GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS

8/14/2019 GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS

1/30

A Guide to Security PolicyA Primer for Developing an Effective Policy


2/30

Table of Contents

Introduction 1

Why You Need a Security Policy 2

Develop an Effective Security Policy 5

Assess Secur it y Requirement s 7

Cover your assets 7

Def ine access requirements 7

Analyze security threats 8

Ident ify business risks 9

Invest igate new business opportunit ies 9

Explore prot ect ion and enablement opt ions 10Evaluate return on investment (ROI) 11

Writ e the Securit y Policy 12

Cover let ter 12

Purpose 12

Responsibilit ies and authority 12

Def init ions 12

Informat ion ownership and access rights 12

Computer system usage 12

Access cont rol 13

Elect ronic mail 14

Laptops, notebooks, and handhelds 14

Returning leased equipment 15

Equipment repairs 15

Disposal of removable media 15

Sof tware security 16

Internet security 17

Network security 18

Physical security 18

Audit ing and monitoring 18

Security t raining and awareness 18

Cont ingency planning 18

Disciplinary act ion 19

Implement the Securit y Policy 20

Communicate the policy 20

Enforce the policy 20

Reassess the policy 21

Summary 22

Poli cy Examples 23

About RSA Security Inc. 25

RSA Securi ty Inc.

A Guide t o Securi ty Policy


3/30

INTRODUCTION

As computer netw orks become more complex and corporate resources become more

distributed, the need for improved information security is increasing. While mostorganizations begin by deploying a number of individual security technologies to

count eract specif ic threats, the adopt ion of the Internet as the foundation fo r

e-business has turned securit y int o an enabling t echnology t hat is required for

business success.

At some point there becomes a clear need to tie together the techniques and

technologies that both protect and enable your business through security policy a

thought ful and consistent management approach to securit y practices across the

organization. RSA Securit y has nearly twent y years experience implement ing securit y

solutions, from developing highly secure products to developing policy to deploying

the tw o t ogether. It i s that experience and expertise that has led to t his guide to

help you develop your own ef fect ive securit y pract ices. We know the quest ions youneed to ask yourself.

If you are reading this guide, you probably already recognize the need for a

consistent approach to information security. This guide is intended to be the first

step, giving you an overview of the decision-making process necessary to develop an

eff ecti ve securi ty policy fo r your company.

Specifically, A Guide to Security Policy provides information about:

Your actual policy-making journey will involve classifying the corporate informationyou want to protect, identifying potential security threats and business risks, and

deciding what levels of protection will make it possible to do business online. While

airtight information securit y across the organization may be your goal start ing out ,

in reality you will be balancing securit y levels wi th t heir costs, as well as wi th your

business practices and corporate culture. The wri tt en pol icy document you come up

with will reflect the difficult decisions you make during this process regarding

inf ormat ion access, corporat e st rategy, resource allocation and employee behavior.

And it w ill never really be fi nished : your securi ty pol icy wi ll essentially become a

dynamic insurance policy that you will modify regularly to keep pace with changes in

technology and your business practices. However, by creating a security policy for

your organization, you are taking an import ant step t oward elevating yourinf ormat ion securi ty pract ices so your organization can prosper in todays evolving

e-business world.

RSA Security Inc. 1

The need for information securit y

The processof developing an effective securi ty policy

Implementing your securi ty pol icy

Information about what other companies are doing


4/30

2


WHY YOU NEED A SECURITY POLICY

The essence of secur it y policy is to establi sh standards and guidelines for accessing

your corporate information and application programs. Typically, organizations startwith informal and undocumented security policies and procedures; but as your

enterprise grows and your workf orce becomes more mobile and diverse, it becomes

especially impor tant even necessary for your securit y pol icies to be documented

in w rit ing. Doing so w ill help avoid misunderstandings and w ill ensure that

employees and cont racto rs know how to behave. It wil l provide explicit guidelines

for your security staff, making it easier for them to enforce security policies

consistentl y. Furt hermore, a securi ty po licy facili tates internal discussion about

securit y, and helps everyone become more aware of pot ential securit y th reats and

associated business risks. Youll fi nd that a wr it ten pol icy generally tends to enhance

the performance of your security systems and the e-business applications they

support. It provides the guidelines necessary in determining the proper configuration

of systems and a bar against which you can measure the effectiveness of your

security efforts. A deciding consideration is that having a written security policy may

be required by law .

The need for security is increasingly obvious

Since 1996 the Computer Security Institute, in conjunction with the FBI, has conducted

an annual survey to monit or computer crime t rends. This research project is one

of the few that provides benchmark readings of information security issues from

year-to -year. Some of the key point s f rom the most recent (2000) survey include:

Most organizations surveyed have been victims of computer crime. 90% of

respondents admitted that they had been victimized by computer security

breaches in the previous 12 mont hs, compared to 62% in t he 1999 survey and

64% in t he 1998 survey. When considered in ligh t of the fact that many, if not

most computer crimes go undetected, i t is clear that the issue of securi ty

breaches should be of concern to every organizat ion.

Computer crime causes signi f icant damage. Not all organizations that were

vict imized by computer securi ty breaches were able to quant if y their losses.

However, the losses of the 42% of survey respondents that could t otaled

$265,589,940. Notably, the theft of propriet ary informat ion resulted in t he

highest financial losses, continuing a rising trend, followed by financial fraud.

Computer crime is increasing. The problem of information securit y is not limit edto the United States; in fact, many of the crimes reported in the CSI/FBI research

orig inated out side t he Unit ed States. A quick review of press report s show s that

information security is a problem for organizations the world over Japan,

China, India, Russia, Europe and Latin America. Simply put, as the use of

comput ing increases in a society, so grow s the risk of inf ormat ion crime.


