Transcript of File000169

Page 1: File000169

Module LVI - Security Policies

Page 2: File000169

EC-Council Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: How to Stop the Grinch from Stealing your Corporate Data

Organizations are feeling the effects of data leakage every day: the average cost of a data breach for a publicly traded company is $6.3 million, the stock price drops five percent, and it takes a full year to recover. Companies spend millions of dollars each year to protect their information from outside threats, but it is becoming more evident that they need to secure data from within by developing an effective Data Leakage Prevention (DLP) strategy. Safend, a leading provider of enterprise endpoint DLP solutions, has devised the top-five tips for keeping your data safe during the holidays and beyond. These tips include:

-- Employ a Sound Auditing Process: Portable storage devices such as iPods, PDAs, smart phones and other mobile devices have become pervasive in the workplace. Allowing your employees to use their iPods at work may be a good way to increase morale, but it also poses a security threat. Knowing what devices are connecting to what endpoints will help administrators monitor and avoid these threats.

-- Written Data Security Policies: The major concern with portable devices is the fear that the device may be lost or stolen, putting the data it contains at serious risk. In order to truly ensure the security of confidential data stored on portable devices, effective DLP strategies and policies need to be deployed, including written usage policies.

-- Access Control: To make sure that users cannot easily circumvent security policies, it is important to first make sure the policies in place are flexible enough that they don't hinder productivity, but strong enough to prevent data leakage threats.

-- Encrypt Everything: Many enterprises feel that they have covered all their security bases with the implementation of security policies, employee training and endpoint protection technology, and are reluctant to invest in another product or add another level of security.

Source: http://www.reuters.com/

Page 3: File000169

Module Objective

This module will familiarize you with:

• Access Control Policy
• Administrative Security Policies & Procedures
• Audit Trails and Logging Policies
• Documentation Policy
• Evidence Collection and Preservation Policies
• Information Security Policy
• National Information Assurance (IA) Certification and Accreditation (C&A) Process Policy
• Personnel Security Policies & Guidance

Page 4: File000169

Module Flow

Evidence Collection and Preservation Policies

Information Security Policy

National Information Assurance (IA) Certification and Accreditation (C&A) Process Policy

Personnel Security Policies & Guidance

Access Control Policy

Administrative Security Policies and Procedures

Audit Trails and Logging Policies

Documentation Policy

Page 5: File000169

Access Control Policy

An access control policy grants a user permission to perform a set of actions on a set of resources

A user cannot access a system unless authorized through one or more access control policies

Basic elements of an access control policy:

• Users: Those who use the system
• Resources: The objects that are to be protected
• Actions: Activities performed by the user on resources
• Relationships: Conditions that exist between users and resources

Page 6: File000169

Access Control Policy (cont’d)

Basic elements of an access control policy:

• Access group: Group of users to which the policy applies
• Action group: Group of actions performed by the user on resources
• Resource group: Resources controlled by the policy
• Relationship: Each resource class can have a set of relationships associated with it; each resource can have a set of users that fulfill each relationship

Page 7: File000169

Access Control Policy (cont’d)

An access control policy defines:

• The access group to which a user must belong
• The actions the user is permitted to perform on a specific resource group
• The relationship, if any, that the user must satisfy with respect to the resource

A policy is written as [access group, action group, resource group, relationship]

Example: [AllUsers,UpdateDoc,doc,creator] means that any user can update a document if they are the creator of that document
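The following is an added example, not code from the original module and not the access control implementation of any particular product. It shows a default-deny evaluator for policies of the form [access group, action group, resource group, relationship]: the slide's example policy is included unchanged, and the group contents, the "reviewer" relationship, the users and the document are constructed for illustration. "AllUsers" is treated as an implicit access group (everyone belongs), the other access groups are explicit membership lists, and a request is allowed only if every element of at least one policy matches.

```python
"""Evaluator for [access group, action group, resource group, relationship]
policies, default deny.

Added example, not code from the original module or any product. The policy
tuple shape is the one the slide uses; the groups, users and documents below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Action groups: named sets of concrete actions (constructed).
ACTION_GROUPS: Dict[str, Set[str]] = {
    "ReadDoc": {"read"},
    "UpdateDoc": {"update"},
    "ManageDoc": {"read", "update", "delete"},
}

# Resource groups: named sets of resource classes (constructed). "doc" is an
# explicit group holding one class; "AnyResource" spans several classes.
RESOURCE_GROUPS: Dict[str, Set[str]] = {
    "doc": {"doc"},
    "AnyResource": {"doc", "image"},
}

# Explicit access groups (constructed). "AllUsers" is implicit: every user
# belongs to it without being listed anywhere.
EXPLICIT_ACCESS_GROUPS: Dict[str, Set[str]] = {
    "Editors": {"carol"},
}


@dataclass
class Resource:
    kind: str                      # resource class, e.g. "doc"
    name: str
    creator: str                   # fulfils the built-in "creator" relationship
    # other relationship name -> users who fulfil it for this resource
    relationships: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Policy:
    access_group: str
    action_group: str
    resource_group: str
    relationship: Optional[str] = None   # None: no relationship required


def in_access_group(user: str, group: str) -> bool:
    if group == "AllUsers":
        return True
    return user in EXPLICIT_ACCESS_GROUPS.get(group, set())


def relationship_holds(user: str, resource: Resource, relationship: Optional[str]) -> bool:
    if relationship is None:
        return True
    if relationship == "creator":
        return resource.creator == user
    return user in resource.relationships.get(relationship, set())


def is_authorized(user: str, action: str, resource: Resource, policies: List[Policy]) -> bool:
    """Allowed only if at least one policy matches on all four elements;
    otherwise denied, including for unknown actions, groups or resource kinds."""
    for p in policies:
        if (in_access_group(user, p.access_group)
                and action in ACTION_GROUPS.get(p.action_group, set())
                and resource.kind in RESOURCE_GROUPS.get(p.resource_group, set())
                and relationship_holds(user, resource, p.relationship)):
            return True
    return False


# The slide's example policy first, then three constructed ones.
POLICIES = [
    Policy("AllUsers", "UpdateDoc", "doc", "creator"),   # [AllUsers,UpdateDoc,doc,creator]
    Policy("AllUsers", "UpdateDoc", "doc", "reviewer"),  # named reviewers may also update
    Policy("AllUsers", "ReadDoc", "doc"),                # anyone may read a document
    Policy("Editors", "ManageDoc", "doc"),               # editors may manage any document
]

# Constructed document: alice created it, dave is a named reviewer.
SPEC = Resource(kind="doc", name="spec.txt", creator="alice",
                relationships={"reviewer": {"dave"}})

if __name__ == "__main__":
    for user, action in [("alice", "update"), ("dave", "update"), ("bob", "update"),
                         ("bob", "read"), ("carol", "delete"), ("dave", "delete")]:
        print(f"{user:5} {action:6} {SPEC.name} -> {is_authorized(user, action, SPEC, POLICIES)}")
```

Because the evaluator only ever returns True on a complete match, a typo in a policy (an action group or resource group that does not exist) fails closed rather than open; that is the property to check first when reviewing any access control implementation.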

Page 8: File000169

Access Control Policy (cont’d)

The different sections associated with access control:

Member groups:
• Access groups
• Implicit access group
• Explicit access group
• User groups

Action:
• Action groups

Resource category:
• Resources
• Controller command resources
• Data bean resources
• Data resources

Page 9: File000169

Access Control Policy (cont’d)

Resource groups:
• Implicit resource groups
• Explicit resource groups

Relationships:
• Relationship groups
• Relationship chains

Page 10: File000169

Access Control Policy (cont’d)

Steps involved in access control management:

• Control access to information
• Manage the allocation of access rights
• Encourage responsible access practices
• Control access to computer networks
• Restrict access at the operating system level
• Manage access to application systems
• Monitor system access and use
• Protect mobile and teleworking assets

Page 11: File000169

Administrative Security Policies and Procedures

Administrative security practices describe the resources and responsibilities needed to manage information security risk

They specify who is responsible for managing the information security risk of the organization

Organizational security policies describe how security is to be maintained within the organization

Employees should understand and follow the organizational security policies

Policies are sometimes not followed in certain circumstances because of business requirements

Policies that are difficult to follow tend to be ignored

Policies should still be defined for the sake of strong security, even though they will not be followed in every case; departures from policy should be handled as documented, approved exceptions rather than silent non-compliance

Page 12: File000169

Administrative Security Policies and Procedures (cont’d)

Administrative security policy best practices:

Information Policy:
• Describes the sensitivity of information in an organization
• Defines methods of proper storage, transmission, and marking of that information

Security Policy:
• Describes the security configurations and technical controls that are to be implemented on computer systems by users and administrators

Page 13: File000169

Administrative Security Policies and Procedures (cont’d)

Use Policy:
• Also called an acceptable use policy
• Identifies the authorized uses of organizational systems and the penalties for misusing them
• Identifies the standard method of installing software on organizational computers

Backup Policy:
• Describes the frequency of information backups and their movement to off-site storage
• Identifies the length of time backups must be retained before the media is reused

Page 14: File000169

Administrative Security Policies and Procedures (cont’d)

Security policies help employees perform their duties and identify the steps for responding to security incidents

The organizational security procedures are defined as follows:

Procedure for user management:
• Specifies who can authorize access to an organization's computer systems
• Identifies the information the system administrator must maintain in order to verify the identity of users calling for assistance
• Defines who is responsible for informing the system administrator when an account is to be terminated

Page 15: File000169

Administrative Security Policies and Procedures (cont’d)

System administration procedures:
• Define the procedure for implementing security policies in an organization
• Define the procedure for managing patches and applying them to systems

Configuration management procedures:
• Define procedures for making changes to production systems
• Changes can also include software and hardware upgrades, initializing new systems, and removing systems that are no longer used

Page 16: File000169

Audit Trails and Logging Policies

Audit trails maintain a record of system activities such as computer events, application activity, or user activities

They help to detect security violations, performance problems, and flaws

A simple auditing model consists of two parts:
• An Audit Data Collector, which collects the audit data
• An Audit Data Analyzer, which analyzes the audit data passed to it by the Audit Data Collector

Page 17: File000169

Audit Trails and Logging Policies (cont’d)

Benefits of audit trails in the area of computer security:

Individual Accountability:
• An audit trail tracks each individual's actions
• Users can be held accountable for their actions, including violations of the security policies

Reconstructing Events:
• Audit trails are used for reconstructing events after a problem has occurred
• The extent of the damage and the reasons a problem occurred can be determined from an audit trail

Problem Monitoring:
• Audit trails can be used as online tools for problem monitoring
• This helps to detect disk failures and excessive utilization of system resources

Intrusion Detection:
• An audit trail helps in discovering the root cause of a problem and assessing the damage due to an incident

Page 18: File000169

Audit Trails and Logging Policies (cont’d)

System activity is examined by checking the logs

These logs are generated by operating systems and major software packages

The logs produced can record user activity on a system or a network

Logging policies vary according to the environment

It is impractical to log every command executed on a computer system

Logging policies should therefore define the relevant events that are to be logged

Page 19: File000169

Audit Trails and Logging Policies (cont’d)

Logging policies should ensure that security-relevant events are included in the logs

This preserves the forensic information required to understand how a security violation manifested itself

Other logging policy considerations include:

• Logs should be maintained in a way consistent with the system that generates their entries
• Logs should provide sufficient information to support accountability and traceability for all privileged system commands
• Logs should record the details of user-initiated, security-relevant activities
• Logs must be sufficient to rebuild production information for databases
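The following is an added example, not code from the original module, serving both the benefits listed under "Audit Trails and Logging Policies" (individual accountability, reconstructing events, intrusion detection) and the logging policy considerations above. The log lines are constructed; their formats follow the sshd, sudo and useradd messages that appear in a typical Linux auth.log. The set of event classes the policy requires and the list of sensitive command substrings are assumptions made for the example.

```python
"""Checking an auth log against a logging policy: accountability for
privileged commands, detection of repeated failures, and per-user event
reconstruction.

Added example, not code from the original module. The log lines are
constructed; their formats follow the sshd, sudo and useradd messages that
appear in a typical Linux auth.log.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
Mar 12 10:15:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 10:15:03 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 12 10:15:09 web01 sshd[2240]: Accepted publickey for alice from 198.51.100.4 port 50022 ssh2
Mar 12 10:15:30 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 12 10:16:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 12 10:16:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m svc-backup
Mar 12 10:17:00 web01 useradd[2310]: new user: name=svc-backup, UID=1005, GID=1005, home=/home/svc-backup, shell=/bin/bash
Mar 12 10:17:15 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 12 10:18:00 web01 sshd[2255]: Failed password for bob from 192.0.2.9 port 40001 ssh2
"""

# Syslog prefix: "Mon dd hh:mm:ss host " (day is space-padded).
_HEAD = r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
PATTERNS = [
    ("privileged_command", re.compile(_HEAD + r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")),
    ("sudo_failure", re.compile(_HEAD + r"sudo:\s+(?P<user>\S+) : (?P<attempts>\d+) incorrect password attempts ; .*COMMAND=(?P<cmd>.+)$")),
    ("login_failure", re.compile(_HEAD + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("login_success", re.compile(_HEAD + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("account_created", re.compile(_HEAD + r"useradd\[\d+\]: new user: name=(?P<new_user>[^,]+),")),
]

# Event classes the (constructed) logging policy says must be present.
REQUIRED_EVENT_KINDS = {"privileged_command", "login_failure", "login_success", "account_created"}

# Substrings that mark a privileged command as worth review (constructed list).
SENSITIVE = ("/etc/shadow", "/etc/sudoers", "useradd", "usermod", "passwd")


def parse_events(lines) -> List[Dict[str, str]]:
    """Classify each line; unrecognised lines are kept as 'other' so nothing
    silently drops out of the audit trail."""
    events = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
        else:
            events.append({"kind": "other", "raw": line})
    return events


def policy_coverage_gaps(events) -> set:
    """Required event classes that never appear: either the source is not
    configured to log them or they are not reaching the collector."""
    return REQUIRED_EVENT_KINDS - {e["kind"] for e in events}


def privileged_commands(events):
    """Accountability: who ran what, as which user, on which host and TTY."""
    return [e for e in events if e["kind"] == "privileged_command"]


def sensitive_commands(events):
    return [e for e in privileged_commands(events) if any(s in e["cmd"] for s in SENSITIVE)]


def failed_logins_by_source(events) -> Counter:
    return Counter(e["ip"] for e in events if e["kind"] == "login_failure")


def suspicious_sources(events, threshold: int = 2):
    return sorted(ip for ip, n in failed_logins_by_source(events).items() if n >= threshold)


def timeline(events, user):
    """Reconstruct one user's actions in log order for incident analysis."""
    return [(e["ts"], e["kind"], e.get("cmd") or e.get("ip", ""))
            for e in events if e.get("user") == user]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    print("policy gaps:", policy_coverage_gaps(evs) or "none")
    print("sources over threshold:", suspicious_sources(evs))
    for e in sensitive_commands(evs):
        print("review:", e["ts"], e["user"], "as", e["target"], e["cmd"])
    for row in timeline(evs, "alice"):
        print(*row)
```

Two details matter in practice: syslog timestamps carry no year and no time zone, so correlating across hosts needs a trusted clock reference, and a policy check that runs only on the events that happen to be present says nothing about events a source was never configured to emit, which is what policy_coverage_gaps is meant to surface.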

Page 20: File000169

Documentation Policy

Documentation policy determines the documentation needs of an organization, such as network and server documentation

Network documentation records which switch ports connect to which rooms and computers

Server documentation records each server's configuration information and running services

Both the server and network documentation policies define:

• Who has the authority to access, read, and change the network or server documentation
• Who is to be notified about changes made to the network or servers

Page 21: File000169

Documentation Policy (cont’d)

In server documentation, the following items are to be documented and reviewed:

• Name, location, and function of the server
• Hardware components of the system
• List of software running on the server
• Configuration information about the server
• Types of data and the owners of the data stored on the server
• Data on the server that is to be backed up
• Users or groups having access to the data stored on the server, and their authentication process and protocols
• Administrators on the server, and their authentication process and protocols
• Data and authentication encryption requirements
• Users accessing data from remote locations
• Administrators administering the server from remote locations

Page 22: File000169

Documentation Policy (cont’d)

Things to be documented in network documentation are as follows:

• Locations and IP addresses of all hubs, switches, routers, and firewalls on the network
• The security zones on the network and the devices that control access between them
• Locations of every network drop and the associated switch and port supplying that connection
• The interrelationship between all network devices, showing the links running between them
• All subnets on the network and their relationships
• All wide area network (WAN) or metropolitan area network (MAN) connections
• Configuration information for network devices
• DHCP server settings

Page 23: File000169

Evidence Collection and Preservation Policies

Evidence collection policies are required whenever a security incident occurs

A security incident is defined as an event in which the security policy is breached

Guiding principles of evidence collection:

• Engage law enforcement personnel in line with your site's security policy
• Make a note of the times and dates of every action
• Be prepared to act as a witness, outlining all the actions taken along with their times
• Do not alter the collected data, and minimize changes to the system while collecting it
• Collect data first and analyze it afterwards
• Adopt a methodical approach

Page 24: File000169

Evidence Collection and Preservation Policies (cont’d)

Steps involved in evidence collection:

• List the systems from which evidence is to be collected
• Establish what data is likely to be relevant and admissible
• For every system, determine the order of volatility and collect the most volatile data first
• Record the system clock's offset from a trusted time source (clock drift)
• Based on the data collected, consider what further evidence may exist
• Maintain clear documentation of every step
• Record who was present and witnessed each step

Page 25: File000169

Evidence Collection and Preservation Policies (cont’d)

Steps involved in preserving the evidence:

• Evidence collected should be secured properly and the chain of custody should be documented
• Use common storage media rather than obscure storage media
• Access to the evidence is to be restricted
• Document the following details:
  • Where, when, and by whom the evidence was discovered
  • Where, when, and by whom the evidence was handled or examined
  • Where the evidence was stored
  • Where and when any shipment of the evidence occurred
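The following is an added example, not code from the original module, covering the collection steps (order of volatility) and the preservation steps (chain of custody) above. The volatility ranking is the one given in RFC 3227; the evidence bytes, people, locations and timestamps are constructed. Each custody entry carries the SHA-256 of the previous entry, so an edited or deleted entry breaks verification of everything after it, and the hash taken at acquisition lets the evidence be checked for alteration later.

```python
"""Collection planning by order of volatility and a tamper-evident chain of
custody log.

Added example, not code from the original module. The volatility ranking
follows the order given in RFC 3227; the evidence bytes, people and
locations below are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Most volatile first (RFC 3227, section 2.1).
ORDER_OF_VOLATILITY = [
    "registers_cache",
    "routing_arp_process_kernel_memory",
    "temporary_filesystems",
    "disk",
    "remote_logging_monitoring",
    "physical_config_topology",
    "archival_media",
]


def plan_collection(items):
    """Sort (artifact, category) pairs so the most volatile are acquired first.
    Unknown categories are rejected rather than silently collected last."""
    rank = {c: i for i, c in enumerate(ORDER_OF_VOLATILITY)}
    for artifact, category in items:
        if category not in rank:
            raise ValueError(f"unknown volatility category for {artifact}: {category}")
    return [artifact for artifact, category in sorted(items, key=lambda ac: rank[ac[1]])]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record; each entry hashes the previous one."""

    def __init__(self, evidence_id: str, evidence_hash: str):
        self.entries = []
        self._append({"evidence_id": evidence_id, "action": "acquired",
                      "sha256": evidence_hash})

    def _append(self, fields: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = dict(fields, prev_hash=prev)
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def record(self, action: str, who: str, where: str, when: str = None) -> dict:
        """Who did what with the evidence, where, and when (UTC if not given)."""
        when = when or datetime.now(timezone.utc).isoformat()
        return self._append({"action": action, "who": who, "where": where, "when": when})

    def verify(self) -> bool:
        """Recompute every hash; False if any entry was edited, removed or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body.get("prev_hash") != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def evidence_unchanged(log: CustodyLog, data: bytes) -> bool:
    """Compare the evidence as held now with the hash recorded at acquisition."""
    return sha256_hex(data) == log.entries[0]["sha256"]


if __name__ == "__main__":
    print(plan_collection([("/var/log/auth.log", "disk"),
                           ("process list", "routing_arp_process_kernel_memory"),
                           ("CPU registers", "registers_cache")]))
    image = b"constructed stand-in for an acquired disk image"  # constructed
    log = CustodyLog("IMG-0001", sha256_hex(image))
    log.record("sealed in evidence bag", "A. Examiner", "server room 2", "2024-03-12T10:40:00+00:00")
    log.record("transferred", "B. Custodian", "evidence locker", "2024-03-12T12:05:00+00:00")
    print("custody log intact:", log.verify(), "evidence unchanged:", evidence_unchanged(log, image))
    log.entries[1]["who"] = "someone else"   # simulated tampering with the record
    print("custody log intact after edit:", log.verify())
```

A hash chain detects tampering but does not by itself say who tampered; in practice the log is written to a medium the examiner cannot silently rewrite (a separate append-only store or signed entries), and the evidence hash is recorded on the paper custody form as well.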

Page 26: File000169

Information Security Policy

Information security policies strengthen the security of information resources

They lay the foundation for information security within an organization

The goal of an information security policy is to:

• Define the integrity, confidentiality, and availability requirements for the information being used
• Ensure that these requirements are communicated effectively to the individuals who interact with the information
• Use, manage, and distribute such information in a way consistent with these requirements

Page 27: File000169

Information Security Policy (cont’d)

Information security is achieved through security practices such as vulnerability management and securing system files

For applications, information security is applied to data input and output, and to the protection of information with cryptographic keys

The security requirements of information systems are as follows:

• Identification of security controls
• Input data validation
• Control of internal processing
• Message integrity
• Output data validation
• Policy on the use of cryptographic controls
• Key management
• Control of operational software
• Protection of system test data
• Access control to program source code
• Security in development and support processes
• Vulnerability management
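The following is an added example, not code from the original module, showing what two of the requirements above (input data validation and message integrity, with a cryptographic control behind it) look like for one application record. The record format, the field rules and the demo key are constructed; HMAC-SHA256 is used as the integrity mechanism. Validation is by allowlist, so anything not explicitly permitted is rejected, and the tag comparison is constant-time.

```python
"""Input validation and message integrity for an application record.

Added example, not code from the original module. The record format, the
field rules and the key are constructed; HMAC-SHA256 provides the integrity
check.
"""
import hashlib
import hmac
import json
import re
from typing import List

# Constructed key for the example only. In production the key comes from a
# secrets store or KMS under the key management policy, never from source.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")   # allowlist rule (constructed)
ALLOWED_ACTIONS = {"transfer", "refund"}               # constructed
ALLOWED_FIELDS = {"user", "action", "amount_cents"}


def validate_record(record: dict) -> List[str]:
    """Return the list of validation errors; an empty list means acceptable.
    Every rule is an allowlist: unexpected fields, unknown actions, strings
    outside the username pattern and non-integer amounts all fail."""
    errors = []
    extra = set(record) - ALLOWED_FIELDS
    if extra:
        errors.append(f"unexpected fields: {sorted(extra)}")
    user = record.get("user")
    if not isinstance(user, str) or not USERNAME_RE.match(user):
        errors.append("user: must be 3-32 lowercase letters, digits or underscores")
    if record.get("action") not in ALLOWED_ACTIONS:
        errors.append("action: not an allowed action")
    amount = record.get("amount_cents")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int) or not 1 <= amount <= 10_000_000:
        errors.append("amount_cents: must be an integer between 1 and 10,000,000")
    return errors


def canonical(record: dict) -> bytes:
    """Stable byte form so sender and receiver authenticate identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(key: bytes, record: dict) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    """False for any invalid record or any tag mismatch; the comparison is
    constant-time so timing does not leak how many tag bytes matched."""
    if validate_record(record):
        return False
    return hmac.compare_digest(sign_record(key, record), tag)


if __name__ == "__main__":
    record = {"user": "alice", "action": "transfer", "amount_cents": 2500}
    tag = sign_record(DEMO_KEY, record)
    print("valid and authentic:", verify_record(DEMO_KEY, record, tag))
    tampered = dict(record, amount_cents=250000)
    print("tampered amount accepted:", verify_record(DEMO_KEY, tampered, tag))
    print("errors:", validate_record({"user": "alice'; DROP TABLE users;--",
                                      "action": "transfer", "amount_cents": 2500}))
```

The validator runs before the tag check on purpose: a message with a valid tag is still rejected if its content violates the input rules, so integrity and validation are independent controls rather than one substituting for the other.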

Page 28: File000169

National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy

NIACAP establishes a standard national process, set of activities, general tasks, and management structure

It certifies and accredits systems that maintain the information assurance and security posture of a system

The process ensures that documented security requirements are met

The accredited security posture is maintained throughout the system life cycle

The process incorporates existing system certifications and product evaluations

Process users must align the process with their program strategies and incorporate its activities into their enterprise system life cycle

Page 29: File000169

National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy (cont’d)

Agreement between the IS program manager, the Designated Approving Authority (DAA), the certification agent (certifier), and the user representative is the central aspect of NIACAP

These individuals resolve critical schedule, budget, security, functionality, and performance issues

The System Security Authorization Agreement (SSAA) documents the NIACAP agreements

The results of Certification and Accreditation (C&A) are also documented in the SSAA

The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before the system development begins or changes to

Page 30: File000169

Personnel Security Policies & Guidance

Personnel security policies define the safety measures to be taken regarding company employees

They also cover individuals visiting the premises for business purposes

Managers should implement the personnel security policies to:

• Ensure the trustworthiness of the people in posts that require access to official information
• Protect the official information before granting them access
• Provide the terms and conditions to employees accessing the official information

Page 31: File000169

Personnel Security Policies & Guidance (cont’d)

Elements of personnel security:

Personnel Screening:
• A pre-employment check carried out when recruiting employees, which involves a background check of the employee
• This is done because the employee will be given access to official information
• When recruiting an employee for a permanent staff position, check for:
  • Satisfactory character referees
  • Accuracy of the curriculum vitae and qualifications
• Before appointing an employee, verify their identity and character through referees and request a criminal record check from the police
• Similarly, an employee being recruited for a temporary staff position can be checked through an agency

Page 32: File000169

Personnel Security Policies & Guidance (cont’d)

Granting access:
• The authority given to access official information
• Chief executives should grant permanent staff access to official information after verifying their credentials through:
  • Pre-employment checks
  • Periodic reviews
  • Approval procedures
  • Sound terms and conditions of employment
• Avoid granting access to the most sensitive sites where possible, as there is a risk of indirect exposure by staff or visitors
• Individuals granted access must be issued a pass, access card, or identity card
• A further basic check can be carried out, after the pre-employment check, on staff or contractors who need frequent access to sensitive sites

Page 33: File000169

Summary

An access control policy grants a user permission to perform a set of actions on a set of resources

Administrative security practices describe the resources and responsibilities needed to manage information security risk

A backup policy describes the frequency of information backups and their movement to off-site storage

Audit trails maintain a record of system activities such as computer events, application activity, or user activities

Documentation policy determines the requirements for documentation of networks and servers

Information security policies strengthen the security of information resources
