With knowledge of the organization's critical systems, you can now direct the team to draw up the list of documents that must be collected for review. Several standards clearly define and delineate the security policies an organization should have; these include ISO 17799, NIST SP 800-26, and the NSA IAM. Our favorite of the three is the NSA IAM. The NSA revised its list in 2003 to closely match the NIST documentation. Where NIST SP 800-26 separates policies into 17 classes of information, the NSA has expanded this to 18, divided into the same three categories NIST uses: management, technical, and operational. All 18 categories are shown in Table 5.1.
Table 5.1 The 18 NSA IAM policy categories, grouped by NIST category

Management | Technical | Operational
---|---|---
INFOSEC documentation | Identification and authentication | Media controls
INFOSEC roles and responsibilities | Account management | Labeling
Contingency planning | Session controls | Physical environment
Configuration management | Auditing | Personnel security
 | Malicious code protection | Education, training, and awareness
 | Maintenance | 
 | System assurance | 
 | Networking connectivity | 
 | Communications security | 
This doesn't mean that every policy you want to review will fit neatly into one of these 18 categories, but don't be surprised at how well they cover most cases. We will spend considerable time on these categories in Chapter 7, "Performing the Assessment," but a few points are worth mentioning here. Policy documents can be broadly divided into three types, illustrated by the following excerpts of the kind you are likely to collect:
Illegal copying: Employees should never download or install any commercial software, shareware, or freeware onto any network drives or disks, unless they have written permission from the Network Administrator. BE PREPARED to be held accountable for your actions, including the loss of network privileges, written reprimand, probation, or employment termination if the Rules of Appropriate Use are violated.

In partnership with the Product Management Team, Instructor Resources' job is to serve as an advocate for all Security Evolution instructors, providing superior service in recruitment and career development, scheduling services, and fulfillment of administrative needs for our instructors.

Because of recent changes to Virginia state law, the company will now retain records of employee inventions and patents for 10 years; all email messages, and any backups of such email, associated with patents and inventions will be stored for one year.
Because of potential regulatory requirements, you will also want to review any applicable state, provincial, and federal laws affecting the organization and confirm that its policies meet those requirements; where they do not, the shortfall needs to be noted in your findings.
You will also want to gather all infrastructure documentation. If diagrams don't exist, you have two options: you can ask that they be created, or you can provide assistance in getting them done. Keep in mind that two types of system diagrams are needed:
Now you may be wondering how you are going to keep track of all these incoming documents. The best way is to develop a system that records, for each document, its title, the date it was requested, the date it was received, who is holding it, and its final disposition (destroyed, archived, or returned). It is best to appoint one person to collect and distribute all policies and documents requested. A simple form such as the one shown in Table 5.2 can make your life much easier.
Table 5.2 Sample document-tracking form

Title | Date Requested | Date Received | Custodian | Date Destroyed, Archived, or Returned
---|---|---|---|---
Password Policy | 10/20/2005 | 10/31/2005 | David Kim | Returned 11/2/2005
Acceptable Use Policy | 10/22/2005 | 10/25/2005 | Guy Bruneau | In use