GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
-
Upload
lasitha2005d -
Category
Documents
-
view
216 -
download
0
Transcript of GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
1/30
A Guide to Security PolicyA Primer for Developing an Effective Policy
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
2/30
Table of Contents
Introduction 1
Why You Need a Security Policy 2
Develop an Effective Security Policy 5
Assess Secur it y Requirement s 7
Cover your assets 7
Def ine access requirements 7
Analyze security threats 8
Ident ify business risks 9
Invest igate new business opportunit ies 9
Explore prot ect ion and enablement opt ions 10Evaluate return on investment (ROI) 11
Writ e the Securit y Policy 12
Cover let ter 12
Purpose 12
Responsibilit ies and authority 12
Def init ions 12
Informat ion ownership and access rights 12
Computer system usage 12
Access cont rol 13
Elect ronic mail 14
Laptops, notebooks, and handhelds 14
Returning leased equipment 15
Equipment repairs 15
Disposal of removable media 15
Sof tware security 16
Internet security 17
Network security 18
Physical security 18
Audit ing and monitoring 18
Security t raining and awareness 18
Cont ingency planning 18
Disciplinary act ion 19
Implement the Securit y Policy 20
Communicate the policy 20
Enforce the policy 20
Reassess the policy 21
Summary 22
Poli cy Examples 23
About RSA Security Inc. 25
RSA Securi ty Inc.
A Guide t o Securi ty Policy
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
3/30
INTRODUCTION
As computer netw orks become more complex and corporate resources become more
distributed, the need for improved information security is increasing. While mostorganizations begin by deploying a number of individual security technologies to
count eract specif ic threats, the adopt ion of the Internet as the foundation fo r
e-business has turned securit y int o an enabling t echnology t hat is required for
business success.
At some point there becomes a clear need to tie together the techniques and
technologies that both protect and enable your business through security policy a
thought ful and consistent management approach to securit y practices across the
organization. RSA Securit y has nearly twent y years experience implement ing securit y
solutions, from developing highly secure products to developing policy to deploying
the tw o t ogether. It i s that experience and expertise that has led to t his guide to
help you develop your own ef fect ive securit y pract ices. We know the quest ions youneed to ask yourself.
If you are reading this guide, you probably already recognize the need for a
consistent approach to information security. This guide is intended to be the first
step, giving you an overview of the decision-making process necessary to develop an
eff ecti ve securi ty policy fo r your company.
Specifically, A Guide to Security Policy provides information about:
Your actual policy-making journey will involve classifying the corporate informationyou want to protect, identifying potential security threats and business risks, and
deciding what levels of protection will make it possible to do business online. While
airtight information securit y across the organization may be your goal start ing out ,
in reality you will be balancing securit y levels wi th t heir costs, as well as wi th your
business practices and corporate culture. The wri tt en pol icy document you come up
with will reflect the difficult decisions you make during this process regarding
inf ormat ion access, corporat e st rategy, resource allocation and employee behavior.
And it w ill never really be fi nished : your securi ty pol icy wi ll essentially become a
dynamic insurance policy that you will modify regularly to keep pace with changes in
technology and your business practices. However, by creating a security policy for
your organization, you are taking an import ant step t oward elevating yourinf ormat ion securi ty pract ices so your organization can prosper in todays evolving
e-business world.
RSA Security Inc. 1
The need for information securit y
The processof developing an effective securi ty policy
Implementing your securi ty pol icy
Information about what other companies are doing
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
4/30
2
A Guide t o Securi ty Policy
WHY YOU NEED A SECURITY POLICY
The essence of secur it y policy is to establi sh standards and guidelines for accessing
your corporate information and application programs. Typically, organizations startwith informal and undocumented security policies and procedures; but as your
enterprise grows and your workf orce becomes more mobile and diverse, it becomes
especially impor tant even necessary for your securit y pol icies to be documented
in w rit ing. Doing so w ill help avoid misunderstandings and w ill ensure that
employees and cont racto rs know how to behave. It wil l provide explicit guidelines
for your security staff, making it easier for them to enforce security policies
consistentl y. Furt hermore, a securi ty po licy facili tates internal discussion about
securit y, and helps everyone become more aware of pot ential securit y th reats and
associated business risks. Youll fi nd that a wr it ten pol icy generally tends to enhance
the performance of your security systems and the e-business applications they
support. It provides the guidelines necessary in determining the proper configuration
of systems and a bar against which you can measure the effectiveness of your
security efforts. A deciding consideration is that having a written security policy may
be required by law .
The need for security is increasingly obvious
Since 1996 the Computer Security Institute, in conjunction with the FBI, has conducted
an annual survey to monit or computer crime t rends. This research project is one
of the few that provides benchmark readings of information security issues from
year-to -year. Some of the key point s f rom the most recent (2000) survey include:
Most organizations surveyed have been victims of computer crime. 90% of
respondents admitted that they had been victimized by computer security
breaches in the previous 12 mont hs, compared to 62% in t he 1999 survey and
64% in t he 1998 survey. When considered in ligh t of the fact that many, if not
most computer crimes go undetected, i t is clear that the issue of securi ty
breaches should be of concern to every organizat ion.
Computer crime causes signi f icant damage. Not all organizations that were
vict imized by computer securi ty breaches were able to quant if y their losses.
However, the losses of the 42% of survey respondents that could t otaled
$265,589,940. Notably, the theft of propriet ary informat ion resulted in t he
highest financial losses, continuing a rising trend, followed by financial fraud.
Computer crime is increasing. The problem of information securit y is not limit edto the United States; in fact, many of the crimes reported in the CSI/FBI research
orig inated out side t he Unit ed States. A quick review of press report s show s that
information security is a problem for organizations the world over Japan,
China, India, Russia, Europe and Latin America. Simply put, as the use of
comput ing increases in a society, so grow s the risk of inf ormat ion crime.
