Security Policies & Standards Flashcards

1
Q

What is a Security Policy?

A

A security policy is a large document made up of many subdocuments that defines the company’s security strategy. It is a document that defines all the rules in the organization that all personnel need to follow—including users, network administrators, security professionals, and the management team. It is important to note that even the security team in the organization must follow the security policy defined by the organization.

As mentioned, the security policy is made up of many subdocuments, with each subdocument covering a specific area of concern, known as a policy. These policies specify the dos and don’ts that everyone within the organization must follow. The policies are created by the security professional, but are sponsored by upper-level management. The first step to creating a security policy is to get the support of upper-level management because without their approval and support, there is no enforcement of the policy.

2
Q

What is the Structure of a Security Policy?

A

Although it is up to you how you format your security policy and what sections go into each policy, here is a quick overview of parts that should exist in each document contained within the security policy. The following sections should be part of any security policy:

Overview:  The first section is the overview section, and it should identify what the purpose of the policy is and how it helps secure the environment. For example, the password policy would specify the need to have strong passwords and secure usage of passwords.

Scope:  The scope section of the policy defines who the policy applies to. For example, you should explicitly specify whether the policy applies to all employees, contractors, and/or temporary employees. You should also specify if the policy is to apply to all equipment within the organization.

Policy:  The policy section is the largest section in the document and is the listing of dos and don’ts. The policy section may be divided into different parts to help organize all of the rules specified by the policy.

Enforcement:  A very important part of the policy is to specify what happens if employees do not follow the policy. This section is usually a short section specifying that if employees do not adhere to the policy, it could result in disciplinary action and maybe even termination of employment.

Definitions:  The definitions section is where you can add definitions for terms that are used in the policy that the reader of the policy may not know.

Revision History:  The revision history is a section of the policy that lists the date the policy has been changed, who made the change, and maybe who authorized the change. Do not forget to add an entry to the revision history showing the creation date of the policy.

It is important to ensure that each policy has a consistent format. To help you create policies, visit www.sans.org and download some of their policy templates. These templates are published for you to use as a guideline when creating your own policies.

3
Q

What are Security Policy Types?

A

Three popular types of policies are standards, guidelines, and procedures.

Most policies within an organization are standards that must be followed. A standard policy is a policy that needs to be followed and typically covers a specific area of security. Failure to follow a standard policy typically results in disciplinary action such as termination of employment.

Some policies are guidelines, which are recommendations on how to follow security best practices. The National Security Agency (NSA) has published on their web site a number of guidelines on security best practices for different types of servers and operating systems. No disciplinary actions result from not following a recommended policy because it is just that—a recommendation.

The final type of policy is a procedure policy, which documents step-by-step procedures showing how to configure a system or device, or maybe step-by-step instructions on how to implement a security solution.

4
Q

What is ISO 17799?

A
The International Standards Organization (ISO) created the ISO 17799 standard, which specifies best practices for information security management. ISO 17799 breaks the management of information security into different categories (typically known as domains). The following is a listing of some of the categories of information security you should be focused on to follow this standard:

+ Risk Assessment
+ Security Policies
+ Security Organization
+ Asset Protection
+ Personnel Security
+ Physical and Environmental Security
+ Communication and Operation Management
+ Access Control
+ System Maintenance
+ Business Continuity

5
Q

What is HIPAA?

A

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 and deals with the privacy of health care records. HIPAA is a U.S. standard whose key area of concern is to protect any individually identifiable health information and to control access to that information.

6
Q

What is Personally Identifiable Information?

A

Personally Identifiable Information (PII) is any information that can uniquely identify a person. It should be protected at all times. Examples of information considered Personally Identifiable Information are the following:

National identification number:  A national identification number would be something like the Social Security number (in the United States) or the social insurance number (in Canada).

Driver’s license number:  A driver’s license number is a good example of unique information about an individual that would need to be secured.

7
Q

What is Acceptable Use Policy?

