Information Security Policies: User/Employee use policies
Overview
• Format of policies
• Usage of policies
• Example of policies
• Policy cover areas
• References
• Homework
• Questions
Format of Policies
• Purpose
  • The need for the policy
• Scope
  • Which parts of the system the policy covers
  • Who the policy applies to
• Policy
  • What can and cannot be done with the system
• Enforcement
  • Actions that can be taken once the policy is violated
• Definitions
  • Defines the keywords used in the policy
• Revision History
  • States when and what has been changed
Usage of Policies
• Policy
  • A document that outlines specific requirements or rules covering a single area
• Standard
  • A collection of system-specific or procedure-specific requirements that must be met by everyone
• Guideline
  • A collection of system-specific or procedure-specific “suggestions” for best practice
  • Not required, but strongly recommended
Policy cover areas
• Acceptable Use
• Information Sensitivity
• Ethics
• E-mail
• Anti-Virus
• Password
• Connection
Acceptable Use Policy
• General outline for all other policies
• Protects employees, partners and the company from illegal or damaging actions
• Applies to all computer-related equipment
• General use and ownership
• Security and proprietary information
• Unacceptable use
Information Sensitivity Policy
• Determines what information can and cannot be disclosed to non-employees
• Public
  • Declared for public knowledge
  • Can be freely given to anyone without any possible damage
• Confidential
  • Minimal Sensitivity:
    • General corporate information; some personal and technical information
  • More Sensitive:
    • Business, financial, and most personnel information
  • Most Sensitive:
    • Trade secrets and marketing, operational, personnel, financial, source code, and technical information integral to the success of the company
Ethics Policy
• Defines the means to establish a culture of openness, trust and integrity
• Executive Commitment
  • Honesty and integrity must be top priority
• Employee Commitment
  • Treat everyone fairly, have mutual respect
• Company Awareness
  • Promote a trustworthy and honest atmosphere
• Maintaining Ethical Practices
  • Reinforce the importance of the integrity message
• Unethical Behavior
  • Unauthorized use of company information integral to the success of the company will not be tolerated
E-mail Policy
• General usage
  • To prevent tarnishing the company’s public image
• Prohibited use
  • Cannot be used for any disruptive or offensive messages
• Personal Use
  • States whether e-mail can or cannot be used for personal purposes
• Monitoring
  • No expectation of privacy for messages stored, sent or received
  • Monitoring may take place without prior notice
E-mail Policy
• Retention
  • Determines how long an e-mail is retained
• Four main classifications
  • Administrative correspondence – 4 years
  • Fiscal correspondence – 4 years
  • General correspondence – 1 year
  • Ephemeral correspondence – until read
• Instant Messenger Correspondence
  • Applies only to administrative and fiscal correspondence
• Encrypted Communications
  • Stored in decrypted format
E-mail Policy
• Automatic Forwarding
  • To prevent unauthorized or inadvertent disclosure of sensitive information
• When it is permitted
  • Approved by the appropriate manager
  • Sensitive information, as defined in the Information Sensitivity Policy, is encrypted in accordance with the Acceptable Encryption Policy
Anti-Virus Policy
• To prevent computer virus problems
  • Install anti-virus software
  • Update anti-virus software daily
  • Always keep anti-virus software in its auto-protect state
  • Scan storage media for viruses before using them
  • Never open any e-mail from an unknown source
  • Never download files from an unknown source
  • Remove virus-infected computers from the network until verified as virus-free
Password Policy
• A standard for the creation of strong passwords
  • Contain both upper- and lower-case characters
  • Contain digits and punctuation characters
  • At least eight alphanumeric characters long
  • Not based on personal information
  • Not a word in any language
  • Can be easily remembered
• Frequency of password changes
Password Policy
• Protection of passwords
  • Never written down or stored on-line
  • Don’t reveal a password over the phone
  • Don’t reveal a password in an e-mail message
  • Don’t reveal a password to the boss
  • Don’t reveal a password to co-workers
  • Don’t hint at the format of a password
  • Don’t share a password with family members
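The strength rules on the previous slide can be turned into a mechanical check that a help desk or account-provisioning script runs before accepting a new password. The code below is an added example for this deck, not part of the slides or of any SANS template; the word list and the personal-information items are constructed stand-ins, and a real deployment would load a full multi-language dictionary in place of COMMON_WORDS.

```python
import string

# Constructed mini "dictionary" standing in for a real multi-language word list
# (assumption: the deployment loads a full list here).
COMMON_WORDS = {"password", "welcome", "company", "summer", "dragon", "letmein"}

MIN_LENGTH = 8  # "at least eight alphanumeric characters long"


def check_password(candidate: str, personal_info=()) -> list:
    """Return the list of policy rules the candidate violates (empty list = compliant).

    personal_info is an iterable of strings the user should not build a password
    from (name, birth year, pet, ...); the caller supplies it from the HR record.
    """
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation character")

    lowered = candidate.lower()
    # Strip digits and punctuation so that "Welcome1!" is still caught as the
    # dictionary word "welcome" ("not a word in any language").
    letters_only = "".join(c for c in lowered if c.isalpha())
    if letters_only in COMMON_WORDS:
        problems.append("based on a dictionary word")

    # "Not based on personal information": reject any supplied item that appears
    # verbatim (case-insensitively) inside the password.
    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information ({item!r})")

    return problems


if __name__ == "__main__":
    # Constructed sample checks.
    for pw in ("password", "Welcome1!", "Alice1985!", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, personal_info=["Alice", "1985"]) or "OK")
```

The function returns every violated rule rather than stopping at the first one, so the user sees the complete list of fixes in a single round trip, which is what a policy enforcement point should do.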
Connection Policy
• Remote Access
  • Defines standards for connecting to the company’s network from any external host or network
• General
  • Same considerations as an on-site connection
  • General Internet access for recreational use by the immediate household is permitted
• Requirements
  • Public/private keys with strong pass-phrases
  • Cannot be connected to other networks at the same time
  • Cannot provide their login or e-mail password to anyone
  • Must have the most up-to-date anti-virus software installed
Connection Policy
• Analog/ISDN Line
  • Defines standards for the use of analog/ISDN lines for sending and receiving faxes, and for connection to computers
• Scenarios and Business Impact
  • Outside attacker attached to the trusted network
• Facsimile Machines
  • Physically disconnected from computers and the internal network
• Computer-to-Analog Line Connections
  • A significant security threat
• Requesting an Analog/ISDN Line
  • States why other secure connections cannot be used
Connection Policy
• Dial-in Access
  • To protect information from being inadvertently compromised by authorized personnel using a dial-in connection
  • One-time password authentication
  • Connects to the company’s sensitive information
    • Reasonable measures to protect assets
  • Analog and non-GSM digital cellular phones
    • Signals are readily scanned by unauthorized individuals
  • Monitor account activity
    • Disable the account after no access for six months
Connection Policy
• Extranet
  • Describes how third-party organizations connect to the company network for the purpose of transacting business related to the company
  • In the best possible way, Least Access
  • Valid business justification
  • Approved by a project manager
  • Point of contact from the sponsoring organization
  • Subject to the Third Party Connection Agreement
• Establishing Connectivity
  • Provide complete information about the proposed access
Connection Policy
• Modifying Access
  • Notify the extranet management group
  • Security and connectivity evolve accordingly
• Terminating Access
  • Access is no longer required
  • Terminate the circuit
• Third Party Connection Agreement
  • Defines the standards and requirements, including legal requirements, needed in order to interconnect a third party organization’s network to the production network
  • Must be signed by both parties
Connection Policy
• Virtual Private Network (VPN) Security
  • Defines the requirements for remote access IPSec or L2TP VPN connections to the company network
  • Force all traffic to and from the PC over the VPN tunnel
  • Dual tunneling is not allowed
  • 24-hour absolute connection time limit
  • Automatically disconnected after 30 min. of inactivity
  • Only the approved VPN client can be used
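Two of the connection-policy rules above are time limits that a concentrator or an account-review job has to evaluate: the VPN slide's 24-hour absolute limit and 30-minute idle limit, and the dial-in slide's "disable after six months without access". The code below is an added example for this deck (not code from the slides or from any VPN vendor) showing both checks over constructed session and last-access records; the month arithmetic treats "six months" as six calendar months, which is an assumption, since the slide does not say whether that means 180 days.

```python
from datetime import datetime, timedelta

# Limits taken from the VPN and dial-in slides.
ABSOLUTE_LIMIT = timedelta(hours=24)   # 24-hour absolute connection time limit
IDLE_LIMIT = timedelta(minutes=30)     # disconnect after 30 min of inactivity
DORMANT_MONTHS = 6                     # disable account after six months without access


def vpn_session_action(connected_at: datetime, last_activity: datetime, now: datetime) -> str:
    """Decide whether a VPN session must be torn down under the policy.

    The absolute limit is checked first: a session that is still busy at the
    24-hour mark is disconnected anyway, which is what "absolute" means.
    """
    if now - connected_at >= ABSOLUTE_LIMIT:
        return "disconnect: 24h absolute limit reached"
    if now - last_activity >= IDLE_LIMIT:
        return "disconnect: idle for 30 min"
    return "keep"


def months_between(earlier: datetime, later: datetime) -> int:
    """Whole calendar months elapsed from earlier to later (assumption: calendar months)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:       # the last month has not completed yet
        months -= 1
    return months


def dormant_accounts(last_access: dict, now: datetime) -> list:
    """Return the usernames whose last access is DORMANT_MONTHS or more in the past."""
    return sorted(user for user, when in last_access.items()
                  if months_between(when, now) >= DORMANT_MONTHS)


if __name__ == "__main__":
    # Constructed sample data: one review run at a fixed "now".
    now = datetime(2024, 6, 1, 12, 0)
    sessions = {
        "alice": (now - timedelta(hours=25), now - timedelta(minutes=1)),
        "bob":   (now - timedelta(hours=2),  now - timedelta(minutes=45)),
        "carol": (now - timedelta(hours=2),  now - timedelta(minutes=5)),
    }
    for user, (started, active) in sessions.items():
        print(user, "->", vpn_session_action(started, active, now))

    last_access = {
        "alice": datetime(2023, 11, 1),
        "bob":   datetime(2024, 3, 15),
        "carol": datetime(2023, 12, 2),
    }
    print("dormant:", dormant_accounts(last_access, now))
```

Note that carol in the constructed data last logged in on 2 December and is reviewed on 1 June: five full months and 30 days, so the calendar-month rule keeps the account enabled one more day. Whichever interpretation of "six months" the organization picks, it should be written into the Definitions section of the policy so the review job and the auditors agree.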
Connection Policy
• Wireless Communication
  • Defines standards for wireless systems used to connect to the company network
• Access Points and PC Cards
  • Registered and approved by InfoSec
• Approved Technology
  • Use approved products and security configurations
• Encryption and Authentication
  • Drop all unauthenticated and unencrypted traffic
• Setting the SSID
  • Should not contain any identifying information
References
• The SANS Security Policy Project
  • http://www.sans.org/resources/policies
• Information Security Policies & Computer Security Policy Directory
  • http://www.information-security-policies-and-standards.com
• RFC 1244 – Site Security Handbook
  • http://www.faqs.org/rfcs/rfc1244.html
• Google
  • http://www.google.com
Homework
• Write a full version of the policy based on assignment 5, “Acceptable student use of the GTS”, in the format presented
• Define the usage of the policy as presented
Tips:
• The policy document format is located in slide 3
• The usage of policies is located in slide 4
• You may find more information at SANS
Questions
• Any questions?