By Charles Cresson Wood, CISA, CISM, CISSP, Independent Information Security Consultant, Sausalito, California
Prepared on 9 October 2001
Management at many organizations is now wondering: "How should we best respond to the 11 September 2001 terrorist attacks?" One inexpensive and quick-to-implement response that many organizations can adopt involves changing internal policies to match the new and changed threats which these attacks have brought. The following list of ten information security policies is meant to be a quick checklist of ideas which might be incorporated into a new or revised information security policy document. Every organization will have different information security needs, and as a consequence, every organization should have different policies to address these needs. Accordingly, this list is unlikely to apply in its entirety to any particular organization, and undoubtedly other actions besides those listed below will be required.
Policy: All workers to be placed in computer-related positions of trust must first pass a background check. This process must include examination of criminal conviction records, lawsuit records, credit bureau records, driver's license records, as well as verification of previous employment. This policy applies to new employees, re-hired employees, transferred employees, as well as third parties like temporaries, contractors, and consultants.
Commentary: This policy is intended to ensure that only those people who are trustworthy will have access to powerful system privileges and sensitive internal information. While the specific tasks to be performed in a background check can vary based on the job involved, a standardized minimum background check should be performed for all workers. In many cases, the background check can be performed by third parties such as a management recruiting firm or a private investigator. Those performing background checks must be careful that they do not inadvertently violate the privacy of prospective workers. Consultation with internal legal counsel is advisable in this regard.
Policy: There must be no signs indicating the location of Company X computer or communications centers.
Commentary: Many organizations are reevaluating the merits of having offices in high-visibility landmarks such as skyscrapers. They are instead distributing their staff to various locations so that a bomb or another disaster would have a diminished adverse impact on their operations. This policy takes the movement in the direction of a low profile one step further by masking the very presence of an organization's information systems. The policy is intended to increase the resources that terrorists and others with malicious intent must consume to locate the organization's computer and communications facilities. People who work at such a facility can also be instructed not to divulge specifics about the facility to the public unless the requesting individuals first provide a legitimate reason to know such information. While this policy may make life slightly more difficult for delivery personnel, buildings and offices can be located by street addresses and other methods.
Policy: Whenever in Company X buildings or facilities, all persons must wear an identification badge on their outer garments so that both the picture and printed information on the badge are clearly visible.
Commentary: Many organizations still allow anybody to wander throughout their offices without identification, without an escort, and without being challenged. This laissez-faire approach is an invitation to theft, not only of confidential information, but also of handbags, personal computers, palmtop computers, and other valuable items. Not requiring a badge is also an invitation for a terrorist to come in and look around before he or she performs the dirty work. A policy requiring a badge must be accompanied by procedures to deal with those cases where workers forget their badges, where workers' badges have expired, etc. A badge system must also be able to effectively deal with terminated employees. If basic physical security such as this is not provided, many of the information security measures that an organization adopts can be easily undercut or compromised.
Policy: For computer and communications systems, management must prepare, periodically update, and regularly test contingency plans. These plans must provide for the continued operation of critical systems in the event of an interruption or degradation of service.
Commentary: In this context, the words "contingency plans" apply to both emergencies and disasters. In the course of preparing contingency plans, organizations should go through what is called a business impact analysis, which examines the effects of various loss scenarios. For example, if a bomb were to go off in a computer center, what would the impact be? Only when the impacts are determined and ranked by priority can contingency planning resources be allocated efficiently and a logical contingency plan be prepared. This policy is intended to mandate the regular update and testing of contingency plans. The information systems field moves so fast that updates are required at the very least annually, and very often more frequently. Of course, other types of contingency plans will also be needed. For example, if a bomb goes off in an organization's headquarters building, then personnel will need another set of offices if the organization's work is going to continue. This backup office space would generally be covered in a facilities contingency plan.
Policy: Backups of essential business information and software must be stored in an environmentally-protected and access-controlled site which is a sufficient distance away from the originating facility to escape a local disaster.
Commentary: The intention of this policy is to require that up-to-date backup media are stored at a location some distance from the primary site. If a bomb goes off and destroys a building, then backups which were co-located with the original copies will be of very little use, or of no use whatsoever. The policy also makes a point of emphasizing the need for environmental controls, because excessive heat and airborne particulate matter can damage some types of magnetic recording media. Likewise, only authorized people should be able to access the remotely-located backups. In some cases encryption of backups will be advisable in order to assure that only authorized people can access the critical information stored on these backups.