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
5/30
Insiders pose as sign if icant a threat as outsiders. It is common t o think of
securit y in t erms of prot ecting network perimeters from hosti le out siders
attempting to gain access. But inappropriate insider behavior can be a bigger
threat, both more common and often causing greater financial losses than
out sider att acks. The 2000 survey report s that 71% of respondents detected
unauthorized access by insiders. In addition, simple abuse of Internet accessprivileges which af fected t he majorit y of companies in the CSI/FBI study
costs the enterp rise money in t erms of reduced product ivit y and wasted
network bandwidth.
There are many costs associated w it h securit y breaches
Direct f inancial loss. Customers credit card numbers, the companys merchant
account passwords, and employees personal checking account numbers are all
prime t argets fo r t hieves. And w hether or not the criminal is brought to justice,
indirect legal fees or fines resulting from the crime can add significantly to the
costs, especially in industries like banking and finance.
Lost sales and reduced compet it ive advant age. When proprietary sales
proposals, business plans, product designs or other inf ormat ion are stolen,
altered or destroyed, it can give compet itors a dist inct advant age. Lost sales
can result, and the impact can be felt long after the incident occurs.
Damage to your corporate reputation and brand. You work hard to build and
maintain your corporate image and t o establish t rusted relationships wi th your
customers and business partners. If proprietary or private information is
compromised, your corporate credibili ty and business relationships can be
severely damaged.
RSA Secur ity Inc. 3
The 2000 CSI/FBI Computer Crime and Security Survey
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
6/30
Privacy violation. Employees trust you to keep their personal information
private. Similarly, customers t rust you t o keep t heir credit card numbers and
credit histories confidential. If that privacy is violated, legal and other
consequences can result.
Business disrupt ion. When a service disruption occurs, your IT staff needs to
address the problem immediately. Hopefully, theyll be able to restore data from
backup files, and return systems to service without significant downtime.
However, in the case of mission critical systems, any downtime can be
catastrophic. And other times, lost data may have to be painstakingly
reconst ructed by manual means, prolonging t he t ime t hat systems are
functioning below acceptable levels.
A security policy mitigates your legal exposure
Your securit y poli cy guides the behavior of your employees and ensures that theyknow what you expect of them. Having a w rit ten po licy is mandatory if you expect
to be able hold t hem account able for their actions. In many count ries around t he
world , CEOs and senior management may be legally responsible for crimes involving
their organization. Punishment can include both fines and imprisonment. To avoid
thi s liabilit y, corporat ions generally need to be able to prove a good f aith eff ort to
deter criminal activity that utilizes their computer systems and networks. A
comprehensive securi ty poli cy will help reduce this exposure i t is expected t o
include w rit ten po licies and procedures to deter crime, securit y awareness programs,
discipl inary standards, monit oring systems consistent w ith current indust ry pract ices,
and immediate reporting of any detected crimes to law enforcement agencies.
Note that in the United States, good faith guidelines no longer consider simplepassword-only user ident if icat ion schemes to be adequate. Two-factor
authentication, consisting of something you know (a password or PIN) plus
something you possess (a physical authenticator), is now considered the industry
norm w hen evaluating the ef fect iveness of a securit y program. Under U.S. Federal
Sentencing Guidelines, an organizat ion s culpabilit y is lessened by having an eff ect ive
program to detect and prevent security violations.
In other countries the rules relating to computer security may be even more strict.
For example, in China the government has extremely demanding regulations relating
to encryption, which prevents some common software from being used in China. An
organization that t ranscends borders can use a policy to help maintain legal securit y
practi ces that dif fer f rom country t o country.
A security policy forces you to make return-on-investment decisions
Securit y threats have the pot ential t o exploit a vulnerabilit y in your organizations
comput er practices, wi th the potential f or damaging your inf ormation assets. The
threats you identif y wi ll run t he gamut from nat ural disasters to malicious hackers
penetrating your netw ork. Your job in developing a securit y policy will be to make
int elligent business decisions about the cost -effect iveness of reducing or elim inat ing
each of the threats and to base your decisions not on the fact the threat exists,
but rather on the associated r isks to your business. We ll discuss this assessment
process further in a subsequent section.
A Guide t o Securi ty Policy
4
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
7/30
DEVELOPING AN EFFECTIVE SECURITY POLICY
The process for develop ing a wr it ten securi ty policy typically involves a task f orce
with representatives from a variety of functional groups. Be sure to include some business people, and not just IT, engineering and securit y staff . These business
people whether sales, fi nance or op erations wi ll ensure t hat the policy you develop
supports business practices rather than hinder them. Ultimately, it w ill be very
important for you to get senior management involved, and to get the CEO to endorse
your security policy. Upper management needs to send a clear message to everyone
in t he organization t hat inf ormation securit y is vitally import ant t o the company.
During this process, keep in mind t hat your securi ty policy cant be so st rict t hat it
incapacitates your business. And it needs to be enforceable; ot herw ise, your
employees wi ll i gnore it . Also consider t he role of out siders cont ractors and
business partners may require access to your information assets. Your task forces
ini t ial job wi ll be to assess securit y threats to your organizations inf ormat ion assetswit h respect to each of the following f undamental areas:
As the securit y task f orce makes decisions relating t o t he above securit y topics, it w ill
also need to balance four distinct business factors:
the information access requirements of different constituencies, both inside and
out side your company,
the value of the information stored,
the liability of the transactions available, and
the budgetary impact of implementing that securit y both the in iti al costs and
the recurring costs, like staff time.
RSA Security Inc. 5
Authentication ensuring that a user is who he says he is.
Authorization controlling what informationand applications a user can access.
Privacy and data integrity preventing unauthorized usersf rom seeing certain information, and prevent ing t hem from
making unauthor ized changes or deletions.
Non-repudiation making sure t hat part ies in a t ransact ioncant deny what t hey said or w hat t hey did.
