2.7 Pulling It All Together: Sample Security Policy Creation

The final section in this chapter is a sample security policy. Due to space constraints, the policy itself is straightforward and somewhat abbreviated, but it walks through all the major steps of creating a security policy and implementing it.

The sample describes a security policy that my consulting company, Proteris, might follow. For purposes of this example, Proteris is a consulting company that produces a good deal of unique intellectual property, and this material is its most important information asset. While the course materials are printed in hard copy for classes, Proteris must maintain strict controls over the digital versions of its courses, because the company loses value at the same time it loses its intellectual property.

2.7.1 Abstract

Proteris recognizes that intellectual property is the corporation's primary asset. The material value of the company itself is directly tied to safeguarding this intellectual property; therefore, safeguarding all administrative, technical, and physical systems used to access this information is likewise critical. To protect this critical asset, Proteris will create policy, standards, and guidelines that preserve the confidentiality, integrity, and availability of this information.

2.7.2 Context

Proteris maintains a worldwide reputation for quality technical training and consulting. Our clients expect and receive knowledgeable, experienced instructors and high-quality training materials tailored to meet their specific technology training and consulting requirements. To consistently meet these high standards, Proteris employs state-of-the-art information management systems. As such, the security and availability of these information systems are critical to Proteris' success.

The information security policy of Proteris applies to all employees, contractors, vendors, and consultants who access Proteris information systems in the course of their work for Proteris. All information systems and information assets, including any logical or physical representation of Proteris intellectual property, are covered by this policy.

2.7.3 Policy

Proteris will establish standards, procedures, and guidelines that support information security. Information security shall pertain to the confidentiality, integrity, and availability of information on the Proteris network. Standards, procedures, and guidelines will employ the most cost-effective solutions that reduce risk from information security threats to acceptable levels, as determined by the information security (IS) team. This includes, but is not limited to, creating such physical, technical, and administrative controls as are deemed necessary to ensure that the objectives of the Proteris security policy are met.

Acceptable levels, for the purposes of this document, shall be defined by the relative value of the information assets owned by Proteris weighed against the risks those assets are likely to encounter, as determined by the IS team.

The information technology (IT) department manager shall head the IS team. The IS team shall consist of those members of the IT staff deemed appropriate by the head of the IS team. The department manager of every other Proteris department shall select one member of his or her staff to serve as a representative on the IS team.

Implementation of the goals of this policy is described in the Proteris security standards and procedures document. The most recent copy of that document is attached to this document as Proteris Security Standards and Procedures version 2.05, 4/15/03, and is also available in electronic form at http://house.proteris.com.

In the course of network operations, employee data, whether transmitted or stored and regardless of where it is stored, may be monitored or examined. This will take place under one of three circumstances:

  1. IT staff observe the data during the course of normal network operations and troubleshooting.

  2. The IS team monitors employee data, under the supervision of the human resources department, when an employee is suspected of violating the terms of this security policy or any of its associated documents.

  3. The incident response (IR) team monitors or examines stored or transmitted data in response to an information system incident in order to determine the cause and severity of the incident.

2.7.3.1 Administrative Security.

The human resources department and IS team will establish administrative procedures at Proteris that support the goals of information security. The IS team will be responsible for the creation of administrative procedures pertaining to user interaction with network or computer systems, including but not limited to password policies, acceptable use policies, data storage policies, and remote access policies.

Human resources will create policy pertaining to all other aspects of the user work environment, subject to the approval of the head of the IS team.

2.7.3.2 Technology/Network/Computer Systems Security.

The Proteris IS team will create standards and procedures that support the goals of confidentiality, integrity, and availability. Controls will be selected and implemented based on their cost-effectiveness and their ability to provide adequate security for information and information systems.

2.7.3.3 Physical Security.

Proteris will take such steps as are deemed necessary to provide a safe working environment for Proteris employees, contractors, vendor representatives, consultants, and visitors. These steps will be selected by the human resources department based on cost-effectiveness and acceptable levels of risk. Proteris will comply with all local, state, and federal laws regarding the safety of its premises. The Proteris IS team will provide such physical security devices as are required to protect information stored on or transmitted over the network. This asset protection will be installed on the basis of cost efficiency and the protection provided.

The department head shall be responsible for assuring the confidentiality, integrity, and availability of all physical assets assigned to his or her department. The IT staff shall be responsible for the physical security of information system assets not directly controlled by a single department.

2.7.4 Acceptable Use Policy

Proteris employees are permitted to use network resources to view Internet Web pages and send e-mail, subject to the following provisions:

  • Resources consumed by such activities are minimal.

  • Employees agree that all network information, stored or transmitted, may be monitored as described above.

  • Employees do not use these resources to perform any action that is illegal under local, state, or federal law or prohibited by Proteris policy.

  • Employees do not use Proteris resources to operate any personal business or contract work.

  • Employees are not permitted to perform any activity that contradicts the goals of this security policy or its associated documents.

What constitutes minimal use is at the discretion of the employee's direct supervisor with regard to time spent on such activities, and at the discretion of the IT staff with regard to network resource utilization.

