Introduction to Developing Security Policies and Implementing Them
Kamyar Niroumand (کامیار نیرومند)
Equipment Team Specialist
APA Specialized Center
Isfahan University of Technology
Autumn 1388
Objectives
- Describe the concepts of security policies.
- Examine the standards of Security Policy Design.
- Describe the individual policies in a security policy.
- Examine a detailed complete policy template.
- Describe the policy procedures for Incident Handling and Escalation.
Concepts of Security Policies
- A security policy is nothing more than a well-written strategy on protecting and maintaining availability to your network and its resources.
- Most organizations do not have a security policy.
- Excuses are rampant!
Policy Benefits
- Categories
  - They lower the legal liability to employees and 3rd-party users of resources
  - They prevent waste of resources
  - They protect proprietary and confidential information from theft, unauthorized access or modification, or internal misuse of resources
How to Start
- Policy Design
  - the policy committee works together to develop an overall strategy for the policy
- Enforcement
  - mechanisms to ensure the policy is enforced
- Monitoring
  - tracking the performance of the policy and its effectiveness, or lack thereof
[Figure: a graphical representation of the components of the security policy.]
A Question of Trust
- The level of trust varies by the organization
- Balancing is the key
  - too little trust impacts functionality
  - too much trust affects security
Trust Options
- Trust all the people all the time
- Trust none of the people none of the time
- Trust some of the people some of the time
Policy Committee
- Security Policy Committee
  - Upper & Middle Management
  - Local & Remote Users
  - Human Resources
  - Legal Professionals
  - Security Professionals
  - IT Users
Security Policy Scenario
- Organization Overview
- Physical Building Overview
- Network & Computer Overview
- Extranet Overview
Are Policies Political?
- Resistance
  - A person who doesn't like change
  - A person who is convinced the policy will hinder their work performance
  - A person who believes the organization is akin to "big brother"
The Policy Design
- Choosing a leader
  - strong project management skills
  - excellent communicator
- Goals
- Formulating the policy
Policy Standards
- BS7799
  - www.securityauditor.net
- ISO17799
  - www.iso.ch
  - .ch = Switzerland (Switzerland is also known as 'Confoederatio Helvetica', hence 'ch')
BS7799
- Business continuity planning
- System access control
- System development and maintenance
- Physical and environmental security
- Compliance
BS7799
- Personnel security
- Security organization
- Computer and network management
- Asset classification and control
- Security policy
ISO17799
- Sections
  - Business Continuity Planning
  - System Access Control
  - System Development and Maintenance
  - Physical and Environmental Security
  - Compliance
  - Personnel Security
  - Security Organization
ISO17799
  - Computer and Network Management
  - Asset Classification and Control
  - Security Policy
Important RFCs
- RFC 2196: The Site Security Handbook
- RFC 2504: The User's Security Handbook
The Policies
- The Acceptable Use Policy
- The User Account Policy
- The Remote Access Policy
- The Information Protection Policy
- The Network Connection Policy
- The Strategic Partner Policy
- The Privileged Access Policy
The Policies
- The Password Policy
- The Internet Policy
- Individual policies per technology
  - e.g. firewall policy or IDS policy
The Acceptable Use Policy
- Considerations
  - Are users allowed to share user accounts?
  - Are users allowed to install software without approval?
  - Are users allowed to copy software for archive or other purposes?
  - Are users allowed to read and/or copy files that they do not own, but have access to?
The Acceptable Use Policy
- Are users allowed to make copies of any OS files?
- Are users allowed to modify files they do not own, but have write access to?
- Are users required to use password-protected screensavers?
The User Account Policy
- Considerations
  - Are users allowed to share their user accounts with coworkers?
  - Are users allowed to share their user accounts with family members or friends?
  - Are users allowed to have multiple accounts on a computer?
  - Are users allowed to have multiple accounts in the network?
The User Account Policy
- Considerations
  - Who in the organization has the right to approve requests for new user accounts?
  - How long are accounts to remain inactive before they are disabled?
The Remote Access Policy
- Considerations
  - Which users in the organization are authorized for remote access?
  - What is the process for becoming authorized for remote access?
  - What methods of remote access are allowed?
  - Is the entire network accessible remotely?
The Remote Access Policy
- Can remote users use remote management to reach their computers in the office?
- Are users' family members allowed to access the organization's network remotely?
- Are users allowed to install modems to dial out of the network?
- Will the organization place requirements on the software of computers performing remote access?
The Information Protection Policy
- Considerations
  - How are the different levels of data classification labeled?
  - Which users have access to the different levels of data classification?
  - How are users informed of their levels of access?
  - What is the default level of access that is to be applied to all information?
The Information Protection Policy
- Is information that is classified at the top level allowed to be printed on common printers?
- Are all computers in the network able to store information that has the top level of classification?
- Will computers that do store top-level information require special security controls?
- How is information to be disposed of?
The Network Connection Policy
- Considerations
  - Are users allowed to install networking hardware in their computers?
  - Which users are authorized to install networking devices in their computers?
  - Who in the organization has the authority to approve networking component installation?
The Network Connection Policy
- What is the documentation process for new networking components?
- What is the procedure in the event that the network is disabled?
- What is the process in the event an unauthorized network component is found on the network or in a computer?
The Strategic Partner Policy
- Considerations
  - Are strategic partners required to have written security policies?
  - Are strategic partners required to provide copies of their policies?
  - Are strategic partners required to disclose their perimeter and internal security measures?
The Strategic Partner Policy
- Will strategic partners be allowed to connect via a VPN?
- How are those VPNs to be configured?
- What type of access shall be granted to strategic partners?
The Privileged Access Policy
- Considerations
  - Who hires the network administration personnel?
  - Who may be allowed root, domain administrator, or enterprise administrator access?
  - What is the process for requesting privileged access?
The Privileged Access Policy
- Who has the authority to create the privileged access user account?
- Are administrators allowed to run network-scanning tools?
- Are administrators allowed to access any file on any computer?
- What is the process for determining which files administrators do have access to?
The Privileged Access Policy
- Are administrators allowed to run password-checking tools?
- Are privileged accounts allowed to access the network remotely?
- Can a family member or visitor share a privileged account?
The Password Policy
- Considerations
  - Will the Security Administrator have the right to run password-checking tools?
  - What is the minimum length that users' passwords must be?
  - How often must users change their passwords?
  - Can a user re-use a password?
  - What are the restrictions on how a password must be created?
The Password Policy
- What are the penalties for passwords that do not meet the criteria?
- Are passwords required to be of a different strength for privileged accounts?
- How many incorrect passwords are required for an account lockout?
- What is the process of unlocking a locked account?
The Password Policy
- Are screen-savers required to be password protected?
- Does a user have to log on to the system in order to change a password?
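The password policy considerations above, expressed as a checkable policy object: an added illustration in Python, not part of the slides. The policy values, the stricter privileged-account policy, the account name and the "approved" unlock step are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
import re

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int         # "minimum length that users' passwords must be"
    max_age_days: int       # "how often must users change their passwords"
    history_size: int       # "can a user re-use a password": the last N are off-limits
    lockout_threshold: int  # "how many incorrect passwords ... for an account lockout"
    min_classes: int = 3    # "restrictions on how a password must be created"

# Constructed sample values (not from the slides): a baseline policy for ordinary
# users and a stricter one for privileged (root / domain administrator) accounts.
USER_POLICY = PasswordPolicy(10, 90, 5, 5)
PRIVILEGED_POLICY = PasswordPolicy(16, 30, 12, 3, min_classes=4)

def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit and symbol classes the password uses."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))

def check_new_password(policy: PasswordPolicy, candidate: str, previous: list) -> list:
    """Return the policy violations for a proposed password; an empty list means accepted.
    `previous` is the account's password history, newest last (a real system compares
    salted hashes, not plaintext; plaintext is used here only to keep the example short)."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if character_classes(candidate) < policy.min_classes:
        violations.append(f"fewer than {policy.min_classes} character classes")
    if policy.history_size and candidate in previous[-policy.history_size:]:
        violations.append(f"re-uses one of the last {policy.history_size} passwords")
    return violations

def password_expired(policy: PasswordPolicy, last_changed: str, today: str) -> bool:
    """Rotation check on ISO dates: True once the password is older than max_age_days."""
    return (date.fromisoformat(today) - date.fromisoformat(last_changed)).days > policy.max_age_days

@dataclass
class Account:
    name: str
    policy: PasswordPolicy
    failed_attempts: int = 0
    locked: bool = False

def record_failed_login(acct: Account) -> bool:
    # Count one failed attempt and lock at the policy threshold; returns the locked state.
    acct.failed_attempts += 1
    if acct.failed_attempts >= acct.policy.lockout_threshold:
        acct.locked = True
    return acct.locked

def unlock(acct: Account, approved: bool) -> bool:
    # Unlocking is a separate approved step (the slide's "process of unlocking"); True if unlocked.
    if approved:
        acct.failed_attempts, acct.locked = 0, False
    return not acct.locked
```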
The Internet Policy
- Considerations
  - Are all users allowed to access the Internet?
  - Are all users allowed to access Web sites?
  - Are users allowed to access remote email servers?
  - Are there limits on the size of Internet downloads?
The Internet Policy
- Are there controls in place to restrict access to objectionable Web sites?
- Are users aware of the controls on access?
- Will the organization monitor users' access to Web sites?
- Are users allowed to use organizational email resources for personal use?
- What level of privacy will users be granted with their email?
Miscellaneous Policies
- Considerations
  - Are users able to install PDA software on their components?
  - Who in the organization is going to support the user-installed application?
  - Will administrators be able to review the content stored on the PDA?
Sample Escalation Procedures for Security Incidents
- Computer security incidents
  - Loss of personal information
  - Suspected sharing of user accounts
  - Unfriendly employee termination
  - Suspected violations of special access
  - Suspected computer break-in or computer virus
Sample Escalation Procedures for Security Incidents
- Physical security incidents
  - Illegal building access
  - Property damage or personal theft
Incident Handling
- The steps of incident handling must be discussed before an incident occurs
Sample Incident Handling Procedure
- Introduction
- General procedures
- Specific procedures