1 Information Security Policies: User/Employee use policies

2 Overview
- Format of policies
- Usage of policies
- Example of policies
- Policy cover areas
- References
- Homework
- Questions

3 Format of Policies
- Purpose: the need for the policy
- Scope: which parts of the system are covered, and who the policy applies to
- Policy: what can or can't be done with the system
- Enforcement: action that can be taken once the policy is violated
- Definitions: defines the keywords used in the policy
- Revision History: states when and what has been changed

4 Usage of Policies
- Policy: a document that outlines specific requirements or rules that cover a single area
- Standard: a collection of system-specific or procedure-specific requirements that must be met by everyone
- Guideline: a collection of system-specific or procedure-specific "suggestions" for best practice; not required, but strongly recommended

5 5 Example of Policies

8 Policy cover areas
- Acceptable Use
- Information Sensitivity
- Ethics
- E-mail
- Anti-Virus
- Password
- Connection

9 Acceptable Use Policy
- General outline for all other policies
- Protects employees, partners and the company from illegal or damaging actions
- Applies to all computer-related equipment
- Covers: general use and ownership; security and proprietary information; unacceptable use

10 Information Sensitivity Policy
- Determines what information can and can't be disclosed to non-employees
- Public: declared for public knowledge; can be freely given to anyone without any possible damage
- Confidential:
  - Minimal Sensitivity: general corporate information; some personal and technical information
  - More Sensitive: business, financial, and most personnel information
  - Most Sensitive: trade secrets & marketing, operational, personnel, financial, source code, & technical information integral to the success of the company

11 Ethics Policy
- Defines the means to establish a culture of openness, trust and integrity
- Executive Commitment: honesty and integrity must be the top priority
- Employee Commitment: treat everyone fairly, have mutual respect
- Company Awareness: promote a trustworthy and honest atmosphere
- Maintaining Ethical Practices: reinforce the importance of the integrity message
- Unethical Behavior: unauthorized use of company information integral to the success of the company will not be tolerated

12 E-mail Policy
- General usage: to prevent tarnishing the public image
- Prohibited use: can't be used for any disruptive or offensive messages
- Personal Use: states whether e-mail can or can't be used for personal purposes
- Monitoring: no privacy for stored, sent or received messages; monitoring may occur without prior notice

13 E-mail Policy
- Retention: determines how long an e-mail is retained; four main classifications:
  - Administrative correspondence – 4 years
  - Fiscal correspondence – 4 years
  - General correspondence – 1 year
  - Ephemeral correspondence – until read
- Instant Messenger correspondence: retention only applies to administrative and fiscal correspondence
- Encrypted communications: stored in decrypted format

14 E-mail Policy
- Automatic Forwarding: to prevent unauthorized or inadvertent disclosure of sensitive information
- Permitted only when:
  - Approved by the appropriate manager
  - Sensitive information, as defined in the Information Sensitivity Policy, is encrypted in accordance with the Acceptable Encryption Policy

15 Anti-Virus Policy
- To prevent computer virus problems:
  - Install anti-virus software
  - Update anti-virus software daily
  - Always keep anti-virus software in auto-protect mode
  - Scan storage media for viruses before use
  - Never open any e-mail from an unknown source
  - Never download files from an unknown source
  - Remove virus-infected computers from the network until verified as virus-free

16 Password Policy
- A standard for the creation of strong passwords:
  - Contain both upper and lower case characters
  - Contain digits and punctuation characters
  - At least eight alphanumeric characters long
  - Not based on personal information
  - Not a word in any language
  - Can be easily remembered
- Frequency of password changes
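The creation standard above, turned into a checker that reports every rule a candidate password violates. This is an added example, not code from the presentation: the word list is a constructed stand-in for a real dictionary, the personal-information list is supplied by the caller, and the 90-day change interval is an assumed value because the slide only names the rule, not a number.

```python
import re
import string
from datetime import date

# Constructed stand-in for a real dictionary; a production check would load a full word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "company"}


def check_password(password, personal_info=(), dictionary=DICTIONARY):
    """Return the list of password-standard rules that `password` violates (empty = compliant)."""
    violations = []
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        violations.append("must contain both upper and lower case characters")
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_digit and has_punct):
        violations.append("must contain digits and punctuation characters")
    # The slide counts alphanumeric characters, so punctuation does not add to the length.
    if sum(c.isalnum() for c in password) < 8:
        violations.append("must be at least eight alphanumeric characters long")
    lowered = password.lower()
    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in lowered:
            violations.append(f"must not be based on personal information ({item!r})")
            break
    # Strip digits and punctuation before the dictionary test so "Password1!" still fails it.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or core in dictionary:
        violations.append("must not be a word in any language")
    return violations


def password_is_acceptable(password, personal_info=()):
    """True when the candidate password satisfies every rule of the creation standard."""
    return not check_password(password, personal_info)


def password_change_due(last_changed, today, max_age_days=90):
    """Frequency-of-change rule: True once the password is max_age_days or older.
    90 days is an assumed interval; the slide states the rule but no number."""
    return (today - last_changed).days >= max_age_days
```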

17 Password Policy
- Protection of passwords:
  - Never written down or stored on-line
  - Don't reveal a password over the phone
  - Don't reveal a password in an e-mail message
  - Don't reveal a password to the boss
  - Don't reveal a password to co-workers
  - Don't hint at the format of a password
  - Don't share a password with family members

18 Connection Policy
- Remote Access: defines standards for connecting to the company's network from any external host or network
- General: same considerations as an on-site connection; general Internet access for recreational use by the immediate household is permitted
- Requirements:
  - Public/private keys with strong pass-phrases
  - Can't be connected to other networks at the same time
  - Can't provide their login or e-mail password to anyone
  - Most up-to-date anti-virus software installed

19 Connection Policy
- Analog/ISDN Line: defines standards for the use of analog/ISDN lines for sending and receiving faxes, and for connection to computers
- Scenarios & Business Impact: an outside attacker attached to the trusted network
- Facsimile Machines: physically disconnected from computers and the internal network
- Computer-to-Analog Line Connections: a significant security threat
- Requesting an Analog/ISDN Line: state why other secure connections can't be used

20 Connection Policy
- Dial-in Access: to protect information from being inadvertently compromised by authorized personnel using a dial-in connection
- One-time password authentication: required for connecting to the company's sensitive information; a reasonable measure to protect assets
- Analog and non-GSM digital cellular phones: signals are readily scanned by unauthorized individuals
- Monitor account activity: disable an account after no access for six months

21 Connection Policy
- Extranet: describes how third-party organizations connect to the company network for the purpose of transacting business related to the company
- In the best possible way, Least Access
- Valid business justification:
  - Approved by a project manager
  - Point of contact from the sponsoring organization
  - Governed by the Third Party Connection Agreement
- Establishing Connectivity: provide complete information on the proposed access

22 Connection Policy
- Modifying Access: notify the extranet management group so that security and connectivity evolve accordingly
- Terminating Access: when access is no longer required, terminate the circuit
- Third Party Connection Agreement: defines the standards and requirements, including legal requirements, needed in order to interconnect a third party organization's network to the production network; must be signed by both parties

24 Connection Policy
- Virtual Private Network (VPN) Security: defines the requirements for Remote Access IPSec or L2TP VPN connections to the company network
  - Force all traffic to and from the PC over the VPN tunnel
  - Dual tunneling is not allowed
  - 24-hour absolute connection time limit
  - Automatically disconnected after 30 min. of inactivity
  - Only approved VPN clients can be used

25 Connection Policy
- Wireless Communication: defines standards for wireless systems used to connect to the company network
- Access Points and PC Cards: registered and approved by InfoSec
- Approved Technology: use approved products and security configurations
- Encryption and Authentication: drop all unauthenticated and unencrypted traffic
- Setting the SSID: should not contain any identifying information

26 Reference
- The SANS Security Policy Project: http://www.sans.org/resources/policies
- Information Security Policies & Computer Security Policy Directory: http://www.information-security-policies-and-standards.com
- RFC 1244 – Site Security Handbook: http://www.faqs.org/rfcs/rfc1244.html
- Google: http://www.google.com

29 Homework
1. Write a full version of the policy based on assignment 5, "Acceptable student use of the GTS", in the format presented
2. Define the presented usages of policies
Tips:
- The policy document's format is on slide 3
- Policy usage is on slide 4
- You may find more information at SANS

30 Questions
Any questions?
