Security Policies

Security Policies
A practical part of your digital
defense system
By Oscar Ladron de Guevara
Purpose of Policy
Sets practices and procedures
Protects valuable company information assets
Minimizes damage and maintains quality control
Rules and regulations

What is a Policy?
A policy is a published document in
which the organization's philosophy,
strategy, policies and practices with
regard to confidentiality, integrity and
availability of information and
information systems are laid out.
Thus, a policy is a set of mechanisms
by means of which your information
security objectives can be defined and
attained.
Information Security Objectives
Confidentiality
Integrity
Availability

Confidentiality is about ensuring that only
the people who are authorized to have
access to information are able to do so. It's
about keeping valuable information only in
the hands of those people who are intended
to see it.
Integrity is about maintaining the value and
the state of information, which means that it is
protected from unauthorized modification.
Information only has value if we know that it's
correct. A major objective of information
security policies is thus to ensure that
information is not modified or destroyed or
subverted in any way.
Availability is about ensuring that information
and information systems are available and
operational when they are needed. A major
objective of an information security policy
must be to ensure that information is available
whenever it is legitimately needed.
Mechanisms through which these objectives can be achieved
Philosophy
Strategy
Policies
Practices

Philosophy
This is the organization's approach towards
information security, the framework, the
guiding principles of the information security
strategy. The security philosophy is a big
umbrella under which all other security
mechanisms should fall. It will explain to
future generations why you did what you did.
Strategy
The strategy is the plan or the project plan of
the security philosophy. A measurable plan
detailing how the organization intends to
achieve the objectives that are laid out, either
implicitly or explicitly, within the framework
of the philosophy.
Policies
Policies are simply rules. They're the dos and
the don'ts of information security, again within
the framework of the philosophy.
Practices
Practices simply define the how of the
organization's policy. They are a practical
guide regarding what to do and how to do it.
What benefits do policies offer?
Provide a paper trail in cases of due diligence
Exemplify an organization's commitment to security

Practical Benefits of Security Policies
Benchmark for progress measurement
Help ensure consistency
Serve as a guide to information security
Define acceptable use
Give security staff the backing of management

Defining Objectives in an Organization
Objectives are essential to all organizations.
Security administrators need to define objectives for their particular organization,
based on the value of that information and the specific risks that information faces.

What are policies actually protecting?
Each organization has a certain level of risk.
Risk consists of a combination of information resources that have value
and vulnerabilities in them that can be exploited.
The objective is to limit and restrict risk to an acceptable level, not to eliminate it.

Creating a Supportive Environment
Policies are ineffective by themselves; their
effectiveness is highly linked to the support they
receive from the organization.
Management plays a key role in the success and
efficacy of the security policy.
Management must ensure that all staff comply
with the policy.
Management must understand the significance of
security and of its policy.
Organizational Structure
All organizations have some level of structure.
Titles may differ, but the roles, duties and obligations
are fairly consistent throughout.
Thus, each level of the structure must be responsible
for its part in the effectiveness of security policies.

A policy should always have an
owner.
The owner has a number of responsibilities,
which include the management, maintenance and
distribution of the security policy.
Sample proposed organizational structure (diagram): STF = Security Task Force; PM = Project Manager.
In addition to management support
and organizational structure, financial
commitment is also needed to create a
supportive environment.
The security process will always
require an investment in time, human
resources and finance.
Administrators should always consider
strategies that create and promote an
organizational culture that places primacy
on security:
User education
Focus on managers
Be up front with staff
Positive reinforcement
Negative reinforcement
Acceptance and sign-off

Formal Classification
The Bell-LaPadula Model
relies on the existence of a partial ordering of
security classifications and clearances.
The levels chosen should be user-friendly and
appropriate to the commercial organizational
environment.

The Bell-LaPadula Model
If c(O) is the classification of the (data) object
and c(S) is the clearance of the (user) subject, then
two simple rules (known as "properties") apply:
1. The Simple Security Property (ss): A subject S
may have read access to an object O only if c(O)
≤ c(S).
2. The "*" Property (star): A subject S who has read
access to an object O may have write access to
another object P only if c(O) ≤ c(P).
Note that the relation is "at most", not strictly "less
than": a subject may read and write objects at its own
level.

First Rule: no one may receive a piece of
information unless their clearance is at least
as high as the classification of the
information they are accessing ("no read up").

Second Rule: information obtained from an
object may only be passed to another object
if the classification of the target object is at
least as high as that of the source object
("no write down"). Together the two rules
prevent information from flowing from a
higher level to a lower one.
Security Levels
Define and describe levels of classification
that make sense and are appropriate to your
organization, for example:
Unclassified
Shared
Company Only
Confidential

Unclassified: Considered publicly accessible.
There are no requirements for access control or
confidentiality.
Shared: Resources that are shared within groups
or with people outside of your organization.
Company Only: Access to be restricted to your
internal employees only.
Confidential: Access to be restricted to a specific
list of people. For someone to have access to
data or resources classified as 'Confidential' they
must be cleared at this level and they must be
included in the access list for this resource.
The owner of the object (data or computer) is
responsible for managing the access lists.
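The two Bell-LaPadula properties and the four-level scheme with its access-list rule for 'Confidential' resources, as an added example (not code from the presentation): a small reference monitor in Python. The level names are the talk's; the subjects, objects, owners and access-list entries are constructed sample data, and the comparison is ≤ ("at least as high"), as the rules are described in words.

```python
"""Added example (not from the presentation): a reference monitor that
enforces the two Bell-LaPadula properties over the talk's four levels,
plus its access-list rule for 'Confidential' resources. All subjects,
objects and access lists below are constructed sample data."""
from dataclasses import dataclass, field

# The talk's classification levels, ordered lowest to highest. A total
# order is a special case of the partial order Bell-LaPadula requires.
LEVELS = ("Unclassified", "Shared", "Company Only", "Confidential")
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(higher: str, lower: str) -> bool:
    """c(lower) <= c(higher): 'higher' is at least as high as 'lower'."""
    return RANK[higher] >= RANK[lower]


@dataclass
class Subject:
    name: str
    clearance: str
    # Levels of every object this subject has read so far; the *-property
    # needs this history to stop information being written down.
    read_levels: set = field(default_factory=set)


@dataclass
class Object:
    name: str
    classification: str
    owner: str
    # Only consulted when classification == "Confidential" (the talk's rule).
    access_list: frozenset = frozenset()


def can_read(s: Subject, o: Object) -> bool:
    """Simple security property: read allowed only if c(O) <= c(S).
    At 'Confidential' clearance alone is not enough: the subject must
    also be on the object's access list, as the talk requires."""
    if not dominates(s.clearance, o.classification):
        return False
    if o.classification == "Confidential" and s.name not in o.access_list:
        return False
    return True


def can_write(s: Subject, p: Object) -> bool:
    """*-property: a subject that has read O may write P only if
    c(O) <= c(P) for every O it has read. This is a flow rule, not a
    clearance check: a subject may write *up* to a level it cannot read."""
    return all(dominates(p.classification, lvl) for lvl in s.read_levels)


def read(s: Subject, o: Object) -> bool:
    """Mediate a read and, if granted, record the level for the *-property."""
    if not can_read(s, o):
        return False
    s.read_levels.add(o.classification)
    return True


def grant(granter: str, o: Object, subject_name: str) -> Object:
    """Only the object's owner may manage its access list (talk's rule)."""
    if granter != o.owner:
        raise PermissionError(f"{granter} does not own {o.name}")
    return Object(o.name, o.classification, o.owner,
                  o.access_list | {subject_name})


def run_scenario() -> dict:
    """Constructed walk-through; returns every decision so it can be checked."""
    plan = Object("merger-plan.doc", "Confidential", owner="cfo",
                  access_list=frozenset({"alice"}))
    wiki = Object("team-wiki", "Shared", owner="it")
    notes = Object("board-notes.doc", "Confidential", owner="cfo",
                   access_list=frozenset({"alice", "carol"}))
    alice = Subject("alice", "Confidential")
    bob = Subject("bob", "Company Only")
    carol = Subject("carol", "Confidential")  # cleared, but not on plan's list

    r = {}
    r["bob_reads_plan"] = read(bob, plan)            # False: Company Only < Confidential
    r["carol_reads_plan"] = read(carol, plan)        # False: cleared, not on access list
    r["alice_reads_plan"] = read(alice, plan)        # True
    r["alice_writes_wiki"] = can_write(alice, wiki)  # False: Confidential -> Shared is write-down
    r["alice_writes_notes"] = can_write(alice, notes)  # True: Confidential -> Confidential
    r["bob_writes_plan"] = can_write(bob, plan)      # True: writing up is allowed, reading is not
    plan2 = grant("cfo", plan, "carol")              # owner extends the access list
    r["carol_reads_plan_after_grant"] = read(carol, plan2)  # True
    try:
        grant("bob", plan, "bob")                    # non-owner cannot self-grant
        r["bob_self_grant"] = "allowed"
    except PermissionError:
        r["bob_self_grant"] = "denied"
    return r


if __name__ == "__main__":
    for decision, outcome in run_scenario().items():
        print(f"{decision}: {outcome}")
```

Two design points worth noticing: the *-property is enforced from the subject's read history, so the monitor has to be the only path to the data (a subject that read outside the monitor could write down undetected); and the per-object access list is a discretionary control layered on top of the mandatory levels, which is why a subject cleared to 'Confidential' can still be refused.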
Formulating a Security Policy
Creating Appropriate Policies
Defining what is important
Defining acceptable behavior
Identifying stakeholders
Defining appropriate outlines
Policy development

Defining What is Important: The first step
in creating organizational policy is to define
what is important to the organization and
therefore which policies it needs.

Defining Acceptable Behavior: Employee
behavior differs from organization to
organization. The culture of the organization
and its expectations of its employees must be
taken into account when defining acceptable
behavior.

Identifying Stakeholders: Advice and
recommendations should be sought from
members of the organization. Those affected
by the policy should be included in the process
of developing it.

Defining Appropriate Outlines: The
development of a good policy starts out
with a good outline.

Policy Development: Security should drive
the development of security policies, take
ownership of the project and see that it gets
done. Expect many meetings and drafts.
Deploying Policy
Gaining Buy-In: Every department of the
organization that is affected by the policy
must buy into the concepts behind it.
Education: Employees affected by a new
policy must be educated about their
responsibilities under it.
Implementation: Work with the other
departments to make the change as easy
as possible.