A

The acceptable use policy, also known as the AUP, is an important policy because it lets the users know what the company considers acceptable use of its assets such as the Internet, e-mail, laptops, and mobile devices.

The acceptable use policy should be reviewed by all employees during employee orientation and should be signed as proof that they have read the policy and agree to its terms. The following are topics typically covered by the acceptable use policy:

Acceptable use of Internet:  Typically covers rules such as prohibiting inappropriate content. You may also want to state whether the Internet should be used only for business purposes and what the company tolerance is for use of social networking sites during business hours.

Acceptable use of e-mail:  This policy should cover the fact that e-mail is for business use with minimal personal e-mails. Also specify in the policy what the company rules are surrounding the topic of forwarding chain letters and that no harassing e-mails should be sent from business e-mail accounts.

Acceptable use of laptops:  This policy specifies any rules surrounding the use of laptops. You may want to cover topics such as locking the laptop in the trunk of the car if it is left in the car—laptops are not to be left in plain view. Also specify if the content on the laptop should be encrypted and whether the user can connect the laptop to non-work networks.

Acceptable use of mobile devices:  This policy should cover any rules surrounding mobile devices, such as the type of mobile devices that can be used for corporate mail and phone. Also specify how much personal use is allowed with the mobile device and what to do if the mobile device is stolen. Lastly, you may want to specify what features of a mobile device are to be enabled or disabled.

8
Q

What is Password Policy?

A

The password policy is an important policy to both users and administrators. I’ve placed the password policy in the section affecting users, but note that it affects the administrators as well because it will dictate to the administrators what to configure as password restrictions on the servers and the requirements for proper passwords.

The following outlines some of the considerations that should go into the password policy:

Minimum password length:  The minimum password length specifies how many characters employees must have in their passwords. The typical minimum length used by businesses is eight characters.

Password history:  The password history setting specifies how many past passwords the system should keep track of. The concept here is that employees are not allowed to reuse a password in the password history. Companies typically set the history to 12 or 24 passwords.

Maximum password age:  The maximum password age specifies how long an employee is allowed to have a specific password. This value is normally set anywhere from 30 to 60 days, at which time the user must change their password.

Minimum password age:  The minimum password age is a minimum number of days that a user must have their password. This setting will prevent employees from changing their password multiple times in order to get the desired password out of the history with the intent of reusing an old password.

Password complexity:  The password complexity setting specifies whether you require complex passwords. A complex password is a password that has a mix of letters, numbers, and symbols and uses a mix of uppercase and lowercase characters. It is highly recommended to have password complexity enabled within your environment.

9
Q

What is Change Management Policy?

A

The change management policy will specify the process to follow when implementing a change to the network. When a change management process is not in place, or the policy is not being followed, mistakes made during changes can leave users unable to access the asset.

Having a change management policy that specifies procedures to follow should reduce mistakes in configuration because a process can ensure that the change will be properly tested.

10
Q

What is Secure Disposal of Computers?

A

One of the most vital policies to consider today is secure disposal of equipment. What do you do with a computer that has been decommissioned in the business? Do you donate it to the local school system? What about the corporate data that resided on the hard drive of that system? It is important to consider what you do with systems and devices after they are taken out of production.

In highly secure environments, it is critical that you physically destroy any hard drives that held sensitive data. In less secure environments, you may want to securely wipe the drives so that the data cannot be recovered. Simply formatting a drive does not remove the information, and it still can be retrieved.

Also specify in this secure disposal of computers policy what to do with old equipment taken out of production. This includes servers, tapes, switches, routers, and mobile devices. I have seen many cases where the network administrator has sold the company’s old server or router on the Internet without ensuring that the existing data and configuration are erased. This should be a violation of the security policy, and administrators need to be educated on the risks associated with not securely disposing of equipment.

11
Q

What is Service Level Agreement?

