Task 1.2: Determining Which Security Policy Is Most Important

Security policies are the lifeblood of any organization. Once you’ve performed a risk assessment, you can begin to lock in its findings in the security policy. The policy should spell out what should be protected, how it should be protected, and what value senior management places on it. Be sure to record these decisions in written documents. You must also verify that the policies comply with all federal, state, and local laws.

Policies play such an important role because they put everyone on the same page and make it clear where senior management stands on specific issues. Policies help define how security is perceived by those within an organization. Policies must flow from the top of the organization because senior management is ultimately responsible.

Scenario

Management was pleased with your recent risk assessment, and you have been asked to make some basic security policy recommendations. Any given company has only a limited amount of funds, so your real task is to determine where the funds you can spend on security will have the most benefit. The risk assessment process is one way to assign a value to assets and to the threats those assets face.

Scope of Task

Duration

This task should take about 10 minutes.

Setup

For this task you need only to read through the scenario and determine what you think is the best solution.

Caveat

Well-written policies should spell out who is responsible for security, what needs to be protected, and what constitutes an acceptable level of risk. When creating policies, make sure that what you write is something that users can really do. For example, if you write a policy that states users must select complex passwords, you must make sure that the operating system will support that feature.
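The enforceability check described above, as an added example that is not from the book: a written password policy is compared against what the target platform can actually enforce, and candidate passwords are tested against the written rules. The policy values, the platform limits, and the names POLICY, PLATFORM, policy_is_enforceable, and check_password are assumptions for this example; the 14-character limit is the old LAN Manager password limit, used here to illustrate a rule a platform silently cannot honour. The example goes slightly beyond the text by also flagging passwords longer than the platform limit, since those extra characters add no strength.

```python
import string

# Constructed example policy (an assumption for this example, not a policy
# from the book): the rules a written password standard states.
POLICY = {
    "min_length": 12,
    "required_classes": 3,          # of: upper, lower, digit, symbol
    "forbid_username": True,
    "forbid_common": {"password", "welcome1", "letmein", "qwerty123"},
}

# Constructed platform limits: what the target system can actually enforce.
# 14 is the LAN Manager-era password limit; a policy demanding a 16-character
# minimum on such a system would be written but never enforced.
PLATFORM = {"max_length": 14, "enforces_complexity": True}


def policy_is_enforceable(policy, platform):
    """Return the reasons a written policy cannot be enforced on a platform.

    An empty list means the policy is technically enforceable as written.
    """
    problems = []
    if policy["min_length"] > platform["max_length"]:
        problems.append("min_length %d exceeds platform max_length %d"
                        % (policy["min_length"], platform["max_length"]))
    if policy["required_classes"] > 0 and not platform["enforces_complexity"]:
        problems.append("platform cannot enforce character-class rules")
    return problems


def character_classes(pw):
    """Count how many of the upper/lower/digit/symbol classes appear in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw, username, policy, platform=None):
    """Return the names of the rules a candidate password violates.

    An empty list means the password satisfies the written policy.
    """
    violations = []
    if len(pw) < policy["min_length"]:
        violations.append("too_short")
    if character_classes(pw) < policy["required_classes"]:
        violations.append("too_few_classes")
    if policy["forbid_username"] and username.lower() in pw.lower():
        violations.append("contains_username")
    if pw.lower() in policy["forbid_common"]:
        violations.append("common_password")
    # Edge case: characters beyond the platform limit are discarded by the
    # system, so they add no strength even though the user typed them.
    if platform and len(pw) > platform["max_length"]:
        violations.append("truncated_by_platform")
    return violations


if __name__ == "__main__":
    print("policy problems:", policy_is_enforceable(POLICY, PLATFORM))
    for pw in ("Tr0ub4dor&3xyz", "alice2024!!", "CorrectHorseBattery9!"):
        print(pw, check_password(pw, "alice", POLICY, PLATFORM))
```

Run policy_is_enforceable before the policy is published: if it returns anything, either the wording or the platform configuration has to change, because a rule the system cannot enforce is a rule users will not follow.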

Procedure

In this task, you will learn to rate security issues based on level of concern and determine where to start in the security-policy process.

Equipment Used

For this task, you must have:

  • A pen or pencil

Details

This task will introduce you to basic policy design and help you understand the importance of specific policies to the organization. The following organization and company profile will be used to complete this task.

Company Profile

Your company has all of its potential pinned to several unique products in FDA-approved trials. If the products are approved for use, the company will be able to obtain additional funding. Recently, a sensitive internal document was found posted on the Internet. The company is worried that some of this information may have ended up in the hands of a competitor. If key proprietary information was leaked, it could endanger the future of the company.

Company Overview

Your talks with senior management revealed the following: The company is betting everything on the success of these products. Most of its key employees have been stolen away from competing firms. These employees were originally attracted by the promise of huge stock options. Human Resources (HR) has all these records, and they have to keep track of any payouts if they occur.

The company has been lucky—venture capital has poured in. All of this capital has been invested in research and development (R&D). Once a design is pulled together, the company locks in the documentation. It doesn’t actually build the product in the United States; a subsidiary in South Korea assembles the design. The finished product returns to the United States for final tests, and then the product is submitted for FDA trials.

Because the company is new and poised for growth, the rented office and lab space are full. There are several entrances to the building, and people can come and go through any of them. Employees often work from home. Employees connect to the office from home via virtual private networks (VPNs). They have been required to sign an acceptable-use policy that specifies for what purposes they can use the network and its resources.

There is no full-time network administrator; those responsibilities fall on a research assistant who has experience managing systems in a college environment (but not in a high-security environment). The network consists of one large local area network (LAN) connected to the Internet through a firewall appliance that, apart from the VPN settings, still has its factory-default configuration. Employees must use two-factor authentication to log into local computers, and laptops have biometric authentication.

Because a storm last year wiped out a competitor, the company called in a disaster-recovery expert and backup policies were developed. The company also contracted with a service bureau for its backup services, should the network go down because of a disaster. This led the company to set up policy templates for other major areas, but policies have not been completed.

Policy Development Overview

Once an organization has decided to develop security policies, the question that usually comes to mind is, “What’s next?” The best place to start is to frame the policies within some type of existing framework.

Two examples of such a framework are BS 7799 and ISO 17799, the international standard derived from it (later renumbered ISO/IEC 27002). BS 7799 is a recognized standard that breaks security management into 10 categories. These include the following:

Business Continuity Planning This category addresses business continuity and disaster recovery.

System Access Control This category addresses control of information, protection of network resources, and the ability to detect unauthorized access.

System Development and Maintenance This category addresses the protection of application data and the safeguards associated with confidentiality, integrity, and availability of operational systems.

Physical and Environmental Security This category addresses the physical protection of assets and the prevention of theft.

Compliance This category addresses the controls used to prevent the breach of any federal, state, or local law.

Personnel Security This category addresses the security responsibilities of individuals and protection from human error, theft, fraud, or misuse of facilities.

Security Organization This category addresses the need to manage information security within the company, including who is responsible for it.

Computer and Network Management This category addresses the need to minimize the risk of system failure and protect network systems.

Asset Classification and Control This category addresses the need to protect company assets.

Security Policy This category addresses the need for adequate policies to maintain security.


A more specialized set of guidance documents would be the NIST Special Publications 800 series documents. These are of general interest to the computer security community.

Based on the information provided in the “Details” section of this task and the BS 7799 categories, you should complete Table 1.6. In the table you will find a listing for each of the BS 7799 categories. Beside each category, list the level of importance of each of these items. Use the following scale:

  • 1—Low importance, should not be an immediate concern
  • 2—Medium importance, requires attention
  • 3—High importance, should be a priority

TABLE 1.6 Policy Action Items

Category                              Level of Concern
Business Continuity Planning
System Access Control
System Development and Maintenance
Physical and Environmental Security
Compliance
Personnel Security
Security Organization
Computer and Network Management
Asset Classification and Control
Security Policy

Answers will vary but should be similar to what is found in Table 1.7.

TABLE 1.7 Policy Action Items—Answers

Category                              Level of Concern
Business Continuity Planning          1
System Access Control                 3
System Development and Maintenance    1
Physical and Environmental Security   3
Compliance                            3
Personnel Security                    3
Security Organization                 2
Computer and Network Management       2
Asset Classification and Control      3
Security Policy                       2

The SANS Institute has a great resource that can be used to develop specific policies. You’ll find it at www.sans.org/resources/policies/. Best of all, it’s free!

Criteria for Completion

You have completed this task when you have filled in Table 1.6, compared your ratings with Table 1.7, and determined which security concerns are most important.
