|Getting to know your needs and putting security policies in place|
Amanda M. Andress (firstname.lastname@example.org)
CEO and Founder, ArcSec Technologies, Inc.
01 Dec 2000
In this article, Mandy covers the basics of implementing a security infrastructure in a company. She starts by discussing the importance of a defined, formal security policy and gives examples of what should be included in such a policy. Often, companies that access the Internet have no security in place. The primary policies discussed here are based on security best practices and should be in place regardless of Internet access. These issues become more important when the Internet enters the picture. Mandy shows how an operation should analyze its business requirements in the policy development phase.
So, you've connected your internal network of computers to the Internet. How do
you secure your computers from unauthorized users, denial of service attacks,
and other malicious activity? That's easy -- you need a firewall, right? Well,
what exactly is a firewall? It is a program that separates your company's
internal network from the Internet, filtering traffic to allow only authorized
users to pass. Firewalls analyze each packet and determine whether or not it
should be forwarded to its destination. Many different firewalls exist on the
market today, ranging from small SOHO devices to large enterprise servers.
But before you go plugging in a firewall and speeding across the Internet, a few
other things need to happen first. Security policies need to be defined and
business uses need to be analyzed to help create a security architecture that
specifically addresses your company's needs.
What are security policies?
Security policies are the
most important component of any security architecture; without polices, you have
no security framework. In general, policies define what behavior is allowed and
what is not allowed, and help define which tools and procedures are needed for
the organization. Many of the security policy examples described in this article
are recommended, regardless of whether the company accesses the Internet, but
become critical when that access is provided.
How do you develop these security policies? First, you need to create a policy
development team. This team should be comprised of end users, security
professionals, and management representatives. Ideally, all people affected by
the policy should be involved in the development process, but this is infeasible
in most organizations. One person, usually a security professional, is
designated as the official policy writer. The writer is the leader of the
development team and formulates written policies based on the discussions held
in the policy development team meetings. These written policies are then
reviewed and modified by the rest of the development team.
Policies are very high-level documents; technology and implementation specifics
are not detailed in the policy document. This information is detailed in the
company's procedures, or implementation of the policy. For example, a remote
access policy may give all employees remote access to check their corporate e-mail
accounts. The procedure for remote access specifies that employees are given a
remote access username and password to dial in to the company's RAS server to
check their e-mail.
Make sure the policy development team has been very thorough in defining what
employees can and cannot do. The team should consider all internal areas, not
just Internet access. For example, if only HR employees can access the payroll
system, this should be defined in the Acceptable Use policy. Should all
employees have access to production systems? For Internet access, are there any
sites employees cannot access? Any technologies they cannot use, such as Napster,
streaming media, ICQ, Yahoo Messenger, FTP, Telnet, etc.?
Policies also need to be reviewed on a periodic basis to ensure they are still
representative of what is in place. Most companies review their security
policies on an annual basis and update the information as necessary.
Policies often become a political battle within a company. Employees feel
security policies impede their ability to perform their job duties and allow the
company to monitor their every move. Making users a part of the policy
development process goes a long way towards curbing this hostility.
Communication is also critically important; it keeps employees informed and
educated on security issues, and helps them understand the need for security
policies. In addition, management must advocate and practice the security
policies implemented by the company in order for them to be enforceable. Always
practice what you preach.
Security policy framework
Before writing the specifics of
any policy, the framework should contain three components: scope, purpose, and
The policy scope is a brief statement describing who is covered by
the policy. An example of a scope statement is:
The following document outlines guidelines for processing, storage, and
transmission of information by XYZ Co. employees.
The purpose of the policy is a brief statement describing the
reason the policy is needed. An example of a purpose statement is:
The purpose of this policy is to ensure that sensitive and proprietary
information is appropriately protected from modification or disclosure.
The violations statement is the most critical element of the
policy structure. This statement details how violations of the policy will be
dealt with and becomes important if the company ever goes to trial over employee
violations of the policy. An example of a violations statement is:
The management team will review violations of this policy. The management
team will determine disciplinary action based on the severity of the violation.
Writing security policies
Now comes the fun part --
writing security policies. Every organization should have a few basic policies
in place. Other policies can be implemented on an as-needed basis. These four
policies, listed below, are detailed in the following sections of this article.
Acceptable computer use
Additional policies that many organizations implement in addition to those
listed above are:
The above-listed polices are just a starting point and guideline. A company can
develop any policy it feels is necessary. Also, policies can be combined and
renamed. Many companies have one large information security policy that
incorporates all the smaller policies mentioned above.
Acceptable computer use policy
The acceptable use policy defines
appropriate use of the company's computing resources, regardless of whether or
not they are connected to the Internet. This policy should, at a minimum,
include the following considerations, modified as necessary to fit your company's
Note: The term "users" refers to company employees and contractors using company
computing systems and facilities.
General protection of company resources
The first four policies are
general internal security policies that should be in place whether or not you
are building company access to the Internet or a firewall around the access you
may already have. They are just more important when you have company access to
Users shall not attempt to access any data or programs contained on XYZ Co.
systems for which they do not have authorization or explicit consent of the
owner of the data/program.