Disaster recovery & contingency planning
Physical security
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
8/30
Obviously, it can be a dif f icult task t o establish a po licy that meets your desired
securi ty goals and your budget const raint s, and i s acceptable to all users. It is
important to get the right people on your policy-making task force. After assessing
user access needs, business risks, securi ty threats and p rot ect ion costs, this team w il lneed t o make objective ROI-based decisions based on tradeoff s bet ween risks and costs.
Having a wri t ten securit y policy in place, however, is just t he f irst step. You wi ll need
to effectively communicate that policy to employees, contractors and others. And
your staff will need to enforce the policy. Enforcement will involve managing access
control lists and authentication systems, monitoring networks and computer systems
for possible securit y breaches, and reacting appropriat ely when securit y violat ions
occur. You should also reevaluate your pol icy on a regular basis, as changes in t echnology
and business practices uncover new threats or reveal new onl ine business opport unit ies.
In the rest of this section we will provide some guidelines that should help you
organize the security policy-making process. The general sequence of steps yoursecurit y task force will fo llow wi ll be:
Assess requirements understand information assets, user access requirements,
business risks, security threats, protection techniques and ROI.
Writ e the securit y pol icy
Implement the securit y policy communicate it , enforce it consistentl y, and
reassess it regularly to address new security threats and take advantage of new
prot ection tools.
The Security Policy Cycle
A Guide t o Securi ty Policy
6
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
9/30
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
10/30
A Guide t o Securi ty Policy
Access required by users (1=highest need):
Asset Mktg Sales Admin Mfg Supp R&D QA IT
Sales database 1 1 2 1
Product draw ings 3 1 1 1 1 1
Product specif icat ions 2 2 1 1 1 1 1
Order database 2 1 1 2 1
Web sit e 1 2 2 1
Once you understand how users access inf ormat ion, you w ill need to evaluate each
assets relati ve import ance, and t he ri sks associated w it h i ts being stolen, damaged or
destroyed. Note that t he owner of t he information has the f inal say as to the value
of that information. The value of information assets may even be dynamic, changing
weekly, daily or even hourly.
Analyze security threats
Youre now ready to ascertain t he areas of vulnerabilit y for your netw ork and
computing platforms. During this phase many companies elect to get an outside
securi ty consult ant involved, in o rder to get an expert assessment of specif ic securit y
threats for t heir computer systems and netw orks. You may find it useful t o t hink in
terms of whether the threats originat e inside or out side your organization, or bot h;
keep in mind that research shows that insiders are as a serious threat as outsiders
if not more so.
Common threats to information security include social engineering, passwordcracking, netw ork monit oring, abuse of administrat ive tools, man in the m iddle,
denial of service, trojan horse, virus and address spoofing. Details on these common
threats are available in RSA Securi tys publi cat ion , A Guide to Secur it y Technologies.
Blindly applying technology to protect against every conceivable t hreat
is not the smartest way to deal w it h securit y. A better way is to identifyhow much business risk each threat poses howvulnerable are you, really, if a part icular t hreat occurs? This way of thinking
helps you minimize security implementation costs, andprovides the flexibility youll need to help you evaluate new threats.
By considering the business risks, as well as the out-of-pocket
expenses and t ime required to f ix each new vulnerabilit y, youl l be able to make
an intelligent business decision about whether it makes sense to
mit igate the threat . Note that your exposure is proportional tohow long it takes to f ix the problem, mult iplied by the level of risk involved.
8
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
11/30
Identi fy business risks
The risks to your business were covered previously, and include direct financial loss,
lost sales and reduced competitive advantage, damage to your corporate reputation
and brand, pr ivacy violat ion and business disruption. As part of your risk analysis,
you may w ant to quanti fy the business risks in t erms of expected, worst-case and
best-case scenarios to assist in your decision-making process.
For example, if all of your conf ident ial customer records are stolen, you could
log ically conclude that there will be di rect f inancial costs, some lost sales, legal and
PR costs, staff time to fix the problem, and security improvements. Knowing how
many customers you have, and estimating the various business costs, you might
est imate the worst case scenario t o cost your company up to $5M, t he expected
scenario to cost you $500K, and the best case still to cost $100K.
As another example, if your sales prospect database is stolen, you migh t def ine
the worst case scenario as losing all of the expected sales to those prospects, theexpected case as losing 50% of expected sales, and the best case as losing 20% of
the sales. Note t hat as part of this analysis, youd need to decide upon t he value
of a typical sale, and factor in the percentage of prospects that actually become
customers. The po int in doing this analysis is to assign numbers to each of the
perceived risks, so you can make some decisions about their relative importance.
You could define a spreadsheet to assist in this process, estimating the business costs
associated w ith each of your assets. You m ight def ine r isk f actors for the best-case
and worst-case scenarios, which get applied to your expected costs, such as:
Risk factor: 500% 100% 20% Expected cost ($000):
Worst Best Direct Comp Lost StaffAsset case Expect case $ loss loss sales Legal t ime
Prospect database $600 $120 $24 = $0 $20 $50 $20 $30
Product draw ings $1000 $200 $40 = $0 $50 $50 $0 $100
Product specs $850 $170 $34 = $0 $50 $40 $0 $80
Order dat abase $2425 $485 $97 = $300 $10 $50 $50 $75
Web site $350 $70 $14 = $0 $30 $10 $10 $20
Invest igate new business opportuni ties
As you assess your requirement s, keep in mind that securi ty i snt just about th reats
and ri sks. For example, t here are a number of st rategic e-business opport unit ies that
just wouldnt be practical without adequate information security. Secure Sockets
Layer (SSL) encrypt ion and digit al cert if icates prevent sensit ive inf ormat ion f rom
being compromised as it passes between Internet clients and servers. These
technologies let your customers order products and services safely, di rectl y f rom your
Web sit e. Similarly, these tools and ot hers give you the abilit y to develop a suppl ier
extranet that w ill let your purchasing agents issue purchase orders and t rack
incoming orders online, saving them time and improving your just-in-time inventory
availabil it y. And an encrypt ed Virt ual Private Network (VPN) can make sensit ive price
lists, sales report s and compet it ive insights available 24/7 t o your authorized sales
representatives around the world . All o f these e-business opportuni t ies are feasible
because of i nf ormat ion securi ty.