5/30

Insiders pose as sign if icant a threat as outsiders. It is common t o think of

securit y in t erms of prot ecting network perimeters from hosti le out siders

attempting to gain access. But inappropriate insider behavior can be a bigger

threat, both more common and often causing greater financial losses than

out sider att acks. The 2000 survey report s that 71% of respondents detected

unauthorized access by insiders. In addition, simple abuse of Internet accessprivileges which af fected t he majorit y of companies in the CSI/FBI study

costs the enterp rise money in t erms of reduced product ivit y and wasted

network bandwidth.

There are many costs associated w it h securit y breaches

Direct f inancial loss. Customers credit card numbers, the companys merchant

account passwords, and employees personal checking account numbers are all

prime t argets fo r t hieves. And w hether or not the criminal is brought to justice,

indirect legal fees or fines resulting from the crime can add significantly to the

costs, especially in industries like banking and finance.

Lost sales and reduced compet it ive advant age. When proprietary sales

proposals, business plans, product designs or other inf ormat ion are stolen,

altered or destroyed, it can give compet itors a dist inct advant age. Lost sales

can result, and the impact can be felt long after the incident occurs.

Damage to your corporate reputation and brand. You work hard to build and

maintain your corporate image and t o establish t rusted relationships wi th your

customers and business partners. If proprietary or private information is

compromised, your corporate credibili ty and business relationships can be

severely damaged.

RSA Secur ity Inc. 3

The 2000 CSI/FBI Computer Crime and Security Survey


6/30

Privacy violation. Employees trust you to keep their personal information

private. Similarly, customers t rust you t o keep t heir credit card numbers and

credit histories confidential. If that privacy is violated, legal and other

consequences can result.

Business disrupt ion. When a service disruption occurs, your IT staff needs to

address the problem immediately. Hopefully, theyll be able to restore data from

backup files, and return systems to service without significant downtime.

However, in the case of mission critical systems, any downtime can be

catastrophic. And other times, lost data may have to be painstakingly

reconst ructed by manual means, prolonging t he t ime t hat systems are

functioning below acceptable levels.

A security policy mitigates your legal exposure

Your securit y poli cy guides the behavior of your employees and ensures that theyknow what you expect of them. Having a w rit ten po licy is mandatory if you expect

to be able hold t hem account able for their actions. In many count ries around t he

world , CEOs and senior management may be legally responsible for crimes involving

their organization. Punishment can include both fines and imprisonment. To avoid

thi s liabilit y, corporat ions generally need to be able to prove a good f aith eff ort to

deter criminal activity that utilizes their computer systems and networks. A

comprehensive securi ty poli cy will help reduce this exposure i t is expected t o

include w rit ten po licies and procedures to deter crime, securit y awareness programs,

discipl inary standards, monit oring systems consistent w ith current indust ry pract ices,

and immediate reporting of any detected crimes to law enforcement agencies.

Note that in the United States, good faith guidelines no longer consider simplepassword-only user ident if icat ion schemes to be adequate. Two-factor

authentication, consisting of something you know (a password or PIN) plus

something you possess (a physical authenticator), is now considered the industry

norm w hen evaluating the ef fect iveness of a securit y program. Under U.S. Federal

Sentencing Guidelines, an organizat ion s culpabilit y is lessened by having an eff ect ive

program to detect and prevent security violations.

In other countries the rules relating to computer security may be even more strict.

For example, in China the government has extremely demanding regulations relating

to encryption, which prevents some common software from being used in China. An

organization that t ranscends borders can use a policy to help maintain legal securit y

practi ces that dif fer f rom country t o country.

A security policy forces you to make return-on-investment decisions

Securit y threats have the pot ential t o exploit a vulnerabilit y in your organizations

comput er practices, wi th the potential f or damaging your inf ormation assets. The

threats you identif y wi ll run t he gamut from nat ural disasters to malicious hackers

penetrating your netw ork. Your job in developing a securit y policy will be to make

int elligent business decisions about the cost -effect iveness of reducing or elim inat ing

each of the threats and to base your decisions not on the fact the threat exists,

but rather on the associated r isks to your business. We ll discuss this assessment

process further in a subsequent section.


4


7/30

DEVELOPING AN EFFECTIVE SECURITY POLICY

The process for develop ing a wr it ten securi ty policy typically involves a task f orce

with representatives from a variety of functional groups. Be sure to include some business people, and not just IT, engineering and securit y staff . These business

people whether sales, fi nance or op erations wi ll ensure t hat the policy you develop

supports business practices rather than hinder them. Ultimately, it w ill be very

important for you to get senior management involved, and to get the CEO to endorse

your security policy. Upper management needs to send a clear message to everyone

in t he organization t hat inf ormation securit y is vitally import ant t o the company.

During this process, keep in mind t hat your securi ty policy cant be so st rict t hat it

incapacitates your business. And it needs to be enforceable; ot herw ise, your

employees wi ll i gnore it . Also consider t he role of out siders cont ractors and

business partners may require access to your information assets. Your task forces

ini t ial job wi ll be to assess securit y threats to your organizations inf ormat ion assetswit h respect to each of the following f undamental areas:

As the securit y task f orce makes decisions relating t o t he above securit y topics, it w ill

also need to balance four distinct business factors:

the information access requirements of different constituencies, both inside and

out side your company,

the value of the information stored,

the liability of the transactions available, and

the budgetary impact of implementing that securit y both the in iti al costs and

the recurring costs, like staff time.

RSA Security Inc. 5

Authentication ensuring that a user is who he says he is.

Authorization controlling what informationand applications a user can access.

Privacy and data integrity preventing unauthorized usersf rom seeing certain information, and prevent ing t hem from

making unauthor ized changes or deletions.

Non-repudiation making sure t hat part ies in a t ransact ioncant deny what t hey said or w hat t hey did.

