Administrators, more technically savvy than their managers, have started to
secure the networks in a way they see as appropriate. When management catches up
to the notion that security is important, system administrators have already
altered the goals and business practices. Although they may be grateful to these
people for keeping the network secure, their efforts do not account for all
assets and business requirements.

Finally, someone decides it is time to write a security policy. Management is
told of the necessity of the policy document, and they support its development.
A manager or administrator is assigned to the task and told to come up with
something, and fast!

Once security policies are written, they must be treated as living documents. As
technology and business requirements change, the policy must be updated to
reflect the new environment--at least one review per year. Additionally,
policies must include provisions for security awareness and enforcement while
not impeding corporate goals. This book serves as a guide to writing and
maintaining these all-important security policies.
Table of Contents
I. STARTING THE POLICY PROCESS.
1. What Information Security Policies
About Information Security Policies. Why
Policies Are Important. When Policies Should Be Developed. How Policies Should
2. Determining Your Policy Needs.
Identify What Is to Be Protected. Identify From
Whom It Is Being Protected. Data Security Considerations. Backups, Archival
Storage, and Disposal of Data. Intellectual Property Rights and Policies.
Incident Response and Forensics.
3. Information Security
Management Responsibility. Role of the
Information Security Department. Other Information Security Roles. Understanding
Security Management and Law Enforcement. Information Security Awareness Training
II. WRITING THE SECURITY POLICIES.
4. Physical Security.
Computer Location and Facility Construction.
Facilities Access Controls. Contingency Planning. General Computer Systems
Security. Periodic System and Network Configuration Audits. Staffing
5. Authentication and Network Security.
Network Addressing and Architecture. Network
Access Control. Login Security. Passwords. User Interface. Access Controls.
Telecommuting and Remote Access.
6. Internet Security Policies.
Understanding the Door to the Internet.
Administrative Responsibilities. User Responsibilities. World Wide Web Policies.
Application Responsibilities. VPNs, Extranets, Intranets, and Other Tunnels.
Modems and Other Backdoors. Employing PKI and Other Controls. Electronic
7. Email Security Policies.
Rules for Using Email. Administration of Email.
Use of Email for Confidential Communication.
8. Viruses, Worms, and Trojan Horses.
The Need for Protection. Establishing the Type
of Virus Protection. Rules for Handling Third-Party Software. User Involvement
Legal Issues. Managing Encryption. Handling
Encryption and Encrypted Data. Key Generation Considerations. Key Management.
10. Software Development Policies.
Software Development Processes. Testing and
Documentation. Revision Control and Configuration Management. Third-Party
Development. Intellectual Property Issues.
III. MAINTAINING THE POLICIES.
11. Acceptable Use Policies.
Writing the AUP. User Login Responsibilities.
Use of Systems and Network. User Responsibilities. Organization's
Responsibilities and Disclosures. Common-Sense Guidelines About Speech.
12. Compliance and Enforcement.
Testing and Effectiveness of the Policies.
Publishing and Notification Requirements of the Policies. Monitoring, Controls,
and Remedies. Administrator's Responsibility. Logging Considerations. Reporting
of Security Problems. Considerations When Computer Crimes Are Committed.
13. The Policy Review Process.
Periodic Reviews of Policy Documents. What the
Policy Reviews Should Include. The Review Committee.
Appendix A. Glossary.
Incident Response Teams. Other Incident Response
Information. Virus Protection. Vendor-Specific Security Information. Security
Information Resources. Security Publications. Industry Consortia and
Associations. Hacker and “Underground” Organizations. Health Insurance
Portability and Accountability Act. Survivability. Cryptography Policies and
Regulations. Security Policy References.
Appendix C. Sample
Sample Acceptable Use Policy. Sample Email
Security Policy. Sample Administrative Policies.