Beruflich Dokumente
Kultur Dokumente
C
Countermeasures
t
Version 6
Mod le XLIX
Module
Creating Security Policies
News
Source: http://www.darkreading.com/
• Security Policies
• Key Elements of Security Policy
• Role of Security Policy
• Classification of Security Policy
• Configurations of Security Policy
• Types of Security Policies
• E mail Security Policy
E-mail
• Software Security Policy
• Points to Remember While Writing a Security Policy
Classification of Security
Security Policies E-mail Security Policy
Policy
Points to Remember
Role of Security Policy Types of Security Policies While Writing a Security
Polic
Policy
Securityy p
policies are the foundation of the securityy infrastructure
Without them, you cannot protect your company from possible lawsuits, lost
revenue, bad publicity, and basic security attacks
Clear communication
Enforceable by law
Sufficient guidance
User Policy
• Defines what kind of user is using the network
• Defines the limitations that are applied on users to secure the
network
• Password Management Policy
• Protects the user account with a secure password
IT Policy
• D
Designed
i d for
f IT d department
t t to
t kkeep th
the network
t k secure and
d stable
t bl
• Following are the three different IT policies:
• Backup Policies
• Server configuration, patch update, and modification policies
• Firewall
Fi ll P
Policies
li i
General Policies
• Defines the responsibility for general business purposes
• The following are different general policies:
• High Level Program Policy
• Business
B i Continuity
C i i Pl Plans
• Crisis Management
• Disaster Recovery
P t
Partner P
Policy
li
• Policy that is defined among a group of partners
Components:
• Issue
I Statement
St t t
• Statement of the Organization's Position
• Applicability
• Roles and Responsibilities
• Points of Contact
• Physical security
• Personnel Security
• Communications Security
• Administrative Securityy
• Risk Management
• System Management
Copyright © byEC-CouncilAll Rights Reserved.
EC-Council Reproduction is Strictly Prohibited
Design of Security Policy
Guidelines should cover the following points as policy
structure:
End-consequences of non-compliance
Copyright © byEC-CouncilAll Rights Reserved.
EC-Council Reproduction is Strictly Prohibited
Contents of Security Policy
• Defines
D fi the
h roles,
l responsibilities,
ibili i andd functions
f i off a security
i policy
li
• Provides a way to configure services that are installed and available depending on
the server’s role and other features
Network Security
Registry Settings
Audit Policy
Proper
p securityy awareness p
program,
g , cooperation,
p , and coordination
among employees is required
Promiscuous Policy
Permissive Policy
Prudent Policy
Paranoid Policy
Acceptable-Use Policy
User-Account Policy
Remote-Access Policy
Information-Protection Policy
Firewall-Management Policy
Special-Access Policy
Network-Connection Policy
Business-Partner Policy
O h Important
Other I P li i
Policies
No Restrictions on Internet/Remote
Access
• Goodd lluck
k to your network
k administrator,
d i i you have
h our
blessings...
K
Known d
dangerous services/attacks
i / k bl
blocked
k d
Everything is logged
Should users read and copy files that are not their own but are accessible to them?
Should users modify files that they have write access to but are not their own?
Should users make copies of system configuration files (for example, /etc/passwd and SAM)
for their own personal use or to provide to other people?
Should users be allowed to use .rhosts files? Which entries are acceptable?
W at levels
What eve s o
of se
sensitive
s t ve information
o at o may
ay be printed
p ted in pub
publicc
printers?
H
How often
ft are passwords
d changed?
h d?
Wh should
Who h ld document
d t network
t k changes?
h ?
Are there any security requirements for the new devices being
added to the network?
The policy is really only as good as the policy statements that it contains. Policy
statements must be written in a very clear and formal style
An e-mail
e mail security policy is created to govern the proper usage of
corporate e-mail
Line management
g must notifyy staff about changes,
g , that might
g
affect security
Policy
P li development
d l t mustt b
be d
devised
i d andd processed
d entirely
ti l
by the security professional and it should be expanded only
with the stakeholders’ input
Source: http://www.watchguard.com/
Source: http://www.watchguard.com/
Source: http://www.watchguard.com/
Source: http://www.state.tn.us/
Copyright © byEC-CouncilAll Rights Reserved.
EC-Council Reproduction is Strictly Prohibited
Internet Acceptable Use Policy
Source: http://www.enterprise-ireland.com/
Copyright © byEC-CouncilAll Rights Reserved.
EC-Council Reproduction is Strictly Prohibited
Software Licence Policy
Source: http://www.enterprise-ireland.com/
Security Policy is a set of objectives and rules of behavior for users and
administrators
d i i t t
Prudent Policy provides maximum security while allowing known but necessary
g
dangers
An e-mail
A il security
i policy
li iis created
d to govern the
h proper usage off corporate e-
mail
Copyright © byEC-CouncilAll Rights Reserved.
EC-Council Reproduction is Strictly Prohibited
Copyright © byEC-CouncilAll Rights Reserved.
EC-Council Reproduction is Strictly Prohibited
Copyright © byEC-CouncilAll Rights Reserved.
EC-Council Reproduction is Strictly Prohibited