Policy and Procedures

The key to any successful intrusion detection and prevention program is based on sound policies, standards, guidelines, procedures, and baselines. This chapter attempts to define the differences among these as they’re often referred to in the same context. Then, the focus will be on the creation of policies and procedures that can help your organization achieve optimal success.

Policies, Standards, Guidelines, Procedures,and Baselines

First, let’s define the terms. A policy is a high-level statement of beliefs, goals, and objectives, and the general means by which they can be achieved. Policies help to determine strategies for standards, guidelines, procedures, and baselines. A standard is a mandatory activity, action, rule, or regulation designed to support policy structure and lend specific direction. Standards are often expensive to administer and, therefore, should be used judiciously.

A guideline is similar to a standard, but it’s a more general statement of how to achieve policy objectives. Guidelines provide the framework needed to implement procedures. Where standards are mandatory, guidelines are recommendations and more flexible. Guidelines are “recommended actions” only.

A procedure outlines the specific steps of how the policy, supporting standards, and guidelines will be implemented. A procedure is a description of tasks that must be executed in a specific order. Procedures are sometimes referred to as “practices.”

A baseline is a method of implementing security mechanisms and products. Baselines are platform unique and should be employed throughout an organization. They detect differences between various operating systems (OSs) to ensure uniform security implementation.

IDS IPS Policy

When creating a strong defense-in-depth policy, a good deal of time must be spent on researching the tools that will be used. Creating an IDS policy can be a daunting task, but one that can reap many benefits when done correctly. An IDS policy is a stand-alone policy, but it integrates with other policies, such as the firewall, routers, and incident response. When creating a policy, it’s important to include enough detail to be able to determine the strategies for standards, guidelines, procedures, and baselines. The policy needs to include why it’s important to the organization, and it must be prepared for signs of intrusion and lead to procedure development. Once the policy is written, it needs to undergo legal review. Once reviewed, the procedure can be drawn from the policy and implemented in the organization. Finally, it’s critical that the policy remain current with up-to-date procedures and information.

Creating an IDS IPS Policy

Earlier in this book, the importance of risk analysis was discussed. The relationship between risk analysis and the security policy is important for an effective security program. When defining your organizational needs, a risk analysis can and should help to determine what will go into your policies.

When you create a policy, having input from the organization as to what they want to achieve is critical. The policy wants to cover the why and the how. One effective way to do this is to cover the following seven steps:

• Introduction
• Purpose
• Scope
• Policy
• Enforcement
• Definitions
• Revisions

The introduction and the purpose help set the stage for the rest of the document. Having the correct policy language in place can help prepare your organization to detect signs of intrusion in a timely, controlled manner. The introduction should give a general statement about what the document will cover. The purpose shows why this technology is important and why it’s necessary to have a policy. These could seem like simplistic topics that might not be needed but, for the nontechnical management, it helps to clarify the reasoning and gives a high-level definition of the technology. The scope is important because it helps define who this policy affects. This can be an entire department, all users, or a group of individuals. The scope must be defined for legal reasons to make certain it’s clear for whom the policy is intended and for clear understanding of the perspective on which the policy should be taken.

The policy itself is the section that states what’s expected. This section helps give general guidance and could include or refer to procedures that need to be taken. The policy section should be more clear and concise about what must occur in given situations. This is the how and why of the document.

Enforcement defines what the consequences are to those defined in the scope. This section can define specific consequences or point to other documents, such as an HR manual or a code of conduct.

Finally, there are the definitions and revisions sections. The definitions section helps put forth specific meaning for your organization and helps eliminate any assumptions. The revisions section reflects the current policy and indicates when it was last updated. This is important for keeping current and usable policies.

The following is an example policy using this seven-step process:

Sectionx	mm/dd/yy: Effective
	mm/dd/yy: Revised
Policy x.xx Intrusion Detection Policy	Security Analyst Author

Step 1: Introduction

Intrusion detection is a critical piece of the organization’s security policy. Effective security systems must evolve to handle the vast amount of vulnerabilities introduced by the use of distributed systems. Having some type of reassurance that the systems and network are secure is important, and intrusion detection systems can help provide part of that assurance.

Step 2: Purpose

The purpose of this policy is to provide guidance for the use of intrusion detection at <Your Organization Here>. This document is to be followed for intrusion-detection monitoring using intrusion detection tools and system audit logs for the system servers, software, database, networks, and firewalls under its control.

Step 3: Scope

This policy applies to all constituents at <Your Organization Here>. More specifically, this policy applies to all individuals who are responsible for the installation of new information resources, the operations of existing information resources, and individuals charged with information resource security.

