154 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
(SAT) program. e objective here is to make people aware of security, make sure
they understand the implications of being secure, and ensure that they are actually
complying with security policies, standards, procedures, and guidelines.
For the enterprise to comply with security, you must disseminate security
requirements within the enterprise. e documents that convey this information
are in policies, standards, procedures, and guidelines. A policy is a statement of
objectives for appropriate behavior. A standard species what to use to implement
and enforce policy. A procedure species how to use a standard to implement and
enforce policy. A guideline is less formal than the previous three and may oer
more suggestions than more emphatic statements of thou shall. e term guidance
refers collectively to policies, standards, procedures, and guidelines. e following
sections describe security guidance in more detail.
People and Compliance
e bottom line for compliance is to drive the behavior of people; the compli-
ance document puts forth guidance for appropriate behavior. Legislative guidance
describes appropriate behavior in the name of the greater good of society. Enterprise
policy describes appropriate behavior in the name of the greater good of the
enterprise. Some enterprise policy will reect legislative compliance; other enter-
prise policy will reect good business practice to optimize stakeholder value.
Enterprise Role of Policies, Standards,
Procedures, and Practice
Policies provide a description of acceptable behavior for those within the enterprise
and, at times, for those doing business with the enterprise. Policies may be thought
of as enterprise law. Policies reect both external mandates on appropriate behavior
as well as internal mandates for good business practice as determined by executives
and upper management. Standards are a description of uniformity; they are a speci-
cation of commonality to implement and enforce policy. Procedures are a specied
sequence of actions to achieve a desired end of eective and ecient use of standards
to implement and enforce policy. Policies, standards, and procedures describe what
should be; actual practice is reality. For enterprise personnel to behave as they should
requires awareness and training. Moreover, when assessing for compliance, you
should assess the presence and quality of policies, standards, and procedures, plus
assess actual practices to ensure that they reect the intent of the documentation.
Security Policies
Security policies provide a description of acceptable behavior with the intent of
minimizing risk to the organization—risk that may occur in the form of legisla-
tive and regulatory compliance, technical risk, environmental risk (e.g., clean and
Overseeing Compliance of Security Operations ◾ 155
© 2011 by Taylor & Francis Group, LLC
safe work environment), and the execution of processes and tasks. Security poli-
cies dene appropriate behavior within the enterprise to establish compliance with
security-related legislation, regulation, and internally imposed security controls.
e security governance function determines the scope that security policies should
address as well as the appropriate breadth and depth of security policies.
Policy Structure and Content
e structure is the outline of topics that will appear in the policy. All policies
should follow a similar structure so that all employees know where to look for par-
ticular details. e policy content will vary according to what the policy addresses.
e following is a sample policy structure:
◾ Dates
− Date issued, date eective, and date revised
◾ Sponsor
− Statement of management commitment
◾ Purpose
◾ Scope
− What the policy applies to
− Who is subject to adhere to the policy
◾ Denitions
− Clarify terms to ensure reader understanding
◾ Authority, roles, and responsibilities
− Include office responsible and official responsible (by title if not
actual name)
− Include who implements, who enforces, and an adjudication contact to
resolve conicts with policy details
◾ Implementation and enforcement
− Reference to repository containing associated standards and procedures
◾ Reporting requirements
e content of security policies will address a variety of areas. e following is a
partial list of potential enterprise security policies in no particular order:
◾ Conguration Policy
◾ Conguration Management Policy
− Change Management Policy
◾ Inventory Management
◾ Portable Media Policy
− Enterprise Issued
− Personal (PDAs, iPods, ash pens, cameras, portable hard drives, cell
phones, thumb drives, digital recorders)
156 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
◾ Wireless
◾ Access Control
− Privileged access (e.g., root, administrator)
− Remote access
◾ Portable Media
◾ Software
◾ Media Disposal
◾ Pre-hire
◾ Contracts and Agreements
◾ Incident Response
◾ Disciplinary Action
◾ Authentication
◾ Encryption
◾ Virtual Private Network (VPN)
◾ Anti-malware
◾ Acceptable Use
◾ Software Licensing
◾ Network Trac Management
− Inbound
− Outbound
− Priority
◾ Information Classication
− Proprietary
− Condential
− Public
◾ Nondisclosure Agreements
e following sections elaborate on details of some security policies.