Disaster recovery & contingency planning

Physical security


8/30

Obviously, it can be a dif f icult task t o establish a po licy that meets your desired

securi ty goals and your budget const raint s, and i s acceptable to all users. It is

important to get the right people on your policy-making task force. After assessing

user access needs, business risks, securi ty threats and p rot ect ion costs, this team w il lneed t o make objective ROI-based decisions based on tradeoff s bet ween risks and costs.

Having a wri t ten securit y policy in place, however, is just t he f irst step. You wi ll need

to effectively communicate that policy to employees, contractors and others. And

your staff will need to enforce the policy. Enforcement will involve managing access

control lists and authentication systems, monitoring networks and computer systems

for possible securit y breaches, and reacting appropriat ely when securit y violat ions

occur. You should also reevaluate your pol icy on a regular basis, as changes in t echnology

and business practices uncover new threats or reveal new onl ine business opport unit ies.

In the rest of this section we will provide some guidelines that should help you

organize the security policy-making process. The general sequence of steps yoursecurit y task force will fo llow wi ll be:

Assess requirements understand information assets, user access requirements,

business risks, security threats, protection techniques and ROI.

Writ e the securit y pol icy

Implement the securit y policy communicate it , enforce it consistentl y, and

reassess it regularly to address new security threats and take advantage of new

prot ection tools.

The Security Policy Cycle


6


9/30


10/30


Access required by users (1=highest need):

Asset Mktg Sales Admin Mfg Supp R&D QA IT

Sales database 1 1 2 1

Product draw ings 3 1 1 1 1 1

Product specif icat ions 2 2 1 1 1 1 1

Order database 2 1 1 2 1

Web sit e 1 2 2 1

Once you understand how users access inf ormat ion, you w ill need to evaluate each

assets relati ve import ance, and t he ri sks associated w it h i ts being stolen, damaged or

destroyed. Note that t he owner of t he information has the f inal say as to the value

of that information. The value of information assets may even be dynamic, changing

weekly, daily or even hourly.

Analyze security threats

Youre now ready to ascertain t he areas of vulnerabilit y for your netw ork and

computing platforms. During this phase many companies elect to get an outside

securi ty consult ant involved, in o rder to get an expert assessment of specif ic securit y

threats for t heir computer systems and netw orks. You may find it useful t o t hink in

terms of whether the threats originat e inside or out side your organization, or bot h;

keep in mind that research shows that insiders are as a serious threat as outsiders

if not more so.

Common threats to information security include social engineering, passwordcracking, netw ork monit oring, abuse of administrat ive tools, man in the m iddle,

denial of service, trojan horse, virus and address spoofing. Details on these common

threats are available in RSA Securi tys publi cat ion , A Guide to Secur it y Technologies.

Blindly applying technology to protect against every conceivable t hreat

is not the smartest way to deal w it h securit y. A better way is to identifyhow much business risk each threat poses howvulnerable are you, really, if a part icular t hreat occurs? This way of thinking

helps you minimize security implementation costs, andprovides the flexibility youll need to help you evaluate new threats.

By considering the business risks, as well as the out-of-pocket

expenses and t ime required to f ix each new vulnerabilit y, youl l be able to make

an intelligent business decision about whether it makes sense to

mit igate the threat . Note that your exposure is proportional tohow long it takes to f ix the problem, mult iplied by the level of risk involved.

8


11/30

Identi fy business risks

The risks to your business were covered previously, and include direct financial loss,

lost sales and reduced competitive advantage, damage to your corporate reputation

and brand, pr ivacy violat ion and business disruption. As part of your risk analysis,

you may w ant to quanti fy the business risks in t erms of expected, worst-case and

best-case scenarios to assist in your decision-making process.

For example, if all of your conf ident ial customer records are stolen, you could

log ically conclude that there will be di rect f inancial costs, some lost sales, legal and

PR costs, staff time to fix the problem, and security improvements. Knowing how

many customers you have, and estimating the various business costs, you might

est imate the worst case scenario t o cost your company up to $5M, t he expected

scenario to cost you $500K, and the best case still to cost $100K.

As another example, if your sales prospect database is stolen, you migh t def ine

the worst case scenario as losing all of the expected sales to those prospects, theexpected case as losing 50% of expected sales, and the best case as losing 20% of

the sales. Note t hat as part of this analysis, youd need to decide upon t he value

of a typical sale, and factor in the percentage of prospects that actually become

customers. The po int in doing this analysis is to assign numbers to each of the

perceived risks, so you can make some decisions about their relative importance.

You could define a spreadsheet to assist in this process, estimating the business costs

associated w ith each of your assets. You m ight def ine r isk f actors for the best-case

and worst-case scenarios, which get applied to your expected costs, such as:

Risk factor: 500% 100% 20% Expected cost ($000):

Worst Best Direct Comp Lost StaffAsset case Expect case $ loss loss sales Legal t ime

Prospect database $600 $120 $24 = $0 $20 $50 $20 $30

Product draw ings $1000 $200 $40 = $0 $50 $50 $0 $100

Product specs $850 $170 $34 = $0 $50 $40 $0 $80

Order dat abase $2425 $485 $97 = $300 $10 $50 $50 $75

Web site $350 $70 $14 = $0 $30 $10 $10 $20

Invest igate new business opportuni ties

As you assess your requirement s, keep in mind that securi ty i snt just about th reats

and ri sks. For example, t here are a number of st rategic e-business opport unit ies that

just wouldnt be practical without adequate information security. Secure Sockets

Layer (SSL) encrypt ion and digit al cert if icates prevent sensit ive inf ormat ion f rom

being compromised as it passes between Internet clients and servers. These

technologies let your customers order products and services safely, di rectl y f rom your

Web sit e. Similarly, these tools and ot hers give you the abilit y to develop a suppl ier

extranet that w ill let your purchasing agents issue purchase orders and t rack

incoming orders online, saving them time and improving your just-in-time inventory

availabil it y. And an encrypt ed Virt ual Private Network (VPN) can make sensit ive price

lists, sales report s and compet it ive insights available 24/7 t o your authorized sales

representatives around the world . All o f these e-business opportuni t ies are feasible

because of i nf ormat ion securi ty.