Policy: All Company X networked production systems must have an adequately-staffed process for expediently and regularly reviewing all newly released systems software patches, bug fixes, and upgrades. This process must also include procedures to promptly install these patches, bug fixes, and upgrades as necessary to all machines interfacing the Internet and other public networks.
Commentary: The objective of this policy is to ensure that systems administrators and others are promptly updating systems software on those systems which interface with public networks like the Internet. If systems software is not promptly updated, then intruders will be able to run vulnerability identification software to identify systems susceptible to publicized exploits. This means that terrorists, hackers, industrial spies and other unsavory characters are now using computers to identify those systems which could be breached. If network-connected systems don't have the latest software which incorporates security bug fixes, patches, and upgrades, then in a matter of only a few days these systems will be identified and soon thereafter penetrated. In the years ahead, this process will be increasingly performed without human intervention with the aid of automated software distribution systems. In the meantime, it is often a tedious but nonetheless vitally important process.
Policy: To allow Company X to promptly respond to attacks, all Internet-connected multi-user computers must be running an intrusion detection system approved by the Information Security Department.
Commentary: Intrusion detection systems are different from vulnerability identification systems. The former provides an alert system telling staff when the defenses have been breached. The latter tells staff what needs fixing in order to bolster the defenses. Typically an intrusion detection system will feed a network management system (NMS) or some other notification system which will immediately alert those who are in a position to do something. For example, members of a Computer Emergency Response Team (CERT) can get into action based on pager alerts from an intrusion detection system. This policy helps to ensure that all systems on the periphery of an internal network have adequate intrusion detection systems.
Policy: Computer systems handling sensitive, valuable, or critical information must securely log all significant security relevant events. Examples of security relevant events include: password guessing attempts, attempts to use privileges that have not been authorized, modifications to production application software, and modifications to system software.
Commentary: Investigations of computer crimes -- be these crimes initiated by terrorists or not -- critically depend on logging information. If such logging information is not available, an investigation is going to be severely hampered if not infeasible. This policy is intended to ensure that security relevant events will be recorded and available for subsequent analysis and corrective action. The policy could apply to all production systems rather than only those which handle sensitive, valuable, or critical information. However an organization does it, it should make sure that these logs are recorded and maintained in a safe place for a certain period of time (perhaps six months). In many cases hash totals, checksums, or digital signatures applied to system logs can be used to prove that the logs have not been altered since the time they were recorded.
Policy: Specific information security responsibilities must be incorporated into all worker job descriptions if such workers have access to sensitive, valuable, or critical information.
Commentary: The time has come for management to stop saying that information security is everyone's responsibility while at the same time ignoring the need to specifically assign responsibility to certain people. This policy is intended to force management to be clear about what is expected of all people who have access to sensitive, valuable, or critical information. Included within the scope of this policy are end-users, who often act as if they have no responsibilities in the information security area. In reality, end-users are on the front line in the battle against intruders, viruses, and other information security problems. Today's information security environment involves the distribution of information not only to end-user desktop computers, but also to workers' homes, to outsourcing firms' premises, to strategic partners' premises, and to other locations. These and other people must cohesively work together as a team in order to achieve genuine information security. This can only be done if the responsibilities of each are explicitly assigned.
Policy: Information security risk assessments for critical information systems and critical production applications must be performed at least once every two years. All major enhancements, upgrades, conversions, and related changes associated with these systems or applications must be preceded by a risk assessment as defined in the Information Security Manual.
Commentary: The intention of this policy is to make sure that staff continue to consider the risks associated with the use of information systems technology. This policy is notable because it provides a time-frame for the performance of periodic risk assessments. The two-year interval is an outside limit on these activities, and in reality risk assessments should be performed much more frequently, as the circumstances defined in the second sentence indicate. In many instances, an independent third party is the best provider of risk assessment services. This is because information security staff should not be called upon to evaluate the effectiveness of their own work -- this would be a conflict of interest. In many organizations that independent provider may be an internal auditor, but in an increasing number of cases it is an expert external consultant. Nothing in this policy dictates a methodology, but in general the methodology should be changed every so often to get a different picture of the risks and of how the organization is doing with respect to these risks. One year an organization might use scenario analysis, another year it might use the standard-of-due-care method, and yet another year it might use quantitative risk assessment. All of these can be supported with quarterly third party penetration attacks to validate the correctness of the security precautions that have been taken to date.
Charles Cresson Wood, CISA, CISM, CISSP
InfoSecurity Infrastructure, Inc.
For information about consulting services: 707-937-5572 (office voice)
For information about books by Charles Cresson Wood, contact Information Shield at http://www.informationshield.com
All Rights Reserved