84 Managing Network Vulnerability Assessment
as those discussed in the NIST Special Publication 800-12, “An Introduction
to Computer Security.”
The Information Security Policy should be approved by management,
published, and communicated, as appropriate, to all employees. It should
state management commitment and set out the organization’s approach to
managing information security. As a minimum, the following material should
be included:
A definition of information security
A statement of management intent, supporting the goals and principles of
information security
A definition of general and specific responsibilities
References to documentation that may support the policy
The Asset Classification Policy is developed to maintain appropriate protection of organizational assets. All major information assets should be accounted for and have Owners identified. Accountability for assets (which include information records, transactions, applications, network segments, etc.) is assigned to the Owner, with a Custodian responsible for implementing the controls the Owner has specified.
Business continuity planning (BCP) and technology disaster recovery planning (DRP) are the next policies that need to be reviewed. The NIST Special Publication 800-34, “Contingency Planning Guide for Information Technology Systems,” is available at the NIST Web site (csrc.nist.gov/publications/nistpubs/) and can provide the policy reviewer with the basic requirements needed in a general policy regarding BCP and technology DRP.
For topic-specific policies, the areas listed in Exhibit 1 should be addressed
and critiqued.
Review Elements
The written policy should clear up confusion, not generate new problems.
When preparing a document for a specific audience, remember that the writer
will not have the luxury to sit down with each reader and explain what each
item means and how it impacts the user’s daily assignments. Know the
audience for whom the policies are being developed. Remember the reading
and comprehension level of the average employee. When writing the policy,
remember the “5 Ws of Journalism 101”:
1. What: what is to be protected (the topic)
2. Who: who is responsible (responsibilities)
3. Where: where within the organization does the policy reach (scope)
4. How: how compliance will be monitored (compliance)
5. When: when does the policy take effect
6. Why: why the policy was developed
Policy Review (Top-Down) Methodology 85
Exhibit 1. Topic-Specific Policies
(ISO 17799 section and topic-specific policy: description)
8.1.3 Incident Management Procedures: Implement standards and procedures to identify incident management responsibilities and to ensure a quick, effective, orderly response to security incidents.
8.2.2 System Acceptance: Implement procedures to establish acceptance criteria for new systems, and that adequate tests have been performed prior to acceptance.
8.3 Protection from Malicious Software: Implement anti-virus software.
8.4.2 Operator Logs: Implement standards and procedures so that computer operators are required to maintain a log of all work performed.
8.5.1 Network Controls: Implement appropriate standards to ensure the security of data in networks and the protection of connected services from unauthorized access.
8.7.4 Security of Electronic Mail: Implement standards and user training to reduce the business and security risks associated with electronic mail, to include interception, modification, and errors.
8.7.5 Security of Electronic Office Systems: Implement a risk analysis process and resultant standards to control business and security risks associated with electronic office systems.
8.7.6 Publicly Available Systems: Implement a formal policy to establish an authorization process for information that is to be made publicly available.
9.1.1 Access Control Policy: Implement a risk analysis process to gather business requirements to document access control levels.
9.4.1 Use of Network Services: Implement procedures to ensure that network and computer services that can be accessed by an individual user or from a particular terminal are consistent with business access control policy.
9.4.2 Enforced Path: Implement standards that restrict the route between a user terminal and the computer services that its user is authorized to access.
9.4.3 User Authentication for External Connections: Implement standards to ensure that connections by remote users via public or nonorganization networks are authenticated to prevent unauthorized access to business applications.
9.4.4 Node Authentication: Implement standards to ensure that connections by remote computer systems are authenticated to prevent unauthorized access to a business application.
9.4.5 Remote Diagnostic Port Protection: Implement procedures to control access to diagnostic ports designed for remote use by maintenance engineers.
9.4.6 Network Segregation: Implement standards to have large networks divided into separate domains to mitigate the risk of unauthorized access to existing computer systems that use the network.
9.4.7 Network Connection Control: Implement standards to restrict the connection capability of users, in support of access policy requirements of business applications that extend across organizational boundaries.
9.4.8 Network Routing Control: Implement standards that identify routing controls over shared networks across organizational boundaries to ensure those computer connections and information flows conform to the access policy of business units.
9.4.9 Security in Network Services: Implement standards to clearly capture network providers’ security attributes of all services used, and use this information to establish the security controls to protect the confidentiality, integrity, and availability of business applications.
9.7.1 Event Logging: Implement standards to have audit trails record exceptions and other security-relevant events, and that they are maintained to assist in future investigations and in access control monitoring.
9.7.2 Monitoring System Use: Implement procedures for monitoring system use to ensure that users are only performing processes that have been explicitly authorized.
9.7.3 Clock Synchronization: Implement standards to ensure that computer or communications device clocks are correct and in synchronization.
10.2.3 Message Authentication: Implement standards to ensure that message authentication is considered for applications that involve the transmission of sensitive data.
10.3.1 Use of Cryptographic Controls: Implement policies and standards on the use of cryptographic controls, including management of encryption keys, and effective implementation.
10.4.1 Control of Operational Software: Implement standards. Strict control should be exercised over the implementation of software on operational systems.
10.5.1 Change Control Procedures: Implement standards and procedures for a formal change control procedure.
10.5.2 Technical Review of Operating System Changes: Implement procedures to review application systems when changes to the operating systems occur.
10.5.3 Restrictions on Changes to Software Packages: Implement standards to restrict modifications to vendor-supplied software.