8.2 Basic Approach to WLAN Security and Policy Development


One generally accepted approach to the development of site security policy is that suggested by Fites [5], which recommends the following steps:

  1. Identify what you are trying to protect.

  2. Determine what you are trying to protect it from.

  3. Determine how likely the threats are.

  4. Implement measures to protect your assets in a cost-effective manner.

  5. Review continuously and make improvements each time a weakness is found.

Most organizations concentrate their efforts on implementation, but if an effective security plan is to be established at your site, the other steps cannot be skipped. An axiom to remember is that the cost of protecting yourself against a threat should be less than the cost of recovering if the threat were to strike you. Cost in this context should factor in losses expressed in dollars, reputation, trustworthiness, and other less obvious measures. Without reasonable knowledge of what you are protecting and what the likely threats are, following this rule could be difficult. We briefly review each of the five security policy steps in the following sections.

8.2.1 Identify What Needs Protection and Why

These two steps are initially accomplished in the risk analysis phase (which is described later in this chapter). A list of asset categories (e.g., disposable office supplies, nondisposable office supplies, computer equipment, computer peripherals) should be developed. For every organization, the inventoried assets will be different, but most will fall into one of these categories. Conduct your asset inventory, listing every item, grouped by category. This may help you determine potential threats for an entire group of assets rather than using an item-by-item approach. For example, mandating that all disposable supplies be locked in a cabinet may be more cost-effective than, and equally as effective as, having separate procedures for ribbons, paper, and so on. Once the assets requiring protection have been identified, an organization should take steps to identify corresponding potential threats for those assets. These threats can subsequently be evaluated to determine if any potential for loss exists.

8.2.2 Determine Likelihood of Threats

A computer security policy is generally created to ensure that efforts spent on security yield cost-effective benefits. Most surveys of computer security show that, for most organizations, the actual loss from insiders is a much greater risk than attack by outsiders. We have discussed a process that involves determining what a site needs to protect, what it needs to protect it from, and how to actually protect it. The process of examining all of the risks associated with each of these three items (including ranking those risks by level of severity) is what we mean by determining the likelihood of a threat. This process involves making cost-effective decisions on what you want to protect. After all, it does not make good business sense to spend more to protect something than it is actually worth.

8.2.3 Implement Protective Measures

The security-related decisions you make, or fail to make, largely determine how secure your network is; however, you cannot make good decisions about security without first determining what security goals need to be set for your organization. Until you determine what your security goals are, you cannot effectively use any collection of security tools because you simply won't know what to check for and what restrictions to impose. Your goals will be largely determined by the following key tradeoffs:

  • Services offered versus security provided. Each service offered to users carries its own security risks. For some services, the risk outweighs the benefit of the service, and the administrator may choose to eliminate the service rather than try to secure it.

  • Ease of use versus security. The easiest system to use would allow open access to any user and require no passwords. Of course, there would be no security. Requiring passwords makes the system a little less convenient, but more secure. Requiring device-generated one-time passwords makes the system even more difficult to use, but much more secure.

  • Cost of security versus risk of loss. There are many different costs related to security: monetary, performance, and ease of use, to name a few. There are also many levels of risk: loss of privacy, loss of data, and loss of service. Each type of cost must be weighed against each type of loss.

Goals should be communicated to all users, operations staff, and managers through a set of security rules called a "security policy."

Definition of a Security Policy

A security policy is a formal body of the rules by which people who are given access to an organization's technology and information assets must abide. It is part of an overall organizational site security plan. Its purpose is to inform members of the organization of their responsibilities under certain circumstances that could pose potential risk to the company.

Purposes of a Security Policy

The main purpose of a security policy is to inform users, staff, and managers of their obligations for protecting technology and information assets. The policy should specify the mechanisms put in place to meet these requirements. Another purpose is to provide a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy. An Acceptable Use Policy (AUP) should be part of any security policy. The AUP should spell out what users shall and shall not do on the various components of the system, including the types of traffic allowed on the networks. The AUP should be as explicit as possible to avoid any ambiguity or misunderstanding.

What Makes a Good Security Policy?

Characteristics of a good security policy are that (1) it must be implementable through system administration procedures, publication of acceptable use guidelines, or other appropriate methods; (2) it must be enforceable using security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible; and (3) it must clearly define the areas of responsibility for the users, administrators, and management. These three characteristics form the basis of any sound security policy. Additionally, there must be buy-in from Legal, the CIO, and HR for the policies developed. Otherwise, they are not worth the paper they are printed on.

Components of a Good Security Policy

What elements make up a good security policy? What needs to be in the policy to make it effective without overloading users with hundreds of security-related items? This section has identified eight key areas that should be addressed in security policies:

  • Access

  • Authentication

  • Accountability

  • Privacy

  • Availability

  • Systems and networking maintenance

  • Acquisition guidelines

  • Violations reporting

The Access Policy is used to define access rights and privileges that are necessary to protect company assets from loss or disclosure by specifying acceptable use guidelines for users, staff, and management. The Access Policy should provide specific guidelines for use of external connections, data communications, connecting user-owned devices to a network, and adding new software to systems. It should also specify any required banner messages.

The Authentication Policy is used to establish trust through use of an effective password policy. It is also used for setting guidelines for remote location authentication and use of various authentication devices. It should outline minimum requirements for access to all business resources.

An Accountability Policy defines the responsibilities of users, staff, and management. It should specify a periodic, recurring audit capability and provide basic incident-handling guidelines. The Privacy Policy defines reasonable expectations of privacy regarding such issues as monitoring of electronic mail, logging of keystrokes, and access to user files.

Availability Statements are used to set expectations for the availability of resources. This statement should address redundancy and recovery issues. It should also be used to specify operating hours and maintenance downtime periods. It is important to include contact information for reporting system and network failures as part of this document.

The Information Technology System and Network Maintenance Policy describes how both internal and external maintenance people are allowed to handle and access technology for routine tasks such as system backup, equipment maintenance, application of upgrades, patches, and so on. One important topic to be addressed here is whether remote maintenance is allowed and how such access is controlled.

Another area for consideration is outsourcing and how it is managed. Computer Technology Purchasing Guidelines should be used to specify required, or preferred, security features. These guidelines should supplement existing purchasing policies and guidelines.

The Violations Reporting Policy indicates which types of violations (e.g., privacy and security, internal and external) must be reported and to whom the reports are made. A nonthreatening atmosphere and the possibility of anonymous reporting will result in a greater probability that a violation will be reported if it is detected.

It is also a good idea to provide supporting information that gives users contact information for each type of policy violation encountered. Specific guidelines on how to handle outside queries about a security incident, or about information that may be considered confidential or proprietary, are a good idea as well. Include cross-references to security procedures and related information, such as company policies. Regulatory requirements may affect some aspects of your security policy (e.g., line monitoring). The policy should be reviewed by legal counsel before being put into effect. Once your security policy has been established, it should be clearly communicated to users, staff, and management. Having all personnel sign a statement indicating that they have read, understood, and agree to abide by the policy is an important part of the process.

8.2.4 Review and Assess Regularly

Security managers must ensure that the organizational security policy is reviewed regularly (semiannual is our recommended review frequency) to see if it is successfully supporting security needs. Adapt the plan to meet any changed conditions and distribute change notices to the constituency as needed. Ensure that training plans are updated with the changed material and that managers brief their personnel on all security changes.

It is equally important to assess the adequacy of the measures implemented under the policies. Ensure that the measures taken not only solve the problem but also help prevent it from recurring. Have security and IT staff independently evaluate the effectiveness of the security policies whenever possible. Sometimes, it is even a good idea to bring in third-party organizations to perform independent assessments of your processes and procedures. If you make changes, be sure to go back and update the policy book accordingly.

8.2.5 Awareness Programs

Successful computer security programs are highly dependent on the effectiveness of an organization's security awareness and training program. If employees are not informed of applicable organizational policies and procedures, they cannot be expected to properly secure computer resources. The dissemination and enforcement of the security policy is a critical issue that can be addressed through local security awareness and training programs. Employees cannot be expected to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when they are caught doing something wrong.

Training employees can also show that a standard of due care has been taken in protecting information. Simply issuing policy without follow-through to implement that policy is not enough to get the job done right. Many organizations use acknowledgment statements to verify that employees have read and understand computer security requirements. A sample acknowledgment statement is provided below. New hires are an especially important audience for security awareness training. It is critical that any new employee receive training on the security policies in place at an organization within the first week or two of employment.

  Sample Acknowledgment of Information Security Policy

  This form is used to acknowledge receipt of and compliance with the company's Information Security Policy. You are required to agree to the following terms and complete the following steps before access to network and computing resources will be granted:

  1. Read the Information Security Policy.

  2. Initial the spaces provided below. Sign and date the last page.

  3. Return to the Management Information Services department director.

  Initial __________

  By initialing above, I agree to the following:

  (1) I have received and read a copy of the company Information Security Policy and understand and agree to the same.

  (2) I have received mandatory training on the company Information Security Policies and will comply with all published policies and procedures.

  (3) I will attend recurring training annually to stay informed of Information Security Policies.

  Employee Signature _____________________________________

  Employee Name __________________________________________

  Employee Title _________________________________________

  Date ___________________________________________________

  Department/Location ____________________________________

Many employees regard computer security as an obstacle to their job productivity. To help motivate employees to be security aware, awareness should emphasize how security can contribute to productivity. The consequences of poor security should be explained without using fear and intimidation tactics that employees often associate with security. Awareness helps reinforce the fact that security supports the mission of the organization by protecting valuable resources. If employees view security measures as bothersome rules and procedures, they are likely to ignore them. Managers are responsible for ensuring that their personnel are briefed and understand the role they play in supporting security efforts. By informing all personnel of the statutes and policies surrounding IT security, and by conducting periodic security awareness briefings, managers can accomplish this task.

Security training is most effective when targeted to a specific audience. This enables the training to focus on the security-related job skills and knowledge that people need when performing their duties. Divide the audience into groups according to their current level of security awareness. This may require research to determine how well employees follow computer security procedures or understand how computer security fits into their jobs. Training groups can also be segmented according to job function, specific job category, or their level of competence and understanding of general computer knowledge.

8.2.6 Risk Analysis

A prime consideration for creating a computer security policy is to ensure that the effort spent on developing and implementing the security policy will yield cost-effective benefits. It is important for a security manager to understand where the most obvious "quick wins" in security will be found. Although there is a great deal of information in the press about intruders hacking into computer systems, most security surveys reveal that actual loss from insiders is a far greater risk. Remember, good security administrators always go for the low-hanging fruit first.

Risk analysis involves determining what you need to protect, what you need to protect it from, and how you need to protect it. Risk analysis is the process of examining all of the potential risks you may face, then ranking those risks by level of severity. This process involves choosing cost-effective solutions for what you want to protect and deciding how it is to be protected. It is important to balance the value of the asset that needs protection against the cost of providing that protection. For example, spending $500,000 to protect reproducible code assets that originally cost only $180,000 is not likely to be a sound security investment. Always consider the cost-versus-worth scenario when selecting your security solutions.
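The ranking and cost-versus-worth rule described above can be made mechanical. The following is an added example, not from the chapter: it assumes a simple expected-loss model (asset value multiplied by the yearly likelihood of the threat), which the chapter does not specify, and applies the chapter's axiom that a protective measure is only worth implementing when it costs less than the loss it prevents. The assets, threats, values and likelihoods are constructed sample data.

```python
"""Rank asset/threat pairs by expected loss and apply the chapter's cost rule.

Added example (not from the chapter). Assumes a simple model:
expected_loss = asset_value * likelihood_per_year. The chapter itself only
states the qualitative rule that protection should cost less than recovery.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str           # what we are trying to protect (step 1)
    threat: str          # what we are protecting it from (step 2)
    asset_value: float   # cost to recover or replace, in dollars
    likelihood: float    # assumed probability the threat strikes in a year (step 3)
    control: str         # candidate protective measure (step 4)
    control_cost: float  # annual cost of that measure, in dollars


def expected_loss(r: Risk) -> float:
    """Annual expected loss if nothing is done (assumed model)."""
    return r.asset_value * r.likelihood


def rank_risks(risks):
    """Highest expected loss first: the 'low-hanging fruit' ordering."""
    return sorted(risks, key=expected_loss, reverse=True)


def worth_protecting(r: Risk) -> bool:
    """The chapter's axiom: protect only when protection costs less than recovery."""
    return r.control_cost < expected_loss(r)


def plan(risks):
    """Return (asset, threat, expected_loss, decision) tuples, best investments first."""
    out = []
    for r in rank_risks(risks):
        decision = "implement" if worth_protecting(r) else "accept/defer"
        out.append((r.asset, r.threat, round(expected_loss(r), 2), decision))
    return out


# Constructed sample inventory for illustration only.
SAMPLE_RISKS = [
    Risk("payroll database", "unauthorized access by insider", 250_000, 0.10,
         "role-based access + audit log", 8_000),
    Risk("reproducible source code", "disk failure", 180_000, 0.05,
         "offsite backups", 2_500),
    Risk("reproducible source code", "theft of laptop", 180_000, 0.02,
         "full-disk encryption + asset tracking", 500_000),
    Risk("office supplies cabinet", "pilferage", 1_200, 0.50,
         "locked cabinet", 150),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_RISKS):
        print(row)
```

The third constructed entry mirrors the chapter's own example: a $500,000 control on a $180,000 reproducible asset is rejected, while the cheap locked cabinet is accepted because it costs less than the small but frequent loss it prevents.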

Identify Assets

For each asset, the basic goals of security are availability, confidentiality, and integrity. A risk analysis process requires identification of all assets that need to be protected. For each asset, try to determine what potential threats exist for that particular asset. A list of asset categories that has been suggested by Pfleeger [6] includes the following:

  • Hardware. Keyboards, monitors, laptops, personal computers, printers, disk drives, communication lines, terminal servers, routers

  • Software. Source programs, object programs, utilities, diagnostic programs, operating systems, communication programs

  • Data. Used during execution, stored online, archived offline, backups, audit logs, databases, in transit over communication media

  • People. Users, administrators, hardware maintainers

  • Documentation. On programs, hardware, systems, local administrative procedures

  • Supplies. Paper, forms, paperclips, ink cartridges, ribbons, magnetic media

Identifying the Threats

Once the assets have been identified, it is necessary to determine the potential threats to those assets. Threats can then be examined to determine a loss potential. Loss potential helps rank the asset and threat against other items in your list. The following are classic threats that should be considered: unauthorized access, unintended disclosure of information, and denial of service. Depending on your organization, more specific threats should be identified and addressed.

8.2.7 Alerts and Advisories

Alerts and advisories are released (almost daily) that detail newly discovered vulnerabilities and other security information. This information may require immediate action on the part of the system administrators, the Incident Response Group, or the users. Advisories come from a variety of sources, such as vendors and product manufacturers. There are also organizations such as the CERT Coordination Center (CERT/CC) and the Federal Computer Incident Response Capability (FEDCIRC), which are now both a part of the new National Strategy to Secure Cyberspace and Protect Critical Infrastructure. On February 14, 2003, the White House issued a press release [7] announcing President Bush's endorsement of National Plans to Protect Critical Infrastructure. The following is a statement from President Bush upon the release of two White House documents, "The National Strategy to Secure Cyberspace" and "The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets":

  The White House
  Office of the Press Secretary
  February 14, 2003

  Strategies for Securing Cyberspace and Protection of Infrastructure Released

  Statement By The President

  The National Strategy to Secure Cyberspace and the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets will help us protect America from those who would do us harm, whether through physical destruction or by attacking our infrastructures through cyberspace.

  These strategies recognize that the majority of our critical assets and infrastructures, such as those in the banking, telecommunications, energy, and transportation sectors, are privately owned and operated.

  The strategies outline Federal efforts and State and local roles in securing the Nation's critical infrastructures, and identify opportunities for partnership with the private sector. The Department of Homeland Security will take the lead in accomplishing many of the objectives of these strategies. Other departments and agencies also have important roles to play. I encourage everyone, government at all levels, industry, and private citizens to continue to work together to make our nation secure.

Additionally, to help develop ways to better protect our critical infrastructures and to help minimize vulnerabilities, the U.S. Department of Homeland Security has established Information Sharing and Analysis Centers (ISACs) to allow critical sectors to share information and work together to better protect the economy. The IT-ISAC is a forum for sharing information about network vulnerabilities and effective solutions [8]. It is also a forum for sharing threat-related information and ways to protect against those threats. Its Operations Center is intended to help achieve a higher level of critical infrastructure protection through sharing of key security solutions.

Regardless of which source agency sends out an advisory, upon receipt of any alerts and advisories requiring action, ensure compliance with the required action. If compliance cannot be obtained for any reason, get a statement of waiver with reasons that the actions cannot be implemented. For any compliance or waiver actions needed, ensure that they are reported to the Chief Security Officer (CSO) or security manager for briefing to other senior management.

8.2.8 Warning Banners

It is good security practice for all systems to display warning banners upon connection. These banners should inform the user logging in that the system is for legitimate use only, is subject to monitoring, and carries no expectation of privacy. The use of warning banners provides legal notice to anyone accessing the system that it is subject to monitoring. Users should also be notified of the possible sanctions, such as loss of privileges, employment, or even prosecution, if they misuse the network or access it without authorization. System administrators can install the banners quite easily, and the information contained in the banners should be approved by the organization's legal staff. A sample of banner wording is as follows:

  This is a proprietary computer system that is "FOR INTERNAL USE ONLY." This system is subject to monitoring. Therefore, no expectation of privacy is to be assumed. Individuals found performing unauthorized activities are subject to disciplinary action including criminal prosecution.

8.2.9 Employee Termination Procedures

Unfortunately, termination often leads to a security incident. This sad fact of life must be dealt with by businesses every day. Security teams have routinely become involved in termination processing to ensure that disgruntled employees cannot take actions that are detrimental to the company. The termination procedure encompasses those activities that occur when an employee terminates his or her employment with the organization or is terminated by the organization. It is good business practice to require the Chief People Officer (CPO) or vice president of Human Resources to provide the Chief Information Officer (CIO) and Chief Security Officer (CSO) with a list of terminated employees on a weekly or monthly basis.

8.2.10 Training

All authorized users should be required to attend training on how to fulfill their security responsibilities within 30 days of employment. They should also be required to participate in periodic recurring training on Information System Security Awareness and accepted information system security practices, as appropriate to their job functions and responsibilities. Users with access to multiple applications should be encouraged to attend training on each application and in all general support systems. The system security plan should specify the type and frequency of training required in such circumstances.

IT and Security Managers should plan and prepare for two types of training: one for users and the other for system administrators. Users should be required to participate in certain training activities such as awareness training and various application training classes, which may be offered periodically. The second type is training for the System Administrators, which should be in security competency. It is the manager's responsibility to ensure that System Administrators have been provided all the security training needed to fulfill the security requirements for which they are responsible.

8.2.11 Personnel Security

Personnel Security involves training users to be aware of their responsibilities and the consequences of any failure to abide by security policies for using the computer automation assets. Personnel security should be a part of the overall security training plan. Supervisors should be responsible for coordinating and arranging system access requests for all new or transferring employees and for verifying an individual's need to gain access to any sensitive information in an organization.

Regardless of their position or job function, personnel who have access to the network should read and sign an AUP. They should attend periodic recurring security training. Users usually need to sign the Acceptable Use agreement only once, when their e-mail account is issued by the organization. After that, they should be briefed at least annually on any updates to the AUP. New procedures should be covered and awareness of security concerns addressed.

Quite often, an organization will provide all employees with a personnel security handbook that describes the responsibilities of employees. All persons accessing sensitive computer systems should have a background check before being granted access. The handbook should describe minimum requirements for any background investigations. Contractors who design, operate, test, maintain, or monitor systems should be required to have background checks as well.

8.2.12 Internet Use

It is a good idea for an organization to require all employees and contractors who use company-provided information systems in their job to sign an Internet use policy. Employees and contractors should be prohibited from accessing systems that are not necessary for performing their duties. They should also be restricted from performing tasks on systems they are authorized to access, but which are not related to their job responsibilities. For example, a help desk agent may have access to a payroll computer, but that does not give him the right to go in and use the payroll computer for any purposes. System administrators have the ability to audit network logs and perform periodic checks for misuse and should do so regularly. This practice helps ensure compliance among the "masses."

8.2.13 E-Mail

It is a primary responsibility of the IT group and/or the security team to ensure the appropriate use of e-mail systems. Various technical measures can assist in this goal. First of all, e-mail should be used primarily for official business. Persons using company systems for sending e-mail should make the same provisions to ensure confidentiality as those that would be made for sending hard-copy correspondence. All activities on a company's information systems are subject to monitoring. Users should have no expectations of privacy. By using a company's e-mail system, users implicitly agree to be governed by that company's AUP regarding e-mail. As an example of the devastation that can occur from improper e-mail usage, let's look at the recent worm that attacked more than 500,000 computers almost overnight in mid-August 2003.

The Win32.Sobig.F worm spreads via e-mail by using its own SMTP engine and leveraging shared file stores or drives. The worm arrives in a message with one of the following subject lines:

  • Re: Thank you!

  • Thank you!

  • Your details

  • Re: Details

  • Re: Re: My details

  • Re: Approved

  • Re: Your application

  • Re: Wicked screensaver

  • Re: That movie

The attachment name is chosen at random from the following embedded name list:

  • your_document.pif

  • document_all.pif

  • thank_you.pif

  • your_details.pif

  • details.pif

  • document_9446.pif

  • application.pif

  • wicked_scr.scr

  • movie0045.pif

The message body reads either "Please see the attached file for details." or "See the attached file for details." The worm spoofs the "From" address, so it appears to come from a different address than that of the affected machine. The worm searches local files with the following extensions for addresses: .txt, .eml, .html, .htm, .dbx, .wab, .mht, and .hlp. When activated, the worm copies itself to the local Windows directory under the file name %Windows%\WINPPR32.EXE. It also creates another file in the Windows directory: %Windows%\WINSTT32.DAT. The "%Windows%" part of the file name is the local environment variable that stores the path to the Windows directory. The worm then creates the following registry values (if the keys currently exist) so that WINPPR32.EXE runs whenever Windows starts:

  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrayX = "%WINDOWS%\winppr32.exe /sinc"

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrayX = "%WINDOWS%\winppr32.exe /sinc"

Win32.Sobig.F uses Network Time Protocol (NTP) servers to obtain time values. Internally, the worm carries 20 specific IP addresses representing known NTP servers. It randomly selects an IP address to use and will attempt to connect with three NTP servers using Port 123 to obtain time values. If all three attempts fail, Win32.Sobig.F will wait an hour before trying again. If the time of day is between 7:00:00PM and 10:59:59PM Greenwich Mean Time (GMT), and the day of the week is a Friday or a Sunday, the worm will try to use the 20 IP addresses embedded within the worm code using port 8998 until it receives a valid response. Previous tests have shown that the remote machine responds with an encrypted URL. The worm then attempts to download and execute a file from this encrypted URL. The 20 IP addresses have been found to belong to victimized home users for the most part. These users are believed to be victims of previous exploits.
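The subject lines, attachment names, body text, Run-key persistence values and Friday/Sunday activation window listed above are exactly the kind of indicators a mail gateway or host review can be checked against. The following is an added example, not from the chapter or from any vendor tool: it turns the chapter's indicator lists into three small checks (mail message, registry autorun value, and trigger window) that a defender could run over gateway logs, host inventory data, or an outbound-connection timeline. The message and record formats are assumptions for the example, and the sample messages are constructed.

```python
"""Match the Win32.Sobig.F indicators listed in the chapter against mail and host data.

Added example, not from the chapter. The indicator strings and the
activation window are the chapter's; the input formats are assumptions.
"""
from datetime import datetime, timezone

# Subject lines the worm uses (from the chapter).
SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Your details", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
# Attachment names the worm picks from (from the chapter).
ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
BODIES = {
    "Please see the attached file for details.",
    "See the attached file for details.",
}
# Autorun value the worm writes under HKCU or HKLM ...\Run (from the chapter).
RUN_VALUE_NAME = "TrayX"
RUN_VALUE_DATA = "%windows%\\winppr32.exe /sinc"  # compared case-insensitively


def score_message(subject, attachment, body):
    """Return the list of Sobig.F indicators a message matches (empty = no match).

    Each field is checked separately, so a legitimate "Thank you!" with no
    .pif attachment surfaces as a weak, single-indicator hit rather than a
    full match.
    """
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    if attachment and attachment.lower() in ATTACHMENTS:
        hits.append("attachment")
    if body.strip() in BODIES:
        hits.append("body")
    return hits


def is_sobig_autorun(value_name, value_data):
    """True if a Run-key value matches the persistence entry the chapter shows."""
    return (value_name == RUN_VALUE_NAME
            and value_data.strip('"').lower() == RUN_VALUE_DATA)


def in_activation_window(when):
    """Chapter's trigger: Friday or Sunday, 19:00:00 to 22:59:59 GMT (treated as UTC).

    Naive datetimes are assumed to already be in UTC; aware ones are converted.
    """
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    utc = when.astimezone(timezone.utc)
    return utc.weekday() in (4, 6) and 19 <= utc.hour <= 22  # Mon=0 ... Sun=6


def in_activation_window_iso(stamp):
    """Same check on an ISO 8601 timestamp string, e.g. '2003-08-22T20:30:00+00:00'."""
    return in_activation_window(datetime.fromisoformat(stamp))


# Constructed sample messages for illustration: (subject, attachment, body).
SAMPLE_MESSAGES = [
    ("Re: Wicked screensaver", "wicked_scr.scr", "See the attached file for details."),
    ("Thank you!", None, "Thanks for your help last week."),
    ("Q3 budget", "budget.xlsx", "Numbers attached."),
]

if __name__ == "__main__":
    for subj, att, body in SAMPLE_MESSAGES:
        print(f"{subj!r}: {score_message(subj, att, body)}")
    print("Fri 20:30 UTC in window:", in_activation_window_iso("2003-08-22T20:30:00+00:00"))
```

The window check is the part most easily gotten wrong: the chapter gives the hours in GMT, so any timestamp from a host in a different time zone must be converted before comparison, which is why the function normalizes to UTC first.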

The Win32.Sobig.F worm was coded to stop replicating on September 10, 2003. According to a CNN News article [9] that appeared shortly after the presence of the worm became known, the worm caused more than $50 million in damages in the United States alone. With more than 500,000 computers infected almost overnight, Win32.Sobig.F became the fastest-spreading worm in known history.

8.2.14 Sensitive Information

All organizational personnel are responsible for the safeguarding and appropriate handling of sensitive corporate information. Sensitive corporate information is defined as information critical to the operation of the business and information for which public release is inappropriate. Ensure that your users are trained and briefed on how to handle sensitive corporate information. Maintain adequate access controls and accountability for information. Set specific policy for the use and handling of sensitive information.

8.2.15 System Security

Providing for adequate system security requires advanced planning and effort. Ensure that System Administrators have adequate resources to establish and maintain system security levels. Listed below are basic areas security managers should be concerned with to ensure that adequate security measures are in place:

  • Hardening systems. No system should ever be placed on a network without a security configuration setup. "Hardening" refers to the process of disabling unnecessary services, installing all of the latest fixes and patches, installing adequate security software, tuning the operating system for security rather than performance, and documenting the system on the network. All of this work takes a great deal of effort to accomplish, but should not be taken lightly. It takes only one incorrectly configured system to allow an intruder into your network.

  • Network architecture. The way systems (nodes) are placed on a network affects the level of security for that network. It is good practice to keep the internal network separate from the publicly accessible network. Publicly accessible portions include things such as Web servers and mail systems. The way administrators go about segregating the two sections of the network varies. In many cases, a firewall is used to create a demilitarized zone (DMZ). This is a separate area of the network where the Web servers and other publicly accessible systems are placed.

  • User authentication and identification. All systems should incorporate proper user authentication and identification methods. This includes authentication based on user ID and password, tokens, or biometrics. To protect systems and data, companies should require outside entities needing access to their systems (whether contractors or other agencies) to use access controls commensurate with those used by the organization. Additionally, these systems should undergo a periodic review (at least semiannually) of user access privileges to ensure that no accounts remain for users who are no longer working on the system. All such "ghost" accounts should be deleted.

8.2.16 Physical Security

Physical security involves safekeeping systems from theft or physical damage and preventing unauthorized access to those systems. If unauthorized users are given physical access to a system, it is a simple matter for them to break in and gain access to important business data. All employees and contractors should be held responsible (and accountable) for taking every reasonable precaution to ensure the physical security of their IT hardware and related peripherals, including mobile devices, from theft, abuse, avoidable hazards, or unauthorized use. Company servers, routers, and other communications hardware essential for maintaining the operability of the systems and their connectivity to the Internet should be placed in a controlled-access location (i.e., behind locked doors).

Managers must ensure that the nodes that comprise the network (such as file servers, Web servers, mail servers, and any other equipment that forms the basis of the network) are secured in an area where access is controlled. Only authorized personnel should have access to network equipment. Ensure that users' systems are as secure as is practical. This includes securing the systems from casual use by installing password-protected screensavers. Provide the ability for users to lock their workstations when they leave their area. The responsibility to safeguard IT assets should not include company employees or contractors endangering themselves or others by attempting to physically prevent the unauthorized removal or destruction of IT hardware, accessories, or supplies. In such a case, employees should notify law enforcement and follow their guidance.

The following section displays a template for creating policies. Appendix A contains samples of policies for some of the more difficult topics to manage in security. A thorough understanding of these policies is essential to all of the employees in any organization. Such understanding will provide better overall security to an organization and prevent unnecessary loss of intellectual property or physical assets. The reader is also encouraged to consult the SANS Reading Room Web site [10] for more information on a wide variety of security policies.

Generic Policy Template

<Policy Title>

1.0 Purpose
The purpose of this policy is to provide guidance ...

2.0 Scope
This policy applies to all <Company Name> employees and affiliates.

3.0 Policy

4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions
Term    Definition

6.0 Revision History
Date of last change    Summary of change    Change made by
January 21, 2004

7.0 Signature(s)
Chief Security Officer    Date ___________________________
Chief Executive Officer    Date ___________________________
Note

It is often the practice in many organizations for the CIO, Legal, and HR, as well as the CSO and CEO, to sign off on policy documents. It is a good idea to check with your organization to be sure which signature blocks are required before publishing policies.

Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153