RSA Securi ty Inc. 9
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
12/30
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
13/30
Evaluate return on investment (ROI)
Knowing the threats to your information and your options for mitigating those
threats, you now need to evaluate the return on your security investment, balancing
prot ect ion costs against your business risk costs. Complete prot ect ion wi ll not be
feasible. An appropriate level of security involves implementing enough protection
so as to minimize your business risks, simi lar t o t he following graph:
As part of your ROI analysis, you may decide t hat the cost of implementing a
solu tion t o a part icular threat out weighs your w orst-case exposure. In that case, itobviously doesnt make good business sense to address that particular threat. For
example, it may not wor th investing in biometr ic authentication f or access to your
corporate intranet, since its information is intended for all employees, is not
especially conf ident ial, and the business risks of inf ormat ion loss or damage are
relatively minimal.
RSA Securi ty Inc. 11
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
14/30
WRITE THE SECURITY POLICY
Once youve assessed your security requirements and understand the return on
investment (ROI) issues, its time to draft your security policy. Typical security policiesaddress most of the follow ing topics. There may be some overlap betw een your
securit y policy and your general comput er usage policy. Youll not ice that some
of the topics mentioned in this section, such as prohibiting employees from making
copies of commercial sof tware f or personal use, arent st rictly securi ty-related. But
they are an important part of establishing a do the right t hing mind-set among
your computer users and mitigate your legal exposure.
Cover lett er. A letter from the CEO will emphasize and reinforce the fact that security
is vitally import ant t o your organization.
Purpose. This sect ion i s typically a general overview or mission statement fo r t he
security policy document that explains its goals, to whom it applies, to what
information and equipment it applies, and the underlying business reasons for
having a security policy.
Responsibilities and authority. Your securit y poli cy should clearly define the
responsibilities for developing and enforcing the policy. This will typically include
defining w ho i s responsible f or reviewing and approving t he policy (probably an
information security committee), for establishing and maintaining the policy (possibly
a director of security), and for administering the security policy (typically IT staff and
system admin ist rato rs). In addit ion to defin ing everyones roles, this sect ion could
indicate that department managers are responsible for ensuring that their staff
understand and adhere to the securi ty policy.
Definitions. It s useful to def ine t he technical terms used in t he securi ty policydocument for non-technical readers; this may take the form of a glossary of terms at
the end of the security policy document.
Information ownership and access rights. This will be a general statement defining
the ownership and access rights for the information stored on your computers or
transmit ted via your network. You may want t o relate th is policy to related HR
policies. The intent is to let your employees know that you have the right to monit or
their e-mail or f iles, should you so choose.
Computer system usage. This sect ion def ines the primary purpose of your companys
computer systems as being for your business purposes only. It may stipulate whether
your employees can utilize your computers and network infrastructure for personaluse, and the conditions under which they may do so. A general statement about user
accountability is appropriate for this section, to make employees aware that they are
fully responsible for maintaining the secrecy of their user ID and password, as well as
all ot her proprietary company inf ormat ion, and possession of any securit y devices,
such as authentication devices and smart cards.
12
A Guide t o Securi ty Policy
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
15/30
Access cont rol . This section should include information about the administrative
controls and procedures for providing access to your companys computer systems
and netw orks. The access cont rol sect ion will typically d iscuss the f ollow ing poin ts:
Identification and authentication. Users will need at least a valid user ID and
password to gain access to your network. You may choose to restrict access to
standalone, non-networked comput ers in a similar way. St rong, or tw o-factor
authentication e.g., tokens or smart cards in addition to a user ID and
password has become t he requisite prot ection for sensit ive information and
systems. You should identify which of your users need access to sensitive
information and systems, and will need to use strong authentication.
Keeping user IDs and passwords secure. This section should discuss basic
guidel ines for keeping users IDs and passwords secure, such as how to choose a
good password (e.g. six to t welve characters, mixed upper and lowercase,
includes numbers, doesnt have any personal i nf ormat ion, doesnt consist of a
dictionary word, isnt descriptive of their work activity, etc.), never sharing or
revealing a user name or password, and not storing unencrypted passwords on
comput er media.
Account administration. Someone typically authorized security staff, system
administrators or IT staff will need to assign and maintain login accounts,
work group pr ivileges, e-mail addresses, any authenti cation devices and digit al
certificates across a variety of computer systems and networks.
Privileged access. You wi ll need rules about w ho gets root , super-user or
admin access to your computer systems. Generall y, th is pri vileged access shou ld
be reserved str ictly f or the system administ rator.
Access by non-company personnel. If cont ractors, customers or vendors will be
allowed to access your computer systems and network, you will need to define
the condit ions for t heir access.
Remote access and telecommuting. You should define who will be permitted to
access your computer netw ork remot ely. Department managers are usually
responsible fo r aut hori zing remote access fo r t elecommuting w orkers, sales
personnel and ot hers with a valid business need. Staff requirements for remote
access should be reviewed on a regular basis. You w ill also need to def ine how
remot e users gain access to your networks for example, by dialing in to a
dedicated securit y server, but not by direct modem access to any individual
desktop computer on your network. If appropriate, you should emphasize the
importance of user authentication for remote access, and make people aware
that an audit t rail w ill be recorded f or t heir remot e access sessions.
Unatt ended computers. When users walk away from their desks, their logged-on
computer presents a netw ork securit y risk. Discuss any requirements for logg ing
off the netw ork w hen users leave their desk, or for using soft ware that w ill
prevent access (by blanking the screen and/or locking the keyboard) i f a users
comput er remains idle f or some period of time.
