A System Security Policy for You
David Milford, April 25, 2001

1. Introduction

1.1 Purpose

The purpose of this document is to meet the requirements of the GIAC Security Essentials assignment and to provide other interested parties with a reference document that they can use to get their System Security Policy (SSP) document started.

1.2 Introduction

The first thing the auditor asks is "Please provide me with a copy of your System Security Policies and Security Operating Procedures". Then it starts: "we haven’t got round to that yet", or "we have them but they are only at draft", or "we don’t have a policy, just some notes on guidance", or "we tried to put one together but the person left the company before the task was completed", or "we have them but they have not been implemented yet". There are any number of excuses for not having, or not implementing, a System Security Policy and the associated security operating procedures.

If you have no security policy, why are you applying security measures and what are you applying them to? Why do auditors ask for a written policy? Why do the International Standards Organisation (ISO), the Orange Book (US DoD) and the Communication Electronic Steering Group (UK Government organisation) all stress the need for a written security policy?

Simply this: if you do not have a written and approved SSP, then how do you apply the correct security measures to an IT system or network in a consistent and auditable manner? How do you know what measures have to be implemented? How do you define and delegate responsibilities? Where is your authority for implementing security measures that may constrain how people interact with the system and network?

The System Security Policy is the basis for the legitimate application of security measures designed to protect your network from both internal and external threats. Without the definition provided by the policy document there is a very good chance that a security measure that should be implemented will be missed, or that you will implement measures that are not required and are expensive, where the cost can outweigh the benefit. Considering that most companies regard security as a bottom-line cost, this is to be avoided.

There is a saying that the job isn’t finished till the paperwork is complete. With IT security it should be reversed to say "don’t start the job until the paperwork is to hand".
2. Types of Policy

2.1 Where to begin

The hardest part about a System Security Policy (SSP) is getting started. There are many security companies that either offer to write the policy for you or train you to do it yourself. The Internet sites listed below provide excellent information about creating a policy document and what should go into it, but businesses are less forthcoming about providing example policies; this is understandable, as providing this service is how they make their money. If at this stage in the document you would like to get a better understanding of what is required to complete a security policy document, then try out the following sites:

There are some government organisations that publish their own SSP. These are also an excellent source of information, but remember that the policy has been formatted and designed to meet their requirements and what they consider to be the threat to their network or system.

If you are interested in seeing how the US DoD deals with securing IT systems, then the site URL below sets out the requirements for establishing trusted computer system evaluation criteria (TCSEC). In the context of this document, and for most commercial organisations, the criteria detailed in TCSEC are too onerous; however, for financial institutions, and where the care of other people’s money is a priority, the principles laid down in TCSEC are relevant.

http://www.antionline.com/archives/text/rainbow_books/orange.html

2.2 ISO 17799

ISO 17799 is the International Standards Organisation’s detailed security standard and is organised into 10 major sections. It was derived from British Standard BS7799 and is designed for implementation by companies in the commercial sector. It is one of the most widely recognised security standards and is comprehensive in its coverage of security issues. However, compliance with ISO 17799 is far from trivial and is a difficult task even for the most security-conscious organisation; it requires commitment from the top, CEO level, and the money to fund the effort. This URL will take you to ISO information:

http://www.riskserver.co.uk/iso17799/

After looking at all the available information on putting an SSP together it seems a daunting task. Often just the thought of having to put everything down on paper brings the whole idea to a halt. I have looked at and used various sources of information from BS7799, the Communications Electronic Security Group (CESG), a UK Government organisation, DERA, the UK Defence Research Agency, the Royal Air Force (RAF), the Orange Book and other commercial organisations. The following is a suggested SSP format that can be tackled as you would eat an elephant: one bite at a time. The format allows you to address each area in small logical steps. The assumption made is that you know your system, it has been baselined and a risk assessment has been carried out. This ensures that the security measures to be implemented as part of the policy are pertinent to your system.

In the next section a suggested format for an SSP is detailed.
3. The System Security Policy

3.1 Basic Facts

The following details need to be in this section:

- Name of System/Project
- Location of System
- Key Target dates (if required)

3.2 Security Responsibilities

Unless responsibilities are defined there is a tendency for staff to claim that, as nothing was written down, it was not their responsibility.

- System Manager/Project Manager (originator of SSP)
- Prime Contractor (if relevant)
- System Administrator
- System Security Officer/Administrator
- Database Administrator

3.3 Status of Document

Just good housekeeping and configuration control.

- Version Number
- Superseded documents

3.4 System Description

This section is designed to enable the Project Manager or System Administrator to define exactly what they are looking after, and for any third party to be able to quickly understand their responsibilities.

- Role of system. The role of the system in terms of data processing, data storage and communications, as follows:
  - Type of information to be held on the system and output from the system
  - Types of user (administration, normal user, print controller etc.)
  - Number of users
  - Classification of data (Finance Only, HR Only, Project Eyes Only, if required)
  - Quantity of data (Nbytes)
- System Configuration. A description of the working elements of the system that carry out specific tasks:
  - Number of terminals
  - Number of control consoles
  - Number and types of terminals (intelligent, dumb, print etc.)
  - Media loading arrangements
  - Software (OS and version number)
  - Interconnections (LAN and WAN)

3.5 Security Requirements and Measures

This section consists of a statement of the security requirements to be met and the measures needed to achieve them. This should be agreed with a higher authority, usually referred to as an Accreditor, and should be broken down as follows:

- Threats to confidentiality, integrity and availability of data: the nature and resources of possible attackers and the attractiveness of the system and data as a target.
- What the impact will be if the data is accidentally disclosed.

3.6 Security Domains

This is a key element of this policy document. By defining the security domains for the system it is possible to break down the policy into manageable pieces that can be completed domain by domain until the document is fit for purpose. For this type of policy there are three domains: Global Security Environment (GSE), Local Security Environment (LSE) and Electronic Security Environment (ESE). They are defined as follows:

- GSE: the area in which the system is located, in which the security-relevant factors are defined that are considered to be outside the control of the project manager/system administrator. E.g. control of access to the building, which is usually the responsibility of the security company or facilities manager.
- LSE: the security environment under the control of the project/system manager, and the security boundaries with the GSE.
- ESE: the security aspects of the system and its interfaces with the LSE and GSE.

By using domains to break down each section of the policy to be worked on, it will be easier to put together in small logical steps that follow a consistent pattern throughout the document. Following this pattern will also ensure that defence in depth is achieved.

3.7 Definition of Security Measures

In this section of the security policy the measures to be taken to achieve security should be described. The list below is not necessarily comprehensive and others may be required to meet specific system security requirements. As a minimum the following headings are recommended:

- Identification and Authentication - establishment of a claimed identity
- Access Control - the control and authorisation of access to information by a user
- Integrity - prevention of unauthorised amendment or deletion of information
- Accounting - the recording of an account holder’s security-related actions
- Audit - the monitoring of security-related events
- Reliability of Service - the preservation of availability
- Data Exchange - the protection of inter-communication
- Non-repudiation - to render an event undeniable

In order to ensure consistency throughout the document, each section dealing with the security measures should start with the following headings:

- Definition of the Term
- Security principle to be upheld
- General security risks to be countered
- If required, specific examples of risks that need to be considered can be detailed
- Assertions - an explicit statement in an SSP that security measures in one domain constitute an adequate basis for security measures in another
4. Example using Domains

In order to show how the use of domains and security measures are put together in small logical steps to build up a complete policy, the following is how a single section of the document, "Access Control", would be put together.

4.2 Access/Access Control

4.3 Definition

Access is defined as the condition where the potential exists for information to flow between entities. Access Control is control over the flow of information between entities.

4.4 Security Principle

Access to business sensitive information should be limited to persons with the appropriate rights and need to know.

4.5 Security Risk

Individuals without the correct clearance or need-to-know may intentionally or accidentally gain unauthorized access to business sensitive information. Business sensitive information may be sent to destinations not authorised to receive it.

4.6 Assertions

Access to the GSE is under the control of the local Security Guard and reception staff.

Users protect all business sensitive information passed from the systems to the GSE in accordance with its classification.

Access to system hardware is restricted to those authorized to do so.

All unescorted individuals within the LSE are known and trusted by The Company.

SyOPs specify the procedures associated with managing user access rights, and define procedures for:

- identification, marking, recording, handling and storage of magnetic media
- handling of system hard copy outputs
- disposal and repair of faulty or surplus equipment containing memory.

System Administration staff are responsible for maintaining systems security, using permitted administrative functions.

The System Administration staff functions are identified by roles and associated permissions. Such roles control access to, and use of, the systems Administration functions. These controls are restricted to what is authorized and necessary for the performance of their tasks. The roles include:

- Network System Manager
- System Administrators
- Site Support
- System Security Officer
- Audit Administrator (the role of the Audit Administrator is carried out by the Security Administrator).

4.7 GSE Measures

Reception staff or Security Guards shall control access by personnel to buildings in which a system is installed. Physical security of sites is the responsibility of The Company.

Workstations, printers, graphical scanners and optical device readers shall be placed in office space within the GSE.

Automatic virus detection shall be installed on the server to ensure any magnetic media intended to hold or holding User data is virus checked.

The Security Guards shall ensure that offices are left secure at the end of the working day and all desks are cleared, where possible.

4.8 LSE Measures

Servers, routers, Firewalls and, where possible, control consoles shall be accommodated in the secure computer room. Access to the computer room shall be limited to authorized personnel and shall be re-verified on a periodic basis.

SyOPs shall define user responsibilities with regard to use of the systems. Users shall not be admitted to the systems until they have been adequately trained in the use of the system and security features.

System Administration staff shall ensure that administrative functions are not made available to normal users.

Access to the Configuration Management (CM) system and its data shall only be allowed to personnel authorized to carry out CM tasks.

User permissions shall be set up and maintained as per the site specific security procedures.

Removable classified material shall be secured in lockable containers when not in use.

SyOPs shall define procedures for:

- access control, recording, supervision and escorting of personnel in the Computer Room
- control of Protectively Marked material
- recording of actions undertaken by System Administration personnel.

Magnetic Media and Paper Output: Access to systems magnetic media shall be restricted to authorized staff. The following shall be marked:

- Magnetic media for the storage of system and archived user data
- Systems hard copy outputs shall be marked and handled as for the highest data protective marking for the systems or server, unless the owner of the data can assert that it should be of a lower data protective marking.

4.9 ESE Measures

The user profile shall define the set of facilities each user is authorized to access. The systems shall constrain the profile by password mediation to only those facilities that the User is authorized to use.

The System Administration facilities shall be:

- issuing initial passwords
- maintenance of user and role accounts
- maintenance of hardware accounts
- Domain management (controlled at corporate level)
- management of system addresses
- setting password expiration period
- management of groups
- creation and distribution of new software packages
- update site or system inventory
- perform back-up and restore
- configuration of workstation or server
- unlock workstation
- set system time
- management of print resources
- close down and start-up of system
- monitor system performance
- perform diagnostic routines
- check software integrity
- examine and analyze the accounting logs
- maintain accounting filters
- administer audit alarms
- allow the operator to archive and delete an accounting log.

The Security Administration facilities shall be:

- Audit User accounts
- Audit security logs
- Audit of password logs
- Audit of Administrative accounts

All users shall have automatic virus detection software installed on their workstations and/or laptops.

4.10 Configuration of Electronic Mail

E-mail shall be provided internally for all users of the systems as requested. User responsibilities shall be as stated in SyOPs.

All e-mail shall be virus checked.

4.11 Remote Access Control

Only the Company systems staff authorized by the System Manager shall be permitted remote access to the systems.

The SecurID security application shall be implemented on the network to ensure secure User authentication for remote access. No other forms of remote access shall be permitted. The application shall maintain an encrypted list of authorized users, their passwords and profiles for identification and authentication before access is permitted.

Remote access shall be implemented by the use of a Remote Access Server with integral auto switching, a security application and systems interface.

4.12 Internet Access & Firewall Configuration

Firewalls shall be employed to ensure data are only accessed by individuals with a need to know, and with the correct access privileges.

All Firewalls shall implement a Default Deny security strategy; that is, a strategy that states "that which is not expressly permitted is denied". The Firewall security policy is maintained as a separate document.
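The Default Deny strategy stated above, modelled in Python as an added example. This code was written for this page; it is not part of the original paper and not any firewall product's logic. An ordered list of explicit permit rules is consulted and anything unmatched falls through to the default policy, so the contrast with a default-permit stance shows up only on traffic no rule anticipated. The rules, address ranges (RFC 5737 documentation space) and sample flows are all constructed for illustration.

```python
"""Default-deny firewall policy evaluation (added example, not from the paper)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # permitted source range, CIDR
    dst: str      # permitted destination range, CIDR
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed permit list: only these flows are expressly permitted.
PERMIT_RULES = [
    Rule("corp-to-web", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    Rule("partner-to-app", "203.0.113.0/24", "10.1.2.10/32", "tcp", 8443),
    Rule("corp-dns", "10.0.0.0/8", "10.1.1.53/32", "udp", 53),
]

# Constructed sample traffic (documentation address space, no real hosts).
SAMPLE_FLOWS = [
    Flow("10.2.3.4", "198.51.100.7", "tcp", 443),     # internal user browsing
    Flow("203.0.113.9", "10.1.2.10", "tcp", 8443),    # partner reaching the app
    Flow("203.0.113.9", "10.1.2.10", "tcp", 23),      # partner, port not in any rule
    Flow("192.0.2.5", "10.1.1.53", "udp", 53),        # source not in any rule
]


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only when source, destination, protocol and port all agree."""
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and flow.proto == rule.proto and flow.dport == rule.dport)


def evaluate(flow: Flow, rules: List[Rule] = PERMIT_RULES,
             default: str = "deny") -> Tuple[str, str]:
    """First matching permit wins; otherwise the default policy applies.
    Returns (verdict, name of the rule or 'default-policy')."""
    for rule in rules:
        if matches(rule, flow):
            return "permit", rule.name
    return default, "default-policy"


def compare_defaults(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[Flow, str, str]]:
    """Side by side: what default deny and default permit each decide for a flow."""
    return [(f, evaluate(f)[0], evaluate(f, default="permit")[0]) for f in flows]


def denied_log(flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Drop records for review: under default deny every unanticipated flow
    produces one instead of silently succeeding."""
    return [f"DENY {f.proto} {f.src} -> {f.dst}:{f.dport}"
            for f in flows if evaluate(f)[0] == "deny"]


if __name__ == "__main__":
    for flow, deny_verdict, permit_verdict in compare_defaults():
        print(f"{flow.src:>14} -> {flow.dst}:{flow.dport:<5} "
              f"default-deny={deny_verdict:<6} default-permit={permit_verdict}")
```

Running the block prints one line per sample flow; the two unanticipated flows are the only ones on which the two strategies disagree, and `denied_log` turns exactly those into the records an auditor would expect the separate Firewall security policy to require.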
Where deemed necessary, an encrypted VPN shall be implemented using a minimum of 56-bit, and where possible 128-bit, encryption for secure communication over the Internet.

In order to facilitate changes in client access requirements to shared resources, the System Manager, on the authority of the Security Manager, shall be able to permit access to the systems via the Firewall without the requirement to re-submit this document to the Accreditation Authority. This interconnection shall be subject to the provisions of a Partner to Partner Interconnection Policy.

4.13 Putting it all Together

Once you have completed Access Control it is a simple matter of selecting another Security Measure from the list and applying exactly the same process as above. Add them all together with the detail as outlined in paragraphs 3.1 to 3.4 and you will have your SSP and be ready to move on to the Security Operating Procedures.
5. Security Operating Procedures (SyOPs)

5.1 Where SyOPs fit in

The role of Security Operating Procedures (SyOPs) is to look downwards to those who must enforce the SSP. SyOPs are the means by which the System or Project Manager can ensure that the responsibilities he/she has accepted are actually carried out in the day-to-day operation of the system.

Once again it is not the intention to include a complete document, but as an example, and to show that SyOPs are directly related to the SSP, the following is the section within the SyOPs dealing with Access Control for an NT based system:

5.2 Access Authorization

The LAN Team Leader and LAN Team Administrators shall have the ability to restrict access to information to those Users/groups who have a need-to-know. All maintenance engineers and visitors must be in receipt of a valid visitor’s security pass.

5.3 System Access - Authorized Users

All Users shall be authorized, by the LAN Team Administrators, to access the system via a unique account and password.

The LAN Team Administrators shall maintain a list of Authorized Users including:

- Full name of the Authorized User
- Name of Group/Office/Department etc.
- Authorized Userid allocated for The Company
- Renewal date for access permissions.

Authorized Users shall be retired from the list by the LAN Team Administrators under the following circumstances:

- Upon expiration of their authorization
- When advised by the Line Manager
- When advised by Human Resources
- Upon termination of employment or contract.

5.4 New User Account Creation

This process shall be carried out as documented in the local site IT Operations Handbook.

5.5 Rights and Permission Approval

Special rights, permissions and privileges are granted to those whose job function requires it and are to be monitored and controlled on an ongoing basis. A formal request shall be submitted using a Company Request form and signed by an authorized submitter stating justification for all escalation of rights, permissions and privileges.

5.6 User Account Properties Options

User Must Change Password at Next Logon - Default = OFF

After a new user account is automatically generated by the system and the appropriate request has been approved (see the section titled "Joining the THE COMPANY_MASTER Windows NT Domain" in the Windows NT Policies and Procedure document), an initial password will be automatically generated using a random generator for each account. This option is initially turned on and forces the user to change the initial password, averting any unauthorized logons with the randomly generated password. After this initial required reset, the option is turned off automatically.

User Cannot Change Password - Default = OFF

Account Disabled - Default = OFF

This option is turned off by default except in cases of misconduct, suspicion of a breach in security or simply because a user goes on vacation or on temporary leave. User accounts may also be disabled if the activity status of the account shows that it has been inactive for 30 days or more. The ON setting prevents anyone, other than an administrator or account operator, from accessing the user account.

Account Locked Out - Default = OFF

This option appears if an account locks because there were too many failed logon attempts. This last option is an indication that someone has attempted to break into an account, unless the user simply forgot the password. Only a domain administrator can remove the lock.

Logon To: Here you specify the names of the computers that the user can log on to. This is an important security feature, because it forces users to log on to systems where their activities can be physically monitored. It also prevents hackers from logging on to an account from their base of operation, which might be outside your company. The Company will not limit the machines a user can log on to except in situations where the limitation is warranted. Each user and manager will be notified in advance if such a situation becomes necessary.

One user account for each member of staff: The Company standard is that each member of staff should only have one user account. The exception is for Administrators and other power users, who are allowed to have two accounts, one for everyday tasks and another for administrative functions.

5.7 Locked User Accounts

The LAN Team Administrators shall investigate all occurrences of locked accounts. The LAN Team Administrators or designee, who shall ensure the correct User-id is being input, shall assist users with failed log-ins. If the User again fails to log in, a password change shall be initiated.

The LAN Team Administrators, under the authority of the LAN Team Leader, shall proactively lock accounts for administrative and/or security reasons.

5.8 Password Standard

Alpha, numeric with at least one capital.

Maximum Password Age - 45 days

This is the period of time that a user is allowed to use a password before Windows NT requires that the user change the password. The Company require that you set this value to 45.

Minimum Password Age - 1 day

This setting can be used to prevent a user from immediately reverting back to a previous password after a change. It specifies how long a user must wait after changing a password before the user can change it again. The Company require that this value be set to 1.

Minimum Password Length - 8 Alphanumeric characters

This is a critical setting for security reasons. If users create short passwords, a cracker is more likely to discover a password. The Company require that this value is set to 8.

Password Uniqueness - 10

This option can prevent users from toggling among their favorite passwords and reduces the chances that a hacker/password breach attempt will discover passwords.

NOTE: Because of the way passwords are saved in a table, users cannot reuse a password until they have changed passwords n+2 times, where n is the number of passwords remembered. So if Password Uniqueness is set to 10, users cannot revert to the first password until they have changed their passwords twelve times (10+2).

Account Lockout - after x bad logon attempts = 5

The Account Lockout feature is implemented to prevent brute force password cracking/guessing attacks on the system. Each failure will then appear in the Security Event Log, which can be viewed with the Event Viewer. The account that is attempting to log on and the machine where the logons are occurring are listed in the log file. When enabled, the Account Lockout option in the Account Policy dialog box allows the following options:

Users must log on in order to change password = Yes

This option prevents users from changing their passwords if the passwords expire. They will not be able to log on and will need to call an administrator to have their password changed.
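The account settings of sections 5.6 to 5.8, combined into one enforcement path as an added Python example. This code was written for this page; it is not from the original paper and it is not how Windows NT stores or enforces these settings. What it shows is how the individual values (maximum age 45 days, minimum age 1 day, length 8 with a capital and a digit, 10 remembered passwords, lockout after 5 bad logons, the must-change flag on a new account, disabling after 30 idle days) interact on a single account over time. The salted PBKDF2 hashing, the last-N history window, the reading of "alpha, numeric" as requiring at least one digit, and the checking of inactivity at logon time are all assumptions of this example, and the n+2 reuse behaviour in the NOTE above is deliberately not reproduced.

```python
"""Model of the NT account settings in sections 5.6 to 5.8 (added example)."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Values taken from the SyOPs text above; everything else is this example's own.
POLICY = {"max_age_days": 45, "min_age_days": 1, "min_length": 8,
          "history": 10, "lockout_threshold": 5, "inactive_days": 30}


def meets_standard(pw: str) -> bool:
    """5.8 Password Standard: alphanumeric, at least 8 characters, at least
    one capital; requiring at least one digit is this example's assumption."""
    return (len(pw) >= POLICY["min_length"] and pw.isalnum()
            and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw))


def _digest(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 is an assumption of this example, not NT's password storage.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


@dataclass
class Account:
    userid: str
    salt: bytes
    digest: bytes
    last_change: datetime
    last_logon: Optional[datetime] = None
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) of old passwords
    must_change: bool = True        # 5.6: turned on for a new account
    disabled: bool = False
    locked: bool = False
    failures: int = 0
    audit: List[str] = field(default_factory=list)  # stand-in for the Security Event Log

    def matches(self, pw: str) -> bool:
        return hmac.compare_digest(self.digest, _digest(pw, self.salt))


def create_account(userid: str, now: datetime) -> Tuple[Account, str]:
    """5.6: random initial password that itself meets the standard, must-change on."""
    alphabet = string.ascii_letters + string.digits
    while True:
        initial = "".join(secrets.choice(alphabet) for _ in range(12))
        if meets_standard(initial):
            break
    salt = secrets.token_bytes(16)
    return Account(userid, salt, _digest(initial, salt), last_change=now), initial


def change_password(acct: Account, new_pw: str, now: datetime) -> str:
    """Returns 'ok' or the reason the change was refused."""
    if not acct.must_change and now - acct.last_change < timedelta(days=POLICY["min_age_days"]):
        return "refused: minimum password age"            # 5.8 minimum age 1 day
    if not meets_standard(new_pw):
        return "refused: password standard"
    remembered = [(acct.salt, acct.digest)] + acct.history  # current + previous = 10 remembered
    if any(hmac.compare_digest(d, _digest(new_pw, s)) for s, d in remembered):
        return "refused: password reuse"                  # 5.8 uniqueness 10
    acct.history = remembered[:POLICY["history"] - 1]
    acct.salt = secrets.token_bytes(16)
    acct.digest = _digest(new_pw, acct.salt)
    acct.last_change = now
    acct.must_change = False                               # 5.6: flag clears after first reset
    return "ok"


def logon(acct: Account, pw: str, now: datetime) -> str:
    """One logon attempt; returns a status and records failures in the audit list."""
    if acct.last_logon and now - acct.last_logon >= timedelta(days=POLICY["inactive_days"]):
        acct.disabled = True                               # 5.6: inactive 30 days or more
        acct.audit.append(f"{now:%Y-%m-%d} {acct.userid} disabled: inactive")
    if acct.disabled:
        return "denied: account disabled"
    if acct.locked:
        return "denied: account locked"
    if not acct.matches(pw):
        acct.failures += 1
        acct.audit.append(f"{now:%Y-%m-%d} {acct.userid} bad logon #{acct.failures}")
        if acct.failures >= POLICY["lockout_threshold"]:
            acct.locked = True                             # 5.8: lockout after 5 bad logons
            acct.audit.append(f"{now:%Y-%m-%d} {acct.userid} locked out")
            return "denied: locked out"
        return "denied: bad password"
    acct.failures = 0
    acct.last_logon = now
    if now - acct.last_change > timedelta(days=POLICY["max_age_days"]):
        # 5.8 "users must log on in order to change password": expired means no logon
        return "denied: password expired, contact administrator"
    return "must change password" if acct.must_change else "ok"


def admin_unlock(acct: Account) -> None:
    """5.7: only an administrator removes the lock, after investigating the audit entries."""
    acct.locked, acct.failures = False, 0
```

The sequence a LAN Team Administrator would see in practice is: a new account logs on once and is told to change its password; a change inside the one-day minimum age or back to a remembered password is refused; the fifth wrong password locks the account and leaves five audit entries; and an account idle for 30 days is disabled regardless of the password offered.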
5.9 System Passwords

Any standard passwords supplied with the System, e.g. SYSTEM, MASTER, GUEST etc., shall be changed before the System is accessible to unprivileged Authorized Users.

All System passwords shall be treated as confidential and protected accordingly. It is the responsibility of the User to ensure his/her password is secure at all times. The password shall not be written down, except for the copy written down and held securely by the Security Administrator.

If a User feels his password has been compromised in any way then action shall be taken immediately to change the password. Under no circumstances shall a User allow others to use his/her User-id and password.

Passwords that allow access to System administration facilities shall be written down and held securely by the Security Administrator.

The Security Administrator and LAN Team Leader have overall responsibility for the policing of User-ids and passwords and for maintaining a record of all Users.

The initial User-id and password is allocated by the Windows NT Administrator or designee; when first used, the System shall prompt for a password change.

The Windows NT Administrator or designee shall reinstate a locked out Authorized User only when satisfied that an attempt to breach the security policy has not taken place.

NOTE: Manually adding new user accounts to the Windows NT security database on THE COMPANY_MASTER is strictly prohibited without specific approval from the Server Engineering Manager.

Authorized User-ids shall be considered for retirement if the authorized Users have not logged on for a period of two months.

Once authorized, the LAN Team Administrators shall assign privileges associated with the User role for all Users prior to their having access to the system. If a User-id is no longer required the LAN Team Administrators shall be informed, and shall then initiate removal of that User-id from the system.

Only authorized LAN Team administration personnel shall have access to the OS. The Operating System shall be backed up and periodically compared to the live version; anomalies shall be investigated by the Company Security Manager in conjunction with the LAN Team Leader and fully documented for audit purposes.

The Administrator account is a built-in account that is installed when a Windows NT system is set up. In a domain environment, the Administrator account is set up simultaneously with the primary domain controller in the domain. The person setting up the system specifies the initial password for the Administrator account.

The Administrator account can never be disabled or deleted. This safeguard ensures that the Administrator can never be locked out of the system, thus allowing for a total denial of service assault. You cannot even set lockout features for the account to prevent someone from trying multiple passwords in an attempt to illegally access the account.

Because of the security risk to the Administrator account, every possible precaution shall be taken to ensure the account’s security. Select individuals are to be assigned individual accounts with essentially the same permissions but without the no-lockout feature built into the Administrator account.

The original Administrator account is not to be used except in emergency situations, such as a denial of service attack whereby all other administrative accounts are disabled, locked out or deleted. The account will be renamed and given an alphanumeric password. Copies of this password will be held securely by the Security Administrator.
6. Summary

After having looked at and modified various methods of putting an SSP together, I consider that the use of Domains to break down the structure of the document into manageable sections makes the production and implementation of a reasonable and effective security policy an achievable task.

The sections included at paragraph 3.7.1 are by no means exhaustive, but if completed diligently they will ensure that the requirements of Confidentiality, Integrity and Availability are achieved.

The format of the SSP as presented can be expanded or reduced depending on the assessed security measures required for an individual system. The SANS organisation has a number of excellent policy examples, and the policy content as outlined by Michele Crabb-Guel is excellent for ensuring that all areas that need to be in a policy are given due consideration. These can be found at:

http://www.sans.org/newlook/resources/policies/policies.htm

Security is a bottom-line expense and this should always be borne in mind. Businesses need to be convinced of the need to pay for security and often regard security more as a hindrance than a help in supporting or providing services to their users and customers. For a more flexible approach to implementing an SSP I have therefore borrowed the term "Adaptive" used by the company Internet Security Services at:

http://www.iss.net/customer_care/resource_center/whitepapers/

The term "Adaptive" is used to ensure that the SSP is flexible and that the business is not a prisoner to a Security Policy that is set in concrete. By allowing and documenting exceptions to a policy it is possible to meet the requirements of the business and at the same time maintain the security stance required by the CEO’s policy direction.

It is therefore recommended that consideration is given to adding an "Exceptions Policy", in which any variation to the security measures detailed in the SSP can be assessed for risk, and the assessment written down. Based on the risk assessment, the exception to policy can be approved by the Accreditor, or, if the risk is too great but the service is still required, additional security measures can be implemented. This action is then documented as part of the Exception Policy and held with the SSP.
7. References and Cited Sources

CESG Electronic Information Systems (Infosec) Memorandum No 5: System Security Policies, Issue 3.0, July 1994, Unclassified

CESG Computer Security Memorandum No 1: Glossary of Computer Security Terms, Issue 2.2, November 1993

AP 3086: RAF Manual of Security, 5th Edition

Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), also referred to as the "Orange Book"

Internet Security Systems (ISS): Creating, Implementing and Managing the Information Security Lifecycle

Principles and Practice of Computer Security, Admiral Management Services Ltd

Manual of Army Security Vol 4: Information Technology Security, dated 1991

Site Security Handbook, RFC 1244, dated July 1991

http://www.iss.net/customer_care/resource_center/whitepapers/

http://www.information-security-policies-and-standards.com/weblinks.htm

http://www.sun.com/software/white-papers/wp-security-devsecpolicy

http://csrc.nist.gov/secplcy/doc-man.txt (US Dept of Commerce)

http://csrc.nist.gov/policies/welcome.html (U.S. Customs AIS Security Policy Manual)

http://info.internet.isi.edu/in-notes/rfc/files/rfc2196.txt

www.sans.org/newlook/resources/policies/policies.htm

http://www.antionline.com/archives/text/rainbow_books/orange.html