RSA Securi ty Inc. 9


12/30


13/30

Evaluate return on investment (ROI)

Knowing the threats to your information and your options for mitigating those

threats, you now need to evaluate the return on your security investment, balancing

prot ect ion costs against your business risk costs. Complete prot ect ion wi ll not be

feasible. An appropriate level of security involves implementing enough protection

so as to minimize your business risks, simi lar t o t he following graph:

As part of your ROI analysis, you may decide t hat the cost of implementing a

solu tion t o a part icular threat out weighs your w orst-case exposure. In that case, itobviously doesnt make good business sense to address that particular threat. For

example, it may not wor th investing in biometr ic authentication f or access to your

corporate intranet, since its information is intended for all employees, is not

especially conf ident ial, and the business risks of inf ormat ion loss or damage are

relatively minimal.



14/30

WRITE THE SECURITY POLICY

Once youve assessed your security requirements and understand the return on

investment (ROI) issues, its time to draft your security policy. Typical security policiesaddress most of the follow ing topics. There may be some overlap betw een your

securit y policy and your general comput er usage policy. Youll not ice that some

of the topics mentioned in this section, such as prohibiting employees from making

copies of commercial sof tware f or personal use, arent st rictly securi ty-related. But

they are an important part of establishing a do the right t hing mind-set among

your computer users and mitigate your legal exposure.

Cover lett er. A letter from the CEO will emphasize and reinforce the fact that security

is vitally import ant t o your organization.

Purpose. This sect ion i s typically a general overview or mission statement fo r t he

security policy document that explains its goals, to whom it applies, to what

information and equipment it applies, and the underlying business reasons for

having a security policy.

Responsibilities and authority. Your securit y poli cy should clearly define the

responsibilities for developing and enforcing the policy. This will typically include

defining w ho i s responsible f or reviewing and approving t he policy (probably an

information security committee), for establishing and maintaining the policy (possibly

a director of security), and for administering the security policy (typically IT staff and

system admin ist rato rs). In addit ion to defin ing everyones roles, this sect ion could

indicate that department managers are responsible for ensuring that their staff

understand and adhere to the securi ty policy.

Definitions. It s useful to def ine t he technical terms used in t he securi ty policydocument for non-technical readers; this may take the form of a glossary of terms at

the end of the security policy document.

Information ownership and access rights. This will be a general statement defining

the ownership and access rights for the information stored on your computers or

transmit ted via your network. You may want t o relate th is policy to related HR

policies. The intent is to let your employees know that you have the right to monit or

their e-mail or f iles, should you so choose.

Computer system usage. This sect ion def ines the primary purpose of your companys

computer systems as being for your business purposes only. It may stipulate whether

your employees can utilize your computers and network infrastructure for personaluse, and the conditions under which they may do so. A general statement about user

accountability is appropriate for this section, to make employees aware that they are

fully responsible for maintaining the secrecy of their user ID and password, as well as

all ot her proprietary company inf ormat ion, and possession of any securit y devices,

such as authentication devices and smart cards.

12



15/30

Access cont rol . This section should include information about the administrative

controls and procedures for providing access to your companys computer systems

and netw orks. The access cont rol sect ion will typically d iscuss the f ollow ing poin ts:

Identification and authentication. Users will need at least a valid user ID and

password to gain access to your network. You may choose to restrict access to

standalone, non-networked comput ers in a similar way. St rong, or tw o-factor

authentication e.g., tokens or smart cards in addition to a user ID and

password has become t he requisite prot ection for sensit ive information and

systems. You should identify which of your users need access to sensitive

information and systems, and will need to use strong authentication.

Keeping user IDs and passwords secure. This section should discuss basic

guidel ines for keeping users IDs and passwords secure, such as how to choose a

good password (e.g. six to t welve characters, mixed upper and lowercase,

includes numbers, doesnt have any personal i nf ormat ion, doesnt consist of a

dictionary word, isnt descriptive of their work activity, etc.), never sharing or

revealing a user name or password, and not storing unencrypted passwords on

comput er media.

Account administration. Someone typically authorized security staff, system

administrators or IT staff will need to assign and maintain login accounts,

work group pr ivileges, e-mail addresses, any authenti cation devices and digit al

certificates across a variety of computer systems and networks.

Privileged access. You wi ll need rules about w ho gets root , super-user or

admin access to your computer systems. Generall y, th is pri vileged access shou ld

be reserved str ictly f or the system administ rator.

Access by non-company personnel. If cont ractors, customers or vendors will be

allowed to access your computer systems and network, you will need to define

the condit ions for t heir access.

Remote access and telecommuting. You should define who will be permitted to

access your computer netw ork remot ely. Department managers are usually

responsible fo r aut hori zing remote access fo r t elecommuting w orkers, sales

personnel and ot hers with a valid business need. Staff requirements for remote

access should be reviewed on a regular basis. You w ill also need to def ine how

remot e users gain access to your networks for example, by dialing in to a

dedicated securit y server, but not by direct modem access to any individual

desktop computer on your network. If appropriate, you should emphasize the

importance of user authentication for remote access, and make people aware

that an audit t rail w ill be recorded f or t heir remot e access sessions.

Unatt ended computers. When users walk away from their desks, their logged-on

computer presents a netw ork securit y risk. Discuss any requirements for logg ing

off the netw ork w hen users leave their desk, or for using soft ware that w ill

prevent access (by blanking the screen and/or locking the keyboard) i f a users

comput er remains idle f or some period of time.

