Appendix A. Preparing a Security Policy

What Is a Security Policy?

The Site Security Handbook (RFC 2196) states the following:

    The main purpose of a security policy is to inform users, staff, and managers of their obligatory requirements for protecting technology and information assets.

A security policy is vital to any organization and provides a framework inside of which people can work safely. The policy provides staff with clear information about responsibilities in the handling of resources and information. In addition, the policy details the meaning of acceptable use and any prohibited activities.

Establishing a security policy lessens the risk of a potential security breach. For example, by raising awareness about how someone can inadvertently divulge information through improper use of the Internet, a company can limit the threat of this occurring.

The policy is also a living, ever-changing document that describes what assets you are trying to protect, from whom you are trying to protect them, what likely threats exist, and how you intend to provide this protection. The document can be 1 to 2 pages or 1400 pages long, depending on what you want to cover.



Risk Assessment

Before you start on the security policy document, you need to perform a risk assessment to help all parties understand the cost of losing something, what it actually is they have to lose, and how they can lose it. For example, what is the risk should your building experience a total power failure? How much will it cost the company if it is effectively shut down for an extended period of time? This is what your risk assessment helps to flush out. What if your ISP cuts off your service because of spamming and hacking attacks coming from your IP address? How long can you be without Internet access as a company, and how much will it cost? Following are three main points you should always be thinking about when creating your policy:

- What are the assets that need protection?
- What threats do they face?
- What is the cost of protecting them?



Assets

The first part of your risk assessment is to identify the assets that need protection. Assets are anything from physical computers, digital information, and building security to intellectual property. All of these require some form of protection. Whether it is from a fire burning down the building or information being placed in the wrong hands, a loss could cost the company a substantial amount of money or embarrassment. Table A-1 lists basic items about which you should gather information as it pertains to your category of security policy.

Table A-1. Basic Asset Information for a Security Policy

Asset Category   Description
Hardware         Computers/laptops; servers, routers, switches; printers, copiers
Software         Operating systems; source code
Data             Databases; archive tapes; transmitted information on the network; intellectual property
People           Administrators; users

Threats

The second part of risk assessment details the possible threats to these assets. To be realistic, this list will never be totally complete, but listing as much as possible can only help when planning for costs. Table A-2 lists some possible threats to your business.

Table A-2. Possible Security Threats

Threat Category   Description
Human             Cracker; hacker; disgruntled worker; untrained employee; terrorist; denial of service
Equipment         Power failure; hardware failure
Natural           Storm; fire; flood; earthquake; lightning; meteor strike

Cost

Last but not least is calculating the cost of protecting your assets. Business decisions always weigh heavily on costs. If it costs more to protect something than it is actually worth, you should seek an alternative method or solution, or just not protect it. The comparison should be against the expected loss (the asset's value weighted by how likely the threat is and how often it would recur), not against the purchase price alone. Table A-3 lists some different costs associated with company assets.

Table A-3. Asset Protection Costs

Asset           Cost
Computer        Hardware; software; installation and configuration
Data            Database data
Power failure   UPS; generator
Building        Replacement and repair
Personnel       Downtime; recruitment; training time; employee benefits

Getting Acceptance

After you have gathered all the risk assessment information, the next step is to present that data to the appropriate department heads. Getting managers from several different areas such as help desk, accounting, research, engineering, and human resources to place their input into the policy and sign off on it is critical to the successful implementation of the policy. People usually overlook this basic step, and the result is a new security policy that no one had input into. When this happens, managers have little reason to enforce the policy within their own departments. To prevent that from happening, get managers involved, get them excited about security, and let them know that their opinion is important.

Security is their friend, not their enemy. Help people understand that having and following documented policies and procedures makes their jobs easier. They will no longer be out on a limb when refusing a request from a senior member of staff to reuse a password, because they can refer to the policy in support of their argument. When a company adopts this method of community policy building, everyone feels he has helped to contribute to the new security policy, which facilitates department acceptance and enforcement.