A

A service level agreement (SLA) is a contract, or agreement, between your company and anyone providing services to the organization. The service level agreement sets the maximum amount of downtime that is allowed for assets such as Internet and e-mail and is an important element of the security policy. It is important to ensure that you have an SLA in place with all providers, including Internet providers, communication link providers, and even the network service team.

12
Q

What is Privacy Policy?

A

An important aspect to any organization today is to have a privacy policy in place that is used to educate employees and customers as to how and why information is collected from its customers and how that information will be used. Most businesses place a privacy statement on their web site to inform the public how they intend to use and manage that information.

13
Q

What is Classification of Information?

A

Another example of a policy that deals with the concerns of management is an information classification policy. The information classification policy helps define the different classifications of information, for example, secret and top secret, and what clearance level is needed to access that information.

Assigning a classification level (known as a data label) to information determines the amount of effort used to secure the information. For example, information that is classified as top secret will have more security controls in place to protect the information than will information of lower classification such as secret or even unclassified.

The following are some popular information classifications used by the military:

Top secret:  This is the highest classification level. Top secret is information that would cause grave damage to national security if disclosed to the public.

Secret:  A classification level below top secret. Information classified as secret could cause serious damage to national security if disclosed to the public.

Confidential:  A classification level below secret and the lowest classification level. Information classified as confidential could cause potential damage to national security if disclosed to the public.

Unclassified:  Any information that is not classified falls into this category—unclassified. Unclassified information is considered safe and not harmful to national security if disclosed to the public.

The security policy should specify what type of information is top secret, secret, confidential, and unclassified. The policy should not only specify how information is classified, but also under what circumstances information can be declassified (the classification removed or changed) and what the process is to have that classification on the information changed.

Once the information in the organization has been classified, the next step is to assign persons within the organization a clearance level. To access top secret information, an employee would need top secret clearance and need-to-know status.

There are other classification levels that can be assigned to information. The previous examples are common with government and military, but companies may use their own internal classification system. The following are other examples of classification labels:

High/medium/low:  Your company may use an internal classification system of low, medium, and high to rate the security risk if the information is exposed to the public.

Private/public:  A simple approach to classifying information is to label the information as either private or public. Private means that the information is for internal use, while public is information that does not present a security risk if exposed to the public.

14
Q

What is Remote Access Policy?

A

The remote access policy is designed to determine how remote users will gain access to the network, if at all. In the remote access policy, you specify remote access protocols that are required to be used and specific software solutions that the company has tested and approved. In this policy you may also specify that the client system must be up to date with patches and antivirus updates.

15
Q

What is VPN Policy?

A

The VPN (virtual private network) policy specifies how remote users will connect to the network using the Internet. A VPN encrypts communication between the client and the VPN server. In the VPN policy, you will specify what VPN protocol and solution are to be used for remote access via VPN. In this policy you may also specify that the client system must be up to date with patches and antivirus updates.

16
Q

What is Incident Response Policy?

A

The incident response policy is designed for the security team that will be handling security incidents. The incident response policy specifies what each person on the incident response team is responsible for and how to handle security incidents.

17
Q

What is Firewall Policy?

A

The firewall policy is a policy that specifies the company’s firewall solution and the type of traffic that is or is not allowed to pass through the firewall.

18
Q

What is Audit Policy?

A

The audit policy is an important policy that specifies where auditing needs to be implemented in the company. The audit policy should specify what types of servers on the network need auditing enabled and what type of activity should be audited. The audit policy should also specify who is to review the logs and how frequently.

19
Q

What is Physical Security Policy?

A

The physical security policy is designed to specify any physical security controls, such as locked doors, fencing, and guards, that should be implemented. It is important to ensure that you control access to servers by placing them in a locked server room.

20
Q

What is Software Policy?

A

The software policy specifies what the approved software is for the business and indicates what software can and cannot be installed on the system. The software policy should also specify how a piece of software can be added to the approved list. You also want to ensure you indicate in the software policy that there is to be no software piracy by employees.

21
Q

What is Backup Policy?