Unauthorized computers. Many users own personal computers. You should

def ine t he circumstances under w hich users are permit ted to br ing personal

computers into the office, and the conditions under which they can connect

them to your netw ork.



16/30

Non-netw ork connections. Its generally not a good idea to allow non-network

communications (direct modem access) between individual computers on your

network. And especially not with computers outside of your company.

Non-netw orked computers. All standalone computers should have appropriate

access controls.

Electronic mail. You need to emphasize to users that e-mail makes it all t oo easy to

make your p roprietary corporate information visible t o t he public. Your general

e-mail policy should clearly state whats permissible content. In addition to not

sharing sensit ive corporate inf ormat ion, you should probably ban messages wh ich

contain threats, racial slurs, sexual harassment or which circulate chain letters.

Some specific e-mail security issues include:

Privacy. Emphasize that corporate information needs to be kept private, and t hat

employees are not permitted to access or share information that doesnt relate

to their jobs. Discuss the fact that sensitive corporate information should beencrypted t o ensure privacy whi le the information is in transit.

Message encryption. Discuss the specific e-mail encryption tools and techniques

which you recommend or require, including guidelines for managing public and

private encrypt ion keys.

Monitoring. As mentioned above, you should point out to employees that t heir

e-mail messages are corporate inf ormat ion, and that they may be scrut inized by

corporate management. Discuss any restrictions on employees using your

corporate e-mail capabilities to communicate with family and friends outside

your organization.

Message forw arding. You should advise users to exercise caution whenforwarding e-mail messages that may contain sensitive corporate information

which should only be viewed by certain people. You might want to place

restrictions on forwarding internal messages to outsiders, and to prohibit

bulk e-mailings.

Message archiving. Received e-mail messages tend to accumulate and take up

valuable storage space. You may want to def ine ru les fo r w hen users un -needed

messages should be purged, and what their responsibilit ies are in t his area. Will

old messages be deleted automatically, or do users need to manage this process?

It w ould be appropriate to define your corporate backup pol icies wi th respect to

users archived messages.

Laptops, notebooks and handhelds. Port able computers designed for use by mobi leprofessionals present some unique issues, and require both physical and electronic

securi ty precaut ions. You should discuss the responsibilit ies of por table comput er

users, including what happens when their portable computer is lost or stolen.

Specific security issues include:

Theft prevention. You may want to suggest techniques for preventing t heft ,

such as using a locking cable and/or an alarm, and never leaving port able

comput ers unatt ended.

Identification. You should use inventory control labels or engraved markings to

identify portable devices as being the property of your company. You should

define who will maintain the inventory records for portable devices, especially if

these devices are shared by multiple people.


14


17/30


Propert y checkout procedures. You may want to have a checkout pol icy in p lace

for devices which are shared among multiple people, or which employees

remove from your f acilit ies.

Loss or t heft reporti ng. If a port able device is lost or stolen, t he user needs to

report t hat fact prompt ly.

Access control. Since sensitive information will likely reside on the portable

computer, you may want to requ ire access cont rol sof tware, so t hat users have

to enter a user ID and password or two-factor tokencode in order to use

the system. It may also be a good idea to require use of a screen saver that

blanks the screen and requires users to reenter their ID and password whenever

the system has been idle for awhile. As part of the property check-out process,

security staff may need to configure each portable devices user ID, password

and screen saver.

Preventing unauthor ized observation . Wit h improvements in t he viewing anglesof computer displays, you should caut ion users to shield their po rt able devices

f rom the curious eyes of airline passengers in neighboring seats.

File encryption. To protect sensitive information on portable computers, even if

they are stolen, you may want to require encryption sof tw are to be installed and

used on these devices.

Virus detection. Since portable computers are somewhat more li kely to be

exposed to computer viruses, its appropriate to require virus detection software

to be installed, properly configured and updated regularly.

Returning leased equipment. From t ime t o t ime employees may need to lease

equipment that stores information (such as a laptop computer). You should makeemployees aware t hat they need to remove any sensit ive inf ormat ion (sales

presentat ions, price lists, business plans), from the leased equipment prior to

returning it . You may need to define guidelines fo r how to delete fil es so as to

prevent their cont ents from being recovered.

Equipment repairs. Computers do fail, and sometimes need to be sent to an outside

vendor f or repair . You may want to requi re users to encrypt any sensit ive fil es to

minimize t he possibly t hat outsiders can view proprietary inf ormation stored on

broken comput er hardware whi le it is being repaired.

Disposal of removable media. You should make users aware that sensitive

information stored on floppy disks and other removable media can be recovered

even aft er the f iles have been deleted. You may want to requi re users to dispose of

all removable media by returning the media to your IT department , where it can be

bulk-erased and/or physically destroyed.

Sof tw are securit y. You will need to discuss who has access to application software

and its associated data, software licensing issues, computer virus prevention, and

software updates and version control.


18/30

Access cont rol for app lications and data. Application sof tw are residing on

servers may be accessible to anyone on the network, so you may need to

establish specific access control requirements for these programs. Similarly,

the data files used by these applications will need to be protected fromunaut hori zed access by users not running the application.

Sof tw are license agreements. You need to ensure t hat employees understand

and adhere to the terms of software manufacturers license agreements, and to

make them aware that all soft ware is prot ected by copyright.

Personal use. Employees should not be permit ted to make copies of

company-purchased sof tware for their personal use, as this typically violates

sof tw are license agreement s. You may even want to go so f ar as to prohibi t

employees from using any software on your company computers for

personal purposes.

Installing unauthorized software. All of your software commercial, public-domain or shareware should be installed by appropriate IT staff , and should

only be used for its intended purpose.