Users are responsible for protecting any information used and/or data stored on/in
Users shall not share their computer or network account(s) passwords with anyone.
Users shall not make copies of system configuration files (e.g. /etc/passwd or
SAM file) for their own, unauthorized personal use or to provide to other people/users
for unauthorized use.
Users shall not make unauthorized copies of copyrighted software, except as
permitted by law or by the owner of the copyright.
(Not everything on the Internet is public domain; some of it is pirated or
posted illegally. This last policy also refers to software the company uses on
its own systems preventing employees from making illegal copies of software.)
External access security issues
Users shall not set up or configure dialup or dial back modems unless authorized
to do so.
(This is included here because this threat exists whether or not the company
is connected to the Internet.)
Users shall not download, install, or run security programs or utilities that
reveal weaknesses in the security of a system. For example, XYZ Co. users shall
not run password-cracking programs on XYZ Co. computing systems.
(This is also a threat whether or not the company is connected to the
Internet. Employees could bring programs in from home on floppy disks or CDs.)
Inter- and intracompany (electronic) communications policies
Users shall not purposely engage in activity with the intent to: harass other
users; degrade the performance of systems; deprive an authorized XYZ Co. user
access to an XYZ Co. resource; obtain extra resources beyond those allocated;
circumvent XYZ Co. security measures or gain access to an XYZ Co. system for
which proper authorization has not been given.
Electronic communication and storage facilities including, but not limited to, e-mail
and file servers are for company use only. Fraudulent, harassing, embarrassing,
sexually explicit, profane, obscene, intimidating, defamatory, or otherwise
unlawful or inappropriate messages and/or material shall not be sent from, to,
or stored on XYZ Co. systems.
Content of all communications should be accurate. Users should use the same care
in drafting e-mail and other electronic documents as they would any other
written communication. Anything created on the computer may, and likely will, be
reviewed by others.
User account policy
The user account policy outlines the requirements for
requesting and maintaining accounts on company systems. Many companies require
users to sign this policy before being granted user accounts. This policy should,
at a minimum, include the following clauses, modified as necessary to fit your
The chief technical officer (CTO) (or any other management representative) must
approve new account requests.
XYZ Co. employees are the only parties authorized to use accounts created on the
computing systems unless special access is approved by the CTO.
Each user has his/her own account; users are not allowed to share accounts.
Accounts inactive for 30 days must be disabled.
Accounts of users who were terminated or have resigned must be disabled on the
date of departure.
User account passwords should adhere to the following policy:
Passwords must be at least seven characters long and include a combination of
alphanumeric and numeric characters.
Passwords must be changed every 60 days.
New passwords cannot be the same as the previous six passwords.
Remote access policy
The remote access policy defines acceptable methods
of remotely connecting to the internal network. This policy should, at a minimum,
include the following clauses, modified as necessary to fit your company's needs:
All employees are granted remote access to check e-mail. Additional access must
be approved by the CTO.
Remote access to XYZ Co. computing facilities is restricted to XYZ Co. employees.
Employees can connect to XYZ Co. systems through any means supported by the XYZ
Co. remote access solution (i.e. dial-up directly to company network, dial-up
ISP account, ISDN, cable modem, or XDSL).
Employees connecting to XYZ Co. computing resources through an "always-on"
broadband Internet connection (cable modem, XDSL) must install virus scanning
software and implement security solutions on their home PC.
Information protection policy
The information protection policy outlines
guidelines for processing, storage, and transmission of information. This policy
should, at a minimum, include the following clauses, modified as necessary to
fit your company's needs:
Any third party must sign a nondisclosure agreement before receiving or
discussing trade secrets or proprietary information.
Sending, transmitting, or other dissemination of proprietary information, trade
secrets, or confidential information of XYZ Co. is strictly prohibited.
Unauthorized dissemination of this information may result in substantial civil
liability as well as severe criminal penalties under the Economic Espionage Act
Trade secrets and proprietary information should be stored on specified file
servers. Trade secrets and proprietary information stored on personal machines (laptops,
desktops, etc.) must be encrypted.
Trade secrets and proprietary information transferred over public networks (i.e.
Internet) must be encrypted and digitally signed.
Files obtained from sources outside the company may contain viruses that can
modify or destroy XYZ Co. computer files. Any files received from outside
sources must be scanned with company-approved virus checking software.
In conclusion, security is one of the most
important, but most often overlooked, components of a network. It is essential
to any infrastructure and security policies are the foundation on which to build
this infrastructure. Once security policies are defined and implemented, you
are well on your way to building a security-conscious environment.
|About the author|
Mandy Andress is CEO and Founder of ArcSec Technologies, a security consulting firm. Before starting ArcSec Technologies, Mandy worked for Exxon, USA and several Big 5 accounting firms, including Deloitte & Touche and Ernst & Young. Mandy has written many security product and technology reviews for various publications. She has also spoken on security issues at several security conferences, including Networld+Interop.
You can reach Mandy at email@example.com.