CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor: Joseph DiVerdi, Ph.D.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Need for a Security Policy If you don't have a written, published Web Security Policy –You can't know if your Web site is secure –Security is defined by policy A policy is a list of what is & is not permissible Must reflect your organization's –Needs –Values –Political Realities Reflects trade-off between risk & convenience

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Issues for Security Policy Who is allowed access? What is the nature of that access? Who authorizes such access? Who is responsible for security? Who is responsible for upgrades? Who is responsible for backups? Who is responsible for maintenance? What kinds of material are allowed on served pages?

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Issues for Security Policy Which sites & external users are to be allowed access to pages & data served? What kinds of testing & evaluation must be performed on software and pages before they are installed? How are complaints & requests about the server & page content to be handled? How should the organization react to security incidents?

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Issues for Security Policy How and when should the policy itself be updated? Who is allowed to speak to members of the press, law enforcement, and other outside entities in the event of questions or an incident?

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy PERSONNEL Access Levels The Web site grants five levels of access: 1. The public - read-only access to all URLs with the exception of the /private directory. 2. Employees of XXX Corporation - read-only access to all URLs including the /private directory. 3. HTML Authors - ability to create, modify, & delete HTML files in the document tree. 4. Site Administrators - ability to modify Web server configuration files, install CGI scripts, & start/stop the Web Server. 5. System Administrators - ability to modify the Web server host configuration, and start/stop the host machine.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy Authorization Procedure For access levels 3, 4, & 5, personnel must obtain written authorization from the Director or Deputy Director of Information Systems. The written authorization must be presented to the system administrator, who will set up the appropriate account & privileges. Access level 2 is granted automatically to all new employees when they receive their account and LAN password.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy Revocation of Authorization For access levels 2 through 5, authorization may be revoked without warning at the discretion of the Director or Deputy Director of Information Systems. In case of emergency, a system administrator may also revoke access. This action must be reviewed and confirmed within 24 hours by the Director or Deputy Director of Information Systems.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES Local Login Local (console) login to the Web server host is allowed for system & site administrators only. Logins are for the purpose of site maintenance only. Network Login All forms of network login are forbidden, including file sharing.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES (con't) Authoring Access HTML authors & site administrators have the right to make changes to the document tree. all authorizing access is via FTP from machines located with the.XXXcorp.com domain. Modifications are time stamped & logged. Except in emergencies, direct modifications to the document tree via local login are forbidden.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES (con't) Remote Server Administration Not allowed. All server administration is done locally. Browsing Access With the exception of the /private URL, anonymous Web browsing is allowed throughout the site. /private is restricted to computers within the.XXXcorp.com domain.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES (con't) CGI Script Installation CGI scripts can be installed by site administrators after at least two members of the site administrators group have reviewed & approved the code. CGI scripts for which source code is unavailable cannot be installed without prior approval by the Director of Deputy Director of Information Systems.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES (con't) Access to the /private Directory The /private directory contains information that is confidential to the XXX Corporation. Access is restricted to host computers in the.XXXcorp.com domain.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy NETWORK SERVICES Web The Web site will serve static HTML documents & the output of CGI scripts. Incoming Web data is limited to customer feedback & discussion groups, whose scripts deposit their information in isolated databases. Neither CGI scripts nor the server itself are to make connections with other databases, files systems, or services on the LAN without prior written authorization by the Director of Information Systems.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy NETWORK SERVICES (con't) FTP Incoming & outgoing FTP are provided for the purpose of updating Web pages only. FTP access is restricted to HTML authors, site & system administrators, and only to computers located within the.XXXcorp.com domain. Anonymous FTP & all access from outside the.XXXcorp.com domain is forbidden. Other Services No other network services are provided by the Web host.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy MAINTENANCE 24 x 7 Operation The site should be accessible 24 hours a day, 7 days a week, except for a 2-hour maintenance period between 7 AM and 9 AM on Sundays. System administrators should be prepared to switch to a backup server in a timely manner in case the primary server develops hardware problems.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy MAINTENANCE (con't) Backups A complete backup of the Web server host will be done weekly, and incremental backups daily.

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy MAINTENANCE (con't) Monitoring A system administrator is responsible for monitoring the Web server host system logs for errors & other unusual activity. A site administrator has similar responsibility for the Web server logs. Any suspicious activity should be brought to the attention of the Director of Information Systems immediately. A system or site administrator who detects suspicious activity & has reason to believe that the integrity of the system or XXX Corporation confidential is imminently threatened is authorized to take the Web server off-line.