Virus cont rol. IT staff are typically responsible for installing anti-virus software on

corporate computer systems, and for configuring it properly and keeping its virus

definition files up-to-date.

Change control. Your IT staff should have a sof tware upgrade policy. When a

new sof tw are version comes out , it wil l need to be tested f or compatibilit y and

security prior to its being installed on the appropriate computers.

Internet security. In addition to creating new business opportunities, widespread

desktop Internet connectivity via e-mail, Web and other services has associatedsecurity risks.

Uploading and dow nloading fi les. Files downloaded or received as e-mail

att achment s need to be checked f or comput er viruses prior t o use. You may want

stricter controls for downloaded application programs, perhaps requiring them

to fi rst be tested on non-networked comput ers to ensure they won t delete files

or o therw ise damage the involved machine. You may also w ant to rest rict users

from uploading certain types of files, or attaching them to e-mail messages

software applications, proprietary source code or other intellectual property,

and unencrypted sensitive corporate information.

Access cont rol. Your networked computers may support anonymous file transfer

protocols (FTP) to exchange data and applications. You should caution users tonot put sensitive internal company information into these systems publicly

accessible directories unless doing so has been approved by management. And

you may want to establish a policy of removing all pub lic informat ion f rom t hese

directories on a regular basis, to minimize the possibility of inappropriate

informat ion t ransfer. St ricter access cont rol via username/password, and possibly

authentication devices, may be appropriate.

Encryption. Users may attach sensitive information to e-mail messages, enter

it int o Web page forms, or up load i t to remote servers via FTP. In each of these

cases, it is a good idea to require encrypting the info rmation appropriately to

prevent it from being intercepted. Your policy should discuss appropriate

encryption methods and guidelines, such as using Secure Sockets Layer (SSL)prot ocols and digi tal certif icates from an approved cert if icate authorit y.


16


19/30

Privacy. All users should be aware that t heir electron ic communications may be

viewed by t hird part ies; users should either encrypt sensit ive company

information, or just not send it via e-mail.

Personal Internet use. Typically, users are expected t o use the companys

infrastructure to access or exchange information only for appropriate business

reasons. If you want to allow employees to access Internet services for personal

purposes, you w ill need to def ine personal Int ernet usage guidelines. For

example, employees may be allow ed to surf the Web or send personal e-mail

messages f rom their deskt ops on their own t ime, as long as doing so doesnt

disrupt other company business; but they should generally not be permitted to

access inappropriate Internet resources (adult Web sit es), conduct non-

company business activities, or do bulk e-mailings.

Publ ic representat ion . Ensure t hat employees understand t hat publ ic statement s

they make on behalf of your company in e-mail, newsgroups, mailing lists,

bulletin boards or chat rooms may need to be cleared ahead of time with

management. They should clearly indicate when opinions are their own (not

your companys), and t hey should be cautioned t o avoid any libelous statement s.

Netw ork securit y.

Rout ers and fi rew alls. All connections from the public Internet to int ernal

company networks should be protected by router/firewall systems which deny

services not explicitly permitted. In addition, you may decide to configure the

fi rewall t o only perm it services which can be o f fered securely. For example, you

may want to permit TCP, DNS, mail and news feeds from specific news servers,

but to block all ping queries and non-authenticated Telnet log-ins. Your policyshould define w ho has the responsibilit y for maintaining and conf iguring your

networks rout ers and f irewalls, and emphasize the need f or strict access cont rol

for these systems.

Internetworking. When connecting separate company LANs or WANs, you may

want to also require t he use of fi rewalls to isolate t hem and make their

information available only to certain employees on a need-to-know basis. Also,

any virtual private netw ork (VPN) connections via the insecure pub lic Internet

should u ti lize encryption to insure information privacy and integrit y.

Standalone netw orks. Standalone netw orks which arent connected t o t he public

Internet or to other company networks still require appropriate access control

and aut hentication techniques.

Modem use. Generally, modem access to corporate netw orks should only be via

managed modem pools using access cont rol and aut hent icat ion. Modems should

not be connected direct ly to users net worked computers. Remote users should

not gain modem access to the network via computers that are also connected to

some other netw ork.



20/30

Physical security.

Workstations. You may want to consider methods cables, locks, bolts for

attaching equipment to desktops to prevent users from removing comput er

workstations and associated peripherals.

Laptops. As discussed previously, laptops are easily stolen. You may want to

require use of a locking cable or an alarm, and t o caut ion users to never leave

port able comput ers unatt ended.

Servers. In general, workgroup and Web servers should be isolated and made

accessible only to system admin ist rato rs and appropr iate IT staff . Depending on

the nature of the inf ormation stored on the servers, it may be appropriate to

locate the server in a locked room or o ther access-cont rol led environment .

Network infrastructure. In a similar fashion, routers, firewalls and other

inf rast ructure systems should be isolated and available only to appropriate

IT staff .

Auditing and monitoring.

Audit trails. Its a good idea to maintain an audit trail of user acti vity, both at

firewalls and on Web and application servers. Audit trail log files should be

examined on a regular basis by security staff to determine if unauthorized

act ivit y has taken place; these log f iles should t ypically be archived for a year

or so.

Intrusion detection. Netw ork monit oring sof tw are tools can be used to sound

alarms, alerting security staff when suspicious activity occurs.

Securit y t raining and aw areness. Your securi ty pol icy should include a general

discussion about the importance of your security training program, and should

emphasize each employees responsibilit y f or att ending t raining sessions and

increasing their security awareness.

Cont ingency planning. Like natural d isasters, inevitably a securi ty at tack w ill take

place and disrupt your no rmal business operat ions. It s import ant to have a plan in

place so everyone understands how to recover and resume normal bu siness operat ions.

