8.3. Generating Policies and Procedures

The policies and procedures your organization uses have a huge impact on your ability to manage a secure environment. Although your primary role isn't that of policy maker, you need to understand four critical areas to succeed. The following sections discuss human resource policies and business, certificate, and incident-response policies.

8.3.1. Human Resource Policies

Human resource policies help the organization set standards and enforce behaviors. From a security perspective, this is critical. As a security administrator, you won't generally be making policy decisions, but you have an impact on how policies are developed and enforced.

Human resource policies that consider security requirements will make your job easier. If the people the company hires are trustworthy, internal security problems will diminish. This will free up resources to address other aspects of the business that need attention. In the following sections, we'll look at each type of personnel security policy.

8.3.1.1. Hiring Policies

Hiring policies define how individuals are brought into an organization. They also establish the process used to screen prospective employees for openings. Your organizational hiring policies should establish expectations for both the interviewer and the prospective employee.

Most organizations that work with the government have mandatory drug-testing requirements. Experience and studies have shown that drug users tend to perform inconsistently, have a higher incidence of theft, and are vulnerable to social engineering or compromises such as blackmail.

Your organization should also investigate references, college degrees, certifications, and any other information that is provided as part of the screening process. Security professionals should be screened more thoroughly than many other employees. A special trust is being imparted to security professionals, and this trust should be given only to people who are worthy of it.

Policies should exist to define how users are added to a company's network when hired. Those policies should dictate who can add a new account as well as who can formally request one. They should also define who approves access to the system and the levels of access granted to initial accounts.

8.3.1.2. Termination Policies

Termination policies involve more than simply firing a person. Your organization needs to have a clear process for informing affected departments about voluntary and involuntary terminations. When an employee leaves a company, their computer access should be discontinued immediately.

If an involuntary termination occurs, you should back up the system they use as well as any files on servers before the termination occurs. Terminations are emotional times; if information is archived before the termination, there is less chance that critical records will be lost if the employee does something irrational. Most people won't do anything unusual, but you're better safe than sorry.

In many cases, ex-employees find themselves with time on their hands. That time could be spent trying to hurt the company that hurt them—through social engineering or other means. Your job is to make certain they can't use that time to find weaknesses in your system and cause harm.


Make sure your termination policies mandate that the appropriate staff is notified when a termination is about to occur so that accounts can be disabled, systems backed up, and any other measures taken that are deemed appropriate. The timing for ordinary accounts may be debatable, but a privileged user account must always be disabled immediately upon that user's termination. Remember that disabling the directory account alone does not revoke everything: any shared passwords, API keys, SSH keys, and VPN or remote-access credentials the person knew or held must also be rotated or revoked.

NOTE

Many times, a termination policy includes the clause that, upon termination, a former employee must be escorted at all times while performing post-termination activities (cleaning out their desk, hauling items to their car, and so on).

NOTE

While it is easy to think of hiring and termination when it comes to HR issues, don't forget to consider what lies between the two. It is important that as an organization drafts its policies, it includes one for mandatory vacations (requiring users to take time away from work). Studies have shown that without a respite, employees can become myopic. Time away from work, even when forced, can be not only relaxing but also advantageous; from a security standpoint, a mandatory vacation also forces someone else to cover the absent employee's duties, which is one of the most reliable ways to surface fraud or concealed mistakes that depend on one person never leaving their post.

8.3.1.3. Ethics Policies

Ethics is perhaps best described as the personnel or organizational rules about how interactions, relationships, and dealings occur. Ethics affect business practices, are the basis of laws, and are highly subjective. An ethics policy is the written policy governing accepted organizational ethics.

Many organizations define ethical behavior and the consequences of not behaving in an ethical manner. Most professional organizations have adopted codes of ethics or conduct for their members; in many cases, a violation of these codes will result in suspension, expulsion, or censure by the organization.

The Computer Ethics Institute (CEI) created the "Ten Commandments of Computer Ethics," which the Computer Professionals for Social Responsibility (CPSR) also reproduced on its website (www.cpsr.org). These commandments are listed here:

  • Thou shalt not use a computer to harm other people.

  • Thou shalt not interfere with other people's computer work.

  • Thou shalt not snoop around in other people's computer files.

  • Thou shalt not use a computer to steal.

  • Thou shalt not use a computer to bear false witness.

  • Thou shalt not copy or use proprietary software for which you have not paid.

  • Thou shalt not use other people's computer resources without authorization or proper compensation.

  • Thou shalt not appropriate other people's intellectual output.

  • Thou shalt think about the social consequences of the program you are writing or the system you are designing.

  • Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

This list, as you can see, outlines computer usage and ethical behavior for computer professionals. The commandments establish a code of behavior and trust that is important for security and computer-security professionals. This list is a good place to start in the development of both a personnel ethics code and an organizational ethics code.

8.3.1.4. Acceptable-Use Policies

Acceptable-use policies (AUP) deal primarily with computers and information provided by the company. Your policy should clearly stipulate what activities are allowed and what activities aren't allowed. This policy can be as simple as a blanket statement such as "Computers provided by the company are for company business use only."

From a security perspective, you should make sure the people using your systems and accessing your information aren't using them in ways inconsistent with the policy. This usually includes some type of monitoring package or log file examination. Whatever monitoring you perform must itself be disclosed in policy (see the privacy discussion later in this section); undisclosed monitoring undermines the enforcement actions it is meant to support.


Many companies have developed comprehensive policies concerning Web access, e-mail usage, and private usage. Acceptable-use policies should also include rules regarding telephone-system usage, information usage, and other related issues. Having an acceptable-use policy in place eliminates any uncertainty regarding what is and what isn't allowed in your organization. After these policies are put into place, enforcing them is critical. If an employee is using your corporate computer systems for an unacceptable purpose such as downloading pornography, you must consistently enforce company policy to stop the behavior and discourage future abuses. If your organization fails to enforce its policies consistently, it's opening itself to potential lawsuits because inconsistent enforcement could be perceived to be linked to discriminatory practices.

8.3.1.5. Privacy and Compartmentalized Information Policies

Privacy policies for corporate information are essential. You must clearly state what information can and can't be disclosed. Privacy policies must also specify who is entitled to ask for information within the organization and what types of information are provided to employees.

The process of establishing boundaries for information sharing is called compartmentalization. It's a standard method of protecting information.


Your policies must clearly state that employees should have no expectation of privacy on company systems. Subject to local law, employers are allowed to search desks, computers, files, and any other items brought into the building. Your policy should also state that e-mails and telephone communications can be monitored and that monitoring can occur without the employee's permission or knowledge. Many employees wrongly assume they have a right to privacy when in fact they don't. By explicitly stating your policies, you can avoid misunderstandings and potentially prevent employees from embarrassing themselves. Because the legal limits on workplace monitoring vary by jurisdiction, have counsel review this section of the policy before it is published.

8.3.1.6. Need-to-Know Policies

Need-to-know policies allow people in an organization to withhold the release of classified or sensitive information from others in the company. The more people have access to sensitive information, the more likely it is that this information will be disclosed to unauthorized personnel. A need-to-know policy isn't intended to prohibit people from accessing information they need; it's meant to minimize unauthorized access.

Many naturally curious individuals like to gain sensitive information just for the fun of it. No doubt you've known someone who is a gossip—they will tell everybody the secrets they know. This can prove embarrassing to the organization or the people in the organization.

NOTE

The need-to-know section of most policies usually contains a statement to the effect of "Data containing any confidential information shall be readily identified and treated as confidential."

8.3.1.7. Conducting Background Investigations

Background investigations potentially involve more than checking references. A good background investigation should include credit history and criminal-record checks as well as information about work experience and education. These checks must be done with the permission of the employee or prospective employee. Refusing to agree to this type of investigation doesn't mean that the individual has a problem in their background; it may mean they value their privacy.

It's a good idea for employees who deal with sensitive information, such as security professionals, to have a thorough background investigation. This ensures that employees are who they say they are and have the education they say they do. A background check should weed out individuals who have misrepresented their background and experiences.

8.3.2. Business Policies

Business policies also affect the security of an organization. They address organizational and departmental business issues as opposed to corporate-wide personnel issues. When developing your business policy, you must consider these three primary areas of concern:

  • Separation of duties

  • Physical access control

  • Document destruction

The following sections discuss these three areas.

8.3.2.1. Separation-of-Duties Policies

Separation-of-duties policies are designed to reduce the risk of fraud and prevent other losses in an organization. A good policy will require more than one person to accomplish key processes. This may mean that the person who processes an order from a customer isn't the same person who generates the invoice or deals with the billing.

Separation of duties helps prevent an individual from embezzling money from a company. To successfully embezzle funds, an individual would need to recruit others to commit an act of collusion (an agreement between two or more parties established for the purpose of committing deception or fraud). Collusion, when part of a crime, is also a criminal act in and of itself.

In addition, separation-of-duties policies can help prevent accidents from occurring in an organization. Let's say you're managing a software development project. You want someone to perform a quality assurance test on a new piece of code before it's put into production. Establishing a clear separation of duties prevents development code from entering production status until quality testing is accomplished.

Many banks and financial institutions require multiple steps and approvals to transfer money. This helps reduce errors and minimizes the likelihood of fraud.

8.3.2.2. Due Care Policies

Due care policies identify the level of care used to maintain the confidentiality of private information. These policies specify how information is to be handled. The objectives of due care policies are to protect and safeguard customer and/or client records. The unauthorized disclosure of this information creates a strong potential for liability and lawsuits. Everyone in an organization must be aware of and held to a standard of due care with confidential records.

NOTE

It's easy to say that everyone else should adhere to policies and then overlook the importance of doing so yourself. As an administrator, you have access to a great deal of personal information, and you need to be as careful with it, if not more so, than anyone else in the organization. In many cases, something as simple as a printed list of user information sitting in plain view on your desk can violate rules of disclosure.

One of the leading ways to handle due care policies is to implement best practices. Best practices are based on what is known in the industry and how others would respond to similar situations.

8.3.2.3. Physical Access Control Policies

Physical access control policies refer to the authorization of individuals to access facilities or systems that contain information. Implementing a physical access control policy helps prevent theft and unauthorized disclosure of information and keeps other problems from cropping up. Many organizations limit office hours of employees to prevent them from accessing computer systems during odd hours. (This may not be appropriate for some positions, but it may be essential in others.) What would happen in your company if a payroll clerk decided to give himself a raise? In all probability, he wouldn't do this under the supervision of the payroll manager—he would do it when no one was around. By limiting access to the physical premises and computer systems, you reduce the likelihood that an individual will be tempted to commit a crime.

8.3.2.4. Document Disposal and Destruction Policies

Document disposal and destruction policies define how information that is no longer needed is handled. You should ensure that financial, customer, and other sensitive information is disposed of properly when it's no longer needed. Most organizations use mountains of paper, and much of it needs to be shredded or burned to prevent unauthorized access to sensitive information. The same policy should cover electronic media: hard drives, backup tapes, and removable devices must be wiped or physically destroyed before disposal, because simply deleting files leaves the data recoverable. Investigate the process that your organization uses to dispose of business records; it may need to be reevaluated.

Many large cities have businesses that do nothing but destroy paper for banks and other institutions. Using a truck that resembles a mobile shredder on wheels, they will come to your site, destroy the paper, and provide a certificate of destruction for your records. If your organization works with data of a sensitive nature, you should investigate the possibility of using such a service.

8.3.3. Certificate Policies

The advent of e-commerce has created a grave concern about trust. How does a customer know that they're working with a legitimate supplier? How does a retailer know they're dealing with a legitimate customer? One of the major problems facing e-commerce providers, as well as other businesses, is fraud. Fraud, theft, and other illegal transactions cost businesses billions of dollars a year.

NOTE

Certificate policies aren't part of the Security+ exam. They are, however, an important aspect of an overall security program and are presented here for your consideration. All you need to know about certificates for the Security+ exam can be found in Chapter 7, "Cryptography Basics, Methods, and Standards."

There are ways to minimize if not eliminate the losses that organizations and individuals face. One method entails the use of digital certificates and certificate policies.

Certificates allow e-mails, files, and other transactions to be signed by the originator. This digital signing process usually carries close to the same weight as a hand signature. Using digital signatures allows business transactions to occur in a manner that provides a level of trust between the parties involved.

NOTE

One of the most common certificate formats in use today is the X.509 certificate. It binds a public key to a subject's identity, signed by the issuing certificate authority, and that binding supports authentication, digital signatures, and the key exchange needed for encryption. A certificate issued by a trusted CA is accepted by relying parties in almost all cases; the exceptions are certificates that have expired or been revoked, so a relying party still has to check both before trusting one. Most e-commerce providers accept the X.509 certificate or equivalent technologies.

Certificate policies refer to organizational policies regarding the issuing and use of certificates. These policies have a huge impact on how an organization processes and works with certificates.

A certificate policy needs to identify which certificate authorities (CAs) are acceptable, how certificates are used, and how they're issued. An organization must also determine whether to use third-party CAs, such as VeriSign, or create its own CA systems. In either case, the policies have implications about trust and trusted transactions.

A trusted transaction occurs under the security policy administered by a trusted security domain. Your organization may decide that it can serve as its own trusted security domain and that it can use third-party CAs, thus allowing for additional flexibility. Third-party CAs are usually accredited. However, the process of having an internal CA accredited is difficult and requires compliance with the policies and guidelines of the accrediting organization.

Transactions require the involvement of a minimum of two parties. In the CA environment, the two primary parties are identified as the subscriber and the relying party. The subscriber is the party presenting the certificate to prove its identity. The relying party is the party receiving the certificate and depending on it as the primary authentication mechanism. If this certificate comes from a CA, the CA is known as the third party. The third party is responsible for providing assurance to the relying party that the subscriber is genuine. Figure 8.8 illustrates these relationships between the parties.

Figure 8.8. Parties in a certificate-based transaction

If a dispute occurs, these terms will be used to identify all the parties in the transaction. Your certificate policies should clearly outline who the valid subscribers and third parties are in any transactions. These policies provide your organization with a framework to identify parties, and they provide the rules detailing how to conduct transactions using e-commerce, e-mail, and other electronic media.

The practices or policies that an organization adopts for the certificate process are as important as the process that uses them. Your organization needs to develop practices and methods for dealing with certificate validity, expiration, and management. These policies tend to become extremely complicated. Most CAs publish a Certification Practice Statement (CPS), which defines certificate issuance processes, record keeping, and the subscribers' legal acceptance of the terms of the CPS.

The CA should also identify certificate expiration and revocation processes. The CA must clearly explain the certificate revocation list (CRL), how often it is reissued, and the CRL dissemination policies (or the equivalent for an online status service such as OCSP). A relying party that does not fetch a current CRL, or that keeps using one past its next-update time, has no way of knowing that a certificate was revoked.
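The relationships above (subscriber, relying party, and third-party CA), together with the policy questions of which CAs are acceptable, when a certificate expires, and how a CRL is used, are shown here in working code as an added example that is not from this book. A hypothetical internal CA issues a certificate to a constructed subscriber, the subscriber signs a transaction, and the relying party enforces the policy before trusting it. It uses only Go's standard library (Go 1.19 or later); the CA name, the subscriber address alice@example.com, the serial numbers, and the purchase-order message are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable here because every call below operates on keys and templates this example just generated.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoPKI: a hypothetical internal CA (the third party), one subscriber certificate plus its key, and the CA's CRL.
type demoPKI struct {
	caCert  *x509.Certificate
	subCert *x509.Certificate
	subKey  *ecdsa.PrivateKey
	crlDER  []byte
}

// buildPKI plays the CA: a self-signed root, a one-day certificate for subscriber alice@example.com (a
// constructed name), and a CRL good for 12 hours that lists the subscriber's serial when revoke is true.
func buildPKI(revoke bool) *demoPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, // Go derives the SubjectKeyId that CreateRevocationList requires
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	subTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "alice@example.com"},
		EmailAddresses: []string{"alice@example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	subCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, subTmpl, caCert, &subKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour)}
	if revoke { // RevokedCertificates is the pre-Go 1.21 field name; Go 1.21+ also offers RevokedCertificateEntries
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: subCert.SerialNumber, RevocationTime: now}}
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey))
	return &demoPKI{caCert: caCert, subCert: subCert, subKey: subKey, crlDER: crlDER}
}

// signMessage is the subscriber's side: sign the transaction with the private key bound to the certificate.
func signMessage(pki *demoPKI, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, pki.subKey, digest[:])
}

// verifyTransaction is the relying party's side and enforces the policy in order: only the designated CA is
// trusted; the chain must be valid at `at` for e-mail protection; the CRL must be CA-signed and not past
// NextUpdate; the serial must not be revoked; only then is the signature over msg checked.
func verifyTransaction(pki *demoPKI, msg, sig []byte, at time.Time) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	opts.Roots.AddCert(pki.caCert) // the only acceptable CA under this policy
	if _, err := pki.subCert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(pki.crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(pki.caCert) // never act on an unsigned or foreign CRL
	}
	if err != nil {
		return fmt.Errorf("CRL: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale since %s; fetch a fresh one before relying on it", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(pki.subCert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", rc.SerialNumber, rc.RevocationTime.Format(time.RFC3339))
		}
	}
	if err := pki.subCert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("message signature: %w", err)
	}
	return nil
}

func main() {
	msg := []byte("purchase order 1234: 40 units") // constructed sample transaction
	pki := buildPKI(false)
	sig := must(signMessage(pki, msg))
	fmt.Println("valid:  ", verifyTransaction(pki, msg, sig, time.Now()))
	fmt.Println("expired:", verifyTransaction(pki, msg, sig, time.Now().Add(48*time.Hour)))
	revoked := buildPKI(true)
	fmt.Println("revoked:", verifyTransaction(revoked, msg, must(signMessage(revoked, msg)), time.Now()))
}
```

The order of checks in verifyTransaction is the policy: a good signature on the message means nothing if the certificate came from a CA the policy does not accept, has expired, or appears on the CRL, and a CRL that is past its NextUpdate is treated as missing rather than as proof that nothing was revoked. A tampered message (any change to msg after signing) fails the final CheckSignature step.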

8.3.4. Incident-Response Policies

Incident-response policies define how an organization will respond to an incident. These policies may involve third parties, and they need to be comprehensive. The term incident is somewhat nebulous in scope; for our purposes, an incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. This includes systems failures and disruption of services in the organization.

It's important that an incident-response policy establish at least the following items:

  • Outside agencies that should be contacted or notified in case of an incident

  • Resources used to deal with an incident

  • Procedures to gather and secure evidence

  • List of information that should be collected about an incident

  • Outside experts who can be used to address issues if needed

  • Policies and guidelines regarding how to handle an incident

According to CERT, a Computer Security Incident Response Team (CSIRT) can be a formalized or ad hoc team. While you can toss a team together to respond to an incident after it arises, investing time in the development process can make an incident more manageable. Many decisions about dealing with an incident will have been considered in advance. Incidents are high-stress situations; therefore, it's better to simplify the process by considering important aspects in advance. If civil or criminal actions are part of the process, evidence must be gathered and safeguarded properly.

Let's say you've just discovered a situation where a fraud has been perpetrated internally using a corporate computer. You're part of the investigating team. Your incident-response policy lists the specialists you need to contact for an investigation. Ideally, you've already met the investigator or investigating firm, you've developed an understanding of how to protect the scene, and you know how to properly deal with the media (if they become involved).

Your policies must also clearly outline who needs to be informed in the company, what they need to be told, and how to respond to the situation. Incidents should not only include intrusions, but also attempts.

