Security Policies University of Sunderland CSEM02 Harry R. Erwin, PhD.


A Definition

• The US and UK security communities define ‘policy’ differently.

• The US security community is concerned with the organizational security policies that the system must meet irrespective of risk.

• The UK security community is concerned with formally defined policy goals that the system must meet. This is lower-level. RFC 2196 takes a similar perspective, as does Microsoft. This is closer to a ‘security objective’ in the US sense.

• I will usually use the US definition—but be aware that the word is used in two different ways.


Examples of Policies

• Corporate policies

– Reputation

– Risks involving lives

• Legal policies:

– EU Data Protection Directive

– US Privacy Act

– Protection of classified information

– Protection of evidence

– RIPA

– Other legal liabilities


Typical Corporate Policies

• Reputation

– The most valuable possession of a corporation or partnership.

– Most companies will fire you if you damage their reputation.

• Risks involving lives

– No managing director wants to go to jail for corporate manslaughter.

– Companies that accept risks involving lives are likely to have their reputation damaged.


EU Data Protection Directive

• http://www.privacy.org/pi/intl_orgs/ec/final_EU_Data_Protection.html

• Protects the informational privacy of individuals as follows:

• 1. Member States shall provide that personal data must be:

• (a) processed fairly and lawfully;

• (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

• (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or for which they are further processed;

• (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

• (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.


EU DPD Considerations

• Applies to private groups, corporations, and individuals.

• Requires that data collection must be justifiable.

• Data on national origin, etc., cannot be collected except under certain circumstances.

• Data collectors must notify the individuals and the government and follow the law.

• Data collectors face potential liability.

• Does not protect the individual against data collection by governmental agents.


US Privacy Act

• Applies only to the federal government, not to states, corporations, or private individuals.

• SCOTUS (Supreme Court of the US) has held there is a constitutional right to freedom of commercial speech. This trumps any individual right to informational privacy and allows non-governmental agents to collect information on anyone.

• This conflicts directly with the EU Data Protection Directive. No resolution is likely any time soon.


US Department of Defense Security Policies

• Individuals shall be held accountable for their actions.

• Authorities shall be immediately notified of all threats and vulnerabilities.

• Information shall be used only for its authorized purposes.

• Information shall be available to satisfy mission requirements.

• Guidance documentation shall be available defining installation and use.

• Only authorized persons and processes shall access information.

• Information shall retain its content integrity.

• Information systems security shall be an integral part of the system lifecycle.

• Information shall be appropriately marked and labeled.

• Information shall be physically protected to prevent unauthorized disclosure.


Individuals shall be held accountable for their actions.

• Security mechanisms must enforce the following:

– Individuals using the system must identify and authenticate (I&A) themselves, and

– A record of their actions (an audit trail), suitable for use in a court of law, shall be maintained.

• It is inadequate to enforce group responsibility.

• On the other hand, procedural I&A and audit trails are adequate to meet this.


Authorities shall be immediately notified of all threats and vulnerabilities.

• In part, this is a procedural requirement—system administrators and security administrators must track potential threats and vulnerabilities.

• It also implies that the audit trail should be checked on a regular basis for developing problems.

• Intrusion detection may be required.


Information shall be used only for its authorized purposes.

• Unauthorized use must be precluded.

• This can be done procedurally or by automatic enforcement (access control).

• This policy cannot be automatically enforced in most distributed system architectures since it requires a single-threaded security manager.

• Tough.


Information shall be available to satisfy mission requirements.

• Availability

• Non-modification

• Non-destruction

• Clashes directly with confidentiality.

• Most military and intelligence systems incorporate a ‘battle short’.


Guidance documentation shall be available defining installation and use.

• In other words, both users and security administrators should have the manuals they need to manage and use the system.

• Should describe all the considerations in use.

• Should define how to install the system securely.


Only authorized persons and processes shall access information.

• To access information, a person or a process must identify itself so that its authorization can be checked. Mandates:

– I&A

– Access control

– Audit
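
The three mandates on this slide, together with the individual-accountability and authorized-purpose policies from the earlier slides, sketched as one mediation point (an added example, not part of the original lecture). The user names, passwords, `payroll.db`, the purpose strings and the hash-chained log are assumptions made for illustration; the chaining stands in for the tamper evidence an audit trail needs before it can be relied on as evidence.

```python
import hashlib, hmac, json

def _pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data; every name and password here is hypothetical.
# Credentials and rights are held per individual, never per shared account.
USERS = {"alice": (b"s1", _pw("correct horse", b"s1")),
         "bob": (b"s2", _pw("battery staple", b"s2"))}
# (user, object) -> permitted (action, purpose) pairs
ACL = {("alice", "payroll.db"): {("read", "audit"), ("write", "payroll-run")},
       ("bob", "payroll.db"): {("read", "payroll-run")}}
GENESIS = "0" * 64

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class ReferenceMonitor:
    """Single mediation point: I&A, then access control, then audit."""

    def __init__(self):
        self.audit = []  # append-only; each record carries the previous hash

    def request(self, user, password, obj, action, purpose):
        # Unknown users go through the same hashing path and then fail.
        salt, stored = USERS.get(user, (b"none", b""))
        if not hmac.compare_digest(_pw(password, salt), stored):
            decision = "deny:authentication"
        elif (action, purpose) not in ACL.get((user, obj), set()):
            decision = "deny:authorization"
        else:
            decision = "permit"
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        rec = {"user": user, "object": obj, "action": action,
               "purpose": purpose, "decision": decision, "prev": prev}
        self.audit.append({**rec, "hash": _digest(rec)})  # denials logged too
        return decision

    def verify_audit(self):
        """Recompute the chain: edits, reordering and mid-log deletions
        break it (tail truncation needs an external anchor)."""
        prev = GENESIS
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```

Because every request passes through `request()`, a read for an unlisted purpose is refused even when the same user may read the object for another purpose, and the refusal is recorded against the individual who asked.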


Information shall retain its content integrity.

• Only authorized users and processes may change it, and only when authorized to change it.


Information systems security shall be an integral part of the system lifecycle.

• In other words, plan for it and manage it.

• Start early.

• Take it into account at all stages.


Information shall be appropriately marked and labeled.

• UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET, TOP SECRET/CODEWORD or their UK equivalents.

• This is so users will know the sensitivity.

• Not usually applicable outside of classified environments.

• Painful.


Information shall be physically protected to prevent unauthorized disclosure.

• Again, UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET, TOP SECRET/CODEWORD or its UK equivalent.

• Keep it in safes or the equivalent unless it is in use.

• Facilities need to be guarded and locked.

• When in use, follow procedures.

• Storage media with classified information need to be protected, too.

• Security violations tend to be unpleasant. At TRW, you had to meet with the division general manager on a Saturday at 5 AM.


Summary

• Organizational policies address vulnerabilities where no risk analysis is appropriate.

• They must be complied with.

• Life is hard...