Information Security Policies: User/Employee use policies

Posted on 21-Dec-2015

225 views

Category:

Documents


4 download

TRANSCRIPT

Slide 1: Information Security Policies: User/Employee use policies

Slide 2: Overview

- Format of policies
- Usage of policies
- Example of policies
- Policy cover areas
- References
- Homework
- Questions

Slide 3: Format of Policies

- Purpose: the need for the policy.
- Scope: which parts of the system the policy covers, and who it applies to.
- Policy: what may or may not be done with the system.
- Enforcement: the actions that can be taken once the policy is violated.
- Definitions: defines the keywords used in the policy.
- Revision History: states when and what has been changed.

Slide 4: Usage of Policies

- Policy: a document that outlines specific requirements or rules that cover a single area.
- Standard: a collection of system-specific or procedure-specific requirements that must be met by everyone.
- Guideline: a collection of system-specific or procedure-specific "suggestions" for best practice; not required, but strongly recommended.

Slide 5: Example of Policies

Slide 6: Example of Policies

Slide 7: Example of Policies

Slide 8: Policy cover areas

- Acceptable Use
- Information Sensitivity
- Ethics
- E-mail
- Anti-Virus
- Password
- Connection

Slide 9: Acceptable Use Policy

- The general outline for all other policies.
- Protects employees, partners and the company from illegal or damaging actions.
- Applies to all computer-related equipment.
- Main sections: General use and ownership; Security and proprietary information; Unacceptable use.

Slide 10: Information Sensitivity Policy

Determines what information can or cannot be disclosed to non-employees.

- Public: declared for public knowledge; can be freely given to anyone without any possible damage.
- Confidential:
  - Minimal sensitivity: general corporate information; some personal and technical information.
  - More sensitive: business, financial, and most personnel information.
  - Most sensitive: trade secrets and the marketing, operational, personnel, financial, source code and technical information integral to the success of the company.

Slide 11: Ethics Policy

Defines the means to establish a culture of openness, trust and integrity.

- Executive Commitment: honesty and integrity must be the top priority.
- Employee Commitment: treat everyone fairly, with mutual respect.
- Company Awareness: promote a trustworthy and honest atmosphere.
- Maintaining Ethical Practices: reinforce the importance of the integrity message.
- Unethical Behavior: unauthorized use of company information integral to the success of the company will not be tolerated.

Slide 12: E-mail Policy

- General usage: to prevent tarnishing the company's public image.
- Prohibited use: e-mail cannot be used for any disruptive or offensive messages.
- Personal Use: states whether e-mail can or cannot be used for personal purposes.
- Monitoring: no expectation of privacy for messages stored, sent or received; the company may monitor without prior notice.

Slide 13: E-mail Policy (continued)

- Retention: determines how long an e-mail is retained. Four main classifications:
  - Administrative correspondence: 4 years
  - Fiscal correspondence: 4 years
  - General correspondence: 1 year
  - Ephemeral correspondence: until read
- Instant Messenger correspondence: retention only applies to administrative and fiscal correspondence.
- Encrypted communications: stored in decrypted format.

Slide 14: E-mail Policy (continued)

- Automatic Forwarding: to prevent unauthorized or inadvertent disclosure of sensitive information. Permitted only when:
  - approved by the appropriate manager, and
  - sensitive information, as defined in the Information Sensitivity Policy, is encrypted in accordance with the Acceptable Encryption Policy.

Slide 15: Anti-Virus Policy

To prevent computer virus problems:

- Install anti-virus software.
- Update anti-virus software daily.
- Always keep anti-virus software in auto-protect state.
- Scan storage media for viruses before using it.
- Never open any e-mail from an unknown source.
- Never download files from an unknown source.
- Remove virus-infected computers from the network until verified as virus-free.

Slide 16: Password Policy

A standard for the creation of strong passwords:

- Contain both upper and lower case characters.
- Contain digits and punctuation characters.
- At least eight alphanumeric characters long.
- Not based on personal information.
- Not a word in any language.
- Can be easily remembered.

Also states the frequency of password changes.

Slide 17: Password Policy (continued)

Protection of passwords:

- Never written down or stored on-line.
- Don't reveal a password over the phone.
- Don't reveal a password in an e-mail message.
- Don't reveal a password to the boss.
- Don't reveal a password to co-workers.
- Don't hint at the format of a password.
- Don't share a password with family members.
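The construction rules on slide 16 are the kind of thing a password-change form or identity system checks automatically. The checker below is an added illustration, not code from the slides or from SANS; it assumes a constructed five-word dictionary and a caller-supplied tuple of personal details (a real deployment would load a full word list and the HR record), and it reports every rule a candidate violates rather than stopping at the first one.

```python
import re
import string

# Constructed sample data for the demonstration. A real check would load a full
# dictionary word list and the user's personal details from the HR directory.
DICTIONARY_WORDS = {"password", "welcome", "company", "summer", "dragon"}

# Common letter substitutions are undone before the dictionary and personal-info
# checks, so that "Dr4gon!" is still recognised as the word "dragon".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalize_letters(text: str) -> str:
    """Lower-case the text, undo leet substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def check_password(candidate: str, personal_info=()) -> list:
    """Return the slide-16 rules the candidate violates (empty list = compliant)."""
    failures = []
    if sum(ch.isalnum() for ch in candidate) < 8:
        failures.append("at least eight alphanumeric characters")
    if not (any(ch.islower() for ch in candidate) and any(ch.isupper() for ch in candidate)):
        failures.append("both upper and lower case characters")
    if not any(ch.isdigit() for ch in candidate):
        failures.append("contains digits")
    if not any(ch in string.punctuation for ch in candidate):
        failures.append("contains punctuation characters")
    core = normalize_letters(candidate)
    if core in DICTIONARY_WORDS:
        failures.append("not a word in any language")
    for item in personal_info:  # e.g. user name, family names, birth year
        token = re.sub(r"[^a-z]", "", str(item).lower())
        if len(token) >= 3 and token in core:
            failures.append("not based on personal information")
            break
    return failures


if __name__ == "__main__":
    for pw in ("Dr4gon!", "alice2024!!", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, personal_info=("Alice", "Smith")) or "OK")
```

The "can be easily remembered" rule and the change frequency from the same slide cannot be tested on the string itself and are left to user guidance and account-lifecycle tooling.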

Slide 18: Connection Policy: Remote Access

Defines standards for connecting to the company's network from any external host or network.

- General: the same considerations apply as for an on-site connection. General Internet access for recreational use by the immediate household is permitted.
- Requirements:
  - Public/private keys with strong pass-phrases.
  - Cannot be connected to other networks at the same time.
  - Cannot provide their login or e-mail password to anyone.
  - Must have the most up-to-date anti-virus software installed.

Slide 19: Connection Policy: Analog/ISDN Line

Defines standards for the use of analog/ISDN lines for sending and receiving faxes, and for connecting to computers.

- Scenarios and business impact: an outside attacker attached to the trusted network.
- Facsimile machines: physically disconnected from computers and the internal network.
- Computer-to-analog line connections: a significant security threat.
- Requesting an analog/ISDN line: the request must state why other secure connections cannot be used.

Slide 20: Connection Policy: Dial-in Access

To protect information from being inadvertently compromised by authorized personnel using a dial-in connection.

- One-time password authentication when connecting to the company's sensitive information.
- Reasonable measures to protect assets.
- Analog and non-GSM digital cellular phones: their signals are readily scanned by unauthorized individuals.
- Monitor account activity.
- Disable an account after six months without access.

Slide 21: Connection Policy: Extranet

Describes how third-party organizations connect to the company network for the purpose of transacting business related to the company.

- Least access, granted in the best possible way.
- Valid business justification.
- Approved by a project manager.
- Point of contact from the sponsoring organization.
- Governed by the Third Party Connection Agreement.
- Establishing connectivity: provide complete information on the proposed access.

Slide 22: Connection Policy: Extranet (continued)

- Modifying access: notify the extranet management group so that security and connectivity evolve accordingly.
- Terminating access: when access is no longer required, terminate the circuit.
- Third Party Connection Agreement: defines the standards and requirements, including legal requirements, needed in order to interconnect a third-party organization's network to the production network. Must be signed by both parties.

Slide 23: Connection Policy

Slide 24: Connection Policy: Virtual Private Network (VPN) Security

Defines the requirements for remote-access IPSec or L2TP VPN connections to the company network.

- Force all traffic to and from the PC over the VPN tunnel.
- Dual tunneling is not allowed.
- 24-hour absolute connection time limit.
- Automatically disconnected after 30 minutes of inactivity.
- Only approved VPN clients may be used.

Slide 25: Connection Policy: Wireless Communication

Defines standards for wireless systems used to connect to the company network.

- Access points and PC cards: registered with and approved by InfoSec.
- Approved technology: use approved products and security configurations.
- Encryption and authentication: drop all unauthenticated and unencrypted traffic.
- Setting the SSID: should not contain any identifying information.

Slide 26: References

- The SANS Security Policy Project: http://www.sans.org/resources/policies
- Information Security Policies & Computer Security Policy Directory: http://www.information-security-policies-and-standards.com
- RFC 1244 – Site Security Handbook: http://www.faqs.org/rfcs/rfc1244.html
- Google: http://www.google.com

Slide 27: References

Slide 28: References

Slide 29: Homework

1. Write a full version of the policy based on assignment 5, "Acceptable student use of the GTS", using the format presented.
2. Define the presented usages of policies.

Tips: the policy document format is on slide 3; the usages of policies are on slide 4. You may find more information at SANS.

Slide 30: Questions

Any questions?