The full terms of the acceptable use policy can be found in the attached document, Proteris Acceptable Use Policy version 3.25, 02/04/03, or at the Proteris documentation Web site, http://house.proteris.com.

2.7.5 Incident Response Planning

Proteris will form an incident response (IR) team, including members of the IT staff, the IS team, and a representative of each department as selected by the department manager.

The IR team is responsible for the creation of incident response standards and procedures. These procedures will categorize incidents by level of risk and by the significance of the affected system to the Proteris information systems, and will define the response appropriate to each category.

The IR team will be held responsible for preparing for incidents, testing the procedures, and training in the skills required to perform efficient incident response.

The full standards and procedures of the Proteris incident response policy can be found in the attached document, Proteris Incident Response Policy version 1.03, 12/15/02, or at the Proteris documentation Web site, http://house.proteris.com.

2.7.6 Disaster Planning and Recovery

Proteris will develop a comprehensive disaster recovery plan that clearly identifies the most critical Proteris information requirements and is able to restore them to operational status within 48 hours of a devastating disaster. This plan will cover contingencies for human, technological, and natural disasters.

The head of the disaster recovery effort shall be appointed by the chief executive officer of Proteris, and shall have the authority to designate the resources required for the planning and execution of the disaster recovery plan.

The disaster recovery plan will be tested on an annual basis, subject to the approval of the chief executive officer, to determine readiness and assess needs.

The full standards and procedures of the Proteris disaster planning and recovery policy can be found in the attached document, Proteris Disaster Planning and Recovery Policy version 1.00, 2/15/03, or at the Proteris documentation Web site, http://house.proteris.com.

2.7.7 Definitions

Adequate security

Security safeguards will be evaluated on their effectiveness at reducing risk and on a cost/benefit analysis. Adequate security is security that reduces risk to the lowest level at which the cost of the countermeasure is still justified by the value of the asset it protects.

Asset

Any item, information, or person that provides value for Proteris.

Associated documents

Documents supporting the security policy, including but not limited to the Proteris security standards and procedures document, the acceptable use policy, the incident response policy, and the disaster planning and recovery policy.

Availability

Assurance that information is available when the information is required.

Confidentiality

Assurance that only those with a right to view the information have access to it.

Countermeasure

Any technology, physical control, or administrative action that can reduce the risk to information systems or Proteris personnel.

Information systems

Any device or software that assists in the storage, transmission, or processing of data, including but not limited to servers, routers, switches, network cabling, workstations, and printers.

Integrity

Assurance that information is unaltered from its original or correct state.

Users

Any individual who has access to information systems owned or managed by Proteris.

2.7.8 Authority

This security policy has been approved by and is supported by the chief executive officer, the chief financial officer, and the chief information officer of Proteris. All users are expected to abide by this policy and its standards and procedures. Failure to comply with this security policy will result in disciplinary action appropriate to the offense. Sanctions may include reprimand, dismissal, and criminal or civil action initiated by Proteris.

2.7.9 Distribution

This document and all associated documents shall be available to any employee upon request from the human resources department. Electronic versions of this document may be found on the company intranet site, http://house.proteris.com.

All users will be notified by e-mail of changes to this and associated documents within 12 hours of the changes being approved, and will be held responsible for compliance with those changes beginning 24 hours after notification.

The Proteris IS staff is responsible for providing training to all users prior to access to Proteris information systems being granted.

The Proteris IS staff is responsible for providing ongoing security awareness training to all Proteris users on a semiannual basis at a minimum.

2.7.10 Review

This policy may change at any time at the discretion of the chief executive officer or the head of the IS team in response to unforeseen or unusual circumstances.

This security policy and all associated documents will be reviewed on an annual basis for changes that reflect changing priorities of the Proteris business model.

Requests for changes to this security policy will follow this sequence of events:

  • The individual making the change request submits a written request to the head of the IS team. The request must explain the nature of the change and the reason for it, and must be signed by the individual's department manager.

  • The IS team will have ten working days to review the proposed change and examine its impact on the information security goals of Proteris. Requests will either receive preliminary approval or be rejected with explanation to the requester.

  • If approved, the IS team will have another ten working days to test the proposed changes in the Proteris information system environment. At the end of this period, the request will either be approved or rejected with explanation.

  • Upon approval, the IS team will update the appropriate portion of the security policy document and provide notification to users as described above.

The security policy described above is fairly generic. A couple of points are worth discussing before moving on to an example of a standards and procedures document.

The first is the general nature of the policy. It simply states that Proteris knows that information technology is an important element of its business and that Proteris needs to take steps to ensure that this information technology is safe and reliable. Worded this way, the security policy should rarely, if ever, change. What is far more likely to change is how the information security that Proteris seeks is implemented. Therefore, the AUP, incident response plan, disaster recovery plan, and standards and procedures document will most likely change regularly to reflect changing technologies and business needs, while the policy that authorizes them stays stable.

We move on now to a sample standards and procedures document that supports this security policy. It is worth pointing out that all of the supporting documents of the Proteris security policy will have much the same format and tone. We will not include the entire document as we did with the security policy, because a standards and procedures document is likely to be of much greater length and detail.


Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Authors: Cliff Riggs