Developing a Security Policy - PowerPoint PPT Presentation

Provided by: annek162

Transcript and Presenter's Notes

1
Developing a Security Policy
  • Chapter 2

2
Learning Objectives
  • Understand why a security policy is an important
    part of a firewall implementation
  • Determine the goals of your firewall and
    incorporate them into a security policy
  • Follow the seven steps to building a security
    policy
  • Account for situations the firewall can't handle
  • Define responses to security violations
  • Work with administration to make your security
    policy work

3
What Is a Security Policy?
  • A set of organization-level rules governing
      • Acceptable use of computing resources
      • Security practices
      • Operational procedures

4
Example of a Security Policy

5
Essential Information in a Security Policy
  • Date last updated
  • Name of office that developed the policies
  • Clear list of policy topics
  • Equal emphasis on positive points (access to
    information) and negative points (unacceptable
    policies)

6
Why Is a Security Policy Important?
  • Essential component of a fully functional
    firewall
  • Defines what needs to be done when firewall is
    configured
  • Defines intrusion detection and auditing systems
    that are needed
  • Minimizes impact of a hack attack on
      • Staff time
      • Data loss
      • Productivity

7
Setting Goals for an Effective Security Policy
  • Describe a clear vision for a secure networked
    computing environment
  • Be flexible enough to adapt to changes in the
    organization
  • Be consistently communicated and implemented
    throughout the organization
  • Specify how employees can and cannot use the
    Internet
  • Define appropriate and inappropriate behavior as
    it pertains to privacy and security

8
Seven Steps to Building a Security Policy
  • Develop a policy team
  • Determine organization's overall approach to
    security
  • Identify assets to be protected
  • Determine what should be audited for security
  • Identify security risks
  • Define acceptable use
  • Provide for remote access

9
Develop a Policy Team
  • Members (5-10 people)
      • Senior administrator
      • Member of legal staff
      • Representative from rank-and-file employees
      • Member of IT department
      • Editor or writer who can structure and present
        the policy coherently
  • Identify one person to be the official policy
    interpreter

10
Determine Overall Approach to Security
  • Two primary activities for overall approach
      • Restrictive
      • Permissive
  • Specific security stances
      • Open
      • Optimistic
      • Cautious
      • Strict
      • Paranoid

11
Identify Assets to Be Protected
  • Physical assets
      • Actual hardware devices
  • Logical assets
      • Digital information that can be viewed and
        misused
  • Network assets
      • Routers, cables, bastion hosts, servers, firewall
        hardware and software
  • System assets
      • Software that runs the system (i.e., server
        software and applications)

12
Example of Assets to Be Protected

13
Determine What Should Be Audited for Security
  • Auditing
      • Process of recording which computers are
        accessing a network and what resources are being
        accessed
      • Includes recording the information in a log file
  • Specify types of communication to be recorded and
    how long they will be stored
  • Use Tripwire to audit system resources
  • Use a firewall log to audit security events

14
Auditing with Tripwire

15
Auditing with a Firewall Log

16
Determine What Should Be Audited for Security
  • Auditing log files
  • Auditing object access

17
Identify Security Risks
  • Specify the kinds of attacks the firewall needs
    to guard against
      • Denial of service attacks
      • Disclosure of information due to fraud
      • Unauthorized access

18
Define Acceptable Use
  • Define acceptable computing and communications
    practices on the part of employees and business
    partners
  • Aspects
      • E-mail
      • News

19
Provide for Remote Access
  • Specify acceptable protocols
  • Determine use of Telnet or Secure Shell (SSH)
    access to internal network from Internet
  • Describe use of cable modem, VPN, and DSL
    connections to access internal network through
    the firewall
  • Require remote users to have a firewall on their
    computer

20
Accounting for What the Firewall Cannot Do
  • A firewall sandwich or load balancing switches
    can be compromised by
      • Brute force attack
      • Sending an encrypted e-mail message to someone
        within the network with a virus attached
      • Employees who give out remote access numbers,
        allowing unauthorized users to access the company
        network
      • Employees who give out passwords

21
Other Security Policy Topics
  • Passwords
  • Encryption
  • Restrictions on removable media
  • ASPs
  • Acceptable users
  • Secure use of office-owned laptop computers
  • Wireless security
  • Use of VPNs
  • Key policy

22
Defining Responses to Security Violations
  • Gather information on an incident response form
  • Define disciplinary action to be pursued if
    employees access the Internet improperly
  • Identify who to contact in case of intrusion

23
Defining Responses to Security Violations

24
Overcoming Administrative Obstacles

25
Educating Employees
  • Security User Awareness program
  • Advise workers of expectations and consequences
  • Make policies available on local network

26
Presenting and Reviewing the Process
  • Keep reports short and concise
  • Give people ample time to respond after policy
    statement is issued

27
Amending the Security Policy
  • Change the security policy when
      • The organization makes substantial changes in
        hardware configuration, or
      • The firewall is reconfigured in response to
        security breaches

28
Chapter Summary
  • What a security policy is and why it is important
  • Setting goals that govern how a firewall is
    configured to protect a network
  • Seven steps to building a security policy
  • Defining responses to attacks and other
    intrusions
  • Guiding your security policy through corporate
    bureaucracy to gain management support and
    achieve security policy goals