© 2006 Cisco Systems, Inc. All rights reserved. SND v2.01-1 Introduction to Network Security Policies Developing a Comprehensive Security Policy.

Transcript:

Introduction to Network Security Policies: Developing a Comprehensive Security Policy

Outline
– Overview
– Why Do You Need a Security Policy?
– What Does a Security Policy Do and Who Uses It?
– Components of a Comprehensive Security Policy
– Developing a Security Policy Using the PDIOO Model
– Developing a Security Policy: Plan Phase
– Developing a Security Policy: Design Phase
– Developing a Security Policy: Implement Phase
– Developing a Security Policy: Operate Phase
– Developing a Security Policy: Optimize Phase
– What Makes a Good Security Policy?
– Summary

Figure Out What You Are Protecting
(Diagram: assets, threats, vulnerabilities, and safeguards.)
Assets:
– Things you have that others want
– Critical processes, data, or information systems
– Anything that will bring your business to a halt
Safeguards protect the confidentiality, integrity, and availability of your network.

Why Do You Need a Security Policy?
Three reasons for a security policy:
– To inform users, staff, and managers of their obligatory requirements for protecting technology and information assets
– To specify the mechanisms through which these requirements can be met
– To provide a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the security policy

What Does a Security Policy Do?
A comprehensive security policy:
– Protects people and information
– Sets the rules for expected behavior
– Authorizes staff to monitor, probe, and investigate
– Defines the consequences of violations

Who Uses the Security Policy?
Internal audiences:
– Managers and executives
– Departments and business units
– Technical staff
– End users
External audiences:
– Partners
– Customers
– Suppliers
– Consultants and contractors

Components of a Comprehensive Security Policy
– Governing Policy
– Technical Policies
– End-User Policies

Governing Policy Comes from the Top
Governing policy includes these key components:
– A statement of the issue that the policy addresses
– A statement about your position on the policy
– How the policy applies in the environment
– The roles and responsibilities of those affected by the policy
– What level of compliance to the policy is necessary
– Which actions, activities, and processes are allowed and which are not
– What the consequences of noncompliance are

Technical and User Policies
Categories of technical policies describe the duties of the security staff in specified technical areas:
– General policies
– E-mail policies
– Remote access policies
– Telephony policies
– Application policies
– Network policies
– DMZ policies
– Lab policies
User policies detail specific duties and responsibilities for end users.
SPAN Engineering general security policies:
– Acceptable use policy
– Account access policy
– Acquisition assessment policy
– Audit policy
– Information sensitivity policy
– Password policy
– Risk assessment policy
– Global web server policy

Types of Technical Policies
General policies:
– AUP
– Account access request policy
– Acquisition assessment policy
– Audit policy
– Information sensitivity policy
– Password policy
– Risk assessment policy
– Global web server policy
E-mail policies:
– Automatically forwarded e-mail policy
– E-mail policy
– Spam (see AUP)
Remote access policies:
– Dial-in access policy
– Remote access policy
– VPN security policy
Telephony policy:
– Analog and ISDN line security policy

Types of Technical Policies (Cont.)
Application policies:
– Acceptable encryption policy
– ASP policy
– Database credentials coding policy
– Interprocess communications policy
– Project security policy
– Source code protection policy
Network policies:
– Extranet policy
– Minimum requirements for network access policy
– Network access standards
– Router and switch security policy
– Server security policy
– Wireless communications policy

Types of Technical Policies (Cont.)
DMZ policies:
– DMZ equipment
– DMZ application server
– DMZ web entitlement
Lab policies:
– Active directory trust process
– Internal lab security policy
– Lab antivirus policy

Security Policy Development
(Diagram of the PDIOO cycle: Plan, Design, Implement, Operate, Optimize. Assess the effectiveness of the security policy at each turn of the cycle. The cycle is the domain of managers and users.)

Developing a Security Policy: Plan Phase
Tasks and responsibilities
Design group:
– Information security team
– Technical staffs
– Legal counsel
– Human resources
– Internal audit
– User groups
– Technical writers
Steering committee:
– Business management
– Technical management
– Legal counsel
– User group

Developing a Security Policy: Design Phase
Activity / Comment
– Identify the assets: What do you need to protect?
– Identify the threats: What are you protecting them from?
– Classify the risks: What level of risk does each threat present to each asset?
– Identify users: Who needs to use each asset?
– Take action: What policies are needed to protect our assets?

Assigning Risk to Network Components
(Table: each network component is assigned a level of risk of Low, Medium, or High; the original slide marks the assignments with check marks that did not survive extraction. Diagram labels: Assets, Risks, Threats.)
Network components:
– Core network devices
– Distribution network devices
– Access network devices
– Network monitoring devices (SNMP and RMON)
– Network security devices (RADIUS and TACACS systems)
– Network file servers
– Network print servers
– Network application servers (DNS and DHCP)
– Data application servers (Oracle or others)
– Desktop computers, standalone print servers, and network fax machines

Identify Types of Users
Type of user / Description
– Administrators: Internal users responsible for network resources
– Privileged users: Internal users with a need for greater access
– General users: Internal users with general access
– Partners: External users with a need to access some resources
– Others: Access granted as required and appropriate

Security Analysis Matrix
Network component / Description / Risk level / Types of users
– ATM switches: Core network device; High; Administrators for device configuration (support staff only), all others for use as a transport
– Network routers: Distribution network device; High; Administrators for device configuration (support staff only), all others for use as a transport
– Closet switches: Access network device; Medium; Administrators for device configuration (support staff only), all others for use as a transport
– ISDN or dial-up servers: Access network device; Medium; Administrators for device configuration (support staff only), partners and privileged users for special access
– Firewall: Access network device; High; Administrators for device configuration (support staff only), all others for use as a transport

Developing a Security Policy: Implement Phase
Activity / Comment
– Write an initial draft: Enforce, implement, and account for exceptions. (The policy must last a long time and be understood.)
– Review draft until complete: Review inside and outside the team
– Develop a communication plan: Use the chain of command to disseminate any new or changed policies
– Publish and distribute: Use the intranet; allow downloads
– Activate the communication plan: Use e-mail and a security awareness program
– Provide training: Design training to be relevant to the work responsibilities of every person using the system
– Allow a grace period: Audit internally; ensure enforceability

Developing a Security Policy: Operate Phase
Activity / Comment
– Security operations and administration: Includes day-to-day operations, responses to changes, and responses to attack
– Security auditing: Scheduled activity to evaluate effectiveness using automated tools, internal controls audit, security checklists, penetration testing, and annual policy review
– Security monitoring: Ongoing activity focusing on the security system and its users
– Incident response: Established procedures and follow-up

Operate Phase: Security Monitoring
Create a monitoring policy based on the security analysis matrix to monitor:
– Low-risk equipment weekly
– Medium-risk equipment daily
– High-risk equipment hourly
Example: Because firewalls are high-risk components, set SNMP to monitor:
– Failed login attempts
– Unusual traffic
– Changes to the firewall configuration
– Access granted to the firewall
– Connections set up through the firewall
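The following is an added example, not code from the Cisco course: it turns the Security Analysis Matrix and the weekly/daily/hourly schedule above into a check that reports which components are overdue for review, and sorts firewall log lines into the five event types the slide says to watch. The syslog-style message format, the keyword mapping, and the sample log lines are constructed assumptions, not real firewall output.

```python
from datetime import datetime, timedelta
# Component -> risk level, as given on the Security Analysis Matrix slide.
ANALYSIS_MATRIX = {
    "ATM switches": "High",
    "Network routers": "High",
    "Closet switches": "Medium",
    "ISDN or dial-up servers": "Medium",
    "Firewall": "High",
}
# Review frequency per risk level (weekly / daily / hourly, from this slide).
MONITOR_INTERVAL = {"Low": timedelta(weeks=1), "Medium": timedelta(days=1),
                    "High": timedelta(hours=1)}
# Firewall events the slide says to watch, keyed by a constructed substring
# of an assumed syslog-style message (not real firewall syntax).
FIREWALL_EVENT_KEYWORDS = {
    "login failed": "Failed login attempt",
    "traffic anomaly": "Unusual traffic",
    "config changed": "Change to the firewall configuration",
    "access granted": "Access granted to the firewall",
    "connection built": "Connection set up through the firewall",
}

def classify_firewall_event(line):
    """Map one log line to a monitored category, or None if it is routine."""
    msg = line.lower()
    for keyword, category in FIREWALL_EVENT_KEYWORDS.items():
        if keyword in msg:
            return category
    return None

def overdue_components(last_reviewed, now_iso):
    """Components whose last review (ISO-8601 timestamps) exceeds their interval."""
    now = datetime.fromisoformat(now_iso)
    overdue = []
    for component, risk in ANALYSIS_MATRIX.items():
        last = last_reviewed.get(component)
        if last is None or now - datetime.fromisoformat(last) > MONITOR_INTERVAL[risk]:
            overdue.append(component)
    return overdue

# Constructed sample lines, not output of any real device.
SAMPLE_LOG = [
    "2006-03-01T10:02:11 fw1 login failed for user admin from 10.0.0.5",
    "2006-03-01T10:05:40 fw1 config changed: access-list outside_in modified",
    "2006-03-01T10:06:02 fw1 connection built tcp 10.0.1.9:51002 -> 192.0.2.10:443",
    "2006-03-01T10:07:15 fw1 interface GigabitEthernet0/1 link up",
]
```

A component that has never been reviewed is reported as overdue, so a newly added device shows up until its first check is recorded.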

Operate Phase: Incident Response
(Diagram: incident activity is classified as Harmless, Hostile, or Illegal, and the classification drives the incident response option.)
Incident response options:
– Technical collaboration: Incident handling (technical analysis) by network administrators and system administrators
– Operational collaboration: Incident handling (operational) by managers and users, guided by the security policies
– Incident handling (forensic analysis and criminal investigation): Legal, human resources, and others

Developing a Security Policy: Optimize Phase
Activity / Comment
– Managing change: Organizations deal with changes in features and services, new threats and vulnerabilities, increasing need for interconnections, new user groups, and upgrades to software, hardware, and services.
– Major change: You should analyze changes from a security standpoint and use the PDIOO process.
– Minor change: You should complete the necessary analysis and modify as necessary.
– Policy management: You should review policies to ensure that they remain current.

Managing Security Changes
– Create specific security configuration requirements in nontechnical terms
– Use the guidelines to complete required network configuration changes to implement the security policy
– Use the guidelines to control future configuration changes
The security team must review:
– Any change to firewall configuration
– Any change to ACLs
– Any change to SNMP
– Any software change or update
FTP guideline: Outside connections should not be able to retrieve files from the inside network.

What Makes a Good Security Policy?
The characteristics of an effective and efficient policy:
– Implementable
– Enforceable
– Defines roles and responsibilities
– Documented, distributed, and communicated
(Figure: An Effective Security Policy for SPAN Engineering.)

Summary
– Organizations need security policies to guide efforts to protect their technology and information assets.
– A comprehensive security policy protects people and information; sets the rules for expected behavior by users, system administrators, management, and security personnel; allows security personnel to monitor, probe, and investigate; and defines and authorizes the consequences of violations.
– A comprehensive security policy is a set of technical and user policies governed by management direction and support.
– Developing a security policy is a major undertaking, and you should approach it in the same way as any major project.
– The plan phase aims at assembling a team and assigning tasks.
– The design phase aims at identifying assets, identifying threats, and balancing needs against risks.

Summary (Cont.)
– The implement phase aims at developing and implementing policies.
– The operate phase is concerned with security operations and administration activities, including security auditing, monitoring, and incident response.
– The optimize phase manages how changes in network and business environments affect security policies.
– An effective security policy is implementable and clearly defines the responsibilities for the users, administrators, and management.
– A security policy needs to be documented, distributed, and communicated.
