, guidelines, and procedures documents are documents that the security staff will use regularly to implement the security policies.

Standards

Standards enable an IT staff to be consistent. They specify the use of specific technologies so that IT staff members can narrow the focus of their expertise to those technologies instead of trying to know everything about all sorts of technologies. Standards also try to provide consistency in the network, because supporting multiple versions of hardware and software is unreasonable unless it is necessary. The most successful IT organizations have standards to improve efficiency and to keep things as simple as possible.

Standardization also applies to security. One of the most important security principles is consistency. If you support 100 routers, it is important that you configure all 100 routers as similarly as possible. If you do not do this, it is difficult to maintain security. When you do not strive for the simplest of solutions, you usually fail in being secure.
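The consistency principle above (configure all 100 routers as similarly as possible, against a written standard) is easiest to enforce when the standard is machine-checkable. The following is an added example, not part of the original answer or any vendor tool: it audits a set of router configurations against a constructed baseline of required and forbidden lines and reports drift. The baseline lines, hostnames and addresses are all constructed assumptions.

```python
"""Baseline compliance check for a fleet of router configurations (added example).

The REQUIRED/FORBIDDEN lines and SAMPLE_CONFIGS are constructed for illustration;
a real baseline comes from the organization's router and switch security policy.
"""
from dataclasses import dataclass, field

# Constructed standard: every router must contain REQUIRED lines, none may contain FORBIDDEN ones.
REQUIRED = {
    "service password-encryption",
    "no ip http server",
    "logging host 192.0.2.10",   # RFC 5737 documentation address, assumed log collector
    "ntp server 192.0.2.20",     # assumed time source
}
FORBIDDEN = {"ip http server", "no service password-encryption"}


@dataclass
class Finding:
    hostname: str
    missing: list = field(default_factory=list)     # required lines absent
    violations: list = field(default_factory=list)  # forbidden lines present

    @property
    def compliant(self) -> bool:
        return not self.missing and not self.violations


def normalize(config: str) -> set:
    """Strip indentation, blank lines and '!' comments so comparison is line-based."""
    return {ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")}


def audit_config(hostname: str, config: str) -> Finding:
    lines = normalize(config)
    return Finding(hostname, missing=sorted(REQUIRED - lines), violations=sorted(FORBIDDEN & lines))


def audit_fleet(configs: dict) -> dict:
    """Audit every router; non-compliant entries are the drift from the standard."""
    return {host: audit_config(host, cfg) for host, cfg in configs.items()}


# Constructed sample fleet: one compliant router and one that drifted.
SAMPLE_CONFIGS = {
    "rtr-core-01": "service password-encryption\nno ip http server\n"
                   "logging host 192.0.2.10\nntp server 192.0.2.20\n",
    "rtr-edge-07": "! http server left enabled after troubleshooting\n"
                   "ip http server\nlogging host 192.0.2.10\n",
}

if __name__ == "__main__":
    for host, f in audit_fleet(SAMPLE_CONFIGS).items():
        print(host, "OK" if f.compliant else f"missing={f.missing} violations={f.violations}")
```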