Basic Policy Requirements

This section explores the creation of a sample policy and its essential components. Assume that you need to create a policy governing the use of electronic communications (e-mail). This policy should cover the following subjects:

Purpose: The purpose states what the policy is all about and what it enforces.

Scope: The scope covers to whom the policy applies, what the affected equipment is, and what technologies are utilized.

Policy: The policy is the main content of the document that outlines what is acceptable behavior and what is not allowed.

Enforcement: Enforcement, as the name implies, is a detailed section that explains the possible consequences if the policy is not followed.

Terms or Glossary: The terms section is not always needed; however, documents can become quite technical, and readers might not always understand the terms or acronyms within the document. This section is a common area to help explain what the terms mean, for clarification.



Sample E-Mail Usage Policy

The following is a sample e-mail usage policy that covers all five subjects previously listed. The company name has been replaced by [Company], and [...] marks text that is missing from this copy.

E-mail Acceptable Use Policy

1.0 Purpose

In the efforts to protect the image of [Company], thi[...] into place. Every e-mail from employees sho[...] standard of professionalism and tact that h[...] the public eye. E-mail should be treated as official statements and must be written and read carefully at a[...] sent.

2.0 Scope

The scope of this policy covers any use of e-mail sent from [Company] addresses and applies to every employee, vendor, contractor, an[...] on the behalf of [Company].

3.0 Policy

3.1 Prohibited Use

[Company]'s e-mail servers, systems, and client progr[...] any time for the creation or distribution of offensive or disru[...] This content includes but is not limited to offensive comments [...] color, age, hair color, sexual orientation, disabilities, relig[...] beliefs, pornography, or nationality.

Any employees who receive such e-mail with offensive content fr[...] employees should report the incident to the [...] immediately.

3.2 Personal Use

[Company] e-mail for personal use is acceptable on a [...] personal e-mails should be kept separate from standard company [...] of [Company] for personal use is prohibited.

3.3 Prohibited Use

[Company] e-mail is never to be used for sending know[...] letters, joke e-mails, spam, and mass mailings unless approved [...] supervisor.

3.4 Monitoring

E-mail at [Company] may be continuously monitored wit[...] any employee. Employees should have no expectation that e-mail [...] is private. However, [Company] is [...] monitor all e-mails.

4.0 Enforcement

Any employee found violating this e-mail po[...] to disciplinary action and possible termination of employment.

5.0 Glossary

E-mail: Electronic mail delivered typically via the Internet.



Understanding Your Environment

Knowing what constitutes a "normal" routine within your organization can give you greater insight into the potential security risks that exist and any likely barriers to enforcing security policy. What about that database server that all users access using a system admin account because the application vendor said it could not work any other way, or the fact that you can get into the building without identification every morning between 7:30 and 8:00 because the night security guard is out back preparing to leave and the daytime receptionist has not yet arrived? Each of these is an established practice that the policy must either explicitly forbid or explicitly accept as a known exception; left unmentioned, it becomes the de facto policy.



Balancing Productivity and Protection

Although the overall aim of a security policy is to protect the assets of the organization, a policy that is too restrictive can have the opposite effect. For example, if users are forced to adhere to a complex password policy, you can expect two things: a significant increase in calls to your help desk for account resets, and the proliferation of "helpful reminders" stuck to monitors around the workplace. A control that users work around in this way protects less than a simpler control they actually follow.



The Trust Model

When looking at levels of trust within your organization, three basic models exist:

- Trust everyone all the time
- Trust no one at any time
- Trust some people some of the time

Employing the "Trust some people some of the time" model is most likely to ensure that your security policy will gain acceptance by your user community without compromising the integrity of the policy. At this level, access is delegated as needed while retaining controls (such as comprehensive auditing) to ensure that those trusts are not being violated.



How Should It Be Written?

Write your policy in terms that are simple to understand. Compliance should not be at the expense of productivity; it is important that users throughout the organization understand the reason for the controls you are implementing.



Who Creates the Policy?

The organization as a whole should be involved in the creation of its security policy. As stated previously, gaining buy-in from key personnel is an important part of rolling out a successful policy. The role of the security officer should be [...]