A

The backup policy specifies what type of data needs to be backed up and how frequently. Administrators will look to the backup policy to determine how they will back data up within the business.

22
Q

What is Hiring Policy?

A

The hiring policy should be created to help HR understand what they need to do during the hiring process to help maintain security. The hiring policy may specify any of the following to be performed by HR:

Interview process:  The hiring policy may specify the order of the types of interviews to be performed. For example, the hiring policy may specify to do a phone interview as a first level of screening before performing in-person interviews.

Contact references:  During the in-person interview, the hiring policy may specify to ask for references so that they can be contacted before the next interview.

Background check:  The hiring policy may specify the types of background checking that are to be performed on a candidate. During this phase of the hiring process, you may verify information on the applicant’s résumé. Any indication that the candidate has lied on their résumé is a good reason not to hire the candidate. The goal of the background check is to ensure that the education and job experience the candidate claims to have actually exists. You may also consider doing criminal background checks and Google searches on the candidate.

Sign a noncompete and NDA:  The hiring policy may state that during the last interview you are to ask the candidate if they would be willing to sign a noncompete agreement and a nondisclosure agreement (NDA). If the candidate is not willing to sign such agreements, this could be a reason to not hire the candidate.

Drug screening:  During the last interview, you may ask the candidate if they would be willing to do a drug screening test as well. Again, if the candidate says no to the drug screening, the policy should indicate to move on to a candidate who will do the drug screening tests.

The point of having a hiring policy is that you can help create a more secure environment for your organization by starting with the hiring of honest and good-willed individuals.

23
Q

What is Termination Policy?

A

It is critical that a termination policy be in place to help human resources determine the steps needed to terminate an employee. The steps taken during termination depend on whether it is a friendly termination or an unfriendly termination.

A friendly termination typically involves an employee leaving the company on good terms and normally for noncompetitive reasons. With a friendly termination, you want to host an exit interview and document the reasons for the employee leaving the company. More importantly, you want to remind the employee of the NDA they signed when joining the company and inform them that they still need to adhere to the agreement even though they will no longer be working for the company. Be sure to collect any pass cards and keys from the employee and disable their accounts after they have left the company.

An unfriendly termination typically involves an employee being let go from the company or leaving on bad terms. Often, the unfriendly termination stems from the employee leaving the company for competitive reasons or being let go due to failure to follow company policy. Either way, HR should notify the network team of their intention to let the employee go so that while they are giving notice to the employee, the network team can disable the employee’s access to network resources and sensitive areas of the building. More often than not, in an unfriendly termination, security will need to escort the employee from the premises to ensure that the employee leaves the facility.

24
Q

What are Mandatory Vacations?

A

From a security point of view, it is important that the security policy enforces mandatory vacations—vacation time that must be taken. The importance of taking vacation time is that it will help detect fraudulent or suspicious activities within the organization because another employee will need to take over the job role while someone is on vacation. This will help keep employees honest in their job functions because they know they will be held accountable for irregular activities.

25
Q

What is User Education and Awareness?

A

Creating and implementing a security policy is an important step to creating a secure environment for your company, but if you do not educate employees on security and the relevant security policies within the business, there is no security!

It is important to spend some time to develop a security training and awareness program that involves educating all employees at all levels on their responsibility for security. This section is designed to inform you of the different types of awareness training that should be supplied to individuals within the company.

26
Q

What is General Training and Role-Based Training?

A

Your first major decision when designing a security training program is to identify what type of information to expose to the different types of employees within the organization. Because security is such a critical concept and an area where you want to ensure you capture your audience during the training and awareness seminars, you want to make sure that you keep the training relevant to the audience and based on job roles. For example, you do not want to put the business users to sleep with complex discussions on how a firewall is implemented, so technical security training is reserved for the technical team. Any members in that job role would be required to take the detailed technical training. The following is a basic outline on what should be explained to the different job roles or types of employees in the organization:

Business users:  Areas of security that you should educate the typical business users about are password best practices, social engineering, virus protection, and the importance of physical security.

