Computer Security Policies
Reasons for Having Policies
- Ethical reasons: e.g., ensure that the organization "does the right thing"
- Business reasons: clarification of business practice
- Regulatory reasons: may be required by a partner, sponsor, or government
- Liability reasons: having and following a policy may mitigate liability, and supports disciplinary action if it is not followed
Psychology of Policies
- People don't like being restricted
- However, people don't like being cast adrift on the open sea, either: policies can make life easier
- Trust is a key issue: policies play a key role in providing guidelines where you can't trust people to always do the right thing
What makes a good policy?
- Concise and focused
- Self-contained (defines its key terms)
- Supportive of current or intended business practice; a consensus approach is desirable
- Technology independent in what it requires, but specific in the technical detail needed to implement it
- Enforceable
- Realistic
- Auditable
Policy Template Outline
1) Purpose
2) Definition of Terms
3) Scope
4) Description
5) Enforcement
6) Revision History
Example Policies
- Policy on Encryption Usage: http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.pdf
- University Security Policy: http://www.usg.edu/oiit/policies/security.phtml
Waivers
- Policies are guidelines, not absolutes
- Waivers are sometimes acceptable, based on:
  - solid justification
  - infrequent occurrence
  - consistency with overall policy goals
- Issuance of multiple waivers is a good motivation to examine and possibly revise the policy
Areas Appropriate for Security Policies
- Passwords
- Email usage / attachments
- Wireless access, usage, and security
- FTP/Telnet access (vs. SSH)
- Welcome/warning banners
- Remote access
- Viruses / use of outside media
- Information removal / system sanitizing
- Encryption tool usage
Security Policy Case Study (1)
A large corporation changes its password policy to use only computer-generated passwords. The existing password policy prohibits employees from writing down passwords.
Questions:
- What problems do you foresee?
- Is this enforceable?
- What changes would you recommend?
Security Policy Case Study (2)
A university includes language in a policy on distribution of root passwords that prohibits issuance of these passwords to anyone besides the system administrator and the assistant system administrator.
Questions:
- What issues do you foresee?
- What revisions would you suggest?
Security Policy Case Study (3)
As a new security officer for a large corporation, you create new policies on passwords, application security, wireless usage, email usage, etc. Your company is bidding for a contract with a government organization that requires the security policies you've created. You find out that approximately 40% of your company's departments will be asking for waivers in one or more areas before the contract submission deadline.
Question:
- What do you do?
Policy Resources
- General
  - regulations
  - documented business practices
  - templates from other organizations
- Computer security policies and practices
  - SANS (http://www.sans.org/resources/policies/)
  - CERT (http://www.cert.org/nav/index_green.html)
  - many others