Step 4: Policy

247 intrusion-detection monitoring will be conducted by using intrusion-detection tools and system audit logs for the system servers, software, database, networks, and firewalls under its control. Reports will be submitted daily for assessment and possible corrective action. Immediate corrective action will be taken to help eliminate system vulnerabilities or to prevent future intrusion attempts. This can also be seen as a contract with the rest of the organization regarding the expected quality of service (that is, 247 or maximum response time).

Procedures for system break-ins:

• Immediately notify management via a predefined emergency notification list and notify the affected network manager.
• Follow up with a system security report to management in the System Security Template, as shown in the following example. The report will include an assessment on compromised systems or information, system risks, and corrective actions.
• Security management will determine the appropriate corrective action and direct the corrective action based on priority.

  System Security Template
  Date:
  Time:
  Security Incident Report—Number ______________
  Incident Details:
  Information Resource Effect:
  Incident Identified By:
  Source of Attempt:
  Analyses and Recommendation(s):
  Reporting Manager:

Other procedures include the following:

• Operating system, user accounting, and application software audit logging processes must be enabled on all host and server systems.
• Alarm and alert functions of any firewalls and other network perimeter access control systems must be enabled.
• Audit logging of any firewalls and other network perimeter access control system must be enabled.
• Audit logs from the perimeter access control systems must be monitored/reviewed daily by the system administrator.
• System integrity checks of the firewalls and other network perimeter-access control systems must be performed on a routine basis.
• Audit logs for servers and hosts on the internal, protected network must be reviewed on a weekly basis. The system administrator will furnish any audit logs as requested by the ISO.
• Host-based intrusion tools will be checked on a routine basis.
• All trouble reports should be reviewed for symptoms that might indicate intrusive activity.
• All suspected and/or confirmed instances of successful and/or attempted intrusions must be immediately reported according to the Incident Management Policy. Users will be trained to report any anomalies in system performance and signs of wrongdoing to the IS Help Desk.

Step 5: Enforcement

Any employee found to have violated this policy could be subject to disciplinary action, up to and including termination of employment. Additionally, individuals are subject to loss of information resources, access privileges, and the possibility of civil and criminal prosecution.

Step 6: Definitions

• Constituent Any employee, contracted employee, or affiliate of the company.
• Information Resources Any computer-related or computer-generated material. Including, but not limited to, printouts, online display devices, magnetic storage media, and any computer-related activities involving any device with e-mail receiving capabilities, browsing web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistants (PDA), and pagers.
• Security Incident Any attempt or action of unauthorized access to a information resource.

Step 7: Revision History

• Policy: Version 1.0 April 2000
• Revised: Version 1.1 June 2002
• Revised: Version 1.2 May 2003

Legal Review

Creation of any security policy needs to be reviewed by your organization’s legal representation, so the policy can be legally reinforced and defensible. Your legal department can help determine if the policy reflects best practices and due care on the part of your organization. When investigations of an incident occur, it’s critical that your organization does everything in its power to protect the information and preserve evidence for legal proceedings. In addition, making sure that your organization adheres to all local, state, and federal regulations can help.

Another key issue is to make sure the policy is in touch with legislation that affects your organization. Your policy should include a clause regarding compliance with any legislation. Because much legislation is required, it’s wise to incorporate your policies with this legislation. Your legal department is in the best position to do this.

Procedure for Implementation of Your Policy

Just having a policy written isn’t nearly enough. Proper implementation of the policy is key. At this stage, the staff needs to be educated on the policy and what needs to be done for the policy to succeed. Therefore, all staff who have access to, or are responsible for, the IDS or the IPS program must have the policy made available to them. The policy should be easily accessible, but also secured. This can be done via an intranet site or on a server on the internal network.

Keeping Your Policy Current

Keeping your policy current is critical for a successful policy. If your policy is outdated, it won’t do anyone any good when it’s needed. Make certain you review your policy at least annually. Things that might need to be updated include the following:

• Any new software added
• New legislation
• Changes in procedures
• Changes in critical assets
• Roles and responsibilities
• Contact information
• New detection methods

Also important is to look at what happened during an incident and revise your policy to reflect these issues. You might find your policy lacks certain steps or actions that should have been addressed.

Summary

This chapter examined the need for a good intrusion policy. We looked at the creation and implementation of an intrusion detection policy. A seven-step methodology including Introduction, Purpose, Scope, Policy, Enforcement, Definitions, and Revisions was discussed. Once a policy is created, it is important to make sure that it is legally compliant and kept up-to-date, at least on an annual basis.