What you need to know before setting up a firewall
Getting to know your needs and putting security policies in place

Amanda M. Andress
CEO and Founder, ArcSec Technologies, Inc.
01 Dec 2000

In this article, Mandy covers the basics of implementing a security infrastructure in a company. She starts by discussing the importance of a defined, formal security policy and gives examples of what should be included in such a policy. Often, companies that access the Internet have no security in place. The primary policies discussed here are based on security best practices and should be in place regardless of Internet access. These issues become more important when the Internet enters the picture. Mandy shows how an operation should analyze its business requirements in the policy development phase.

So, you've connected your internal network of computers to the Internet. How do you secure your computers from unauthorized users, denial of service attacks, and other malicious activity? That's easy -- you need a firewall, right? Well, what exactly is a firewall? It is a program that separates your company's internal network from the Internet, filtering traffic to allow only authorized users to pass. Firewalls analyze each packet and determine whether or not it should be forwarded to its destination. Many different firewalls exist on the market today, ranging from small SOHO devices to large enterprise servers.

But before you go plugging in a firewall and speeding across the Internet, a few other things need to happen first. Security policies need to be defined and business uses need to be analyzed to help create a security architecture that specifically addresses your company's needs.

What are security policies?
Security policies are the most important component of any security architecture; without policies, you have no security framework. In general, policies define what behavior is allowed and what is not allowed, and help define which tools and procedures are needed for the organization. Many of the security policy examples described in this article are recommended regardless of whether the company accesses the Internet, but become critical when that access is provided.

How do you develop these security policies? First, you need to create a policy development team. This team should be comprised of end users, security professionals, and management representatives. Ideally, all people affected by the policy should be involved in the development process, but this is infeasible in most organizations. One person, usually a security professional, is designated as the official policy writer. The writer is the leader of the development team and formulates written policies based on the discussions held in the policy development team meetings. These written policies are then reviewed and modified by the rest of the development team.

Policies are very high-level documents; technology and implementation specifics are not detailed in the policy document. This information is detailed in the company's procedures, or implementation of the policy. For example, a remote access policy may give all employees remote access to check their corporate e-mail accounts. The procedure for remote access specifies that employees are given a remote access username and password to dial in to the company's RAS server to check their e-mail.

Make sure the policy development team has been very thorough in defining what employees can and cannot do. The team should consider all internal areas, not just Internet access. For example, if only HR employees can access the payroll system, this should be defined in the Acceptable Use policy. Should all employees have access to production systems? For Internet access, are there any sites employees cannot access? Any technologies they cannot use, such as Napster, streaming media, ICQ, Yahoo Messenger, FTP, Telnet, etc.?

Policies also need to be reviewed on a periodic basis to ensure they are still representative of what is in place. Most companies review their security policies on an annual basis and update the information as necessary.

Policies often become a political battle within a company. Employees feel security policies impede their ability to perform their job duties and allow the company to monitor their every move. Making users a part of the policy development process goes a long way towards curbing this hostility. Communication is also critically important; it keeps employees informed and educated on security issues, and helps them understand the need for security policies. In addition, management must advocate and practice the security policies implemented by the company in order for them to be enforceable. Always practice what you preach.

Security policy framework
Before writing the specifics of any policy, the framework should contain three components: scope, purpose, and violations.

The policy scope is a brief statement describing who is covered by the policy. An example of a scope statement is:

The following document outlines guidelines for processing, storage, and transmission of information by XYZ Co. employees.

The purpose of the policy is a brief statement describing the reason the policy is needed. An example of a purpose statement is:

The purpose of this policy is to ensure that sensitive and proprietary information is appropriately protected from modification or disclosure.

The violations statement is the most critical element of the policy structure. This statement details how violations of the policy will be dealt with and becomes important if the company ever goes to trial over employee violations of the policy. An example of a violations statement is:

The management team will review violations of this policy. The management team will determine disciplinary action based on the severity of the violation.

Writing security policies
Now comes the fun part -- writing security policies. Every organization should have a few basic policies in place. Other policies can be implemented on an as-needed basis. These four policies, listed below, are detailed in the following sections of this article.

  • Acceptable computer use
  • User account
  • Remote access
  • Information protection

Additional policies that many organizations implement in addition to those listed above are:

  • Firewall management
  • Network connection

The above-listed policies are just a starting point and guideline. A company can develop any policy it feels is necessary. Also, policies can be combined and renamed. Many companies have one large information security policy that incorporates all the smaller policies mentioned above.

Acceptable computer use policy
The acceptable use policy defines appropriate use of the company's computing resources, regardless of whether or not they are connected to the Internet. This policy should, at a minimum, include the following considerations, modified as necessary to fit your company's needs.

Note: The term "users" refers to company employees and contractors using company computing systems and facilities.

General protection of company resources
The first four policies are general internal security policies that should be in place whether or not you are building company access to the Internet or a firewall around the access you may already have. They are just more important when you have company access to the Internet.

  • Users shall not attempt to access any data or programs contained on XYZ Co. systems for which they do not have authorization or explicit consent of the owner of the data/program.
  • Users are responsible for protecting any information used and/or data stored on/in their accounts.
  • Users shall not share their computer or network account(s) passwords with anyone.
  • Users shall not make copies of system configuration files (e.g. /etc/passwd or SAM file) for their own, unauthorized personal use or to provide to other people/users for unauthorized use.
  • Users shall not make unauthorized copies of copyrighted software, except as permitted by law or by the owner of the copyright. (Not everything on the Internet is public domain; some of it is pirated or posted illegally. This last policy also refers to software the company uses on its own systems preventing employees from making illegal copies of software.)

External access security issues

  • Users shall not set up or configure dialup or dial back modems unless authorized to do so. (This is included here because this threat exists whether or not the company is connected to the Internet.)
  • Users shall not download, install, or run security programs or utilities that reveal weaknesses in the security of a system. For example, XYZ Co. users shall not run password-cracking programs on XYZ Co. computing systems. (This is also a threat whether or not the company is connected to the Internet. Employees could bring programs in from home on floppy disks or CDs.)

Inter- and intracompany (electronic) communications policies

  • Users shall not purposely engage in activity with the intent to: harass other users; degrade the performance of systems; deprive an authorized XYZ Co. user access to an XYZ Co. resource; obtain extra resources beyond those allocated; circumvent XYZ Co. security measures or gain access to an XYZ Co. system for which proper authorization has not been given.
  • Electronic communication and storage facilities including, but not limited to, e-mail and file servers are for company use only. Fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory, or otherwise unlawful or inappropriate messages and/or material shall not be sent from, to, or stored on XYZ Co. systems.
  • Content of all communications should be accurate. Users should use the same care in drafting e-mail and other electronic documents as they would any other written communication. Anything created on the computer may, and likely will, be reviewed by others.

User account policy
The user account policy outlines the requirements for requesting and maintaining accounts on company systems. Many companies require users to sign this policy before being granted user accounts. This policy should, at a minimum, include the following clauses, modified as necessary to fit your company's needs:

  • The chief technical officer (CTO) (or any other management representative) must approve new account requests.
  • XYZ Co. employees are the only parties authorized to use accounts created on the computing systems unless special access is approved by the CTO.
  • Each user has his/her own account; users are not allowed to share accounts.
  • Accounts inactive for 30 days must be disabled.
  • Accounts of users who were terminated or have resigned must be disabled on the date of departure.
  • User account passwords should adhere to the following policy:
    • Passwords must be at least seven characters long and include a mix of alphabetic and numeric characters.
    • Passwords must be changed every 60 days.
    • New passwords cannot be the same as the previous six passwords.
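The user account clauses above are concrete enough to be checked mechanically. The following is an added example written for this page, not code from the article or from ArcSec Technologies: a small checker that enforces the stated password rules (at least seven characters, letters and digits, changed within 60 days, not equal to any of the previous six) and flags accounts that the policy says must be disabled (inactive for 30 days, or departed). The account records, the `SAMPLE_ACCOUNTS` data and the password history format are constructed for the example; password history is kept as salted PBKDF2 hashes rather than plaintext so that the reuse check never needs old passwords in the clear.

```python
"""Added example: checker for the user account policy clauses (not from the article)."""
import hashlib
import hmac
import os
from datetime import date
from typing import Dict, List, Optional, Tuple

# Thresholds taken directly from the policy clauses above.
MIN_LENGTH = 7        # "at least seven characters long"
MAX_AGE_DAYS = 60     # "changed every 60 days"
HISTORY_DEPTH = 6     # "previous six passwords"
INACTIVE_DAYS = 30    # "inactive for 30 days must be disabled"

# Iteration count is a constructed value for the example; production systems tune this.
PBKDF2_ROUNDS = 50_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) so old passwords can be kept for the history check without storing plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def check_complexity(password: str) -> List[str]:
    """Return a list of policy violations for the length and character-mix rules (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems

def reused_from_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """history holds (salt, digest) pairs, most recent first; only the last HISTORY_DEPTH entries count."""
    for salt, digest in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking which byte differed.
        if hmac.compare_digest(candidate, digest):
            return True
    return False

def validate_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Combine the complexity and reuse rules into one list of violations."""
    problems = check_complexity(password)
    if reused_from_history(password, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems

def password_expired(last_changed: date, today: date) -> bool:
    """A password is due for change once it has been in use for MAX_AGE_DAYS or more."""
    return (today - last_changed).days >= MAX_AGE_DAYS

def accounts_to_disable(accounts: List[Dict], today: date) -> Dict[str, str]:
    """Map each username that must be disabled to the reason ('departed' or 'inactive').

    Each account is a dict with 'user', 'last_login' (date) and 'departed' (date or None);
    this record layout is constructed for the example.
    """
    flagged = {}
    for acct in accounts:
        if acct["departed"] is not None and acct["departed"] <= today:
            flagged[acct["user"]] = "departed"      # disable on the date of departure
        elif (today - acct["last_login"]).days >= INACTIVE_DAYS:
            flagged[acct["user"]] = "inactive"
    return flagged

# Constructed sample data: three accounts reviewed on 1 Dec 2000.
REVIEW_DATE = date(2000, 12, 1)
SAMPLE_ACCOUNTS = [
    {"user": "alice", "last_login": date(2000, 11, 28), "departed": None},
    {"user": "bob",   "last_login": date(2000, 10, 15), "departed": None},             # 47 days idle
    {"user": "carol", "last_login": date(2000, 11, 30), "departed": date(2000, 12, 1)},  # leaves today
]

if __name__ == "__main__":
    print("complexity:", check_complexity("abc123"))
    history = [hash_password("Winter2000")]
    print("reuse:", validate_new_password("Winter2000", history))
    print("expired:", password_expired(date(2000, 10, 1), REVIEW_DATE))
    print("disable:", accounts_to_disable(SAMPLE_ACCOUNTS, REVIEW_DATE))
```

The checker reports every violated rule rather than stopping at the first one, which makes the output usable both as feedback to the user and as an audit record; the account review returns a reason per username so the operator running it under the policy can see why each account is being disabled.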

Remote access policy
The remote access policy defines acceptable methods of remotely connecting to the internal network. This policy should, at a minimum, include the following clauses, modified as necessary to fit your company's needs:

  • All employees are granted remote access to check e-mail. Additional access must be approved by the CTO.
  • Remote access to XYZ Co. computing facilities is restricted to XYZ Co. employees.
  • Employees can connect to XYZ Co. systems through any means supported by the XYZ Co. remote access solution (i.e. dial-up directly to company network, dial-up ISP account, ISDN, cable modem, or XDSL).
  • Employees connecting to XYZ Co. computing resources through an "always-on" broadband Internet connection (cable modem, XDSL) must install virus scanning software and implement security solutions on their home PC.

Information protection policy
The information protection policy outlines guidelines for processing, storage, and transmission of information. This policy should, at a minimum, include the following clauses, modified as necessary to fit your company's needs:

  • Any third party must sign a nondisclosure agreement before receiving or discussing trade secrets or proprietary information.
  • Sending, transmitting, or other dissemination of proprietary information, trade secrets, or confidential information of XYZ Co. is strictly prohibited. Unauthorized dissemination of this information may result in substantial civil liability as well as severe criminal penalties under the Economic Espionage Act of 1996.
  • Trade secrets and proprietary information should be stored on specified file servers. Trade secrets and proprietary information stored on personal machines (laptops, desktops, etc.) must be encrypted.
  • Trade secrets and proprietary information transferred over public networks (i.e. Internet) must be encrypted and digitally signed.
  • Files obtained from sources outside the company may contain viruses that can modify or destroy XYZ Co. computer files. Any files received from outside sources must be scanned with company-approved virus checking software.

In conclusion, security is one of the most important, but most often overlooked, components of a network. It is essential to any infrastructure and security policies are the foundation on which to build this infrastructure. Once security policies are defined and implemented, you are well on your way to building a security-conscious environment.


About the author
Mandy Andress is CEO and Founder of ArcSec Technologies, a security consulting firm. Before starting ArcSec Technologies, Mandy worked for Exxon, USA and several Big 5 accounting firms, including Deloitte & Touche and Ernst & Young. Mandy has written many security product and technology reviews for various publications. She has also spoken on security issues at several security conferences, including Networld+Interop. You can reach Mandy at