Unauthorized computers. Many users own personal computers. You should
def ine t he circumstances under w hich users are permit ted to br ing personal
computers into the office, and the conditions under which they can connect
them to your netw ork.
RSA Securi ty Inc. 13
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
16/30
Non-netw ork connections. Its generally not a good idea to allow non-network
communications (direct modem access) between individual computers on your
network. And especially not with computers outside of your company.
Non-netw orked computers. All standalone computers should have appropriate
access controls.
Electronic mail. You need to emphasize to users that e-mail makes it all t oo easy to
make your p roprietary corporate information visible t o t he public. Your general
e-mail policy should clearly state whats permissible content. In addition to not
sharing sensit ive corporate inf ormat ion, you should probably ban messages wh ich
contain threats, racial slurs, sexual harassment or which circulate chain letters.
Some specific e-mail security issues include:
Privacy. Emphasize that corporate information needs to be kept private, and t hat
employees are not permitted to access or share information that doesnt relate
to their jobs. Discuss the fact that sensitive corporate information should beencrypted t o ensure privacy whi le the information is in transit.
Message encryption. Discuss the specific e-mail encryption tools and techniques
which you recommend or require, including guidelines for managing public and
private encrypt ion keys.
Monitoring. As mentioned above, you should point out to employees that t heir
e-mail messages are corporate inf ormat ion, and that they may be scrut inized by
corporate management. Discuss any restrictions on employees using your
corporate e-mail capabilities to communicate with family and friends outside
your organization.
Message forw arding. You should advise users to exercise caution whenforwarding e-mail messages that may contain sensitive corporate information
which should only be viewed by certain people. You might want to place
restrictions on forwarding internal messages to outsiders, and to prohibit
bulk e-mailings.
Message archiving. Received e-mail messages tend to accumulate and take up
valuable storage space. You may want to def ine ru les fo r w hen users un -needed
messages should be purged, and what their responsibilit ies are in t his area. Will
old messages be deleted automatically, or do users need to manage this process?
It w ould be appropriate to define your corporate backup pol icies wi th respect to
users archived messages.
Laptops, notebooks and handhelds. Port able computers designed for use by mobi leprofessionals present some unique issues, and require both physical and electronic
securi ty precaut ions. You should discuss the responsibilit ies of por table comput er
users, including what happens when their portable computer is lost or stolen.
Specific security issues include:
Theft prevention. You may want to suggest techniques for preventing t heft ,
such as using a locking cable and/or an alarm, and never leaving port able
comput ers unatt ended.
Identification. You should use inventory control labels or engraved markings to
identify portable devices as being the property of your company. You should
define who will maintain the inventory records for portable devices, especially if
these devices are shared by multiple people.
A Guide t o Securi ty Policy
14
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
17/30
RSA Securi ty Inc. 15
Propert y checkout procedures. You may want to have a checkout pol icy in p lace
for devices which are shared among multiple people, or which employees
remove from your f acilit ies.
Loss or t heft reporti ng. If a port able device is lost or stolen, t he user needs to
report t hat fact prompt ly.
Access control. Since sensitive information will likely reside on the portable
computer, you may want to requ ire access cont rol sof tware, so t hat users have
to enter a user ID and password or two-factor tokencode in order to use
the system. It may also be a good idea to require use of a screen saver that
blanks the screen and requires users to reenter their ID and password whenever
the system has been idle for awhile. As part of the property check-out process,
security staff may need to configure each portable devices user ID, password
and screen saver.
Preventing unauthor ized observation . Wit h improvements in t he viewing anglesof computer displays, you should caut ion users to shield their po rt able devices
f rom the curious eyes of airline passengers in neighboring seats.
File encryption. To protect sensitive information on portable computers, even if
they are stolen, you may want to require encryption sof tw are to be installed and
used on these devices.
Virus detection. Since portable computers are somewhat more li kely to be
exposed to computer viruses, its appropriate to require virus detection software
to be installed, properly configured and updated regularly.
Returning leased equipment. From t ime t o t ime employees may need to lease
equipment that stores information (such as a laptop computer). You should makeemployees aware t hat they need to remove any sensit ive inf ormat ion (sales
presentat ions, price lists, business plans), from the leased equipment prior to
returning it . You may need to define guidelines fo r how to delete fil es so as to
prevent their cont ents from being recovered.
Equipment repairs. Computers do fail, and sometimes need to be sent to an outside
vendor f or repair . You may want to requi re users to encrypt any sensit ive fil es to
minimize t he possibly t hat outsiders can view proprietary inf ormation stored on
broken comput er hardware whi le it is being repaired.
Disposal of removable media. You should make users aware that sensitive
information stored on floppy disks and other removable media can be recovered
even aft er the f iles have been deleted. You may want to requi re users to dispose of
all removable media by returning the media to your IT department , where it can be
bulk-erased and/or physically destroyed.
Sof tw are securit y. You will need to discuss who has access to application software
and its associated data, software licensing issues, computer virus prevention, and
software updates and version control.
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
18/30
Access cont rol for app lications and data. Application sof tw are residing on
servers may be accessible to anyone on the network, so you may need to
establish specific access control requirements for these programs. Similarly,
the data files used by these applications will need to be protected fromunaut hori zed access by users not running the application.
Sof tw are license agreements. You need to ensure t hat employees understand
and adhere to the terms of software manufacturers license agreements, and to
make them aware that all soft ware is prot ected by copyright.
Personal use. Employees should not be permit ted to make copies of
company-purchased sof tware for their personal use, as this typically violates
sof tw are license agreement s. You may even want to go so f ar as to prohibi t
employees from using any software on your company computers for
personal purposes.
Installing unauthorized software. All of your software commercial, public-domain or shareware should be installed by appropriate IT staff , and should
only be used for its intended purpose.