Technical team:  The technical team consists of the network administrators, security administrators, and potentially the desktop support team. These individuals are educated on the technical solutions that offer security, such as intrusion detection systems, firewalls, and malware protection solutions.

Management:  You will take a totally different approach with the management team. You need to remember that management cares little about how things are done, but cares more about the whys. When raising security awareness to management, focus on why they should support the security initiatives being proposed by giving them examples of past occurrences where businesses have lost huge amounts of money due to security incidents. Also try to find laws and regulations that require the organization to make an effort to protect its assets, or find past cases where an organization has been held legally accountable for not implementing appropriate security measures to protect its assets. Another good idea would be to find cases where insurance companies have found violations in the insurance policy due to a company not making efforts to secure its assets. These are all examples of the type of information that would grab the attention of management in a security awareness seminar geared toward management.

27
Q

What is Awareness of Policy?

A

When training all personnel in the organization, make sure that you educate everyone on topics that will reduce the likelihood of a security event occurring. Educate employees, technical teams, and management on the purpose of the security policy and the types of rules that are contained in the security policy. Ensure that you educate the employees on what PII is, and give examples of PII-related information that your company stores so that employees know to not give out that information and can focus on securing the information.

Educate all employees on your information classification system and about data labeling. A data label is the classification label, such as top secret, that is assigned to information. Ensure that employees know the different clearance levels that can access different data labels.

You also want to make sure you spend time educating employees on the secure disposal of equipment policy, and make sure that all employees see the importance of destroying drives and erasing configuration from old equipment.

Ensure that employees understand the importance of complying with laws and regulations within the company’s industry.

28
Q

What are Delivery Methods?

A

You can use a number of different methods to deliver the awareness training. You can use any of the following methods, or a combination of methods:

Seminars:  One of the most popular methods to educate employees is to hold seminars where a security expert explains the relevant issues to the participants. These seminars are normally half- or full-day seminars.

Lunch and learn:  Lunch-and-learn sessions are similar to seminars, but are approximately 50 minutes in length and designed to touch on one specific issue. Most companies will supply lunch while the employees are being educated on security.

CBTs:  Computer-based training (CBT) is a method in which employees use self-study tools such as training sessions played from a CD-ROM to learn about security.

Intranet site:  You can have resources on your intranet site such as documents describing security best practices.

Videos on demand:  A newer approach to internal training is to have seminars recorded as videos available for download from an internal server.

29
Q

What is Password Behavior?

A

When it comes to good password best practices, educate your users on the importance of having strong passwords and the fact that a simple password can be cracked in seconds. Explain that a strong password is a password of at least eight characters, has a mix of upper- and lowercase characters, and contains numbers and/or symbols.

Ensure that users are not using easy-to-guess passwords or writing the passwords down anywhere. This point should be clearly specified in the password policy. Ensure that users are changing their passwords on a regular basis to help prevent a hacked account from being used for a long period.

30
Q

What is Data Handling?

A

Users should also be educated on secure ways to handle data. Data that is stored on a removable drive should be stored in an encrypted format so that if the removable media falls into the wrong hands, the data is protected. Policies should be in place as to what types of removable media are allowed in the business and what types of information are allowed to be stored on that media. You must ensure that users review the policy and understand the terms of use for such media.

Be sure to educate your users on the proper destruction of data. Educate the users that simply deleting the files off the drive does not remove the data from the disk and that employees must follow the secure disposal of computers policy to get rid of any devices.

Educate your users on proper destruction of hard copies of data (paper-based printouts), and ensure that there is a paper shredder available to all users to shred sensitive documents when no longer needed. Educate the users on the fact that hackers will dumpster dive, meaning they will go through the garbage to try to find sensitive information, which is why documents need to be shredded.

31
Q

What is Clean Desk Policy?