Backup and recovery. Mission-critical application software and data files on all

computer systems should be backed up regularly, so they can be restored in case

of a security disaster or system failure. Backup media should be tested

periodically, and the backup data analyzed to be sure that applications and data

f iles can be restored successfull y.

Off-site storage. Copies of backup media should be stored off-site, far enough

away to min imize the risk of damage from t he same natu ral or man-made

disaster. Off -sit e storage f acilit ies should meet appropriat e industry standards

and should provide adequate environmental and physical prot ection fo r your

backup media.

18



21/30

Disaster recovery. It s w ise to establish a d isaster recovery plan for all comput er

systems and applications which you consider critical for doing business. In

general, the goal of th is plan is to expedit e the recovery of lost data and t he

resumpt ion of business operat ions, possibly using another computer system oreven at another facilit y. It s also a good idea to test your di saster p lan annually,

and modif y it appropriately if short comings become apparent .

Reporting security problems. Users should not if y secur it y staf f as soon as possible

when an intrusion or other security problem occurs even if a problem is simply

suspected. Users should report the loss or disclosure o f inf ormation t o

unauthorized parties, the loss or theft of passwords (or two-factor tokens), and

any unusual system behavior, such as missing files, system crashes or misrouted e-

mail, which could be caused by a computer virus. Users should be cautioned not

to discuss suspected security problems in detail with non-security personnel.

Contacts and inf ormation . Its import ant t o define whom employees should

cont act when t hey have securit y-related quest ions, to report securit y prob lems,

or t o obt ain a copy of your securit y policy or related documentation. It may be

appropriate for you to develop a security FAQ page on your corporate Intranet,

cont aining responses to employees typical securit y-related quest ions, and a

central repository for public security policy documents.

Discipli nary action. You should emphasize that you will take disciplinary action

against any employee, cont racto r, or other user of your comput er systems who

commi ts a securit y violat ion. This discipl inary act ion may include terminat ion of

their employment or contract, and those involved may also be subject to

criminal prosecution.



22/30

IM PLEMENT THE SECURITY POLICY

Communicate the policyOnce you have wri tt en the securit y policy, you need t o put it in place wi thin

your o rganizat ion. To do so successfully, you will need to ensure t hat all employees,

contractors and other personnel who access your computer network not only

understand t he pol icy, but also w hy it is required. Basically, you w ill have an

ongoing need to sell your policy to the various constituencies within your enterprise

both upper management and staff through meetings, presentations, security

briefing documents, e-mail messages, posters, newsletter articles and whatever

other communication tools you can think o f t hat are appropriate for your

corporate culture.

As wi th any good marketing communication p rogram, you need to art iculate the

benefi ts of your product. In th is case, your product is securi ty. Typical benef it s

include minimizing financial loss, maintaining a positive public image, helping

prevent l it igation, and retaining your int ellectual property and competit ive

advantage, as well as just plain keeping the company viable so everyone has a job.

In addition to making everyone aware of the big picture, of course, you w ill need to

ensure that people are adequately info rmed about all t he details of your securit y

policy like how to choose a good password, when t o change it , what to do if you

detect a comput er virus, rules for personal Int ernet access, and what to do when

your laptop comput er is stolen. You w ill need t o f ully brief new employees on your

comput er securit y policy at the time they hire in .

Also keep in mind that your security policy will evolve and change. It will pay to

devise standard w ays of communicating these policy changes to your organization,

like regular security briefing meetings, company newsletter articles or written

securi ty pol icy upd ates. An underlying objecti ve of all of thi s recurring communication

is awareness making sure t hat everyone is thinking about computer securi ty and

understands its role in keeping your business healthy and successful. Addi t ionall y, it

becomes easier t o identi fy personal responsibilit ies wh ich in t urn usually enforcing

the policy easier.

Enforce the pol icy

Administering your security policy may require allocating additional human

resources. Your IT or security staff will likely have new responsibilities for accesscont rol and aut hent icat ion. They wil l need to manage user account s, passwords,

group membership, two-factor authentication devices and digital certificates. In

addition, they wi ll likely need to install and use network securit y tools to wat ch f or

suspicious activity. These tools will help them proactively test and verify servers,

f irewalls and rou ters to ident if y securit y holes or breaches. Similarly, they w ill

probably need to select, i nstall and use watchdog soft ware t hat monit ors netw ork

t raf fi c and/or OS commands and t riggers an alarm if an event occurs which is

contrary to your security policy. In addition, the security staff will need to spend time

analyzing log f iles f rom Web and appl icat ion servers, as well as checking audit t rails

when suspicious events occur. These tasks will typically be in addit ion to more

mundane responsibilit ies, like backup and recovery, installing new soft ware and

20



23/30

updates, keeping everyones virus definitions up to date, repairing hardware, and

assist ing employees wi th t heir computer-relat ed problems. You should also

periodically test the enforcement mechanisms to verify theyre providing the

int ended levels of prot ection.

When violations of your securit y policy occur, it wi ll be impor tant fo r you t o t ake

appropriate and consistent discipl inary action. For employees, penalt ies may range

from loss of pay or privileges to fi ring, depending on the severity and number of the

violat ions. Malicious netw ork access or ot her violations by out siders should almost

always be reported to the appropriate authorities for possible criminal prosecution.

Reassess the policy

The reality is that once youve written the security policy and have begun

implementation, its probably time to reevaluate the policy. The rapid pace of

technology and the astronomical grow th of Internet use mean t hat new securit ythreats appear more and more f requently. In addition to the new securit y threats,

your organizations business strategy may shift. A new business focus can affect

your securit y pol icy by altering your analysis of t he business risks and return on

investment evaluations. These factors combine to make it mandatory for you to

continually reevaluate and update your written security policy at least quarterly,

if not mont hly.