Virus cont rol. IT staff are typically responsible for installing anti-virus software on
corporate computer systems, and for configuring it properly and keeping its virus
definition files up-to-date.
Change control. Your IT staff should have a sof tware upgrade policy. When a
new sof tw are version comes out , it wil l need to be tested f or compatibilit y and
security prior to its being installed on the appropriate computers.
Internet security. In addition to creating new business opportunities, widespread
desktop Internet connectivity via e-mail, Web and other services has associatedsecurity risks.
Uploading and dow nloading fi les. Files downloaded or received as e-mail
att achment s need to be checked f or comput er viruses prior t o use. You may want
stricter controls for downloaded application programs, perhaps requiring them
to fi rst be tested on non-networked comput ers to ensure they won t delete files
or o therw ise damage the involved machine. You may also w ant to rest rict users
from uploading certain types of files, or attaching them to e-mail messages
software applications, proprietary source code or other intellectual property,
and unencrypted sensitive corporate information.
Access cont rol. Your networked computers may support anonymous file transfer
protocols (FTP) to exchange data and applications. You should caution users tonot put sensitive internal company information into these systems publicly
accessible directories unless doing so has been approved by management. And
you may want to establish a policy of removing all pub lic informat ion f rom t hese
directories on a regular basis, to minimize the possibility of inappropriate
informat ion t ransfer. St ricter access cont rol via username/password, and possibly
authentication devices, may be appropriate.
Encryption. Users may attach sensitive information to e-mail messages, enter
it int o Web page forms, or up load i t to remote servers via FTP. In each of these
cases, it is a good idea to require encrypting the info rmation appropriately to
prevent it from being intercepted. Your policy should discuss appropriate
encryption methods and guidelines, such as using Secure Sockets Layer (SSL)prot ocols and digi tal certif icates from an approved cert if icate authorit y.
A Guide t o Securi ty Policy
16
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
19/30
Privacy. All users should be aware that t heir electron ic communications may be
viewed by t hird part ies; users should either encrypt sensit ive company
information, or just not send it via e-mail.
Personal Internet use. Typically, users are expected t o use the companys
infrastructure to access or exchange information only for appropriate business
reasons. If you want to allow employees to access Internet services for personal
purposes, you w ill need to def ine personal Int ernet usage guidelines. For
example, employees may be allow ed to surf the Web or send personal e-mail
messages f rom their deskt ops on their own t ime, as long as doing so doesnt
disrupt other company business; but they should generally not be permitted to
access inappropriate Internet resources (adult Web sit es), conduct non-
company business activities, or do bulk e-mailings.
Publ ic representat ion . Ensure t hat employees understand t hat publ ic statement s
they make on behalf of your company in e-mail, newsgroups, mailing lists,
bulletin boards or chat rooms may need to be cleared ahead of time with
management. They should clearly indicate when opinions are their own (not
your companys), and t hey should be cautioned t o avoid any libelous statement s.
Netw ork securit y.
Rout ers and fi rew alls. All connections from the public Internet to int ernal
company networks should be protected by router/firewall systems which deny
services not explicitly permitted. In addition, you may decide to configure the
fi rewall t o only perm it services which can be o f fered securely. For example, you
may want to permit TCP, DNS, mail and news feeds from specific news servers,
but to block all ping queries and non-authenticated Telnet log-ins. Your policyshould define w ho has the responsibilit y for maintaining and conf iguring your
networks rout ers and f irewalls, and emphasize the need f or strict access cont rol
for these systems.
Internetworking. When connecting separate company LANs or WANs, you may
want to also require t he use of fi rewalls to isolate t hem and make their
information available only to certain employees on a need-to-know basis. Also,
any virtual private netw ork (VPN) connections via the insecure pub lic Internet
should u ti lize encryption to insure information privacy and integrit y.
Standalone netw orks. Standalone netw orks which arent connected t o t he public
Internet or to other company networks still require appropriate access control
and aut hentication techniques.
Modem use. Generally, modem access to corporate netw orks should only be via
managed modem pools using access cont rol and aut hent icat ion. Modems should
not be connected direct ly to users net worked computers. Remote users should
not gain modem access to the network via computers that are also connected to
some other netw ork.
RSA Securi ty Inc. 17
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
20/30
Physical security.
Workstations. You may want to consider methods cables, locks, bolts for
attaching equipment to desktops to prevent users from removing comput er
workstations and associated peripherals.
Laptops. As discussed previously, laptops are easily stolen. You may want to
require use of a locking cable or an alarm, and t o caut ion users to never leave
port able comput ers unatt ended.
Servers. In general, workgroup and Web servers should be isolated and made
accessible only to system admin ist rato rs and appropr iate IT staff . Depending on
the nature of the inf ormation stored on the servers, it may be appropriate to
locate the server in a locked room or o ther access-cont rol led environment .
Network infrastructure. In a similar fashion, routers, firewalls and other
inf rast ructure systems should be isolated and available only to appropriate
IT staff .
Auditing and monitoring.
Audit trails. Its a good idea to maintain an audit trail of user acti vity, both at
firewalls and on Web and application servers. Audit trail log files should be
examined on a regular basis by security staff to determine if unauthorized
act ivit y has taken place; these log f iles should t ypically be archived for a year
or so.
Intrusion detection. Netw ork monit oring sof tw are tools can be used to sound
alarms, alerting security staff when suspicious activity occurs.
Securit y t raining and aw areness. Your securi ty pol icy should include a general
discussion about the importance of your security training program, and should
emphasize each employees responsibilit y f or att ending t raining sessions and
increasing their security awareness.
Cont ingency planning. Like natural d isasters, inevitably a securi ty at tack w ill take
place and disrupt your no rmal business operat ions. It s import ant to have a plan in
place so everyone understands how to recover and resume normal bu siness operat ions.
Backup and recovery. Mission-critical application software and data files on all
computer systems should be backed up regularly, so they can be restored in case
of a security disaster or system failure. Backup media should be tested
periodically, and the backup data analyzed to be sure that applications and data
f iles can be restored successfull y.
