How IT Security Policies Enhance the IT Environment - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
How IT Security Policies Enhance the IT Environment
Susan Comeau, CPA/CISM, Director of Security Communications, Commonwealth of Massachusetts/ITD
susan.m.comeau_at_state.ma.us
2
Agenda
  • Objectives
  • Information Security Trends
  • Developing and Implementing the solutions
  • Summary

3
Objectives
  • Protect information which must be openly shared
  • Evolving infrastructure technologies
  • Increased connectivity leads to increased
    complexity
  • Implement strong controls that do not make use
    of systems difficult for users
  • Apply security without jeopardizing performance
    and availability
  • Reduced costs
  • Increasingly difficult to stay abreast of new
    features in applications and operating systems
  • More work with fewer people

4
The Business Reasons
  • Two Main Governmental Business Drivers
      • Increased productivity
      • e-Government initiatives
  • Three Main Security Drivers
      • Open and connected architecture leads to
        increased vulnerability to attacks
      • Attacks can be costly
      • The Damage/Cost per Incident is increasing

5
Less Knowledge Required to Attack
(Chart: Attack Sophistication, driven by automated tools, rises from Low to High over 1980 to 2005 while the Intruder Knowledge required to carry out an attack falls over the same period.)
6
Proactive not Reactive
  • Preventive security through policy development
    and compliance reduces risk!!
  • Education of IT Personnel and Users and Business
    Owners
  • Only as strong as weakest link

7
Security Best Practices
  • You can't fix everything at once; decide what you
    can do and develop a plan
  • Secure critical systems first
  • Formulate incident response plans
  • Backups, redundancy, forensics, press relations
  • Prepare for audit
  • Industry best practices, government regulations
  • Document: write it down
  • Education, Education, Education

8
Security Documents
  • Policy- simple and short
  • Standard
  • Procedure

9
Websites
  • www.sans.org
  • www.isaca.org
  • www.symantec.com
  • www.nist.org
  • www.itd.state.ma.us
  • www.esboard.state.ma.us
      • within MAGNet (if you are on the Intranet)

10
Security Documents 1 of 2
  • Physical Access
      • Perimeter
      • Facility
      • Network
      • Printers etc.
  • Business Continuity Planning
      • Disaster Recovery
  • Personnel Background Checks
      • Employees
      • Contractors
      • Vendors etc.
  • Due Diligence
      • Vendors and Service Providers
  • Investigations and Forensics

11
Security Documents 2 of 2
  • Logical Access Administration
      • Authentication
      • Authorization
      • Accountability
  • System Configurations
      • Auditing
      • Event Logs
      • Default Rules
  • Directory and File System Protections
      • Confidentiality
      • Integrity
      • Backups
  • Change Management

12
Prioritize
  • Implement best practices everywhere
      • Written policies
      • Education of all personnel
      • Acceptable Use Policy
      • Keeping service patches current
      • Enforcing strong passwords
      • Removing unneeded services (System Hardening)

13
Security Policies: Acceptable Use
  • What employees must do
  • What employees cannot do
  • What vendors must do
  • What vendors cannot do
  • Education
  • Acceptance: sign at hire and every year!
  • Compliance
  • More Education

14
Keeping service patches current
  • Identify available patches from vendor sites
  • Identify systems that are not running the latest
    patch
  • Download and test patches on test systems
  • Deploy patches to systems
  • Monitor systems
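
The five steps above as a small compliance check, added here as an illustration and not code from the presentation or from ITD: a constructed vendor patch list and fleet inventory (hypothetical hosts, products and version strings) are compared numerically, and hosts that are behind are grouped so test systems get the patch before production.

```python
# Constructed data (hypothetical): the vendor's latest patch level per product
# and a fleet inventory with installed levels. "tier" marks the test systems
# the slide says patches are tried on before being deployed everywhere.
LATEST = {"webapp": "2.4.1", "os": "5.10.0"}
FLEET = [
    {"host": "test-web1", "tier": "test", "webapp": "2.3.0", "os": "5.10.0"},
    {"host": "web1", "tier": "prod", "webapp": "2.3.0", "os": "5.9.2"},
    {"host": "web2", "tier": "prod", "webapp": "2.4.1", "os": "5.10.0"},
]

def parse_version(text):
    """'5.10.0' -> (5, 10, 0). Fields compare as integers, so 5.10 > 5.9,
    which a plain string comparison gets wrong."""
    return tuple(int(field) for field in text.split("."))

def outdated(fleet, latest=LATEST):
    """Step 2: every (host, product, installed, latest) that is behind."""
    gaps = []
    for system in fleet:
        for product, newest in latest.items():
            if parse_version(system[product]) < parse_version(newest):
                gaps.append((system["host"], product, system[product], newest))
    return gaps

def rollout_waves(fleet, latest=LATEST):
    """Steps 3-4: hosts needing patches, test tier first, then production."""
    behind = {host for host, *_ in outdated(fleet, latest)}
    tier_of = {s["host"]: s["tier"] for s in fleet}
    waves = {"test": [], "prod": []}
    for host in sorted(behind):
        waves[tier_of[host]].append(host)
    return waves

if __name__ == "__main__":
    for host, product, installed, newest in outdated(FLEET):
        print(f"{host}: {product} {installed} -> {newest}")
    print(rollout_waves(FLEET))
```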

15
Enforcing strong passwords
  • Minimum password length should be 8
  • Use a password max age of 60 or 90 days
  • Use a password min age of not less than 14 days
  • Keep password history at least 10
  • Use a password filter so that users are forced to
    use a combination of alphanumeric and
    non-alphanumeric characters
  • Audit for empty and weak passwords using a
    password strength analysis tool
  • Remove all default accounts from applications and
    devices
  • Remove inactive accounts
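
The settings on this slide turned into an audit, added as an example and not part of the presentation: the policy thresholds are the slide's (max age taken as 90 days), the host settings and account records are constructed sample data, and the 90-day cutoff for "inactive" is an assumption since the slide gives no number.

```python
from datetime import date

# Policy thresholds from the slide (it allows a max age of 60 or 90; 90 used here).
POLICY = {"min_length": 8, "max_age_days": 90, "min_age_days": 14,
          "history": 10, "complexity": True}
DEFAULT_ACCOUNTS = {"guest", "admin", "administrator", "root"}
INACTIVE_DAYS = 90  # assumption: the slide gives no number for "inactive"

# Constructed sample input (hypothetical, not from any real system): the
# effective settings read back from one host, and its local accounts.
HOST_POLICY = {"min_length": 6, "max_age_days": 180, "min_age_days": 0,
               "history": 3, "complexity": False}
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    {"name": "jdoe", "set": date(2024, 5, 20), "login": date(2024, 5, 31), "empty": False},
    {"name": "guest", "set": date(2023, 1, 1), "login": date(2023, 1, 2), "empty": True},
    {"name": "admin", "set": date(2024, 1, 1), "login": date(2024, 5, 30), "empty": False},
    {"name": "svc_old", "set": date(2023, 12, 1), "login": date(2024, 1, 15), "empty": False},
]

def policy_findings(host, policy=POLICY):
    """Settings on the host that are weaker than the policy requires."""
    # "min": host value must be at least the policy's; "max": at most.
    checks = [("min_length", "min"), ("min_age_days", "min"),
              ("history", "min"), ("max_age_days", "max")]
    out = []
    for key, kind in checks:
        bad = host[key] < policy[key] if kind == "min" else host[key] > policy[key]
        if bad:
            out.append(f"{key}: host {host[key]}, policy {policy[key]}")
    if policy["complexity"] and not host["complexity"]:
        out.append("complexity: password filter is disabled")
    return out

def account_findings(accounts, today=TODAY, policy=POLICY):
    """Accounts the slide says to fix or remove: empty, default, inactive, stale."""
    out = []
    for a in accounts:
        if a["empty"]:
            out.append((a["name"], "empty password"))
        if a["name"] in DEFAULT_ACCOUNTS:
            out.append((a["name"], "default account"))
        if (today - a["login"]).days > INACTIVE_DAYS:
            out.append((a["name"], "inactive account"))
        if (today - a["set"]).days > policy["max_age_days"]:
            out.append((a["name"], "password older than max age"))
    return out
```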

16
Removing Unneeded Services
  • Define the role of the information system
  • Determine which services are needed on the system
    (legitimate business need) and remove all others
  • Determine which features within the service
    should be enabled
  • Public facing systems such as web servers, DNS,
    email servers, etc., should have priority in this
    first step
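
The four steps above as a check over an inventory, added as an example and not part of the presentation: the slide names the roles (web, DNS, email) but not which services each legitimately needs, so the per-role baselines and the hosts below are constructed assumptions; a host whose role is still undefined is reported as such rather than judged.

```python
# Allowed listening services per system role (assumed baselines; the slide
# gives the roles but not the service lists).
ROLE_BASELINE = {
    "web":  {"http", "https", "ssh"},
    "dns":  {"dns", "ssh"},
    "mail": {"smtp", "imaps", "ssh"},
}
PUBLIC_FACING = {"web", "dns", "mail"}  # the slide says these come first

# Constructed inventory (hypothetical hosts): host -> (role, services listening)
INVENTORY = {
    "www1": ("web",  {"http", "https", "ssh", "telnet", "ftp"}),
    "ns1":  ("dns",  {"dns", "ssh", "snmp"}),
    "mx1":  ("mail", {"smtp", "imaps", "ssh"}),
    "fs1":  ("file", {"smb", "ssh", "http"}),
}

def unneeded_services(role, listening, baseline=ROLE_BASELINE):
    """Services with no legitimate business need for this role (step 2).

    Returns None when the role has no baseline yet: step 1 (define the role)
    has not been completed for that system, so nothing can be judged.
    """
    if role not in baseline:
        return None
    return sorted(listening - baseline[role])

def hardening_plan(inventory, baseline=ROLE_BASELINE):
    """One row per host, public-facing systems first, with what to remove."""
    rows = []
    for host, (role, listening) in inventory.items():
        rows.append({"host": host, "role": role,
                     "public": role in PUBLIC_FACING,
                     "remove": unneeded_services(role, listening, baseline)})
    # False sorts before True, so negate "public" to put public hosts first.
    return sorted(rows, key=lambda r: (not r["public"], r["host"]))

if __name__ == "__main__":
    for r in hardening_plan(INVENTORY):
        todo = ("role undefined" if r["remove"] is None
                else ", ".join(r["remove"]) or "nothing")
        print(f"{r['host']:5} ({r['role']}): remove {todo}")
```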

17
Summary
  • Develop policies to secure the IT
    environment; include Business Owners, users and IT
    personnel in the process
  • Write policies, standards, procedures
  • Educate everyone in objectives and policies
  • Re-evaluate policies regarding new IT roll-outs,
    assets, and risks