A

A number of organizations implement a clean desk policy. A clean desk policy is a policy that requires the users to ensure that any sensitive documents are stored away in a secure location at all times and not left in plain view on someone’s desk. It is important to stress to employees what the ramifications of not following the clean desk policy are and to be sure to perform periodic checks in the evening by walking around the office to see if anyone has left sensitive documents in plain view.

32
Q

What is Tailgating?

A

Tailgating is a method intruders use to bypass the physical security controls put in place by a company. The concept of tailgating is that an intruder will wait until an authorized person uses their swipe card or pass code to open a door, and then the intruder will walk in with the person through the open door.

To help prevent tailgating, you can use a revolving door or a mantrap. A mantrap is an area between two locked doors with the second door not opening until the first door is completely closed. Educate your employees on what to do if someone tries to tailgate, or piggyback, through an open door. Most companies tell the employee not to open the door if someone is hanging around the entrance and to ensure the door closes completely.

33
Q

What are Personally Owned Devices?

A

You should ensure that your security policy and AUP cover the company’s policy surrounding the usage of personally owned devices for business use or within the company’s network and facility. The best practice here is to not allow personally owned devices because the company has no right to search or monitor activity if the device is not owned by the company. For this reason, it is safest to simply state that no personal devices are allowed for work-related purposes.

34
Q

What are New Threats and Security Trends?

A

Ensure that your training and awareness program discusses the fact that new viruses come out each day and that employees should ensure that their home and work computer virus definitions are up to date at all times. Ensure that the company has a method to inform the employees of new virus threats so that all employees are aware of the threat right away.

Ensure that employees are aware of common threats such as phishing attacks. A phishing attack is when the employee receives an e-mail asking them to click the link provided to visit a site. This typically is a fake e-mail that appears to be coming from your bank asking you to click the link provided to verify your bank account has not been tampered with. Inform the employees of such threats, and tell them to delete the e-mail and not to click the link provided.

Also educate your employees on zero-day exploits. Zero-day exploits are attacks on software or hardware that has just come out, and the vendor of the software or hardware is not aware of the exploits yet. The issue here is that if the vendor is not aware of an exploit, then they do not have a fix for it. It is important to educate your users that hackers are always coming up with new ways to exploit systems and that we need to be security-focused in our everyday thinking.

35
Q

What is Use of Social Network and P2P?

A

One of the leading security concerns regarding employees’ everyday use is their Internet habits at home, in the office, or with the company laptop. Two areas of concern are social networking sites and peer-to-peer (P2P) programs that allow you to download music, movies, and software.

Be sure to educate your employees on the use of social media such as Twitter, MySpace, and Facebook. Ensure that employees know not to post company-related information on such sites, and deter them from posting pictures of company parties and other events. Such activities could damage the image of the company.

You should also specify in the acceptable use policy the company’s rules around the use of social networking sites during work hours. Some businesses allow the use of such sites on break or lunchtime, but many people spend more time than they should on such sites even during work hours. Be sure to keep virus protection software up to date because a large number of viruses are being written in applications used in social networking sites.

Peer-to-peer software is used to share music, videos, and software applications on the Internet for the rest of the world to download. Examples of such software are Bearshare and BitTorrent. There are two areas to educate your employees on P2P software use. First, this is a popular way for hackers to distribute viruses across the network, so employees should keep virus protection software up to date on all systems at home; P2P software should not be allowed in the company at all.

The second point that should be made in the AUP is that there is to be no downloading or sharing of any copyrighted material such as music, movies, TV shows, or software from the company systems and assets. Make it clear that the company has no tolerance for copyright violations and software piracy.

36
Q

What are Training Metrics and Follow Up?

A

It is important to ensure that you gather training metrics to gauge the success of your security training. You should have a training plan that includes all required training for each employee and a way to track whether the training was taken.

You should also have a method of testing the effectiveness of the training, whether that be with testing or simulations. You need to validate the effectiveness of the training, compliance to policy, and test the security posture of the organization.