Off-site storage. Copies of backup media should be stored off-site, far enough
away to min imize the risk of damage from t he same natu ral or man-made
disaster. Off -sit e storage f acilit ies should meet appropriat e industry standards
and should provide adequate environmental and physical prot ection fo r your
backup media.
18
A Guide t o Securi ty Policy
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
21/30
Disaster recovery. It s w ise to establish a d isaster recovery plan for all comput er
systems and applications which you consider critical for doing business. In
general, the goal of th is plan is to expedit e the recovery of lost data and t he
resumpt ion of business operat ions, possibly using another computer system oreven at another facilit y. It s also a good idea to test your di saster p lan annually,
and modif y it appropriately if short comings become apparent .
Reporting security problems. Users should not if y secur it y staf f as soon as possible
when an intrusion or other security problem occurs even if a problem is simply
suspected. Users should report the loss or disclosure o f inf ormation t o
unauthorized parties, the loss or theft of passwords (or two-factor tokens), and
any unusual system behavior, such as missing files, system crashes or misrouted e-
mail, which could be caused by a computer virus. Users should be cautioned not
to discuss suspected security problems in detail with non-security personnel.
Contacts and inf ormation . Its import ant t o define whom employees should
cont act when t hey have securit y-related quest ions, to report securit y prob lems,
or t o obt ain a copy of your securit y policy or related documentation. It may be
appropriate for you to develop a security FAQ page on your corporate Intranet,
cont aining responses to employees typical securit y-related quest ions, and a
central repository for public security policy documents.
Discipli nary action. You should emphasize that you will take disciplinary action
against any employee, cont racto r, or other user of your comput er systems who
commi ts a securit y violat ion. This discipl inary act ion may include terminat ion of
their employment or contract, and those involved may also be subject to
criminal prosecution.
RSA Securi ty Inc. 19
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
22/30
IM PLEMENT THE SECURITY POLICY
Communicate the policyOnce you have wri tt en the securit y policy, you need t o put it in place wi thin
your o rganizat ion. To do so successfully, you will need to ensure t hat all employees,
contractors and other personnel who access your computer network not only
understand t he pol icy, but also w hy it is required. Basically, you w ill have an
ongoing need to sell your policy to the various constituencies within your enterprise
both upper management and staff through meetings, presentations, security
briefing documents, e-mail messages, posters, newsletter articles and whatever
other communication tools you can think o f t hat are appropriate for your
corporate culture.
As wi th any good marketing communication p rogram, you need to art iculate the
benefi ts of your product. In th is case, your product is securi ty. Typical benef it s
include minimizing financial loss, maintaining a positive public image, helping
prevent l it igation, and retaining your int ellectual property and competit ive
advantage, as well as just plain keeping the company viable so everyone has a job.
In addition to making everyone aware of the big picture, of course, you w ill need to
ensure that people are adequately info rmed about all t he details of your securit y
policy like how to choose a good password, when t o change it , what to do if you
detect a comput er virus, rules for personal Int ernet access, and what to do when
your laptop comput er is stolen. You w ill need t o f ully brief new employees on your
comput er securit y policy at the time they hire in .
Also keep in mind that your security policy will evolve and change. It will pay to
devise standard w ays of communicating these policy changes to your organization,
like regular security briefing meetings, company newsletter articles or written
securi ty pol icy upd ates. An underlying objecti ve of all of thi s recurring communication
is awareness making sure t hat everyone is thinking about computer securi ty and
understands its role in keeping your business healthy and successful. Addi t ionall y, it
becomes easier t o identi fy personal responsibilit ies wh ich in t urn usually enforcing
the policy easier.
Enforce the pol icy
Administering your security policy may require allocating additional human
resources. Your IT or security staff will likely have new responsibilities for accesscont rol and aut hent icat ion. They wil l need to manage user account s, passwords,
group membership, two-factor authentication devices and digital certificates. In
addition, they wi ll likely need to install and use network securit y tools to wat ch f or
suspicious activity. These tools will help them proactively test and verify servers,
f irewalls and rou ters to ident if y securit y holes or breaches. Similarly, they w ill
probably need to select, i nstall and use watchdog soft ware t hat monit ors netw ork
t raf fi c and/or OS commands and t riggers an alarm if an event occurs which is
contrary to your security policy. In addition, the security staff will need to spend time
analyzing log f iles f rom Web and appl icat ion servers, as well as checking audit t rails
when suspicious events occur. These tasks will typically be in addit ion to more
mundane responsibilit ies, like backup and recovery, installing new soft ware and
20
A Guide t o Securi ty Policy
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
23/30
updates, keeping everyones virus definitions up to date, repairing hardware, and
assist ing employees wi th t heir computer-relat ed problems. You should also
periodically test the enforcement mechanisms to verify theyre providing the
int ended levels of prot ection.
When violations of your securit y policy occur, it wi ll be impor tant fo r you t o t ake
appropriate and consistent discipl inary action. For employees, penalt ies may range
from loss of pay or privileges to fi ring, depending on the severity and number of the
violat ions. Malicious netw ork access or ot her violations by out siders should almost
always be reported to the appropriate authorities for possible criminal prosecution.
Reassess the policy
The reality is that once youve written the security policy and have begun
implementation, its probably time to reevaluate the policy. The rapid pace of
technology and the astronomical grow th of Internet use mean t hat new securit ythreats appear more and more f requently. In addition to the new securit y threats,
your organizations business strategy may shift. A new business focus can affect
your securit y pol icy by altering your analysis of t he business risks and return on
investment evaluations. These factors combine to make it mandatory for you to
continually reevaluate and update your written security policy at least quarterly,
if not mont hly.
