information security policies: user/employee use policies
Post on 21-Dec-2015
Information Security Policies: User/Employee Use Policies
Slide 2: Overview
- Format of policies
- Usage of policies
- Example of policies
- Policy cover areas
- References
- Homework
- Questions
Slide 3: Format of Policies
- Purpose: the need for the policy
- Scope: which parts of the system the policy covers and to whom it applies
- Policy: what can and cannot be done with the system
- Enforcement: the actions that can be taken once the policy is violated
- Definitions: definitions of the key terms used in the policy
- Revision History: states when the policy was changed and what was changed
Slide 4: Usage of Policies
- Policy: a document that outlines specific requirements or rules that cover a single area
- Standard: a collection of system-specific or procedural-specific requirements that must be met by everyone
- Guideline: a collection of system-specific or procedural-specific "suggestions" for best practice; not required, but strongly recommended
Slide 8: Policy Cover Areas
- Acceptable Use
- Information Sensitivity
- Ethics
- E-mail
- Anti-Virus
- Password
- Connection
Slide 9: Acceptable Use Policy
- The general outline for all other policies
- Protects employees, partners and the company from illegal or damaging actions
- Applies to all computer-related equipment
- Sections: General use and ownership; Security and proprietary information; Unacceptable use
Slide 10: Information Sensitivity Policy
- Determines what information can and cannot be disclosed to non-employees
- Public: declared for public knowledge; can be given freely to anyone without any possible damage
- Confidential:
  - Minimal sensitivity: general corporate information; some personal and technical information
  - More sensitive: business, financial, and most personnel information
  - Most sensitive: trade secrets and marketing, operational, personnel, financial, source code, and technical information integral to the success of the company
Slide 11: Ethics Policy
- Defines the means to establish a culture of openness, trust and integrity
- Executive Commitment: honesty and integrity must be the top priority
- Employee Commitment: treat everyone fairly, with mutual respect
- Company Awareness: promote a trustworthy and honest atmosphere
- Maintaining Ethical Practices: reinforce the importance of the integrity message
- Unethical Behavior: unauthorized use of company information integral to the success of the company will not be tolerated
Slide 12: E-mail Policy
- General usage: to prevent tarnishing the company's public image
- Prohibited use: e-mail cannot be used for any disruptive or offensive messages
- Personal use: states whether e-mail can or cannot be used for personal purposes
- Monitoring: no expectation of privacy for messages stored, sent or received; monitoring may occur without prior notice
Slide 13: E-mail Policy (continued)
- Retention: determines how long an e-mail is retained; four main classifications:
  - Administrative correspondence: 4 years
  - Fiscal correspondence: 4 years
  - General correspondence: 1 year
  - Ephemeral correspondence: until read
- Instant messenger correspondence: retention applies only to administrative and fiscal correspondence
- Encrypted communications: stored in decrypted format
Slide 14: E-mail Policy (continued)
- Automatic forwarding: restricted to prevent unauthorized or inadvertent disclosure of sensitive information
- Permitted only when:
  - approved by the appropriate manager
  - sensitive information, as defined in the Information Sensitivity Policy, is encrypted in accordance with the Acceptable Encryption Policy
Slide 15: Anti-Virus Policy
- Purpose: to prevent computer virus problems
- Install anti-virus software
- Update anti-virus software daily
- Always keep anti-virus software in auto-protect mode
- Scan storage media for viruses before using it
- Never open any e-mail from an unknown source
- Never download files from an unknown source
- Remove virus-infected computers from the network until verified as virus-free
Slide 16: Password Policy
- A standard for the creation of strong passwords:
  - Contain both upper and lower case characters
  - Contain digits and punctuation characters
  - At least eight alphanumeric characters long
  - Not based on personal information
  - Not a word in any language
  - Can be easily remembered
- Frequency of password changes
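As an added example (not part of the original slides), a Python check that applies the creation rules above to a candidate password. The word list and the symbol-substitution table are constructed stand-ins for a real multi-language dictionary, the personal-information strings are assumed to be supplied by the caller, and the "easily remembered" rule is left to the user.

```python
import string

# Constructed stand-in for a real word list (assumption: a deployment would load
# dictionaries for every language the "not a word in any language" rule covers).
DICTIONARY_WORDS = {"password", "welcome", "company", "security", "summer", "dragon"}
MIN_ALNUM_LENGTH = 8
# Common symbol-for-letter substitutions, undone before the dictionary check so
# that "P@ssw0rd" is still caught as "password" (constructed table).
LEET = str.maketrans("@$013!", "asolei")


def check_password(password, personal_info=()):
    """Return the policy rules the password violates (empty list = compliant).

    personal_info: strings such as username, surname or birth year that the
    password must not be based on.
    """
    violations = []
    if sum(c.isalnum() for c in password) < MIN_ALNUM_LENGTH:
        violations.append("fewer than eight alphanumeric characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("missing mixed upper and lower case")
    if not any(c.isdigit() for c in password):
        violations.append("missing digit")
    if not any(c in string.punctuation for c in password):
        violations.append("missing punctuation character")
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    for word in sorted(DICTIONARY_WORDS):
        if word in normalized:
            violations.append(f"contains dictionary word '{word}'")
            break
    for item in personal_info:
        item = item.lower()
        # Ignore very short fragments (initials) that would match almost anything.
        if len(item) >= 3 and (item in lowered or item in normalized):
            violations.append(f"based on personal information '{item}'")
            break
    return violations


def is_compliant(password, personal_info=()):
    """True when the password satisfies every checkable rule of the policy."""
    return not check_password(password, personal_info)
```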
Slide 17: Password Policy (continued)
- Protection of passwords:
  - Never write passwords down or store them on-line
  - Don't reveal a password over the phone
  - Don't reveal a password in an e-mail message
  - Don't reveal a password to the boss
  - Don't reveal a password to co-workers
  - Don't hint at the format of a password
  - Don't share a password with family members
Slide 18: Connection Policy
- Remote Access: defines standards for connecting to the company's network from any external host or network
- General: the same considerations apply as for an on-site connection; general Internet access for recreational use by the immediate household is permitted
- Requirements:
  - Public/private keys with strong pass-phrases
  - Cannot be connected to another network at the same time
  - Cannot provide their login or e-mail password to anyone
  - Must have the most up-to-date anti-virus software installed
Slide 19: Connection Policy (continued)
- Analog/ISDN Line: defines standards for the use of analog/ISDN lines for sending and receiving faxes and for connecting to computers
- Scenarios & Business Impact: an outside attacker attached to the trusted network
- Facsimile Machines: physically disconnected from computers and the internal network
- Computer-to-Analog Line Connections: a significant security threat
- Requesting an Analog/ISDN Line: state why other secure connections cannot be used
Slide 20: Connection Policy (continued)
- Dial-in Access: to protect information from being inadvertently compromised by authorized personnel using a dial-in connection
- One-time password authentication: required to connect to the company's sensitive information
- Reasonable measures to protect assets: the signals of analog and non-GSM digital cellular phones are readily scanned by unauthorized individuals
- Monitor account activity; disable an account after six months without access
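An added example, not part of the original slides: a Python audit that applies the six-month dormancy rule above to dial-in account records. The record format, the sample records and the decision to treat never-used accounts as dormant are assumptions; "six months" is computed in calendar months rather than as a fixed number of days.

```python
import calendar
from datetime import date

# Constructed sample of dial-in account records: (username, last access as an
# ISO date string, or None if the account has never been used).
SAMPLE_ACCOUNTS = [
    ("jdoe", "2015-12-01"),
    ("asmith", "2015-05-10"),
    ("contractor7", None),
    ("mlee", "2015-06-25"),
]


def six_months_before(d):
    """Calendar-month arithmetic for the policy's 'six months' (not a fixed 180 days)."""
    month, year = d.month - 6, d.year
    if month <= 0:
        month += 12
        year -= 1
    # Clamp the day so that e.g. 31 Aug maps to 28/29 Feb instead of raising.
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def accounts_to_disable(accounts, today):
    """Return usernames whose last access is six months or more before `today`.

    Accounts that have never been used are included (assumption: an account with
    no access at all over the review period gets the same treatment).
    """
    cutoff = six_months_before(today)
    dormant = []
    for username, last_access in accounts:
        if last_access is None or date.fromisoformat(last_access) <= cutoff:
            dormant.append(username)
    return sorted(dormant)


if __name__ == "__main__":
    for user in accounts_to_disable(SAMPLE_ACCOUNTS, date(2015, 12, 21)):
        print(f"disable dial-in account: {user}")
```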
Slide 21: Connection Policy (continued)
- Extranet: describes how third-party organizations connect to the company network for the purpose of transacting business related to the company
- Access granted in the least permissive way possible (least access)
- Valid business justification
- Approved by a project manager
- Point of contact from the sponsoring organization
- Governed by the Third Party Connection Agreement
- Establishing connectivity: provide complete information about the proposed access
Slide 22: Connection Policy (continued)
- Modifying Access: notify the extranet management group; security and connectivity evolve accordingly
- Terminating Access: when access is no longer required, the circuit is terminated
- Third Party Connection Agreement: defines the standards and requirements, including legal requirements, needed in order to interconnect a third party organization's network to the production network; must be signed by both parties
Slide 24: Connection Policy (continued)
- Virtual Private Network (VPN) Security: defines the requirements for remote-access IPSec or L2TP VPN connections to the company network
- Force all traffic to and from the PC over the VPN tunnel
- Dual tunneling is not allowed
- 24-hour absolute connection time limit
- Automatically disconnected after 30 min. of inactivity
- Only approved VPN clients can be used
Slide 25: Connection Policy (continued)
- Wireless Communication: defines standards for wireless systems used to connect to the company network
- Access Points and PC Cards: registered with and approved by InfoSec
- Approved Technology: use approved products and security configurations
- Encryption and Authentication: drop all unauthenticated and unencrypted traffic
- Setting the SSID: should not contain any identifying information
Slide 26: References
- The SANS Security Policy Project: http://www.sans.org/resources/policies
- Information Security Policies & Computer Security Policy Directory: http://www.information-security-policies-and-standards.com
- RFC 1244, Site Security Handbook: http://www.faqs.org/rfcs/rfc1244.html
- Google: http://www.google.com
Slide 29: Homework
1. Write a full version of the policy based on assignment 5, "Acceptable student use of the GTS", using the format presented
2. Define the presented usages of policies
Tips: the policy document's format is on slide 3; the usages of policies are on slide 4; you may find more information in SANS