Security Policy General Practices
Policy management includes the following:
◾ Policy generation
− Policy structure and content
◾ Policy dissemination
◾ Policy awareness, understanding, and compliance
◾ Policy enforcement
e governance process determines relevant external compliance requirements
as well as appropriate behavior that represents good business practice within the
organization. Policies capture the details of this appropriate behavior and convey
Overseeing Compliance of Security Operations ◾ 157
© 2011 by Taylor & Francis Group, LLC
the details to all employees and contractors. Policy generation is an enterprise-
internal administrative aspect of compliance management. To help facilitate ease
of reading and understanding, develop a standard policy structure. is means
that all policies will have the same or very similar sections in the same order. e
content of all policies should include acceptable and unacceptable behavior in
clear language.
Policy dissemination is making the policies available to personnel and other
covered entities. is may mean an explicit push of the policy to each employee and
contractor, e.g., e-mail attachment. Dissemination may also be a passive pull of the
policy document from a policy repository located on an intranet Web site. Good
policy management will record the review and acceptance of the policies by all
personnel, including contractors; this record shows the person is aware of the pol-
icy. Subsequently testing knowledge of the policy and when and where the policy
applies will capture understanding of the policy. Monitoring for policy infractions
will capture policy compliance.
e rst challenge is the development of the policy; the second challenge is
enforcing the policy. Policy enforcement will occur at the management and opera-
tions level of the organization. Some policy enforcement will be automated, e.g.,
rewalls will enforce the appropriate use of the Internet, and disabling USB ports
will enforce a policy prohibiting the use of thumb drives. Other policy enforcement
is administrative, such as exposing new employees to indoctrination procedures
that adequately prepare them to function eectively and securely within the orga-
nizational environment.
Access Policy
Access policy describes the ability to enter, obtain, or use information, information
technology, or a facility. e access policy describes the access group, action group,
resource group, and relationship. e access group is the collection of users to which
the policy applies. e action group is the collection of activities performed by the
user on the resources. e resource group is the collection of physical or virtual enti-
ties covered by the policy. Resources may include documents (e.g., contracts), com-
puters, software applications (e.g., order entry), and command sets (e.g., database
backup commands are available to a backup operator, but not access to the data-
base administration commands). e relationship describes the association among
resources, users, and actions.
Access policy should distinctly cover privileged access. e UNIX operating envi-
ronment has a root account and Windows has an Administrator account. Both root
and Administrator accounts allow the user privileges to perform certain tasks that
no other user can perform. ese tasks include conguring the system for ecient
operations and secure operations. Modications of these conguration settings with-
out the skill to understand the implications or modications of these congurations
158 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
with the explicit purpose of subverting security are both undesirable. e access
control policy should restrict the number of privileged accounts and the assignment
of privileged accounts to qualied users, and restrict their use in operations.
Users without an explicit need for a privileged account should not be assigned
one. Any user assigned a privileged account should be vetted through an approval
process that includes multiple people reviewing and approving the account assign-
ment. Each person who possesses a privileged account should have at least one other
account with normal user capability. ey will then use the privileged account
for tasks explicitly requiring the inherent permissions of that account and use the
regular user account in everyday, normal activities. e number of existing privi-
leged accounts, the password strength associated with them, and the actual use of
privileged accounts should be part of the security audit process.
By default, privileged accounts have standard names like Administrator. A good
practice to hinder casual misuse attempts is to rename these default accounts as
something else that blends in with the structure of usual user accounts. For example,
if the practice is to use the rst letter of the rst name coupled with the rst seven
letters of the last name, then rename the privileged account using a ctitious name,
and make it an innocuous ctitious name like jsmith, not something associated with
privilege like gwizard. ere are relatively simple ways around this for a knowledge-
able hacker, but there are simple ways around a front door lock to a knowledgeable
thief. Simple deterrents deter the simple, but they are deterrents nonetheless.
One way to bypass the above is to be aware of security identication numbers
(SIDs). Windows creates a SID for each user and computer account. UNIX uses a
unique identication number (UID). e same SID is used for all Administrator
accounts, and there are other commonly known SIDs that can aid a hacker in iden-
tifying accounts. e URL http://support.microsoft.com/kb/243330 has a list of
commonly known SIDs. e Windows user account control (UAC) function runs
all applications in user mode, regardless of the privileges of the user executing the
command. Knowledge of these technical specics will help articulate access con-
trol standards, e.g., all enterprise nancial systems operating under the Windows
operating system will activate and enforce the use of a UAC to limit the running
of applications under privileged accounts. Policy states the intent, and standards
describe what to use to implement and enforce the intent. e section on Access
Control provides more details.
Remote Access Control
e access control policy should include a section on remote access. e remote
access policy applies to all employees, contractors, vendors, business partners, and
agents that connect to the enterprise network from outside enterprise-owned facili-
ties. Access may occur using a personally owned device or a company-issued device.
e policy should restrict remote access privileges according to job function and
business need. Access to e-mail may be the only necessary remote access. Others
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.