Policies and Procedures

 < Free Open Study > 



Policies and Procedures

In most security conscious businesses, policies and procedures are implemented to provide a set of rules and standards for employees that represent management philosophies and opinions. Most company policies include certain sets of guidelines, standards, and procedures that should be implemented, enforced, and updated continuously to reflect changes in management wishes and direction properly.

Security Policy

A security policy is a detailed document that simply specifies how an organization will protect the business resources and assets.

Note 

A security policy is a type of written policy that is never completed. It is a living document that deserves and requires continuous updates that reflect changes occurring over the lifetime of a business.

The security policy creation process typically begins by assessing the threats or risks that exist and developing a response team that will be implemented and empowered to respond to security related threats and issues. Next, usage policy statements are often created to identify the roles and responsibilities of specific employees. All company employees should be educated on the importance of the security policy and their roles regarding the security policy. Other statements are often added to security policy such as vendor or partner usage statements that specify the roles and responsibilities of clients and other third parties.

A good security policy might also include prevention statements and restorations statements that identify specific means that will be used to minimize security risk and steps that will take in response to security breaches. A very informative description of network-related security policy practices is available to the public at http://www.cisco.com/warp/public/126/secpol.html#1a
.

Most security policies include an “Acceptable Use” clause or policy, which will be described next.

Acceptable Use

An Acceptable Use Policy (AUP) is a written and signed agreement that is usually required by a human resource department when a new employee is hired to work for a company. It can contain statements that reflect the company’s policy regarding proper use of building facilities, equipment, software, applications, and other assets. If an employee breaks the rules included in the companies AUP, the employee can be subject to disciplinary action such as termination.

Many companies such as software manufacturers, Internet service providers (ISPs), network and online institutions require the signing of an AUP before access to their products or services are granted. Signing or agreeing to the terms included in an AUP means that you accept the rules and regulations associated with the AUP. Noncompliance with the AUP typically results in withdrawal or denial of the product or service and can result in legal action if deemed necessary by the owner.

Due Care

Company directors, managers, network administrators, and security personnel as well as other personnel are expected and required to carry out their specific job functions and exhibit due care. Due Care is considered acting in good faith as any “normal,” “prudent” person would in a similar position or function. It is carrying out one’s responsibilities with the overall welfare of the business or enterprise in mind.

Certain positions within companies require that key personal receive specialized training with certain business concepts and etiquette. Recent history tells us that high-ranking business representatives that do not act with due care can be legally held responsible for their actions.

Due Care and Due Diligence often are used synonymously; do not let this confuse you if you happen to see a question on the Security+ exam that references Due Diligence.

Note 

Due Care is concerned with maintaining confidentiality, integrity, and availability, which will be explained in the next section.

Principles and Management Concepts

The development, implementation, and education of employees regarding company policies, procedures, and practices by business managers and leaders are imperative to the success of any productive secure business environment. There are also three very important management concepts that you should be aware of. They are as follows:

  • Confidentiality: Ensures that only authorized individuals have access to services recourses and important data. It is critical that controls such as authentication mechanisms, firewalls, and cryptography practices are put in place to ensure confidentiality.

  • Integrity: Ensures that important data remains unchanged or is not modified from any other state than is expected.

  • Availability: Ensures that data, resources, and services are available to those who need them. In order for a business to be productive and profitable, it needs to ensure its employees, partners, and customers to have access to certain information and products. For example, if a business provides a product for sale on an Internet site, and that particular Internet site is down, it is unavailable. DoS (Denial of Service) attacks on servers that provide Internet sites and service are often responsible for lack of availability.

    Note 

    The security management concepts confidentiality, integrity, and availability make up what is well known in security circles as the CIA Triad.

Separations of Duties

Concerning information and communication security, separation of duties is the segmenting or the division of job responsibilities regarding highly sensitive information technology and data so that no one can solely jeopardize or compromise the integrity of data, a system, or a network.

Every job function in a company should have a documented job description that identifies the particular jobs requirements, responsibilities and duties. These job descriptions should be updated whenever an employee leaves the company, is terminated, or moves to another position within the company. This documentation should also be updated as job requirements change.

SLA (Service Level Agreements)

SLAs are agreements or contracts between vendors of services or products that specify what the service agreement will provide. A good example of an SLA would be a contract from an Internet service provider who, in writing, guarantees a certain level of access speed to the Internet.

Most SLAs provide statistics that can be used to compare services with other vendors of a similar product. For example, companies that provide access to the Internet often include such metrics as measured response time, help desk response time, total number of users who can be signed on at a time, accessibility time, and other information that can be used as a benchmark.

Today, many enterprise-class companies require SLAs and other contractual agreements to be in place with their service providers in order to guarantee a certain level of access and integrity to business customers.