24/30

SUMMARY

A securit y policy is a formal statement of the rules that employees and ot hers must

follow when using your companys computer systems and net works. Its purpose is tomake everyone aware of their responsibilit ies for prot ecting your organizations

information assets, and it should specify the details of how to do so. Developing the

security policy involves assessing your information assets, security threats, and

business risks; put ting appropr iate pol icies int o w rit ten form; implementing t hose

policies; and then repeating that cycle updating your written security policy on a

regular basis and ensuring that everyone in your organization remains mindful of

their inf ormation securit y obligations.

It is our hope that this guide has both convinced you that you need a security policy,

and provided some insight int o t he pol icy-development process. As your securit y

pol icy evolves, at some point you may decide t hat you requi re some expert out side

assistance. If so, RSA Securi tys wor ldwide services organizat ion of fers complet econsulting, design, implementation, training and support services.

22



25/30

POLICY EXAMPLES

Follow ing are a few excerpts f rom various organizations securi ty poli cies:

Access cont rol ...

Securit y procedures must be implemented t o prevent unaut hori zed access to

computers, network resources and data. Only employees of [Company] and

contractors who have been briefed on the acceptable use policy of [Company] will be

given access to the network. Managers shall decide the level of access for each

employee. Final permission to access the netw ork will be the responsibilit y of the

Securi ty Commi t tee. Individuals w ill be issued a unique username. When an

employee terminates employment, Personnel will notify the Security Committee and

IT, and steps will be taken to disable that users accounts and access to internal and

external netw orks. Account logon and logof f in formation w ill be recorded for

security audits.

Warning notice...

The following not ice will be displayed to all users when t hey access [Company]

computer systems: Warning: Only [Company] author ized users only are allowed to

use this system. Access by anyone else is unauthorized and prohibited by law.

Monitoring fo r purposes of administrat ion and securit y may take place, to which you

consent by proceeding.

Passw ord management ...

Passwords wil l have a minimum of six alphanumeric characters. No common w ords

or phrases are acceptable. Passwords should be difficult for others to guess.

Administ rators will test for weak passwords. Passwords must be kept private. Do notshare t hem or w rit e them down. Passwords must be changed every 90 days. Af ter

th ree failed logon at tempt s, account access wi ll not be permit ted, and aut omatic

not if icat ion w ill be sent t o t he system administ rator. Highly sensit ive systems will

generate an alarm after excessive violations. Sessions will be suspended after twenty

minut es of inactivit y.

Strong authent ication...

Approved products will be used to gain remot e access to the netw ork, as well as to

highly sensitive systems. Keep strong authentication devices safe. Do not store them

with the computer to which they enable access. Report it immediately to the Security

Committee if an authentication device is lost or stolen, and administrators willdisable the device. The devices associated Personal Identification Number (PIN) or

password must be kept pr ivate. Do not share it o r w rit e it down.

Digit al signatures and cert if icates...

Only use Digital Certi f icates f rom [Company] approved Cert if icate Authori t ies. Use

digit al certif icates to identif y both the user and the server, and in conjunction w ith

SSL. Prot ect stored cert if icates and keys wi th st rong aut hent icat ion.



26/30

Data encrypt ion f or data at rest and in t ransit ...

Encryption must be used to secure dat a sto red in non-secure locations or

transmit ted over open netw orks, including t he Internet. Encryption must be used to

secure at all times any data classified highly sensitive. [Company] approved

encrypt ion services and products must be used, wi th a min imum key length of

128-bits recommended for highly sensitive data. Note the use of any algorithm or

device must also comply wit h t he laws of t he count ry in w hich t hat data encryption

will be used, and may necessitate a shorter key length .

Encrypt ion keys...

The keys to be used for encryption must be generated by means that are not easily

reproducible by outside parties. Only [Company] approved hardware or software

random number generators will be used, to ensure security and interoperability.

Encryption keys will be treated as highly sensitive data with restricted access.

Encryption keys that must be transmitted, as in symmetrical or secret key systems,must be t ransmit ted by secure means: use of pub lic key-exchange algorit hms,

double-wrapped internal mail, double-wrapped courier mail. Encryption keys must be

changed at the same frequency as the passwords used to access information. All

encrypt ion keys must be made available t o management via [Company] approved

key recovery implementat ions.

Publ ic keys...

In publ ic-private key systems, publ ic keys must be dist ribu ted or stored so t hat they

are accessible to all users. Digital certificates may be used to distribute public keys via

Certi f icate Aut hor it ies. In publ ic-private key systems, private keys will be kept private

by users, subject to the same rules as user passwords.

24



27/30


28/30

Worldw ide Service and Suppor t

RSA Securi ty of fers a full complement of world-class service and support of ferings

to ensure t he success of each customers project or deployment th rough a range of

ongoing customer support and professional services including security assessments,

project consult ing, implementation, education and training, and developer support .

RSA Professional Services consultants have years of hands-on experience helping

customers def ine and implement securit y poli cies, including:

Corporate security policy definition and systematic review planning.

IT security policy covering system hardening guidelines, password rules,

session t imeout parameters, and DMZ system administ rat ion.

Publi c Key Inf rast ructure (PKI) policy covering minimum key lengt hs, key expiry,

certificate revocation frequency, registration and authentication requirements,

key backup and recovery, and trusted signer certificate distribution.

Service Providers agreement review for denial of service and security

att ack provisions.

Comprehensive logging strategy definit ion including generating alerts fo r

outages and suspected security incidents.

Disaster recovery planning and t est ing.

Contact RSA Secur it ys Professional Services Group if your organization needs help

with your specific security policy issues.

26



29/30

NOTES



30/30

ACE/Server, SecurID, BSAFE and Keon are registered t rademarks, and RSA i s a trademark

GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS

Documents

Transcript of GUIDELINES TO SECURITY POLICY FROM RSA. LEARN FROM THE PEOPLE WHO IS IN BUSSINESS