Relevant Technologies: Security Policies 101

< Back to Article List

Security Policies 101
By: Laura Taylor
January 6, 2003

If you are trying to keep your network secure from unauthorized access, creating security policies is an exercise in understanding what needs to be secured. Security policies serve many purposes and are the foundation of your security framework.

Why Your Organization Needs Security Policies
Security policies are the foundation of your secure infrastructure. Your security policies serve as a guide and a reference point to numerous security tasks in your organization including:

Securing applications

Configuring user access controls

Defining management duties and responsibilities

Assuring standardization and consistency

Retaining confidential and proprietary information

Designing enterprise architecture

Mitigating risk

Responding to security incident investigations

Disciplining employees for breach of policy

Minimizing liabilities to customers and shareholders

Assisting auditors in understanding security intentions

Establishing a sense of awareness and training

Avoiding disputes with different technical teams

Expediting procurement and deployment of new systems

Without security policies, no enforcement of security configurations or standards can be made. By establishing a policy, you are implying that enforcement can or will follow. Without security policies, enforcement of them is not possible.

Security Policy Basics
Security policies are high-level laws of the land regarding your security infrastructure. They are not procedures. (Procedures tell you how to implement security policies.) Upper management needs to hold someone accountable for drafting the security policies, overseeing their review, and implementing them. Without support from upper management, security policies often fall by the way side and never get written, understood, or implemented. The person being held responsible for security policies could be the Director of Information Security, the Chief Security Officer, the Director of Information Technology, the Chief Information Officer, or a knowledgeable employee appointed to be the information security officer.

Security is typically distributed, and security mechanisms should be built into all layers of the enterprise infrastructure. Security policies should describe the rules of the road for the following types of technology systems:

Encryption mechanisms

Access control devices

Authentication systems

Virtual Private Networks (VPNs)

Firewalls

Messaging systems

Anti-virus systems

Web sites

Gateways

Mission critical applications

End-user desktops

DNS servers

Routers and switches

All security policies need to be written down. Policies that exist in someone's head are not really policies. When your organization has finished developing security policies, and right when you think you can breathe easy, it will be time to update your security policies. Since most IT organizations are deploying new technology continuously and retiring old systems, you will have to make sure your security policies still make sense for your new infrastructure. Similarly, when you are evaluating new equipment for possible procurement, you will want to make sure that the new equipment can properly be configured to meet your security requirements — if it can't, you may want to consider procuring alternative products.

Some products and modules built into operating systems are designed specifically to configure and enforce security policies. Windows 2000 uses security templates (also called .inf files) to automatically configure security policies on servers and desktops. There are also third-party enterprise management tools that are designed specifically for security policy configuration, distribution, and enforcement. These products should undergo a thorough evaluation and analysis process before expensive procurement decisions are made.

Security controls are mechanisms put into place to enforce security policies.

Administrative Policies vs. Technical Policies
Technical security policies describe how technology should be configured and used, and administrative security policies describe how people (end-users and management) should behave. The intended security rules for technology systems and data should be explicitly described in technical security policies. Technical security policies describe a rule or regulation pertaining to a piece of equipment, facility, or data.

Administrative security policies describe the intended behavior rules for people. Serving as a guide for both end-users and management, administrative policies should spell out the roles and responsibilities for all users of technology systems in the organization. It is very important to inform end-users and other management team members of administrative security policies. Users cannot be expected to follow policies if they do not know what they are. After reviewing the administrative policies, it is a good idea to get the user to sign the policy document attesting to the fact that they have read it, understand it and will abide by it.

Many organizations take the time to define technical security policies, while administrative security policies are often overlooked. While many technical security policies can be audited with online scanning tools, administrative security policies can only be audited with an in-person review. Auditors who review administrative policies will typically ask to see the actual formal policy document. Efficient auditors will also interview end-users and management to see if they understand their roles and responsibilities.

Administrative Security Policy Samples

Users must change their passwords each quarter.

A designated employee should securely maintain a master list of passwords.

End-users will update their virus signatures at least once a week.

Users will not e-mail passwords across the corporate infrastructure.

Users must use a card-key to enter the data center.

Employees shall not use dial-out modems from their desktops.

All users must read, sign and abide by the end-user security policies.

Users will report suspicious network activity to the security officer.

The security officer will manage and respond to all security incidents.

Company information marked Proprietary must be used only for legitimate business purposes.

If your organization was being audited, here are some questions that an auditor might ask in regards to your administrative security policies:

Are employees informed about reporting security incidents? How would they know what to report, and to whom to report it? Where can employees turn for information to guide them on how to handle security incidents?

Are there security policies associated with change-management?

Who is responsible for risks associated with third-party vendors and partners?

Are there regular security reviews of IT systems? Are reports generated to capture the current security posture and make recommendations for corrective action? (You should assume that if an auditor asks if reports exist they will ask to see them.)

Is there a policy that defines acceptable use of the Internet?

What authorization is needed to change user IDs?

Are procedures for the disposal of media documented?

Who is responsible for enforcing policy breaches?

What are the reasons for allowing employees remote access?

How are employees made aware of security policies and procedures?

Technical Security Policy Samples

Servers will be configured to expire passwords once every quarter.

Anti-virus software will be installed and properly configured on all user desktops.

A card-key system will be installed at every data center entrance.

All data and information must be assigned a custodial owner.

All access control systems must be monitored for compliance.

Online penetration tests should be conducted twice a year.

Accounts must initiate a lock out after four unsuccessful attempts to login.

Encryption is used to prevent access to sensitive and proprietary information.

Incoming attachments must be scanned for viruses on the boundary server.

Passwords must be at least 8 characters long and include upper and lower case characters and at least one numeric character.

If your organization was being audited, here are some questions that an auditor might ask in regards to your technical security policies:

Are stored passwords on the Web site encrypted? How?

How is the logical access to the Web site server controlled?

What controls are in place to protect audit log files?

Is there a master backup of router and firewall configuration files?

What outbound and inbound connections and services are being allowed through the firewall?

What is the process for authenticating firewall administrators?

Are Web servers protected from buffer overflow attacks? How?

What security controls exist to protect credit cards numbers? Are the credit card number encrypted?

How is the security of dial-up connections controlled?

Does the enterprise system architecture documentation include all physical and logical (VLAN) connections?

A Word to the Wise
Writing security policies take a long time and a lot of thought. It may be useful to have your human resources department review the administrative policies since many of these policies are associated with employee behavior. It is possible that human resources will want to include some of the administrative policies into job descriptions or other employee policies.

The technical teams that are responsible for administering servers, routers, switches and applications should review the appropriate technical policies that are related to their respective responsibilities. Before etching the security policies in stone, the security officer should make sure that they undergo sufficient peer review. Organizations without security policies are putting themselves at risk and exposing themselves to numerous liabilities. If your organization has anything at stake as far as proprietary information goes, financial information, customers or shareholders, writing security policies are worth the trouble.