RSA Securi ty Inc. 21
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
24/30
SUMMARY
A securit y policy is a formal statement of the rules that employees and ot hers must
follow when using your companys computer systems and net works. Its purpose is tomake everyone aware of their responsibilit ies for prot ecting your organizations
information assets, and it should specify the details of how to do so. Developing the
security policy involves assessing your information assets, security threats, and
business risks; put ting appropr iate pol icies int o w rit ten form; implementing t hose
policies; and then repeating that cycle updating your written security policy on a
regular basis and ensuring that everyone in your organization remains mindful of
their inf ormation securit y obligations.
It is our hope that this guide has both convinced you that you need a security policy,
and provided some insight int o t he pol icy-development process. As your securit y
pol icy evolves, at some point you may decide t hat you requi re some expert out side
assistance. If so, RSA Securi tys wor ldwide services organizat ion of fers complet econsulting, design, implementation, training and support services.
22
A Guide t o Securi ty Policy
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
25/30
POLICY EXAMPLES
Follow ing are a few excerpts f rom various organizations securi ty poli cies:
Access cont rol ...
Securit y procedures must be implemented t o prevent unaut hori zed access to
computers, network resources and data. Only employees of [Company] and
contractors who have been briefed on the acceptable use policy of [Company] will be
given access to the network. Managers shall decide the level of access for each
employee. Final permission to access the netw ork will be the responsibilit y of the
Securi ty Commi t tee. Individuals w ill be issued a unique username. When an
employee terminates employment, Personnel will notify the Security Committee and
IT, and steps will be taken to disable that users accounts and access to internal and
external netw orks. Account logon and logof f in formation w ill be recorded for
security audits.
Warning notice...
The following not ice will be displayed to all users when t hey access [Company]
computer systems: Warning: Only [Company] author ized users only are allowed to
use this system. Access by anyone else is unauthorized and prohibited by law.
Monitoring fo r purposes of administrat ion and securit y may take place, to which you
consent by proceeding.
Passw ord management ...
Passwords wil l have a minimum of six alphanumeric characters. No common w ords
or phrases are acceptable. Passwords should be difficult for others to guess.
Administ rators will test for weak passwords. Passwords must be kept private. Do notshare t hem or w rit e them down. Passwords must be changed every 90 days. Af ter
th ree failed logon at tempt s, account access wi ll not be permit ted, and aut omatic
not if icat ion w ill be sent t o t he system administ rator. Highly sensit ive systems will
generate an alarm after excessive violations. Sessions will be suspended after twenty
minut es of inactivit y.
Strong authent ication...
Approved products will be used to gain remot e access to the netw ork, as well as to
highly sensitive systems. Keep strong authentication devices safe. Do not store them
with the computer to which they enable access. Report it immediately to the Security
Committee if an authentication device is lost or stolen, and administrators willdisable the device. The devices associated Personal Identification Number (PIN) or
password must be kept pr ivate. Do not share it o r w rit e it down.
Digit al signatures and cert if icates...
Only use Digital Certi f icates f rom [Company] approved Cert if icate Authori t ies. Use
digit al certif icates to identif y both the user and the server, and in conjunction w ith
SSL. Prot ect stored cert if icates and keys wi th st rong aut hent icat ion.
RSA Securi ty Inc. 23
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
26/30
Data encrypt ion f or data at rest and in t ransit ...
Encryption must be used to secure dat a sto red in non-secure locations or
transmit ted over open netw orks, including t he Internet. Encryption must be used to
secure at all times any data classified highly sensitive. [Company] approved
encrypt ion services and products must be used, wi th a min imum key length of
128-bits recommended for highly sensitive data. Note the use of any algorithm or
device must also comply wit h t he laws of t he count ry in w hich t hat data encryption
will be used, and may necessitate a shorter key length .
Encrypt ion keys...
The keys to be used for encryption must be generated by means that are not easily
reproducible by outside parties. Only [Company] approved hardware or software
random number generators will be used, to ensure security and interoperability.
Encryption keys will be treated as highly sensitive data with restricted access.
Encryption keys that must be transmitted, as in symmetrical or secret key systems,must be t ransmit ted by secure means: use of pub lic key-exchange algorit hms,
double-wrapped internal mail, double-wrapped courier mail. Encryption keys must be
changed at the same frequency as the passwords used to access information. All
encrypt ion keys must be made available t o management via [Company] approved
key recovery implementat ions.
Publ ic keys...
In publ ic-private key systems, publ ic keys must be dist ribu ted or stored so t hat they
are accessible to all users. Digital certificates may be used to distribute public keys via
Certi f icate Aut hor it ies. In publ ic-private key systems, private keys will be kept private
by users, subject to the same rules as user passwords.
24
A Guide t o Securi ty Policy
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
27/30
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
28/30
Worldw ide Service and Suppor t
RSA Securi ty of fers a full complement of world-class service and support of ferings
to ensure t he success of each customers project or deployment th rough a range of
ongoing customer support and professional services including security assessments,
project consult ing, implementation, education and training, and developer support .
RSA Professional Services consultants have years of hands-on experience helping
customers def ine and implement securit y poli cies, including:
Corporate security policy definition and systematic review planning.
IT security policy covering system hardening guidelines, password rules,
session t imeout parameters, and DMZ system administ rat ion.
Publi c Key Inf rast ructure (PKI) policy covering minimum key lengt hs, key expiry,
certificate revocation frequency, registration and authentication requirements,
key backup and recovery, and trusted signer certificate distribution.
Service Providers agreement review for denial of service and security
att ack provisions.
Comprehensive logging strategy definit ion including generating alerts fo r
outages and suspected security incidents.
Disaster recovery planning and t est ing.
Contact RSA Secur it ys Professional Services Group if your organization needs help
with your specific security policy issues.
26
A Guide t o Securi ty Policy
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
29/30
NOTES
RSA Securi ty Inc. 27
-
8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS
30/30
ACE/Server, SecurID, BSAFE and Keon are registered t rademarks, and RSA i s a trademark