Security Policies and Procedures - PowerPoint PPT Presentation

Title: Security Policies and Procedures
Provided by: Sri672

Transcript and Presenter's Notes

1
Security Policies and Procedures
2
Security Policies and Procedures
  • Policy
  • Definition
  • Types of policies
  • Policy model
  • Standards
  • Procedures
  • Guidelines

3
Policy
  • Definition: A plan or course of action
    intended to influence and determine decisions,
    actions, and other matters. (Webster's dictionary)
  • Policy must not conflict with any law
  • Policy must be able to withstand court challenges
  • Policy must be properly supported and
    administered
  • Policy must contribute to the success of the organization
  • End users must have some input into the policies
    developed

4
Types of Policies
  • Enterprise InfoSec policy
  • Issue-specific security policy
  • System-specific security policy

5
Types of Policies
  • Enterprise InfoSec policy
    • Known to all members of the organization
    • Sets strategic direction and scope for security
      efforts
    • Outlines the organizational structure that
      supports the security program
    • Specifies all acceptable and unacceptable
      uses of organizational resources with respect to
      security
    • Violations of the policy are handled uniformly

6
Types of Policies
  • Issue-specific security policy
    • Addresses specific technology-based systems
    • Requires constant updates
    • Issues involved could be:
      • Email
      • Internet use
      • Use of fax and phone
      • Use of copier and printer
      • Home use of organizational equipment
      • Handling violations of policy
      • Limitations of liability

7
Types of Policies
  • System-specific security policy
    • Usually treated as standards or procedures
    • Example: a firewall configuration
    • Example: a login policy might state that
      passwords expire; the system-specific policy
      implements that requirement on the system
    • Develops user access privileges:
      • Who can use what, when, how, and where
      • Read, write, create, delete, change, copy
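
The slide's three examples of system-specific policy (a firewall configuration, a login policy that enforces password expiration, and an access-privilege matrix of who may read, write, create, delete, change or copy what) are exactly the rules a practitioner would want to check automatically. The script below is an added illustration, not code from the slides or from any of the cited tools: it writes those rules as a checkable policy and audits a host configuration against it. The policy values, the configuration format, the treatment of a password age of 0 as "never expires", and the sample host are all constructed assumptions.

```python
"""Policy-as-code audit: does a system's configuration comply with its
system-specific security policy?  Added example; all values are constructed."""
from dataclasses import dataclass

# The system-specific policy, written as rules a program can check.
# Thresholds are constructed assumptions, not values from the slides.
POLICY = {
    "password_max_age_days": 90,        # login policy: passwords must expire
    "password_min_length": 12,
    "firewall_default": "deny",         # firewall configuration: default deny
    "firewall_allowed_inbound": {22, 443},
}

# Access-privilege policy: (role, resource) -> operations that may be granted
# ("who can use what ... read, write, create, delete, change, copy").
ACCESS_POLICY = {
    ("analyst", "reports"): {"read", "copy"},
    ("admin", "reports"): {"read", "write", "create", "delete", "change", "copy"},
}


@dataclass
class FirewallRule:
    direction: str   # "in" or "out"
    port: int
    action: str      # "allow" or "deny"


@dataclass
class SystemConfig:
    password_max_age_days: int            # 0 means "never expires" (assumed convention)
    password_min_length: int
    firewall_default: str
    firewall_rules: list[FirewallRule]
    grants: dict[tuple[str, str], set[str]]   # operations actually granted


def check_login_policy(cfg: SystemConfig, policy: dict) -> list[str]:
    """Password expiration and length, as the login policy requires."""
    findings = []
    limit = policy["password_max_age_days"]
    # A max age of 0 disables expiry entirely, which violates the policy
    # just as surely as an age above the limit does.
    if cfg.password_max_age_days <= 0 or cfg.password_max_age_days > limit:
        findings.append(
            f"password max age {cfg.password_max_age_days}d violates policy limit {limit}d")
    if cfg.password_min_length < policy["password_min_length"]:
        findings.append(
            f"password min length {cfg.password_min_length} below policy "
            f"{policy['password_min_length']}")
    return findings


def check_firewall(cfg: SystemConfig, policy: dict) -> list[str]:
    """Default-deny stance and the set of inbound ports that may be opened."""
    findings = []
    if cfg.firewall_default != policy["firewall_default"]:
        findings.append(
            f"firewall default is '{cfg.firewall_default}', policy requires "
            f"'{policy['firewall_default']}'")
    for rule in cfg.firewall_rules:
        if (rule.direction == "in" and rule.action == "allow"
                and rule.port not in policy["firewall_allowed_inbound"]):
            findings.append(f"inbound port {rule.port} allowed but not permitted by policy")
    return findings


def check_access(cfg: SystemConfig, access_policy: dict) -> list[str]:
    """Granted operations must be a subset of what the policy permits."""
    findings = []
    for (role, resource), granted in cfg.grants.items():
        permitted = access_policy.get((role, resource), set())
        excess = granted - permitted
        if excess:
            findings.append(
                f"{role} holds {sorted(excess)} on {resource} beyond policy {sorted(permitted)}")
    return findings


def audit(cfg: SystemConfig, policy=POLICY, access_policy=ACCESS_POLICY) -> list[str]:
    """Return every policy violation found in cfg; an empty list means compliant."""
    return (check_login_policy(cfg, policy)
            + check_firewall(cfg, policy)
            + check_access(cfg, access_policy))


# Constructed sample: a host whose configuration has drifted from policy.
SAMPLE = SystemConfig(
    password_max_age_days=180,
    password_min_length=12,
    firewall_default="allow",
    firewall_rules=[FirewallRule("in", 22, "allow"), FirewallRule("in", 3389, "allow")],
    grants={("analyst", "reports"): {"read", "copy", "delete"},
            ("admin", "reports"): {"read", "write"}},
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("VIOLATION:", finding)
```

Each check maps one line of the slide to one function, and the policy lives in data rather than in the code, so changing a threshold (the standard) does not require changing the checker (the procedure). The sample host produces four findings: password age, firewall default, port 3389, and the analyst's extra `delete` right; the admin's grants are within policy and produce none.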

8
Policy Model
9
Policy diagram relationships
10
Standards
  • Standards are direct derivatives of policies
  • A standard is a detailed statement explaining how to
    comply with the policy
  • Example: "Inappropriate use of the Internet is
    not allowed" is a policy statement. The standard
    for implementing this policy would spell out what
    types of use (such as pornography, gambling,
    chatting, IM) are considered inappropriate.

11
Procedures
  • A procedure explains how a policy is
    implemented
  • Example: a policy states that information must be
    protected according to its classification level (top
    secret, proprietary, confidential, etc.).
    The procedure would state where to find the
    classification level, which media may be used for
    storage or transfer of the data, and how to dispose
    of the information once it is no longer needed

12
Procedures
  • Example: a policy states that employees are eligible
    for a computer account.
  • The procedure states how this policy is implemented.
  • What an employee must do to have a computer
    account set up is part of the procedure

13
Guidelines
  • Guidelines amplify policy by suggesting ways to
    implement it; unlike standards, they are
    recommendations rather than mandatory requirements
  • Example: "appropriate use of email" is the policy.
    The guideline spells out in greater detail the
    types of email that may be sent and received,
    limits on attachment size, etc.

14
Policy Management Tools
  • VigilEnt Policy Center (VPC), from NetIQ, was at the
    time of this deck (c. 2004) the most widely used
    tool for policy development, dissemination,
    implementation, and management
  • Pedestal Software: policy management
  • Zequel: policy management

15
References
  • Whitman, M. E. & Mattord, H. J. Management of
    Information Security, Course Technology, 2004
  • Wood, C. C. Information Security Policies Made
    Easy, 9th Edn., NetIQ Corp., 2003
  • Security Policy: http://www.netiq.com/products/pub/ispme.asp

16
References
  • NIST guideline for policy: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
  • NIST Handbook: An Introduction to Computer
    Security, Special Publication 800-12
  • Whitman, M. E., Townsend, A. M. & Alberts, R. J.
    Considerations for an effective
    telecommunications-use policy, Communications
    of the ACM, 42(6), 1999, 101-109.

17
References
  • Software for policy management: http://www.pedestalsoftware.com/
  • Software for policy management: http://www.zequel.com/