
Policy Critique

Security Management: Assignment 2


Due Date 4th November

Peter Davies B.Sc - 05004306


MSc Information Security & Computer Crime
University of Glamorgan Security Management Assignment 2

Abstract
This report will critically examine the strengths and weaknesses of the Birkbeck College
Security Policy, resulting in numerous recommendations to clarify the elements of the
policy that present weaknesses.

It will systematically and critically address the approaches and standards related to the
implementation and management of security within an organisation, based on the
material taught and researched during the MSc Information Security and Computer
Crime course at the University of Glamorgan.


Contents
Abstract
Contents
Introduction
Policy Analysis
  Policy Introduction
  General Policy
  Responsibilities of Systems Administrators
  Responsibilities of Central Computing Services
  Responsibilities of Users
  Implementation of the Policy and Sanctions
Recommendations
  Account management
  Running Services
  Personal Information Disposal
  Application Installation
  Maintaining Lists of Users
  Password Policy
  Data Storage & Recovery
  Staff Time Off
  Policy Revisions
  Policy Reviewing
  Network Monitoring
  Administrative/Security Alerts
  Virus Protection and Prevention Policy
  Additional Elements
  Formatting of the document
Conclusions
Background Reading
  White Papers & Reports
  Websites
  Magazines
References


Introduction
Before we begin to analyse a security policy, we must first understand its purpose and
general goals.

In brief, a security policy is a series of published (publicly available) documents
describing the rules and procedures for dealing with the day-to-day management of
information. It is developed to inform users and management of the steps required to
protect an organisation’s assets.

It encompasses analysing risks and threats, and then determining a strategy for what to
do if an incident occurs (incident management). The security policy is usually
constructed from several other policies such as the privacy policy, access policy and the
network policy. The SANS Institute [1] lists over twenty such policies, any of which
(depending on their relevance) could form part of an organisation’s policy.

Searching the World Wide Web for security policies returns quite a few hits. Most
Universities and Colleges will have a security policy (or at least rules and guidelines on
acceptable use of their network). An issue I wish to highlight is that an educational
establishment’s security policy has to deal with the inherent complications that come with
such an organisation’s structure. It is therefore going to contain certain sections in the
policy that would not appear within a corporate organisation’s policy.

For example, an academic organisation has users that typically study there for one
to five years. They also have little or no loyalty toward the organisation, and a large
percentage of them study computer-related subjects. A common concern to security personnel
is that the security policy introduces only a small fear of retribution, so users are
likely to attempt an attack because they know they won’t be punished to the full extent.

It will be the responsibility of the Information Security Officer (ISO) to create and review
the organisation’s security policy, and they are also required to enforce these rules and
regulations throughout the organisation.

Kevin Mitnick, a well-known computer cracker and self-confessed social engineer,
describes that [2]:

Effective security controls are implemented by training employees with well-documented
policies and procedures. However, it is important to note that
security policies, even if religiously followed by all employees, are not guaranteed
to prevent every social engineering attack. Rather, the reasonable goal is always
to mitigate the risk to an acceptable level.

His point is valid and is confirmed by other authors; for example, a recent SANS Institute
white paper [3] on social engineering states that, in order to mitigate such risk, a
good defence should include but not be limited to:


• Password policies
• Vulnerability assessments
• Data classification
• Acceptable use policy
• Background checks
• Termination process
• Incident response
• Physical security
• Security awareness training

RFC 2196 [10] (which replaced the older RFC 1244 of 1991) is a Site Security Handbook
developed as a resource for the Internet community.

Although not directly concerned with organisational security, the Site Security Handbook
provides a detailed explanation of the processes involved in creating a policy. In addition
it provides guidance on how organisations should construct their security policies and
explains the three main characteristics of a good security policy:

1. it must be possible to implement through system administration procedures
2. it must be enforceable with security tools
3. it must clearly define the areas of responsibility for the users, administrators, and
management

Using these three main criteria and the suggestions from the SANS Institute White Paper,
I plan to assess the strengths and weaknesses of the Birkbeck College security policy.

Each section within the policy will be broken down and analysed. The points produced
from this analysis will then be summarised and recommendations made at the end of the
report.


Policy Analysis
Policy Introduction
As a general policy rule, the introduction must provide broad information about the
organisation, including a summary of the technologies that have been implemented. The
Birkbeck College policy contains exactly this, while being careful not to expose too much
technical information.

As this document is publicly available, it can be seen in two ways: as an information base
that clarifies the organisation’s needs, or, more seriously, as a fact sheet for an attacker who is
looking for vulnerabilities in the system.

The introduction of the Birkbeck College policy also describes the objectives they wish
to achieve by writing and implementing their policy. They base their objectives around
the concept of authorisation, which describes who is allowed to access what and in
what manner [4].

This concept of authorisation is drawn from the CIA model, which has been developed
from a need for standardisation. The three elements that make up its acronym are [5]:

1. Confidentiality: protecting information from unauthorised access and disclosure
2. Integrity: safeguarding the accuracy and completeness of information and
processing methods
3. Availability: ensuring that information and services are available to authorised
users

The Birkbeck College policy openly admits that their own network is operated with a
minimum of restrictions. They correctly identify this as a security risk, and the
development of the security policy is a direct result of that admission.

My instinct would be to avoid any form of admission of weakness. Against that
argument, however, issues unavoidably have to be highlighted before they can be
rectified (or at least controlled), and as a result Birkbeck College have
strengthened their policy.


General Policy
The general policy section is designed to cover all aspects of the organisation’s network
and applies to all computers and users. The Birkbeck College policy states:

Every computer connected to the Birkbeck College network must be subject to formal
system administration.

With many organisations, the IT department is fearful of users plugging their own
computer equipment into the network. Introducing equipment that has not been checked
means that there is no control over the data that enters or leaves the network. A security
policy should always include a statement such as the one above.

It’s also fair to say that even if a system has been checked, there could be more
subversive applications that have been missed. It might not be the correct place in a
policy to mention it, but there should be provision for physical (hardware) procedures to
prevent such devices from being plugged into the network. For example, it’s possible to
lock a specific Ethernet socket to a given computer’s MAC address. As each MAC
address is unique to a given network interface card, it will be difficult (although not
impossible, since a MAC address can be changed in software) to connect an unauthorised
computer to the network.

Synopsis: Formal system administration of connected equipment is a strength of the
policy. The weakness in this statement is that no checks are implied and there is no
formal written-consent procedure.

Responsibility for administration and security of computers should be assigned to a
suitably trained and technically competent member/s of staff.

This point clearly assigns to staff the responsibility for administering and
applying security. It also clearly states that the members of staff responsible for such actions
will be technically competent or suitably trained.

Users should be aware that the administrators are competent at their job, which will
hopefully deter certain users who might consider disobeying the policy.

Synopsis: This is a strength of the policy, assigning administration to the necessary
parties.

The staff assigned to the system administrator role must have adequate time in which to
undertake the maintenance of computers under their control.

Although slightly ambiguous, the users must be made aware that if maintenance were to
occur, the system administrator must be given as much time as they need to complete the
task at hand.


If the administrator takes any shortcuts in the action of repairing a system, for example
installing an operating system, it is probable that they could miss a core system patch (or
service pack). The resulting action could be the unknown introduction of a “system”
vulnerability.

The last thing a system administrator needs is hundreds of angry users pressuring him
into completing a task. So, having such a statement in the policy provides the
organisation and system administrator with a certain level of flexibility in the event of an
incident.

Synopsis: This is a strength of the policy, providing it is further clarified by the
administrator’s duties.

Adequate provision of cover during sickness or holidays should be made where key
systems may be affected.

The phrase “adequate” may not be accurate enough to cover the possibility of multiple
key members of the administration team being off work at the same time. Provision needs
to be in place to cover such an eventuality.

It must also be stated that there should not be a single member of staff responsible for
core organisational administration. Roles should be shared amongst staff, to cover for the
eventuality that somebody is ill or on holiday. This degree of contingency will enable the
organisation to remain unaffected by unpredictable events such as staff illness.

Synopsis: This is a weakness of the policy – see recommendations.

Access to any network connected computer must be via a logon process that identifies
and authenticates the user, except where read-only access is given to certain systems
(e.g. the Library Catalogue), or unprivileged access is normal and appropriate
safeguards are in place (e.g. Web browsers in kiosk mode, access to a contained
website).

This statement in the policy identifies the method of authentication the organisation uses.
By implication, as a user you must already be “known” to the organisation to have been
entered in the access control list (ACL).

With an educational establishment, users are authenticated at various stages during the
initial enrolment. For example, when the student arrives they are often authenticated
twice, once when they have to join their course and then subsequently when they have to
prove who they are to pay their tuition fees (effectively when they become a student of
that establishment).

Only after you have enrolled at the department you belong to, and then at the College
itself, will you get your enrolment number. This enrolment number is then your
identification to access the computer network. This means that there is a paper-trail that
identifies your access to a computer all the way to the personal details you enrolled with.

A weakness of the above statement is that it allows a system with unprivileged access to
run a browser in kiosk mode. A simple search on “keyboard commands”
will give a user access to the unprivileged machine. From this point forward they could
download numerous applications that could potentially be used to mount an attack on the
rest of the network.

Synopsis: This is both a strength and weakness of the policy.

Any networked system which will be unused for extended periods (typically several days
or more) should be switched off.

This is a power-saving remark often stated by large organisations that wish to save
money by asking for computer equipment to be turned off when not in use.

Sumir Karayi, CEO of an organisation called 1E, discusses in a recent Computer Weekly
article [6] that even if managing power consumption on a PC saves only a few tens of
pounds a year, a large company could begin to realise significant savings.

Having a computer turned off also provides a physical security barrier. As obvious as it
may seem, if the computer is off it cannot be used or affected by a computer attack.

Synopsis: This is a strength of the policy but requires further clarification. For example,
a server needs to remain active, but could be perceived as unused by non-technical staff.

Accounts which remain unused for five months should be disabled where possible.

Accounts used by system administrators should be cancelled immediately on departure of
member of staff.

No shared accounts will be created, except where absolutely necessary, and under the
condition that a list is kept of the users of the account, and that they are jointly
responsible for any action taken using the account.

Accounts should not be re-used, except where absolutely necessary, and under the
condition that details are kept of the users of the account.

A successful user account management strategy can only be developed through an
understanding of the organisation’s operations. From this learned experience it will be
possible to determine whether a specific rule will work.

For example, the rule above stating that “accounts which remain unused for five months
should be disabled” has been agreed upon by the writers of this policy and therefore now
specifically applies to Birkbeck College.


My main criticism of the rule is that it states the account “should” be disabled, which is
less forceful and less enforceable than “accounts which remain unused for five months will
be disabled”. It also fails to define how an account is classified as unused. For example,
if a researcher working part-time does not use their account for five months, does it mean
they will have their account deleted? Or disabled? An educational establishment will also
have many users arriving each year, and often leaving at any point thereafter.

The other rules stated in the category of account management are mostly common sense.
A noteworthy “shared accounts” rule successfully imposes the responsibilities for
running such an account on the users. By maintaining a list of the users who control the
shared account, you can apportion blame amongst all parties if it gets misused.

Synopsis: This is a strength of the policy, although further recommendations have been
made regarding shared account access.
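To make the ambiguity in “unused for five months” concrete, the following is an added example (written for this critique, not code from Birkbeck College or its policy) of how an administrator could encode the rule so that “unused” has one definition: no login within five calendar months, with never-used accounts measured from their creation date so that a new arrival is not disabled on day one. The account data and the review date are constructed; the choice to disable rather than delete, and the separate cancel-on-departure rule for administrator accounts, follow the policy text above.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

INACTIVITY_MONTHS = 5  # the policy's figure: "unused for five months"


@dataclass
class Account:
    userid: str
    created: date
    last_login: Optional[date]  # None means the account has never been used
    state: str = "active"       # "active", "disabled" or "cancelled"


def months_before(d: date, n: int) -> date:
    """Return the calendar date n months before d, clamping to month length."""
    year, month = d.year, d.month - n
    while month <= 0:
        month += 12
        year -= 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def is_unused(account: Account, today: date, months: int = INACTIVITY_MONTHS) -> bool:
    """Definition of 'unused': no successful login within the last `months` months.

    A never-used account is measured from its creation date, so a freshly
    created account for a new student or researcher is not disabled at once.
    """
    reference = account.last_login or account.created
    return reference <= months_before(today, months)


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Apply the inactivity rule: disable (never delete) unused active accounts.

    Disabling is reversible, which answers the part-time researcher case: the
    account can be re-enabled on request without losing its data.
    """
    actions = []
    for acct in accounts:
        if acct.state == "active" and is_unused(acct, today):
            acct.state = "disabled"
            actions.append((acct.userid, "disabled"))
    return actions


def cancel_on_departure(account: Account) -> Account:
    """Leaver rule for administrator accounts: cancelled immediately, not merely disabled."""
    account.state = "cancelled"
    return account


def demo_accounts() -> List[Account]:
    # Constructed sample data for the example; not Birkbeck College data.
    return [
        Account("alice", date(2005, 1, 10), date(2005, 10, 20)),   # recently used
        Account("bob", date(2004, 9, 1), date(2005, 5, 1)),        # idle for over five months
        Account("carol", date(2003, 2, 3), date(2005, 6, 4)),      # idle for exactly five months
        Account("dave", date(2005, 10, 1), None),                  # new arrival, never logged in
        Account("erin", date(2005, 1, 10), None),                  # created long ago, never used
        Account("frank", date(2002, 5, 5), date(2003, 1, 1), state="disabled"),  # already handled
    ]


if __name__ == "__main__":
    review_date = date(2005, 11, 4)  # constructed review date
    for userid, action in review_accounts(demo_accounts(), review_date):
        print(f"{userid}: {action}")
```

Running the review on the constructed data disables bob, carol and erin and leaves alice, dave and the already-disabled frank untouched; changing `INACTIVITY_MONTHS` or the treatment of never-used accounts is a one-line policy decision rather than a judgement made differently by each administrator.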

Lists of users and their data (such as userids) must not be available to anonymous users
or, where possible, to other users and systems administrators.

What the Birkbeck College policy fails to mention in this statement is how the lists will be
managed. As part of the CIA model, confidentiality is a core requirement of the
organisation’s management of information. Deciding who can access what, and how they
will access it, should be clearly stated.

Synopsis: Despite my previous comment, this is a strength of the policy. Further
recommendations have been made at the end of the report.

Computers in open areas should be physically secured.

Computers in other areas should be accessible only by authorised persons, and security
imposed as appropriate.

Physically securing computer equipment is essential within an educational establishment
where you have hundreds of users sharing a single computer. The usual solution is to lock
the computers within secure cabinets that are attached to the desk units. The second
statement seems to imply the securing of computers within areas such as lecture rooms,
or more generally, rooms that can be locked.

Having physical locks on devices and doors implies there should be a management
process for access control (i.e., distribution of keys). In my opinion, further clarification
is required to establish a mechanism for key management; this could be achieved through
a further document such as a “Physical Security Policy”.

Synopsis: This is a weakness of the policy, requiring a further management process to
maintain the access to rooms and equipment.


Computers offering services external to the College (e.g. web, email, ftp etc), must be
authorised by School or CCS support staff.

Details of any networked system which is operating as a server (including file serving,
print serving, web serving, ftp serving, or applications server) must be given to CCS
Systems staff or to School support staff in the cases of Schools responsible for
maintaining their own servers (e.g. Computer Science and Information Systems,
Crystallography, Economics and Statistics, Geography and the Library).

Most educational establishments will make statements such as the above, but unless there are
hardware or software tools (firewalls) in place to prevent such services running, a
statement alone will not prevent users from running them.

It is aimed at the departments within the organisation who may be running their own
internal systems.

The statements also seem to offer no retribution if a user fails to notify them of running
services.

Synopsis: This is a strength of the policy, although modification needs to be made to
include some form of retribution.

Access to equipment should be possible at all times (in the event of a report being
received by CCS or School support staff out of hours) unless precluded by Health and
Safety requirements.

In a similar vein to physically securing open area computers, the policy states that the
same secured computers must be accessible by support staff in the case of certain
incidents.

Synopsis: This is a strength of the policy but again, this introduces a weakness that
requires a further management process to maintain the access to rooms and equipment.

Personal equipment may not be connected to the College network except where the
connection is made to a School or Departmental network with the written authorization
of the School/Dept System Administrator.

Connecting equipment to the network has technically been covered by formal system
administration (policy point one). The only addition to the rule of connecting equipment
is that this mentions written authorisation from the system administrator.

Synopsis: This is a strength of the policy stating that written authorisation is required to
connect personal equipment. See recommendations.


Responsibilities of Systems Administrators
The following sections within the policy highlight the Systems Administrators’ main
responsibilities to the College.

Users, including systems administrators, should normally login with userids without
unnecessary (“superuser”) privileges. Privileged accounts should be used only for
systems administrative work and monitoring.

When undertaking systems work demanding privileged user status, administrators should
log in under their own account before assuming privileged status (to maintain audit
information).

This is a common computer security concern. The usual practice is to never allow a user
to login directly as the superuser (root on Linux systems) as this greatly increases the
possibility of security risks. Depending on the operating system, the solution is to login as
a normal user and then perform any administrative tasks using the su or sudo commands.

Synopsis: This is a strength of the policy, maintaining an audit trail for system access.

Administrators must ensure that all software is properly licensed.

Administrators must ensure adequate backup procedures are in place.

Adequate virus protection software must be installed.

The above policy statements identify core requirements of the organisation. Each is
required in maintaining the operation of the organisation. For example, the operating
systems and software installed on servers and desktops must be correctly licensed. Some
businesses are open to running unlicensed products due to the excessive costs involved,
but academic establishments are entitled to substantial discounts to reduce such piracy.

Realistically, there should be a separate backup procedure outlined in a further policy
such as a “Data Storage & Recovery Policy” (see recommendations).

The same could be said of virus protection, having a separate policy describing the
procedures to manage a virus and malicious code database. This virus policy should also
consider the consequence if a virus, such as a worm, infects any one of the organisations
networks.

Synopsis: Each statement is fairly weak in what it is trying to describe. The first
statement is a massive weakness of the policy, as the administrator can only prevent
application installation by users if the security tools are available – see the application
installation section in the recommendations. Another recommendation is to have a Virus
Protection and Prevention Policy to cover all departments.


Ensure that passwords are changed regularly and knowledge of the super-user password
should be restricted.

Most literature on security will recommend that passwords are changed on a regular
basis. This limits the lifetime of a password to a set period of time and also limits the
window in which the password can be brute-force cracked (by the time it has been cracked, the
system has already forced the user to change it).

Synopsis: This is a weak statement of the policy – see recommendations on introducing
password policies. Access to the super-user password is covered below.

Superuser and system administrator passwords should be passed to CCS or School/Dept
Computer staff for use in emergency.

As a precautionary measure, most organisations require that system administrator
passwords (which often control core systems) be backed up in some form. This backup can
then be used in an emergency, for example, if the administrator is unreachable.

Synopsis: This is a strength of the policy, maintaining operation given the possibility of
accidents. However, this should form part of the password policy, where, depending on
the risk associated with the password, control measures for accessing it should be enforced
(e.g. sign-off by the academic board).

Logging, and in particular a record of logins on the computer, should be maintained for
one year.

Administrators must not amend any audit or system information which may be used as
part of an audit trail in cases of security breach.

All system access, whether successful or unsuccessful must be logged. The log should
only contain the records of incorrect passwords, making sure that successful passwords
are only logged as “successful”.

It should be common sense that in order to preserve an audit trail, the system
administrator must not tamper with it. This could generate complicated situations if the
organisation demands to have the system active, and in the process of rebuilding the
system, the audit trail is destroyed.

Synopsis: Maintaining an audit trail for an individual system for up to one year is a
strength of the policy. The main criticism of the second statement is that it might not be
possible for a systems administrator to preserve the audit trail in every case, so the policy would
need clarifying to include possible exceptions.


If necessary to protect or maintain service, administrators will disconnect a system,
individual workstation, or software from the School.

The statement covers both the disconnection of hardware and software if it is deemed
dangerous to the organisation.

Synopsis: This is an extremely broad and weak statement given the implications of its
actions. If a server was to be infected with a virus, the last thing an organisation needs is
for an overprotective systems administrator unplugging all of the equipment around it.

Monitor activity and/or record traffic on the network if appropriate, including periodic
intrusion detection testing either internally or by third party.

Monitoring of users is one of the main responsibilities of a system administrator. By
monitoring users’ behaviours and activities it is possible for them to predict events such as
bandwidth increases before they present themselves as a real problem.

The tools used to monitor traffic and generate reports, can often be used in forensic
analysis of network incidents. By recording a time frame of network activity, the system
administrator can replay (in a secure environment) the steps that caused an incident.

Synopsis: This statement is a weakness of the policy. The monitoring of activity needs
clarifying and possibly expanding further in a subsequent policy. See my
recommendations at the end of this document.
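The logging statements (record all access attempts, never alter the audit trail, retain for one year) and the monitoring statement above are only useful if the log is actually read. The following added example (written for this critique, not code from Birkbeck College or its policy) parses a constructed login log whose format is my own assumption, records outcomes only rather than credentials, applies the one-year retention window, flags a burst of failed logins for one user from one address, and checks that no line in the log carries a password field, since an audit trail that captures credentials is itself a confidentiality breach.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed log format (constructed for this example): one login attempt per line,
# "<ISO timestamp> host=<name> user=<userid> result=success|failure src=<address>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)"
)

# Constructed sample log; the final line deliberately breaks log hygiene.
SAMPLE_LOG = """\
2004-10-01T09:00:00 host=cs-srv01 user=alice result=success src=10.0.1.12
2005-11-03T08:01:12 host=lib-ws07 user=alice result=success src=10.0.1.12
2005-11-03T08:02:40 host=lib-ws07 user=carol result=failure src=10.0.1.13
2005-11-03T08:02:55 host=lib-ws07 user=carol result=success src=10.0.1.13
2005-11-03T23:14:01 host=cs-srv01 user=bob result=failure src=10.0.5.9
2005-11-03T23:14:09 host=cs-srv01 user=bob result=failure src=10.0.5.9
2005-11-03T23:14:17 host=cs-srv01 user=bob result=failure src=10.0.5.9
2005-11-03T23:14:24 host=cs-srv01 user=bob result=failure src=10.0.5.9
2005-11-03T23:14:33 host=cs-srv01 user=bob result=failure src=10.0.5.9
2005-11-03T23:14:40 host=cs-srv01 user=bob result=failure src=10.0.5.9
2005-11-03T08:03:10 host=lib-ws07 user=dave result=failure src=10.0.1.14 password=xxxx"""


def parse_log(lines: List[str]) -> List[Dict]:
    """Turn raw lines into records with a real datetime; reject anything unparseable."""
    records = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {number} does not match the expected format")
        rec = match.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def check_log_hygiene(lines: List[str]) -> List[int]:
    """Return line numbers that carry credential material; a clean log returns []."""
    return [n for n, line in enumerate(lines, 1) if re.search(r"\bpass(word)?=", line)]


def within_retention(records: List[Dict], today: datetime, days: int = 365) -> List[Dict]:
    """Keep the records the policy requires: those inside the one-year window."""
    cutoff = today - timedelta(days=days)
    return [r for r in records if r["ts"] >= cutoff]


def failed_login_bursts(records: List[Dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, int]]:
    """Flag (user, src) pairs with at least `threshold` failures inside any `window`.

    A sliding window over the sorted failure timestamps gives the peak count,
    so two mistyped passwords (carol) are not an alert but a run of six (bob) is.
    """
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            failures[(r["user"], r["src"])].append(r["ts"])
    alerts = []
    for (user, src), stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((user, src, peak))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("lines carrying credentials:", check_log_hygiene(lines))
    kept = within_retention(parse_log(lines), datetime(2005, 11, 4))
    print("records inside retention window:", len(kept))
    for user, src, count in failed_login_bursts(kept):
        print(f"alert: {count} failed logins for {user} from {src}")
```

On the constructed log the hygiene check points at the last line, the October 2004 record falls outside the one-year window when reviewed on 4 November 2005, and only bob’s six failures from one address are raised as an alert. The threshold and window are assumptions to be tuned per site; the structure is what a “Network Monitoring” policy would need to pin down.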

Ensure that adequate security (such as dial back) is utilized when connecting modems to
allow remote management/troubleshooting.

Some remote management systems offer dial-back facilities: for example, the user dials in
and is authenticated, and then the system disconnects the call and calls back on a
pre-defined number.

Dial-back is useful since if someone were to successfully guess a username and
password, they are disconnected, and the system then calls back the actual user whose
password was guessed, which would signal that the password has been compromised.

Synopsis: This is a weakness of the policy. “Remote Access Policies” would need to be
implemented governing who could access the system and when. The necessary authentication
and logging would need to be in place to generate any form of useful audit trail.


Responsibilities of Central Computing Services
The following sections within the policy highlight the Central Computing Services’
responsibilities as a department.

Liaise with external organizations (such as UCL Network Group and UKERNA) in the
development and maintenance of the network.

The process of sharing information between organisations is an essential networking tool.
By associating with businesses and organisations that deal directly with security
incidents, you place your organisation one step ahead of the latest threat.

Synopsis: This is a strength of the policy. Any facility for obtaining more information
about security issues will be an advantage to the organisation.

Inform system administrators of security information, hacking attempts, tools etc via an
email list.

The CCS is responsible for alerting the organisation’s systems administrators of the latest
security information via e-mail.

Providing cross-departmental communication is usually quite effective, but it must be
agreed across all members that high priority information should be communicated
immediately.

Synopsis: The statement is quite weak: although security alerts should be announced, e-mail
is not a reliable communication method. See recommendations for alerts.

Provide information and good practice guidelines.

Synopsis: As a policy statement this is quite ambiguous. The statement should describe
what exactly appears in the “good practice guidelines” or at least refer the reader to
another document. This statement does not contribute to the policy and therefore I would
classify it as a weakness.


Assist School/Dept Systems Administrator to correct a security or breach, especially
where the integrity of the network may be at risk, or it is affecting systems elsewhere.

The CCS will act as an independent department, yet it is responsible for the overall network
security of the organisation. This statement suggests that, despite any individually agreed
departmental policies, the CCS still needs to resume control over the actions of the other
departments, as it inherently remains responsible.

Synopsis: The statement is a strength of the policy. It demonstrates that CCS trust the
other departments in the organisation, and will provide support if required.

If necessary to protect and maintain service, disconnect a system, individual workstation,
software, School network or building from the wider College network.

This is a repetition of the system administrator’s responsibility, although now on a larger
scale. The statement implies CCS will do what they deem necessary to maintain service
across the network, even if the result is detrimental to another department.

Synopsis: The statement is a weakness of the policy; it needs to clarify the processes
involved before action is taken against another department.

Monitor activity on the network, including periodic intrusion detection testing either
internally or by third party. If during a scan an obvious weakness is found, CCS will
provide advice and assistance to the appropriate systems administrator. If no
administrator is available, depending on the nature of the loophole, the offending system
may be disconnected from the network.

Following the logical order of the document, the separate departments and the CCS will
be running intrusion detection systems simultaneously.

Synopsis: This is a weak statement and really should be broken down into separate
sections. The monitoring process needs clarifying further and should really be given its
own category within the security policy – see recommendations on Monitoring Network
Activity.


Maintain central checking of malicious code, including of email passing through central
mail systems.

The CCS should really set a generic policy for all other networks to follow. For example,
if the CCS have a specific anti-virus policy in place, it would be logical that each
department also follow suit and use the same procedures.

The likelihood is that the internet connection to the network will pass through the CCS
department, so technically each subsequent department will not require the same level of
protection that is automatically provided to the overall organisation. There would be no
point running a second virus scan on an e-mail that has already been scanned through the
central mail system.

Synopsis: This is a weak statement. By implication of having and maintaining virus
protection, CCS will automatically be completing this action.

Maintain site licences of virus protection software.

Each server and client desktop will be required to have a valid virus protection license.
This is a requirement of the complete network, and has to include every department.

The CCS is to make sure each of the separate departments comply with whatever policy
is in place to deal with software licensing.

Synopsis: This is a strength of the policy. An organisation should be responsible for the
management and control of virus protection licenses.

Co-ordinate the development and maintenance of the security policy.

The CCS should be responsible for the maintenance and review of the security policy.
The document should be reviewed on a regular basis and signed off by various members
of the educational establishment academic board.

Synopsis: This is a weakness of the policy. It should really describe who is responsible
for management and review of the security policy. Review practices will be mentioned in
the recommendations.

Provide assistance in developing router-filtering rules if required.

The CCS should aid any department in the setting up of firewall rules. Given prior
authorisation CCS can grant access to certain services through the firewall.

Synopsis: This is a weak statement. The CCS should be responsible for enforcing router-
filtering rules and maintaining network integrity. They subsequently note that (at the time
of writing) there is no border level firewall, and no firewall policy.


Responsibilities of Users
The section dealing with the responsibility of users forms the basis for an Acceptable Use
Policy. This will aid the staff and management to discipline any users, using the AUP as a
reference. The organisation can claim that the user was made aware of the AUP and
subsequently anybody who violates the policy can be referred back to the document.

The Birkbeck College policy lists some of the main components that constitute an
Acceptable Use policy as:

• User Authentication & Password
• File Storage
• Email Communication
• Network Use

Each of these sections lists a series of “rules” that users are expected to obey, and are not
really classified as responsibilities. The term “users” in this section applies to students,
staff and system administrators.

In synopsis, Birkbeck College openly admits that the lists of rules are not extensive, and
that other rules are implied and not directly stated. This, in itself, is a weakness of this
section of the policy.

A further weakness of this section is that the Birkbeck policy identifies other relevant
policies that users are required to familiarise themselves with. It is unlikely that a user
will actively seek out the other documents, and as a result, simply listing them in this
section provides no useful information.

Implementation of the Policy and Sanctions


This section of the Birkbeck policy deals directly with disciplinary procedures.

It correctly assesses the responsibility for implementing the policy to be dealt with by the
Heads of Schools, Academic Services and Central Administration.

As a policy statement, its main weakness is in the explanation of the disciplinary
procedures. I would have thought that the policy and sanctions section would include
specific disciplinary actions for given infringements of the policy. This in my opinion
would strengthen the organisation’s stance in convincing a user that they must abide by
the guidelines and rules set out in the security policy.


Recommendations
Account management
In my opinion, users should be prevented from having shared accounts altogether. This
reduces the likelihood that an account could be compromised, and also reduces the workload
of the systems administrator.

For situations where a shared account is unavoidably required, my suggestion is to
introduce a time-limit on the account. This maintains a certain degree of control over the
account, but at the expense of further administration when the account needs renewing.

Also, prior to disabling a user’s account, the administrator must obtain formal verification
(written) that the user no longer requires the account.

Users must also be aware that the primary user of a computer is considered to be the
‘guardian’ of the equipment. So, if the machine they use is compromised, they are
technically responsible. This though in practice could be difficult to implement, and by
the recommendations already outlined, if it can’t be implemented, it probably shouldn’t
be in the security policy.

Running Services
The policy states that any user wishing to run services such as Web, FTP or e-mail must
give details to the CCS department.

In my opinion this should be altered to read that “any user wishing to run services must
obtain written authorisation from the CCS department”. The responsibility for
maintenance can then be passed onto the individuals wishing to run the service. This also
provides a useful control mechanism if there are no hardware or software firewalls in
place.

The statement should also then include some form of punishment if the CCS department
discovers illegitimate running services. For example, peer-to-peer applications are
basically servers distributing large amounts of data across a network. There should be
adequate detail in the policy to cover such services (which is discussed further in these
recommendations).

Personal Information Disposal
There should be a “personal information disposal and retention guidelines” document or
section within the policy. It is the responsibility of the staff and users of the network to be
aware of security when disposing of or storing coursework.

For example, certain computer systems have temporary storage directories where a user
can put documents they are working on. If this directory is not “cleaned” after use,


another user using the same machine will have access to the same document after logging
on. In terms of plagiarism it will be both parties that will be disciplined, the first for
having failed to sufficiently protect their work.
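The scratch-directory problem described above can be closed at the system level rather than left to each user. The following is an added example, not code from the report or from Birkbeck College: a logout hook that empties a shared machine's scratch directory. The directory layout and file names are constructed for the example; note that it unlinks symbolic links rather than following them, so a link planted in the scratch area cannot cause deletion elsewhere on the machine.

```python
import shutil
import tempfile
from pathlib import Path


def clean_scratch_directory(scratch) -> int:
    """Remove every entry left in a shared machine's scratch directory at logout.

    Returns the number of top-level entries removed. Symbolic links are unlinked,
    never followed, so a planted link cannot cause deletion outside `scratch`.
    """
    scratch = Path(scratch)
    # Refuse to operate on anything that is not a real directory (e.g. the
    # scratch path itself having been replaced by a link).
    if scratch.is_symlink() or not scratch.is_dir():
        raise ValueError(f"{scratch} is not a real directory")
    removed = 0
    for entry in scratch.iterdir():
        if entry.is_symlink():
            entry.unlink()            # drop the link only, not its target
        elif entry.is_dir():
            shutil.rmtree(entry)      # leftover sub-folders of coursework
        else:
            entry.unlink()            # ordinary files
        removed += 1
    return removed


def demo():
    """Constructed scenario: leftover coursework plus a link pointing outside
    the scratch area. Returns (entries removed, entries remaining, outside
    file still present)."""
    root = Path(tempfile.mkdtemp(prefix="scratch-demo-"))
    scratch = root / "scratch"
    scratch.mkdir()
    (scratch / "essay-draft.doc").write_text("constructed leftover coursework")
    (scratch / "old").mkdir()
    (scratch / "old" / "notes.txt").write_text("constructed leftover notes")
    keep = root / "keep.txt"                   # outside scratch: must survive
    keep.write_text("must not be deleted")
    (scratch / "escape").symlink_to(root)      # planted link to the parent
    try:
        removed = clean_scratch_directory(scratch)
        remaining = len(list(scratch.iterdir()))
        survived = keep.exists()
    finally:
        shutil.rmtree(root)
    return removed, remaining, survived


if __name__ == "__main__":
    print(demo())
```

In practice the hook would be registered with the login manager of the lab machines; the example only shows the cleaning logic and the check that protects the rest of the file-system.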

Application Installation
The administrators of the Birkbeck College network will need to employ the features
available from software vendors to control and implement successful application
installation.

For example, Microsoft provides a mechanism for controlling installation of applications
on individual computers through the use of “Group Policies”. Microsoft describes on
their website that it [7]:

…allows you to centrally manage registry-based policy settings (Administrative
Templates), security settings, software installation, scripts, folder redirection,
Remote Installation Services, wireless settings, Internet Explorer, and other
components.

Using such a tool would prevent individual desktop users from installing unwanted or
more importantly, unlicensed software.

Maintaining Lists of Users
The Birkbeck College security policy has no clearly defined process for managing lists of
users. They would be required to comply with the Data Protection Act and as a
suggestion I would create a sub-policy specifically to deal with this matter.

Another important issue is lists of Administrators and staff. Their phone number and e-
mail addresses should not be disclosed to any other users, so as to prevent needless phone
calls and reduce the risk of social engineering attacks.

Password Policy
Lost passwords should be rectified by resetting the password and not retrieving the old
one. This will also require formal identification of the account holder. This will prevent
social engineering attacks aimed at obtaining authorisation through the administration
department.

Another solution is to create accounts that expire or become disabled each academic year.
This would remove any unused accounts and reduce the risk of attackers using dormant
accounts. Actually deleting the accounts may be too extreme, so simply disabling the
account and getting the user to physically re-authenticate with a department could be a
solution.

The SANS Institute has an example online Password Policy Template [8] which contains
some general guidelines for maintaining passwords:


• All system-level passwords (e.g., root, enable, NT admin, application
administration accounts, etc.) must be changed on at least a quarterly basis.
• All production system-level passwords must be part of the InfoSec administered
global password management database.
• All user-level passwords (e.g., email, web, desktop computer, etc.) must be
changed at least every six months. The recommended change interval is every
four months.
• User accounts that have system-level privileges granted through group
memberships or programs such as “sudo” must have a unique password from all
other accounts held by that user.
• Passwords must not be inserted into email messages or other forms of electronic
communication.

Some of these points are valid, but depending on your type of business (such as a website
hosting provider) there are no other cost-effective means of providing clients with
authentication details (for example, sending new account information through e-mail).
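The account-management recommendations above (time-limited shared accounts, accounts disabled rather than deleted when dormant at the turn of the academic year) and the SANS password-age intervals just quoted can be checked mechanically. The following is an added example and not code from the report, the College or SANS; it reviews a constructed list of accounts against those rules. The review date, the academic-year start date and the account records are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Intervals from the SANS password template bullets quoted above.
SYSTEM_MAX_AGE_DAYS = 90          # system-level: "at least on a quarterly basis"
USER_MAX_AGE_DAYS = 180           # user-level: "at least every six months"
USER_RECOMMENDED_AGE_DAYS = 120   # user-level: "recommended ... every four months"


@dataclass
class Account:
    name: str
    system_level: bool                  # root, enable, NT admin, application admin ...
    shared: bool                        # shared account, time-limited under the recommendation
    password_changed: date
    expires: Optional[date] = None      # time-limit on a shared account, if one was set
    last_login: Optional[date] = None   # None = never logged in
    disabled: bool = False


def review_account(acct: Account, today: date, academic_year_start: date) -> List[str]:
    """Return the policy findings for one account (empty list = compliant)."""
    findings: List[str] = []
    if acct.disabled:
        return findings                 # nothing further to check on a disabled account

    # Account management: a shared account must carry a time-limit, and once the
    # limit passes it is disabled (not deleted) pending written renewal.
    if acct.shared:
        if acct.expires is None:
            findings.append("shared account has no expiry date")
        elif acct.expires < today:
            findings.append(f"shared account expired {acct.expires}: disable pending renewal")

    # Password policy: no login since the academic year began means the account is
    # dormant; disable it and have the user re-authenticate with the department.
    if acct.last_login is None or acct.last_login < academic_year_start:
        findings.append("no login since start of academic year: disable, re-register in person")

    # Password age against the SANS intervals, by account class.
    age = (today - acct.password_changed).days
    limit = SYSTEM_MAX_AGE_DAYS if acct.system_level else USER_MAX_AGE_DAYS
    if age > limit:
        findings.append(f"password age {age} days exceeds {limit}-day limit")
    elif not acct.system_level and age > USER_RECOMMENDED_AGE_DAYS:
        findings.append(f"password age {age} days exceeds recommended {USER_RECOMMENDED_AGE_DAYS} days")
    return findings


def review_accounts(accounts: List[Account], today: date,
                    academic_year_start: date) -> Dict[str, List[str]]:
    """Map each non-compliant account name to its list of findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = review_account(acct, today, academic_year_start)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample data: a review run on 1 November 2005 for an academic
# year assumed to have started on 26 September 2005.
TODAY = date(2005, 11, 1)
ACADEMIC_YEAR_START = date(2005, 9, 26)
SAMPLE_ACCOUNTS = [
    Account("root", True, False, date(2005, 6, 1), last_login=date(2005, 10, 30)),
    Account("lab-shared", False, True, date(2005, 9, 1),
            expires=date(2005, 10, 15), last_login=date(2005, 10, 20)),
    Account("jsmith", False, False, date(2005, 5, 1), last_login=date(2005, 6, 10)),
    Account("akhan", False, False, date(2005, 10, 1), last_login=date(2005, 10, 31)),
    Account("old-admin", True, False, date(2004, 1, 1), disabled=True),
]

if __name__ == "__main__":
    for name, findings in review_accounts(SAMPLE_ACCOUNTS, TODAY, ACADEMIC_YEAR_START).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the sample data the root account is flagged for password age alone, the shared lab account for its lapsed time-limit, and the dormant student account for both inactivity and password age; the fourth account passes and the already-disabled account is skipped. The "sudo" uniqueness bullet is deliberately not checked here: salted password hashes cannot be compared across accounts, so that rule has to be enforced at the point where the password is set.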

Data Storage & Recovery
A complete new section should be generated for examining the processes involved in
maintaining a successful backup and archive system.

Organisations and users often get confused when discussing backup and archiving
procedures, so a policy specifically for describing the processes should be created. It
should include items like:

Daily incremental backups will be performed in the evening and stored on the
University Storage Area Network (SAN).

Weekly full tape backups will be made of the SAN and stored off site for a period
of 1 month

The policy or document responsible for the storage and recovery procedures must define
what file-systems get backed up, how often, and which members of staff are responsible
for this maintenance.
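The two schedule items quoted above (daily incrementals, a weekly full tape kept off site for one month) imply a restore chain and a tape-recall rule that the policy should spell out. The following is an added example and not code from the report or the College: it models that schedule for one constructed month, works out which backups are needed to recover a given day, and lists which off-site tapes have passed their retention period. The choice of Sunday for the weekly full and of 31 days as "1 month" are assumptions made for the example.

```python
from datetime import date, timedelta
from typing import List, Tuple

Job = Tuple[date, str]   # (date the job ran, "full" or "incremental")

FULL_BACKUP_WEEKDAY = 6                 # assumption: weekly full runs on Sunday (Monday == 0)
OFFSITE_RETENTION = timedelta(days=31)  # assumption for "stored off site for a period of 1 month"


def job_kind(day: date) -> str:
    """Weekly full tape backup on the chosen weekday, daily incremental otherwise."""
    return "full" if day.weekday() == FULL_BACKUP_WEEKDAY else "incremental"


def schedule(first: date, last: date) -> List[Job]:
    """Every evening's backup job between two dates inclusive."""
    jobs: List[Job] = []
    day = first
    while day <= last:
        jobs.append((day, job_kind(day)))
        day += timedelta(days=1)
    return jobs


def restore_chain(jobs: List[Job], target: date) -> List[Job]:
    """Backups needed to recover the file-systems as they stood on `target`:
    the latest full on or before that date, then every later incremental up to it.

    Raises ValueError when no full backup precedes the date, i.e. there is
    nothing for the incrementals to be applied to.
    """
    fulls = [d for d, kind in jobs if kind == "full" and d <= target]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    base = max(fulls)
    chain: List[Job] = [(base, "full")]
    chain += [(d, kind) for d, kind in jobs if kind == "incremental" and base < d <= target]
    return chain


def expired_offsite_tapes(jobs: List[Job], today: date) -> List[date]:
    """Weekly full tapes whose off-site retention has lapsed and may be recalled or reused."""
    return [d for d, kind in jobs if kind == "full" and today - d > OFFSITE_RETENTION]


# Constructed example: every job for October 2005.
OCTOBER_JOBS = schedule(date(2005, 10, 1), date(2005, 10, 31))

if __name__ == "__main__":
    for d, kind in restore_chain(OCTOBER_JOBS, date(2005, 10, 12)):
        print(d, kind)
    print("tapes past retention on 10 Nov 2005:",
          expired_offsite_tapes(OCTOBER_JOBS, date(2005, 11, 10)))
```

Recovering 12 October needs the full from Sunday 9 October plus the three incrementals that follow it, which is exactly the information the storage and recovery section should state: the restore time grows with the number of incrementals since the last full, and a lost weekly tape invalidates every incremental of that week.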

Staff Time Off
As a general rule, the system administrators of a given department must not be allowed to
take the same holidays. If something was to go wrong, and all technical staff were away,
how could the organisation continue business?

The same must also be stated that there should not be a single member of staff
responsible for core organisational administration. Roles should be shared amongst staff,
to cover for the eventuality that somebody is ill or on holiday.


Policy Revisions
As well as having the latest version stated on the title page, the document should contain
a complete new section called “Revisions”. This revisions section will list the dates and
times that the policy was modified. It should list next to each revision which member of
staff performed the modification. This way there is an audit trail of who introduced what
change and when.

Policy Reviewing
The introduction talked about the responsibility of the ISO to create and review the
organisation’s security policy. It is also the responsibility of the ISO to consult the users
whom the policies affect before implementing any changes.

It must also be considered that any legacy systems inadvertently will be affected by any
policy implemented. The requirements of such systems need to be well thought-out
during the initial development of the policy.

Network Monitoring
A policy needs to clarify exactly what the system administrator will be monitoring. The
usual practice is to include such information in a privacy policy, explaining the extent to
which the users will have their privacy violated.

The policy should also make a clear note of the Intrusion Detection Systems and as a
result, how the computer network will be protected from malicious attacks.

Administrative/Security Alerts
A system should be in place that categorizes security incidents and subsequently alerts
the necessary parties. This will require management of staff and system administrator
contact information.

It should also, depending on the severity of the alert, require that system administrators
directly communicate using the telephone to resolve the incident.

Virus Protection and Prevention Policy
Another SANS Institute policy document [9] suggests that for successful virus protection
and prevention, the policy should demonstrate the baseline requirements for the use of
virus protection software. It should have separate guidelines on:
• reporting and containing virus infections
• defining levels of virus risk (i.e., worms, Trojans)

And suggests that the following points be discussed:
• requirements for scanning email attachments
• a policy for the download and installation of public domain software
• the frequency of virus definitions


Additional Elements
The current policy appears to be quite dated. The past few years have seen an increase in
mobile devices, and as a result, the system administrator must make provision for users
connecting to the network.

This though, instantly breaks one of the already established policy rules that no user can
connect “personal” equipment to the academic network. A solution is to implement a
separate wireless network, which has been secured against possible threats to the main
network.

Another recommendation is to include (or exclude) the use of portable mass-storage
devices (such as USB memory sticks). Again, the current policy prohibits their use under
the “personal” equipment statement. But nowadays, the floppy disk is all but obsolete,
and applications are generating larger files.

So, if you allow mass-storage devices to be accessed through the computer’s USB port,
why not allow music devices like the Apple iPod? The issue here is that files as well as
music can also be stored on an iPod. It is obvious that a clear policy would need to be
created to cover the use of such devices.

In terms of network usage, the policy should be updated to exclude and prohibit such
applications as instant messaging and peer-to-peer file transfer applications, both of
which can unnecessarily increase bandwidth use, generating adverse effects on the rest of the
network.

The Birkbeck policy does not state any goal of obtaining ISO 17799 or BS7799 status.
These standards are specifically related to developing a code of practice that the
business/organisation must adhere to. The ISO’s role should be to guide the organisation
towards obtaining certification under one of the two standards.

Formatting of the document
My initial concern with the document was that it was missing definitions explaining any
acronyms; for example, the first page uses CCS, which isn’t explained until you deduce
that it is one of the three distinct groups mentioned on page two.

The Birkbeck College security policy shows no dates of when it was created, or when it
has been subsequently modified. For effective version control, a date of creation, date of
last modification and finally a revision number should be added to a title page.

The document should also have been proof read as there are several cases where the
structure of the stated rule makes no grammatical sense.

A useful “authoritative approval” would be to have the policy signed off by the College’s
Academic Board. This makes the document appear official in the eyes of the user.


Conclusions
An ISO’s job is to manage the flow of information entering and leaving an organisation
to minimise loss or damage. This can only be achieved through initial development and
subsequent regular reviewing of the security policy.

The end of the document lists several policies that are technically pre-requisite to reading
the Birkbeck College network policy. In my opinion this should be part of the main
policy’s introduction, because everyone is expected to read these texts as well as the
policy document.

In my opinion, the construction of a security policy must follow a certain pattern. For
example, reading any document is in what could be classically defined as a “serial”
fashion. You start from the beginning of the document and inevitably reach the end. In
my opinion the Birkbeck policy was constructed from the following three separate
sections, in the order listed below:

1. responsibilities of users – the list of things users can and cannot do
2. introduction and general policy statements
3. job responsibilities for systems administrators and the CCS

The reason for this argument is that the Responsibilities of Users looks as if it was the
first list or statement made by Birkbeck before they had a policy document because it
seeks to make clear what users “must” and “must not” do. It is also apparent that there are
many more positive statements such as “must”, compared to the earlier sections that use
the terminology “should”.

The policy should be written more like a demand upon users than a guideline telling the
users that they should perform a certain task. What ever is written must be positive, and
induce a sense of importance in the mind of the users.

One generally accepted approach to follow is suggested by Fites et al. [Fites 1989] and
subsequently summarised by the 1997 Site Security Handbook (RFC2196), which includes
the following steps [10]:

1. identify what you are trying to protect
2. determine what you are trying to protect it from
3. determine how likely the threats are
4. implement measures which will protect your assets in a cost-effective manner
5. review the process continuously and make improvements each time a weakness is
found

As previously stated, the Birkbeck College security policy shows no dates of when it was
created, or when it has been subsequently modified. From inspection of the document
properties, it shows that the document was created (and last modified) on the 29th January
2002. This shows that no apparent review of the security policy exists.


As a student studying Information Security and Computer Crime, I am concerned that a
large organisation such as a college has not subsequently reviewed their security policy.
It could be true that the document has stood its ground for 3 years, but in that time we
have had a surge in networked, wireless and mobile computers (see recommendations).

Another interesting issue is to ask whether the document will ever be read or knowingly
accepted by the users or staff. It is the ISO’s job to make sure they do, but who
realistically is going to examine the contents of the policy?

A possible solution is to have all users sign a statement indicating that they have read,
understood, and agreed to abide by the policy. On academic networks, I have often seen
the policy available as soon as you login to your account. But user ignorance means I
click the “accept” button without understanding the implications that I have just agreed to
abide by the policy, and subsequently be subjected to any of the disciplinary procedures.

If the user were to actually sit and read the many documents that constitute a policy, I
believe they may realise that the policy has unrealistic demands.

In my opinion, what makes users accept the policy without reading it is the need to
complete a task with the minimum of questions. Sometimes you have no choice but to
agree to an organisation’s policy, as the consequence of not agreeing is that you no
longer belong to the “group”. This is true of academic establishments. If you wish to
study at University, and use their facilities (which is quite often necessary to complete the
course), you are required to agree to the organisation’s policy.

With all my analysis of the strengths and weaknesses of the Birkbeck College security
policy, the only real sign that they work will come from actual implementation, which
should highlight issues for review and modification.

I also believe that it doesn’t matter how comprehensive a security policy is, the users will
still find it as an impediment to their daily duties. Any such complaints should be
highlighted during policy reviews and the policy document subsequently amended if
possible.


Background Reading
White Papers & Reports
ASIS Online (2004) Chief Security Officer (CSO) Guideline
BarclaySimpson (2005) Information Security Market Report 2005
CIO (2005) Incident Response: Response & Reporting Guidelines
Computer Security Institute (2005) CSI/FBI Computer Crime and Security Survey
Control Data (1999) Why Security Policies Fail
Kroll (2004) Protecting Corporate Secrets

Websites
CSO Online (2005) The Resource for Security Executives [Online] CXO Media Inc
Available From: http://www.csoonline.com [Accessed 14th October 2005]

Information Security Policy World (2005) Security Policies [Online] ISPSG, Available
From: http://www.information-security-policies-and-standards.com [Accessed 15th
October 2005]

SuperhighwaySafety (2001) Computer Misuse Act 1990 [Online] Crown copyright -
DfES and Becta, Available From:
http://safety.ngfl.gov.uk/ukonline/document.php3?D=d10 [Accessed 15th October 2005]

Dolan, A., (2001) SANS Social Engineering Papers [Online] SANS Institute, Available
From: http://www.sans.org/rr/whitepapers/engineering/ [Accessed 30th October]

Magazines
SC Magazine August (2005), Article: Policy Management
SC Magazine October (2005), Article: Risk Opinion


References
1. Unknown, (2004) The SANS Security Policy Project [Online] SANS Institute. Available
From: http://www.sans.org/resources/policies/#template [Accessed 15th Oct 2005]
2. Mitnick, K. E., (2003) The Art of Deception [Book] Wiley. Chapter 16 [Page 260]
3. Dolan, A., (2004) Social Engineering [Online] SANS Institute. Available From:
http://www.sans.org/resources/popular.php [Accessed 15th Oct 2005].
4. Denning, D. E., (1999) Information Warfare and Security [Book] Addison Wesley. Part
1: Introduction [Page 41]
5. Blyth, A & Kovacich, G.L., (2001) Information Assurance [Book] Springer. [Page 99]
6. Unknown, (2005) Who is winning the power game? [Online] Computer Weekly.
Available From:
http://www.computerweekly.com/Articles/Article.aspx?liArticleID=212113 [Accessed:
1st November 2005]
7. Unknown, (2000) Windows 2000 Group Policy [White Paper] Microsoft. Available
From:
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp
[Accessed: 2nd November 2005]
8. Unknown, (2001) Password Policy [Online] SANS Institute. Available From:
http://www.sans.org/resources/policies/Password_Policy.pdf [Accessed: 3rd November
2005]
9. Guel, M. D., (2001) Policy Primer [Online] SANS Institute. Available From:
http://www.sans.org/resources/policies/Policy_Primer.pdf [Accessed: 3rd November
2005]
10. Fraser, B., (1997) RFC 2196 – Site Security Handbook [Online] NWG. Available
From: http://www.faqs.org/rfcs/rfc2196.html [Accessed: 31 October 2005]