Disposal/Destruction

The proper handling of confidential company information, whether it be hard or soft copy, should always be a consideration when developing a company security policy or just handling sensitive information. Rules should be put in place and these rules should be brought to the attention of every employee that handles important and confidential data. Most companies have a disposal policy that states all paper and printed output must be shredded in a crosscut shredder before it is recycled or thrown away. Most of these policies are not limited to paper output. They also include policy that pertains to the erasing of data stored on media such as floppy disks, CDs, zip disks, hard drives, and other forms of media storage before the media is thrown away, recycled, donated, or sold to a third party.

Information theft is not isolated to online sources. A popular technique known as dumpster diving is commonly used by hackers to obtain information that can be used to gain access to systems and confidential company information. In simple terms, dumpster diving is going through someone else’s trash with the hopes of finding information such as names, ID’s, phone lists, passwords, network information, PINs, account numbers, and other information that can be used for social engineering attacks and access to information systems.

HR Policy

Human Resource departments play a very important role in the administrative management of security practices and policies. These departments should have strict HR (Human Resource) policies in place in order to ensure the proper procedures are implemented and followed regarding the hiring and firing of potential and company employees. HR personnel are also required to use due care and follow a proper code of ethics when managing the human factor of an organization.

Hiring

Hiring quality, responsible, trustworthy employees who meet a business’s needs is an essential process in protecting a company’s infrastructure. Proper HR policies and procedures should be in place when recruiting new employees. HR personnel should be trained and familiar with hiring laws, regulation, and company policy.

Background checks should be conducted to ensure that perspective employees meet policy and company needs. Multiple references should be consulted to ensure a possible employee’s integrity and honesty.

Once hired, it should be policy that new employee’s job responsibilities are clearly defined and presented to the employee. The employee should be well educated on the rules, regulations, and policies associated with the company and the employee’s role in the company. Building and network access should be granted to new employees based on their roles, applying the principle of least privilege. In other words, give an employee access to physical places and logical resources needed to carry out only their specific job functions.

Termination

As is the case with hiring practices, employee termination policies require great attention to be effective. All of the same practices mentioned earlier should be considered. HR personal must be educated with laws and regulations as they apply to the dismissal of company employees. Documented company policy as it applies to termination should be strictly followed.

When an employee is terminated or leaves the company for any reason, all responsible management, security, and network personal should be notified that the employee has left. All physical access privileges to the building and other secured areas should be immediately revoked for the employee. All network and resource access should be immediately disabled or removed for the former employee. If the former employee requires access to personal property before leaving the business, they should be escorted by HR and security personal to and from all required locations.

Code of Ethics

A code of ethics is a documented representation of the values associated with a profession or business. They are the collaborative beliefs or values associated with job responsibilities that are used to assure employees, partners, and clients that a company, its management, and its employees will act responsibly and be accountable for their actions as they pertain to the products they provide and the customers they support.

A solid company code of ethics typically will include the following abilities:

  • Employees can monitor the behavior of coworkers as the behavior applies to the company’s documented code of ethics.

  • Management and HR can educate and carry out the values contained in the code of ethics.

  • Management and HR can dismiss or reprimand employees for not abiding by the company’s documented code of ethics.

Just about every job or industry that provides a product or service has as associated code of ethics. Even the Internet has a code of ethics; use of government information and Web sites have an associated code of ethics; and yes, even certain security certification requires a code of ethics. Currently, those who are CISSP (Certified Information Security Professionals) certified are required to follow the code of ethics stated at: http://www.isc2.org/cgi-bin/content.cgi?category=12.

Incident Response Policy

An incident response policy is a set of instructions, guidelines, and rules usually created by a CIRT (Computer Incident Response Team), which are most often a combination of management and a skilled team of those who are technically inclined. The incident response policy should be followed if a known emergency, security-related incident or disaster has occurred. Most well-organized and well-documented incident response policies will state or define what an incident really is to the company. This is usually the first step in the development of an incident response policy. The policy will list the emergency contacts and prioritize the order in which these contacts are notified. The policy will also require that an incident response report be filled out if a security issue or emergency has occurred. An incident response report will typically include items such as the following:

  • Time and place the incident occurred.

  • Summary of people and systems that were involved with the incident.

  • Description in detail of the incident.

  • Documenter’s name, the time the report was initiated, and the people who were notified when the issue occurred.

Proper incident handling includes three important factors. They are incident reporting, incident analysis, and incident response. For security issues and emergencies to be properly taken care of, and the earlier mentioned important factors to be addressed in a controlled manner, it is critical that incidents be reported as soon as possible. Most computer security incidents require quick action. If an intruder, virus, or disgruntled employee is not handled with swift action, devastating results to company equipment and data may be the end result.

The Carnegie Mellon University provides the following very informative Web site that details incident response handling and services: http://www.cert.org/csirts/csirt_faq.html.



 < Free Open Study >