
Tuesday, October 2, 2007

A Simple Incident Response to a Simple Oversight



Today may be the day you need to step up and respond to a breach involving someone else’s confidential information. Do the right thing and you will be OK. Assuming the breach is less than it really is can negatively impact your company, the victims, and your livelihood.

A Little Background
I write for this and The Breach Blog because I am passionate about information security and protecting people when dealing with confidential information. The Breach Blog was born out of this passion just a few months ago, and I have already written 69 articles (with a backlog of four) about breaches and the lessons they teach us. I believe that people can really learn from other people’s mistakes. Anyway, on to the story...

The Incident
This morning I received a phone call from one of the IT administrators at a company that I provide information security consulting for. He was in a panic.

He regularly receives email updates from his human resources department outlining terminations, new hires and management changes. He gets these updates so that he can update the company’s Active Directory. Today, he received his spreadsheets as normal, but this time there was an additional column that he did not recognize before. The column was titled “Assoc. ID”, and the spreadsheet contained information on about 50 company employees.

Can you guess what the “Assoc. ID” is?
If you guessed Social Security number, then you are correct! Oh boy.

On the surface, you may say this isn’t that big of a deal. We can just go to human resources and inform them that this is an unacceptable practice and be done with it. OK, but put yourself in the shoes of a person that was in the spreadsheet. Would you be OK if information security just went to human resources and told them to quit it? I am guessing that your answer may be the same as mine, NO!

If I was a victim, what kind of questions would I demand answers for? Let’s see:

  • I want to know where this information came from.
  • I want to know if this has been an acceptable practice by human resources in the past and if so, how long?
  • I want to know if there was anyone else that received this email.
  • I want to know that the email containing the spreadsheet was deleted. Not just from the “Inbox” either, but also “Sent Items” and “Deleted Items”.
  • I want to know if there were any copies stored locally on the sender’s computer.
  • I want to know if there are any copies on a network drive (i.e. is “My Documents” synchronized).
  • I want to know if this information may be in a backup anywhere that needs to be dealt with.
  • I want to know why this happened in the first place.
  • I want to know what human resources is going to do to make sure that this never happens again.
  • Are there any applicable laws and/or regulations, i.e. do I need to disclose this breach to any state attorneys general?
You get the picture yet? I want to know everything there is to know about this breach and I want to take every possible action to contain the damage caused by it.

Victims and shareholders should expect and demand no less!

As it turns out, this seemingly innocent mistake/training issue quickly escalated into a full-blown investigation that took away from other important tasks and cost the company money. It would have been easy to take the lazy approach and sweep this under the rug, but what service would I be providing to the victims, the company, or myself? Thank God this breach only affected 50 people and was relatively easy to contain and respond to. What would I have done if this breach affected 5000, 50000, or 500000 people? What if the human resources person sent the email outside of the company?
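The oversight in this story was a column of Social Security numbers hiding under a harmless-looking header, so a check that keys on the header name alone would have missed it. The following is an added example, not code from the original post or from the company described: a small Python pre-send check that inspects the values of every column in an HR export, flags any column where most non-empty values are structurally SSN-shaped (with or without dashes, excluding the reserved area, group and serial values), and produces a redacted copy that can still be sent to the Active Directory administrator. The CSV data is constructed for the example, and the "pre-send hook" framing is an assumption about where such a check would live.

```python
from __future__ import annotations

import csv
import io
import re

# Constructed sample export, modelled on the HR spreadsheet in the story:
# the "Assoc. ID" column carries SSN-formatted values under a harmless-looking name.
SAMPLE_CSV = """Employee,Department,Action,Assoc. ID,Start Date
Jane Doe,Finance,New Hire,234-56-7890,2007-10-01
John Roe,IT,Termination,345-67-8901,2005-03-14
Ann Poe,Sales,Manager Change,456789012,2006-07-30
Sam Moe,Sales,New Hire,,2007-10-01
"""

# Structural rules for a US SSN: three-digit area (not 000, 666 or 9xx),
# two-digit group (not 00), four-digit serial (not 0000); dashes optional.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")


def looks_like_ssn(value: str) -> bool:
    """True if the value is shaped like an SSN. Dates such as 2007-10-01 do not match."""
    return bool(SSN_RE.match(value.strip()))


def find_ssn_like_columns(csv_text: str, threshold: float = 0.5) -> dict[str, float]:
    """Return {column: ratio} for every column whose share of non-empty values
    that look like SSNs meets the threshold. Header names are ignored on purpose."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits: dict[str, int] = {}
    totals: dict[str, int] = {}
    for row in reader:
        for col, val in row.items():
            if val is None or not val.strip():
                continue
            totals[col] = totals.get(col, 0) + 1
            if looks_like_ssn(val):
                hits[col] = hits.get(col, 0) + 1
    return {
        col: hits.get(col, 0) / n
        for col, n in totals.items()
        if hits.get(col, 0) / n >= threshold
    }


def redact_columns(csv_text: str, columns) -> str:
    """Rewrite the CSV with the flagged columns replaced by a marker, so the
    recipient still gets the hires/terminations without the identifier."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in columns:
            if row.get(col):
                row[col] = "[REDACTED]"
        writer.writerow(row)
    return out.getvalue()


def check_before_send(csv_text: str) -> tuple[bool, dict[str, float], str]:
    """Hypothetical pre-send hook: (ok_to_send, flagged_columns, safe_copy).
    When nothing is flagged the original text is returned unchanged."""
    flagged = find_ssn_like_columns(csv_text)
    if not flagged:
        return True, {}, csv_text
    return False, flagged, redact_columns(csv_text, list(flagged))


if __name__ == "__main__":
    ok, flagged, safe_copy = check_before_send(SAMPLE_CSV)
    print("ok to send:", ok)
    print("flagged columns:", flagged)
    print(safe_copy)
```

The ratio threshold keeps a single stray nine-digit value (an invoice number, say) from blocking an export, while a column that is mostly SSNs is caught whatever it is called. In practice the flagged columns and the sender are also what the incident responder wants logged, since the checklist above starts with where the data came from and who else received it.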

Tips I've Learned
An easy way to respond to an incident involving personally-identifiable information is to put yourself in the shoes of a victim. This may sound obvious, but too many times I have witnessed information security “experts” going the other way. Answer the questions that you would have as a victim. Take money, lost consumer confidence, stock price, etc. out of the equation and do the right thing. If we all did the right thing we would have less regulation and more time to do other “right things”.

The CIO of this company asked me a question on my way out the door once the investigation was complete. He asked me what makes an information security professional so good at what he (or she) does? My answer: 95% of what makes a good information security professional is common sense. The other 5% is skill.

Unfortunately, it is very difficult to teach someone common sense.

Friday, August 3, 2007

Information Security Policy 101 – Policy Approval



OK, the time has come for us to wrap this up!  July is over and so is “Information Security Policy Month”. This is the 19th and final installment in the Information Security Policy 101 Series.

If you have been following along over the last month you will notice that we have covered 16 of the most common information security policies, but we haven’t tied them together or sought formal approval yet.

NOTE: The “approval” we are seeking now is the approval of the written policies. This should not be confused with the initial approval you should have received prior to even beginning an information security policy project.

The advice that I will give in this article is based on what has worked for me in the past. I have had the honor of leading multiple information security projects in the past for both private and public companies from assessment through to final approval and adoption.

The Company XYZ Corporate Information Security Policy
The Company XYZ Corporate Information Security Policy is the one document that everyone in the organization is expected to read and understand. Some portions of the policy may apply more directly than others, but everything is meant to be understood by the audience.

Take the 16 policies (or however many your organization has deemed necessary) and place the “Company XYZ Corporate Information Security Policy” wrapper around them adding some important information that may include:

Header explaining the document
Versioning information
Table of contents
Introduction
Purpose (of the Corporate Information Security Policy)
Scope (of the Corporate Information Security Policy)
Definitions
Responsibilities
Waivers
Disciplinary Actions
Supporting Information, and
References


Woah! Seems like a lot of information, doesn’t it? Admittedly, yes it does. Take a look at the sample and it should be clearer.

SAMPLE CORPORATE INFORMATION SECURITY POLICY

Once the document is complete, it’s ready for approval!

NOTE: Be prepared for multiple "back and forth" go-arounds with management before the policy is "golden"!

Approval
The detailed process for approval of the newly written Corporate Information Security Policy will differ greatly from organization to organization. Some organizations have a more “approachable” executive team than do others so use judgment and care in your approach. When in doubt follow the chain of command by seeking the advice of your direct up line manager.

Approval must come from the leaders of your organization. If you have any hope of adopting, implementing and enforcing your policy then executive approval is a must. Too many times have I seen information security personnel attempt to implement policy without seeking the right approvals and every single time their efforts have failed miserably. Who has overall authority in your organization? This is the person that needs to approve.

Ideally, you have included your organization's leaders all along during the information security policy project. This makes communication and approval much easier. All is not lost however if you have not.

What does management need to know?
1. The Corporate Information Security Policy is based on sound security “best practices”.

Ensure management that the policy is a best of breed policy that was written after careful analysis and research.

2. Approval of the policy will not disrupt business.

The bottom line is that a company is in business to make money. You will not receive the approval of management if they perceive that information security will in any way hinder the ability of the company to make money. An art of information security is that it must NOT EVER stand in the way of business or be perceived as such.

Inform management that “approval” of the policy does not mean that the policy has been “adopted” or “implemented”. Approval gives the organization (and information security personnel) the ability to begin adoption and start the “secure” process. Create an adoption/implementation timeline that highlights when information security believes that the organization could be compliant with most of the policy and inform management that the organization will never be fully-compliant. Remember, security is evolutionary not stationary!

3. The expected costs involved through the approval of the information security policy will be more than offset by reduced risk and exposure.

You can probably think of other items of note to use in your approval process, but the ones above have consistently worked for me.

Next Steps
The real work begins!
Now that you have your new approved policy in hand, decide how you will train the organization’s personnel. There are a variety of training options available including CBT, web-based, instructor-led, in-sourced, out-sourced, etc. Once a training timeline has been tentatively agreed upon, formally announce the new policy to the organization.

It is also time to decide how you will adopt and implement. Read through the policy and detail what you have in place now and what you will need in order to be compliant. Create projects and/or timelines for the implementation of the various standards, procedures, administrative and technical controls.

Closing
Thank you to all that have read and provided feedback to this series! You know who you are. I will be posting a summary post that includes all of the "Information Security Policy Month" articles in a nice concise format.

Feel free to contact me if you have any feedback or need any assistance with your own policies.

Previous: "Information Security Policy 101 – Virus Protection Policy"

Wednesday, August 1, 2007

Do you care? - Aflac lost laptop



I have been debating over the last week whether I even wanted to mention this, but this story just seems too good to pass up as an example of what is security news and might not be.

The headlines read:
"Aflac Reports Laptop Detailing 152,000 Clients Stolen" - bloomberg.com 7/26/07
"Aflac Loses Data on 152,000" - darkreading.com 7/27/07


And, etiolated.org reports this as an "incident" (etiolated.org and Attrition.org are a couple of my favorite sites BTW).

Your first reaction might be (or have been) a little like mine was. I immediately assumed the worst, shook my head, and clicked on the link to read a little more. You can read the articles yourself (click the links above) so I won't delve into all that they say, but some interesting points are worth mentioning:

1.  A laptop was stolen from an Aflac employee on a commuter train that contained "clients' names, addresses, birth dates, and policy details".  Bad news, right?  Read on...

2.  "All the information was encrypted and password-protected, so it would be very difficult for any third-party to access it".  Amen!  Encryption, if properly managed, can make it nearly impossible for a third-party to access the data.  I sincerely hope that the employee who had the laptop stolen from him/her is not akin to many of the employees I see with laptops when it comes to password management, i.e. written on a Post-it note or on the back of the laptop.  Most likely a password is used by the employee and doubles as the "secret key" that enables decryption of the drive/data.  Given the limited amount of information to work with, one can only assume.

3.  "Aflac wanted to send letters apologizing to policyholders before alerting the press"  Why?  Don't most (if not all) breach disclosure laws and regulations have safe harbor statements when the data is encrypted?  Maybe a reader can help me out here.  If a company is not required by law to disclose the lost laptop publicly AND there is very very little risk of disclosure (encrypted), then why send letters and notify the press?

Thankfully, cooler heads seemed to have prevailed on this piece of news (or non-news) and it wasn't blown out of proportion.  Kudos to Aflac for using encryption on laptops!

Monday, July 30, 2007

Information Security Policy 101 – Virus Protection Policy



Part 18 in the Information Security Policy 101 Series

For many organizations the threats posed by viruses are manageable given appropriate controls. A Virus Protection Policy is the first step towards ensuring that appropriate controls are in place on workstations, laptops, email gateways, servers, etc.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Virus Protection Policy is to describe the
requirements for dealing with computer virus, worm and Trojan horse infection,
prevention, detection and cleanup.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Virus Protection Policy applies to all persons with any type of access to an %ORGANIZATION% information resource.

SAMPLE:
Audience
The %ORGANIZATION% Virus Protection Policy applies equally to all individuals
that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Virus Protection Policy
The Virus Protection Policy is a simple policy, and you may find that it overlaps with other information security policies. One additional benefit of having a separate Virus Protection Policy is the ease of reference for users and support personnel. Be careful to write statements that do not contradict those in another policy, however rare that may be.

SAMPLE VIRUS PROTECTION POLICY STATEMENTS:

- All %ORGANIZATION% owned and/or managed workstations, including laptops whether connected to the %ORGANIZATION% network, or standalone, must use the %ORGANIZATION% IT management approved virus protection software and configuration.
- All non-%ORGANIZATION% owned and/or managed workstations, including laptops must use %ORGANIZATION% IT management approved virus protection software and configuration, prior to any connection to an %ORGANIZATION% Information Resource.

Conclusion
The draft, approval, implementation, and enforcement of a Virus Protection Policy can decrease the amount of risk to an organization’s information resources as a result of malware (virus and/or spyware).

Download the SAMPLE VIRUS PROTECTION POLICY.

Next in the series: “Information Security Policy 101 – Policy Approval”

Previous: “Information Security Policy 101 – Vendor/Third-Party Access Policy”

Information Security Policy 101 – Vendor/Third-Party Access Policy



Part 17 in the Information Security Policy 101 Series

Some organizations call on the support of a third-party and/or vendor rarely. Other organizations have third-party support personnel in and out of various areas all day, every day. Most organizations fall somewhere in the middle. I cannot think of a single organization that has not allowed a third-party and/or vendor at least physical access to restricted areas to conduct seemingly innocent tasks.

Question: What governs a vendor and/or other third party's access?

Answer: Vendor/Third-Party Access Policy.

NOTE: Some organizations have already negotiated detailed contracts with vendors and other third-party entities. In some instances an existing contract may need to be appended, a new contract drawn up, or a waiver request approved.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Vendor Access Policy is to establish the
rules for vendor access to %ORGANIZATION% Information Resources and support
services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and
protection of %ORGANIZATION% information. Vendor access to
%ORGANIZATION% Information Resources is granted solely for the work
contracted and for no other purposes.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Third-Party/Vendor Access Policy typically applies to those persons involved in contracting third-party/vendor support and representatives of the third-party/vendor itself.

SAMPLE:
Audience
The %ORGANIZATION% Vendor Access Policy applies to all individuals that are
responsible for the installation of new %ORGANIZATION% Information Resource
assets, and the operations and maintenance of existing %ORGANIZATION%
Information Resources, and who do or may allow vendor access for support,
maintenance, monitoring and/or troubleshooting purposes.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Vendor/Third-Party Access Policy
The Vendor/Third-Party Access Policy is longer and more in-depth than some of the policies we have covered most recently. Use the information gleaned from your business assessment to determine to what extent your policy should be detailed towards the information resources you are trying to protect.

TIP: Have your legal department (or whoever is in charge for negotiating contracts) review the policy in detail. You may also choose to have your legal department assist you in the drafting of this policy.

SAMPLE THIRD-PARTY/VENDOR ACCESS POLICY STATEMENTS:

- Vendors must comply with all applicable %ORGANIZATION% policies, practice standards and agreements, including, but not limited to:
@ Safety Policies
@ Privacy Policies
@ Security Policies
@ Auditing Policies
@ Software Licensing Policies
@ Acceptable Use Policies
- Vendor agreements and contracts must specify:
@ The %ORGANIZATION% information the vendor should have access to
@ How %ORGANIZATION% information is to be protected by the vendor
@ Acceptable methods for the return, destruction or disposal of %ORGANIZATION% information in the vendor’s possession at the end of the contract
@ The Vendor must only use %ORGANIZATION% information and Information Resources for the purpose of the business agreement
@ Any other %ORGANIZATION% information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others

Conclusion
The draft, approval, and implementation of a Vendor/Third-Party Access Policy will assist in ensuring that information security is forethought in contract negotiations and no longer an afterthought. Seasoned information security personnel understand the benefit of information security applied early on vs. retrofitting an existing solution with security after the fact.

Download the SAMPLE VENDOR/THIRD-PARTY ACCESS POLICY.

Next in the series: “Information Security Policy 101 – Virus Protection Policy”

Previous: “Information Security Policy 101 – Software Licensing Policy”

Information Security Policy 101 – Software Licensing Policy



Part 16 in the Information Security Policy 101 Series

“The Business Software Alliance (BSA) is gearing up for a final push to convince companies to fill in their voluntary audit forms.” – VNUNet.com UK

“Thirty-five percent of the world's software is pirated. Software piracy is not only a crime, but it can destroy computers and data.” – Business Software Alliance

There is little doubt that the use of unlicensed and/or pirated software can pose significant risk to an organization’s information resources and assets. Risks can range from malware installation to significant fines. You may notice that there is some slight overlap between the Software Licensing Policy and our Acceptable Use Policy. If you remember, there was mention of using “unauthorized” software in our Acceptable Use Policy.

NOTE: A well-written software licensing policy can limit the amount of time required to satisfy BSA requests for information because it demonstrates proactive action on the part of the organization.

TIP: Many Windows-based organizations grant their users local administrator rights to their workstations. Disallowing this practice can significantly reduce the risk of users installing unauthorized and/or unlicensed software.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Software Licensing Policy is to establish
the rules for licensed software use on %ORGANIZATION% Information Resources.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Software Licensing Policy applies to all of an organization’s information resource users.

SAMPLE:
Audience
The %ORGANIZATION% Software Licensing Policy applies equally to all
individuals that use any %ORGANIZATION% Information Resources.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Software Licensing Policy
Like many of the policies already covered in this series, the Software Licensing Policy is short and simple. The policy makes management’s views regarding software licensing “official”.

SAMPLE SOFTWARE LICENSING POLICY STATEMENTS:

- %ORGANIZATION% provides a sufficient number of licensed copies of software such that workers can get their work done in an expedient and effective manner. Management must make appropriate arrangements with the involved vendor(s) for additional licensed copies if and when additional copies are needed for business activities.
- Users must refrain from knowingly violating license agreements and/or requirements.
- Third party copyrighted information or software, that %ORGANIZATION% does not have specific approval to store and/or use, must not be stored on %ORGANIZATION% systems or networks. Systems administrators reserve the right to remove such information and software unless the involved users can provide proof of authorization from the rightful owner(s).

Conclusion
A well-written Software Licensing Policy can save an organization a considerable amount of time and effort, especially given how easy it is to write and get approved. A subject of much debate is the BSA’s million dollar reward to turn-in software pirates:

BSA Rewards Page:
https://reporting.bsa.org/usa/rewardsconditions.aspx

A twist:

Would You Rat Out Your Boss for $1 Million?: http://blogs.pcworld.com/staffblog/archives/004849.html

Wouldn’t it be nice to take out the drama by using a simple policy and enforcement?

Download the SAMPLE SOFTWARE LICENSING POLICY.

Next in the series: “Information Security Policy 101 – Vendor/Third-Party Access Policy”

Previous: “Information Security Policy 101 – Security Training and Awareness Policy”

Information Security Policy 101 – Security Training and Awareness Policy



OK, we're back!

Part 15 in the Information Security Policy 101 Series

“there is a substantial increase in the respondents’ perception of the importance of security awareness training. On average, respondents from most sectors do not believe their organization invests enough in this area.” - 2006 CSI/FBI Computer Crime and Security Survey. If I were going to overspend on any one area of my information security program, it would be for information security training and awareness.

Information security personnel can write whatever they want in their policies, but if nobody is aware of the policies or trained on how they can comply with them then what good are they?

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Information Security Training and Awareness
Policy is to describe the requirements that must be met, in order to ensure that each user of
%ORGANIZATION% Information Resources receives adequate training on information
security issues.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Security Training and Awareness Policy applies to all of an organization’s information resource users.

SAMPLE:
Audience
The %ORGANIZATION% Information Security Training and Awareness Policy applies
equally to all individuals that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Security Training and Awareness Policy
The Security Training and Awareness Policy is a simple policy that states what management expects and gives authority to information security personnel. The policy should state general rules that the audience must comply with and lay the groundwork for the training program.

SAMPLE SECURITY TRAINING AND AWARENESS POLICY STATEMENTS:

- All new users must complete an approved Security Awareness training class prior to, or at least within 30 days of, being granted access to any %ORGANIZATION% Information Resources.
- All users must acknowledge that they have read and understand the %ORGANIZATION% Corporate Information Security Policy.
- All users (employees, consultants, contractors, temporaries, etc.) must be provided with this policy to allow them to properly protect %ORGANIZATION% Information Resources.

Conclusion
Do not underestimate the importance of a formal information security training and awareness program. Understand that many people do not understand their critical role in keeping organization assets secure.

TIP: Find things that you can use to prove a ROI on your training and awareness program. I have used help desk staff in the past for this. Over a one month period before information security training, we tracked the number of laptops that came in for service from field staff with passwords on Post-it notes. We tracked the same for a month afterwards, then calculated the percentage change and extrapolated the number over a one year period. The change was dramatic.

Download the SAMPLE SECURITY TRAINING AND AWARENESS POLICY.

Next in the series: “Information Security Policy 101 – Software Licensing Policy”

Previous: “Information Security Policy 101 – Privacy Policy”

Tuesday, July 24, 2007

Information Security Policy 101 – Privacy Policy



Part 14 in the Information Security Policy 101 Series

Writing an organization's privacy policy is not as clear-cut as it may seem. An entire book could easily be written around privacy in the workplace. What an organization states, what it actually does, and what an employee reasonably expects are all critical to privacy/employment matters. To make things worse, privacy rights are not entirely clear under the law.

Two rules of privacy rights (although you could probably come up with more):

One: Write a policy that is focused. Do NOT write “you have no expectation of privacy” as a blanket statement. Privacy is not “all or nothing”.

Two: Do what you say you are going to do, consistently. Do NOT follow your policy only when there is an enforcement action. As the US Supreme Court has noted, "[W]hile police, and even administrative enforcement personnel, conduct searches for the primary purpose of obtaining evidence for use in criminal or other enforcement proceedings, employers most frequently need to enter the offices and desks of their employees for legitimate work-related reasons wholly unrelated to illegal conduct."

TIP: Privacy policy should be reviewed by a legal counselor that is familiar with privacy rights and law. Many corporate counselors are not experts in this area.


General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Privacy Policy is to clearly communicate
the %ORGANIZATION% privacy expectations to Information Resource users.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Privacy Policy should apply to all personnel, and in some cases (depending on your organization) contractors, vendors, and other third-parties.

SAMPLE:
Audience
The %ORGANIZATION% Privacy Policy applies equally to all individuals who use
any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Privacy Policy
Privacy policy is a critical policy in most organizations and needs to clearly communicate what amount of privacy a user should expect when using the organization information assets.

NOTE: A very good article written by Mark Rasch; Employee Privacy, Employer Policy.

SAMPLE PRIVACY POLICY STATEMENTS:

- Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of %ORGANIZATION% are not private and may be accessed by %ORGANIZATION% Information Security employees at any time, under the direction of %ORGANIZATION% executive management and/or Human Resources, without knowledge of the Information Resource user or owner.
- To manage systems and enforce security, %ORGANIZATION% may log, review, and otherwise utilize any information stored on or passing through its Information Resource systems in accordance with the provisions and safeguards provided in %ORGANIZATION% Information Resource standards. For these same purposes, %ORGANIZATION% may also capture user activity such as telephone numbers dialed and web sites visited.

Conclusion
Be careful in using a sample Privacy Policy. Be sure that it fits your organization and internal processes. A poorly written or implemented Privacy Policy can leave your organization open to a legal quagmire. Most of the investigation and forensic work I have done in the past has been governed by what the organization’s Privacy Policy stated.

Download the SAMPLE PRIVACY POLICY.

Next in the series: “Information Security Policy 101 – Security Training and Awareness Policy”

Previous: “Information Security Policy 101 – Mobile Computing Policy”


Monday, July 23, 2007

Information Security Policy 101 – Mobile Computing Policy



Part 13 in the Information Security Policy 101 Series

Few things in my profession give me more shivers than the amount and sensitivity of data that is carried outside the corporate boundary every day on mobile devices such as PDAs, laptops, and Smartphones. Without effective controls, mobile devices are easily lost or stolen, data transmissions are easily intercepted, and shoulder-surfing is commonplace. Nearly every week a company is forced to publicly disclose a lost or stolen laptop that contained personally identifiable information (PII).

See: http://attrition.org/dataloss/, http://breachalerts.trustedid.com/, http://doj.nh.gov/consumer/breaches.html, http://www.privacyrights.org/ar/ChronDataBreaches.htm


Information security is a discipline that constantly balances the risk of using a technology against the business benefit gained from its use. How can an information security professional balance the risks inherent in mobile devices while still allowing the business to benefit from them?

In order to provide protection to the data that may be contained on a mobile device, organizations must extend protections and controls to such devices. Protection starts with policy.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Mobile Computing Security Policy is to
establish the rules for the use of mobile computing devices and their connection to the
network. These rules are necessary to preserve the Integrity, Availability, and
Confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Mobile Security Policy applies to all individuals in the organization that use, possess, manage, secure, and/or approve the use of mobile devices.

SAMPLE:
Audience
The %ORGANIZATION% Mobile Computing Security Policy applies equally to all
individuals that utilize mobile computing devices and access %ORGANIZATION%
Information Resources.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Mobile Computing Policy
If an organization does not use or allow the use of mobile devices, then a simple statement in an Acceptable Use policy may be all that is needed. If the organization does allow the use of mobile computing devices, general rules around this usage need to be communicated to all relevant personnel. As with all policies, the Mobile Computing Policy should state general rules, leaving room for supporting documentation (procedures, standards, and guidelines) to define the specifics.

NOTE: At least 35 states have laws regarding security breach notification and most have safe harbor provisions around data that has been encrypted. Those safe harbors generally do not apply if the encryption key was lost or stolen along with the device, so key management (in particular, not keeping the key on the device in recoverable form) matters as much as the encryption itself.

SAMPLE MOBILE COMPUTING POLICY STATEMENTS:

- Only %ORGANIZATION% approved portable computing devices may be used to access %ORGANIZATION% Information Resources.
- Portable computing devices must, at a minimum, be password protected in accordance with the %ORGANIZATION% Password Policy.
- %ORGANIZATION% Confidential data must not be stored on portable computing devices unless there is no alternative to local storage, in which case all Confidential %ORGANIZATION% data must be encrypted using %ORGANIZATION% approved encryption techniques.

Conclusion
Due to the increased risks that mobile computing devices pose to many organizations and the increased reliance on these devices to complete “business critical” tasks, it is recommended that a stand-alone Mobile Computing Policy be developed.

Download the SAMPLE MOBILE COMPUTING POLICY.

Next in the series: “Information Security Policy 101 – Privacy Policy”

Previous: “Information Security Policy 101 – Physical Security Policy”

Information Security Policy 101 – Physical Security Policy



Part 12 in the Information Security Policy 101 Series

In some organizations “physical” security and “information” security are separated into different groups or teams. Whether this is a good idea or not has been the subject of some debate over the years. One issue that should not be debated is the tight interdependence between the two.

Information security is a balance of physical, logical, and administrative controls. Every control must have its roots somewhere in policy.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Physical Security Policy is to establish the
rules for the granting, control, monitoring, and removal of physical access to
Information Resource facilities.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Physical Security Policy applies to any person or entity that has the potential to physically interact with information resources or facilities that house information resources under the control of an organization. The policy is specifically written to provide direction to those individuals who are charged with maintaining physical security.

SAMPLE:
Audience
The %ORGANIZATION% Physical Security Policy applies to all
%ORGANIZATION% individuals who install and support Information Resources, who are
charged with Information Resource security, and to data owners.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Physical Security Policy
The form that a Physical Security Policy takes is dependent on many factors. This article is written with small to medium sized organizations in mind. These organizations do not typically have the staff to support a separate physical security group and/or opt to integrate physical security into a single information security program. In order to determine where a physical security policy fits best in an organization, the earlier business assessment should be used.

NOTE: Physical security policy is a must in almost all organizations. If physical security is not adequately defined and applied, all other controls could be easily defeated.

SAMPLE PHYSICAL SECURITY POLICY STATEMENTS:

- Physical security systems must comply with all applicable regulations including but not limited to building codes and fire prevention codes.
- Physical access to all %ORGANIZATION% restricted facilities must be documented and managed.
- All Information Resource facilities must be physically protected in proportion to the criticality or importance of their function at %ORGANIZATION%.

Conclusion
The science involved with physical security is often specialized and there seems to be a limitless supply of available technologies and controls that can be applied. The Physical Security Policy should be written in broad enough terms as to not restrict the use of any one specific control. The policy does not usually require an in-depth knowledge of all the available controls, whereas the application and implementation typically do. In most cases, I write the policy then call upon physical security consultants to design effective controls.

NOTE: If you have a keen interest in the physical nature of information security and would like to demonstrate your mastery, check out the Physical Security Professional (PSP) certification from ASIS International.

Download the SAMPLE PHYSICAL SECURITY POLICY.

Next in the series: “Information Security Policy 101 – Mobile Computing Policy”

Previous: “Information Security Policy 101 – Password Policy”

Thursday, July 19, 2007

Information Security Policy 101 – Password Policy



Part 11 in the Information Security Policy 101 Series

Passwords get a bad rap. Nobody likes them: users, administrators, and information security personnel alike. Users don’t like passwords because we “information security police” make them so complex and hard to remember, administrators don’t like them because they have so many to remember, and information security personnel don’t like them because they are arguably the weakest means of authentication in common use.

All the more reason and justification for a Password Policy.

A Password Policy should be required in all organizations that rely on passwords as a source of authentication.

Let’s get to it.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:.
Purpose
The purpose of the %ORGANIZATION% Password Policy is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of %ORGANIZATION% user authentication mechanisms.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Password Policy aptly applies to any person or entity that uses a password.

SAMPLE:
Audience
The %ORGANIZATION% Password Policy applies equally to all individuals who use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Password Policy
The Password Policy should communicate the general rules for password creation, use, storage, transmission and destruction (the “lifecycle”). Most likely the policy will state many general security “best practices” of password management along with some home grown statements based on the business assessment.

NOTE: People will inevitably break some rules in a password policy. Training and awareness have been shown to reduce the number and severity of incidents. Give users a better way to do things rather than only telling them what they cannot do.

SAMPLE PASSWORD POLICY STATEMENTS:

- Password history must be kept to prevent the reuse of passwords
- Stored passwords are classified as Confidential Data and must be stored only in protected form: as salted one-way hashes wherever possible, and encrypted with an approved mechanism only where a password must be recoverable (for example, a service account credential held in a vault)
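The two sample statements above are policy; the following added example (written for this edit, not code from the original post or its downloadable sample policy) shows what implementing them looks like in practice: passwords are stored only as salted PBKDF2 digests, never reversibly encrypted, and a change is refused if the candidate matches the current password or any of the remembered previous ones. Because no plaintext is ever kept, the history check re-derives the candidate with each old record's salt. The `PasswordStore` class, the iteration count and the history depth are assumptions, not values from the policy.

```python
"""Password lifecycle controls: salted one-way storage plus reuse prevention.

Added illustration, not from the original post. The in-memory store,
iteration count and history depth below are assumptions for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumption: tune upward to what your hardware tolerates
HISTORY_DEPTH = 5             # assumption: number of previous passwords remembered per user

Record = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Record:
    """Return (salt, digest). A fresh random salt is generated when none is supplied."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the candidate with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordStore:
    """Holds only salted digests: the current one and up to HISTORY_DEPTH previous ones."""

    def __init__(self) -> None:
        self._current: Dict[str, Record] = {}
        self._history: Dict[str, List[Record]] = {}

    def set_password(self, user: str, new_password: str) -> bool:
        """Set a new password. Returns False, changing nothing, if it was used recently."""
        remembered = list(self._history.get(user, []))
        if user in self._current:
            remembered.append(self._current[user])
        # No plaintext is stored, so each old record is checked with its own salt.
        for salt, digest in remembered:
            if matches(new_password, salt, digest):
                return False
        if user in self._current:
            hist = self._history.setdefault(user, [])
            hist.append(self._current[user])
            del hist[:-HISTORY_DEPTH]          # keep only the newest HISTORY_DEPTH records
        self._current[user] = hash_password(new_password)
        return True

    def verify(self, user: str, password: str) -> bool:
        """Authenticate a user against the current record only."""
        record = self._current.get(user)
        return record is not None and matches(password, *record)

    def history_depth(self, user: str) -> int:
        """Number of previous (non-current) records remembered for a user."""
        return len(self._history.get(user, []))


if __name__ == "__main__":
    store = PasswordStore()
    print(store.set_password("alice", "Winter2007!"))   # True: first password
    print(store.set_password("alice", "Winter2007!"))   # False: reuse of current password
    print(store.set_password("alice", "Spring2008!"))   # True
    print(store.set_password("alice", "Winter2007!"))   # False: reuse from history
    print(store.verify("alice", "Spring2008!"))         # True
```

Note that the reuse check costs one PBKDF2 derivation per remembered record, which is the price of never storing the old passwords in recoverable form; keep the history depth modest for that reason.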

Conclusion
A Password Policy is not just an efficient method of communicating good password management practices, but it is also an implement for enforcement. A well-written and implemented Password Policy can significantly reduce the amount of risk to the organization’s information.

Download the SAMPLE PASSWORD POLICY.

Next in the series: “Information Security Policy 101 – Physical Security Policy”

Previous: “Information Security Policy 101 – Network Access Policy”

Wednesday, July 18, 2007

Information Security Policy 101 – Network Access Policy



Part 10 in the Information Security Policy 101 Series

This is now the 10th entry into the “Information Security Policy 101” series. Are these policies starting to blur at all? Are they all starting to look the same? Believe it or not, the policies look similar on purpose and there are statements in one that may be found in another (also on purpose). The repetition can make things a little boring for the information security personnel, but it really does help “normal” people retain the information.

The Network Access Policy is found in many organizations, or at least the language of the policy statements. Often I will find Network Access Policy statements included in an Acceptable Use Policy instead. Tomayto tomahto.

As always…

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Network Access Policy is to establish the rules for the access and use of the %ORGANIZATION% network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Network Access Policy aptly applies to any person or entity that accesses the organization’s network, whether locally or through a WAN, VPN, modem, wireless, etc.

SAMPLE:
Audience
The %ORGANIZATION% Network Access Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Network Access Policy
The Network Access Policy is a simple policy that should outline some basic ground rules that people need to follow when using the organization’s network.

NOTE: Although the statements in a policy may seem basic and common sense to the author, don’t assume that they are for everyone.

STORY: I once had a user complain to me that a policy I wrote for a client company was too simple and common sense.

SAMPLE NETWORK ACCESS POLICY STATEMENTS:

- Remote users may connect to the %ORGANIZATION% corporate networks only after formal approval;
- Remote users may connect to %ORGANIZATION% Information Resources using only the protocols approved by %ORGANIZATION% IT;

Conclusion
The Network Access Policy is simple and you may be able to get away with ditching it in favor of adding the required statements to your Acceptable Use Policy. This decision is up to you. The business assessment exercise could help you in this decision. I almost always separate the policy statements for ease of reference, simplified reviews and changes, and reinforcement through repetition.

Download the SAMPLE NETWORK ACCESS POLICY.

Next in the series: “Information Security Policy 101 – Password Policy”

Previous: “Information Security Policy 101 – Network Configuration Policy”

Tuesday, July 17, 2007

Information Security Policy 101 – Network Configuration Policy



Part 9 in the Information Security Policy 101 Series

Most network configuration policies are fairly straightforward.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Network Configuration Policy is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the Integrity, Availability, and Confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically a Network Configuration Policy applies to all individuals in an organization.

SAMPLE:
Audience
The %ORGANIZATION% Network Configuration Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Network Configuration Policy
Although many organizations do not have a separate Network Configuration Policy, many of the statements are important enough to communicate in one form or another. Some organizations will include these statements in other information security policies. I prefer to separate.

SAMPLE NETWORK CONFIGURATION POLICY STATEMENTS:

- %ORGANIZATION% IT owns and is responsible for the %ORGANIZATION% network infrastructure and will continue to manage further developments and enhancements to this infrastructure.
- To provide a consistent %ORGANIZATION% network infrastructure capable of leveraging new networking developments, all cabling must be installed by %ORGANIZATION% IT or an approved contractor.

Conclusion
Read through the sample policy, and together with the business assessment, determine if a Network Configuration Policy makes sense in your organization.

Download the SAMPLE NETWORK CONFIGURATION POLICY.

Next in the series: “Information Security Policy 101 – Network Access Policy”

Previous: “Information Security Policy 101 – Incident Management Policy”

Monday, July 16, 2007

Information Security Policy 101 – Incident Management Policy



Part 8 in the Information Security Policy 101 Series

Let’s start off with a scenario. Bill Johnson works as the Information Security Officer of a medium-sized regional bank and it’s Monday morning. Bill receives a phone call from the bank service desk reporting that a laptop was lost or stolen over the weekend. Uh oh, Bill doesn’t have an incident response policy or procedures.

Try to put yourself in Bill’s shoes for a moment. What risk does this incident pose? Does the laptop contain regulated data, i.e. social security numbers, credit card numbers, other personally identifiable information (PII), etc.? Does the laptop contain usernames and passwords? Will this incident make the evening news? Who should Bill notify? Should Bill contact the authorities, i.e. local police, Secret Service, FBI, etc.? Panic might begin to set in for Bill. Maybe Bill should just drop everything, run, and find a new profession.

Bill shouldn’t have to worry about how to respond to such an incident.

All companies large and small should have an incident management program. What the program looks like and how it is run will differ from company to company as expected, but they all start with policy.

NOTE: The first actions taken following an incident are often critical and could dictate the entire course of an investigation. If an incident is handled incorrectly, cause identification and eventual prosecution could be impossible.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Incident Management Policy is to describe the requirements for dealing with computer security incidents. Security incidents include but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of Information Resources as outlined in the Acceptable Use Policy.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically Incident Management Policy applies to all individuals in an organization. The policy is meant to be referred to by personnel charged with incident response.

SAMPLE:
Audience
The %ORGANIZATION% Incident Management Policy applies equally to all individuals that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Incident Management Policy
The Incident Management Policy is intended to communicate what is expected of personnel when confronted with an incident pertaining to information resource confidentiality, integrity, and/or availability. The policy provides the vital framework necessary to develop detailed incident response procedures.

NOTE: Incident response procedures will detail (preferably step-by-step) how personnel are expected to respond to an incident. Incident response procedures should be tested on a regular basis (quarterly, semi-annually, or yearly).

SAMPLE INCIDENT MANAGEMENT POLICY STATEMENTS:

- %ORGANIZATION% management will establish and provide overall direction to an %ORGANIZATION% Incident Response Team (IRT)
- %ORGANIZATION% IRT members have pre-defined roles and responsibilities which can take priority over normal duties

Conclusion
Do yourself a favor and create an incident management program. The incident management program does not need to be complicated and account for every possible scenario that could occur. Supporting procedures can be written in such a manner to be flexible enough to apply to most conceivable incidents. Incidents WILL occur, so be prepared!

Download the SAMPLE INCIDENT MANAGEMENT POLICY.

Next in the series: “Information Security Policy 101 – Network Configuration Policy”

Previous: “Information Security Policy 101 – Data Classification Policy”

Thursday, July 12, 2007

Information Security Policy 101 – Data Classification Policy



I will forewarn you, data classification can be a real doozy. The policy is simple enough to write and the concepts are simple enough to sell, but adoption and implementation are usually a whole different story. If done well, the benefits far outweigh the effort.

The purpose for most data classification projects (yours may differ) is to identify the data that is sensitive to an organization, classify (or label) this data, and apply appropriate controls based on the sensitivity-label pair.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Data Classification Policy is to provide a system for protecting information that is critical to the organization, and its customers. In order to provide more appropriate levels of protection to the information assets entrusted to %ORGANIZATION%, data must be classified according to the risks associated with its storage, processing, and transmission. Consistent use of this data classification policy will facilitate more efficient business activities and lower the costs of ensuring adequate information security.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Data Classification Policy applies to all entities that interact with data in any tangible manner.

SAMPLE:
Audience
The %ORGANIZATION% Data Classification Policy applies equally to any individual, or process that interacts with %ORGANIZATION% Information Resources in any tangible manner. All personnel who may come in contact with Confidential information are expected to familiarize themselves with this Data Classification Policy and consistently use it.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Data Classification Policy
The Data Classification Policy differs from most other information security policies due to the additional information required. The Data Classification Policy will introduce new concepts, roles, and responsibilities.

Roles and Responsibilities:
The following are typical roles and responsibilities defined in the Data Classification policy:

Data Owner
The Data Owner is normally the person responsible for, or dependent upon the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.

- The Data Owner determines the appropriate value and classification of information generated by the owner or department;
- The Data Owner must communicate the information classification when the information is released outside of the department and/or the organization;
- The Data Owner controls access to his/her information and must be consulted when access is extended or modified; and
- The Data Owner must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.

Data Custodian
- The Data Custodian maintains the protection of data according to the information classification associated to it by the Data Owner.
- The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel

Data User
The Data User is a person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.

Data Classifications
Confidential
Confidential Data is information protected by statutes, regulations, organizational policies or contractual language. Managers may also designate data as Confidential.

Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.

Disclosure to parties outside of the organization must be authorized by executive management, approved by a Vice President and General Counsel, or covered by a binding confidentiality agreement.

Examples of Confidential Data include:

- Medical records
- Clinical trial data
- Credit card numbers
- Social Security Numbers
- Personnel and/or payroll records
- Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction
- Any data belonging to an %ORGANIZATION% customer that may contain personally identifiable information
- Patent information
- Regulatory filings

Internal
Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by %ORGANIZATION%, who have a legitimate business purpose for accessing such data.

Examples of Internal Data include:
- Employment data
- Business partner information where no more restrictive confidentiality agreement exists
- Internal directories and organization charts
- Planning documents
- Contracts

Public
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to organizational disclosure rules, is available to all %ORGANIZATION% employees and all individuals or entities external to the corporation.

Examples of Public Data include:
- Publicly posted press releases
- Publicly available marketing materials
- Publicly posted job announcements

Disclosure of public data must not violate any pre-existing, signed non-disclosure agreements.

NOTE: The policy MUST NOT define HOW data will be classified (or tagged). Use standards, guidelines and/or procedures to communicate how the different types of data should be appropriately labeled.

SOME SAMPLE Classification Protections
Confidential
- When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords, wherever possible.
- When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by %ORGANIZATION% IT Management must be employed.

Internal
- Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
- Must be protected by a confidentiality agreement before access is allowed
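The examples of Confidential Data listed above (Social Security Numbers, credit card numbers) can be turned into a first-pass detector that helps a Data Owner find unlabeled Confidential data in an export before a classification is assigned by hand. The following is an added example written for this edit, not code from the original post or its sample policy: it scans a spreadsheet-like set of rows column by column, applies format and checksum rules (SSN area/group/serial rules, the Luhn check for card numbers), and labels a column Confidential when enough of its values match. Anything it cannot prove Confidential is labeled Internal rather than Public, which is the conservative reading of the policy: data is not Public until someone decides it is. The column names, sample rows and the 50% threshold are constructed assumptions.

```python
"""First-pass data classification scan over tabular data.

Added illustration, not from the original post. Sample rows, column names
and the match threshold are constructed for the example.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
CARD_RE = re.compile(r"^\d{13,19}$")

Label = Tuple[str, Optional[str]]   # (classification, reason)


def is_ssn(value: str) -> bool:
    """Format plus the SSA structural rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_card_number(value: str) -> bool:
    """13 to 19 digits (spaces or dashes allowed) that pass the Luhn check."""
    digits = re.sub(r"[ -]", "", value.strip())
    return bool(CARD_RE.match(digits)) and luhn_valid(digits)


# Detector name doubles as the reason reported for the Confidential label.
DETECTORS = {
    "Social Security Number": is_ssn,
    "Credit card number": is_card_number,
}


def classify_column(values: Iterable[str], threshold: float = 0.5) -> Label:
    """Confidential if at least `threshold` of the non-empty values match one detector."""
    nonempty = [v for v in values if v and v.strip()]
    if not nonempty:
        return ("Internal", None)
    for reason, detector in DETECTORS.items():
        hits = sum(1 for v in nonempty if detector(v))
        if hits / len(nonempty) >= threshold:
            return ("Confidential", reason)
    return ("Internal", None)   # not proven Confidential; never assume Public


def classify_export(rows: List[Dict[str, str]], threshold: float = 0.5) -> Dict[str, Label]:
    """Classify every column of a list of row dicts (e.g. a CSV read with csv.DictReader)."""
    columns: Dict[str, List[str]] = {}
    for row in rows:
        for name, value in row.items():
            columns.setdefault(name, []).append(value)
    return {name: classify_column(vals, threshold) for name, vals in columns.items()}


# Constructed sample export; the SSNs are the SSA's published advertising numbers
# and the card numbers are standard test numbers, so nothing here is real data.
SAMPLE_ROWS = [
    {"Name": "A. Example", "Dept": "Finance", "Emp Ref": "219-09-9999", "Card": "4111 1111 1111 1111"},
    {"Name": "B. Example", "Dept": "HR",      "Emp Ref": "078-05-1120", "Card": "5500-0000-0000-0004"},
    {"Name": "C. Example", "Dept": "IT",      "Emp Ref": "",            "Card": "n/a"},
]

if __name__ == "__main__":
    for column, (label, reason) in classify_export(SAMPLE_ROWS).items():
        print("%-8s %-12s %s" % (column, label, reason or ""))
```

The detector is deliberately narrow: a false Confidential label costs a review, while a missed one costs a breach notification, so the structural checks exist to keep obvious non-matches (order numbers, phone extensions) from drowning the report rather than to prove a value is real.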

Conclusion
In my experience, the Data Classification Policy has been the most difficult policy to create and receive approval on. The most common and valid question I receive is “How will we ever comply?” Compliance with a Data Classification Policy has proven to be extremely difficult in most organizations due to a number of primary factors:

- People do not want to assume the responsibilities that come with their role, primarily the data owner
- Labeling standards are sometimes extensive and time consuming to write
- Data is strewn throughout the organization without centralized management
- Classifications assigned will vary from data owner to data owner and management is not “cut and dry”

Understand that information security is evolutionary and it will take time to get data classification properly implemented. This is expected and accepted. All things in information security should start in policy and data classification is no exception. Approval of a policy does not mean formal adoption and compliance (we will cover post-approval of policy in “Information Security Policy 101 – Policy Approval” due on 7/30).

Download the SAMPLE DATA CLASSIFICATION POLICY.

TIP: Write your Data Classification Policy without worrying about the details of implementation, but at the same time make sure you will be able to implement each statement through the use of additional supporting documentation.

Next in the series: “Information Security Policy 101 – Incident Management Policy”

Previous: “Information Security Policy 101 – Backup Policy”

Wednesday, July 11, 2007

Information Security Policy 101 – Backup Policy



On the surface it may seem that data backups are mundane and simple tasks to carry out. Backups are often repetitive and change infrequently. Don’t believe it! Although there are SOME tasks that a backup administrator does that are simple and mundane, anyone who has spent any amount of time with or as a backup administrator knows how complex the job can be. There are a vast number of options and methods available to conduct and manage backups. Of these options and methods, some are more secure than others.

The Backup Policy is meant to address some of the grey area and provide direction to the development of more detailed procedural and standardization documentation.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Backup Policy is to establish the rules for the backup and storage of electronic %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically a Backup Policy applies to IT administrative personnel and, specifically, those persons responsible for data backups.

SAMPLE:
Audience
The %ORGANIZATION% Backup Policy applies to all individuals within the enterprise who are responsible for the installation and support of %ORGANIZATION% Information Resources, individuals charged with %ORGANIZATION% Information Resource backups, security, and data owners.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Backup Policy

A Backup Policy is written to provide rules and expectations around the treatment and management of data backups. It is a simple policy that rarely exceeds a page in length, but it should be viewed as important in many organizations.

NOTE: A Backup Policy should not state backup settings requirements except in a general sense. The Backup Policy should not be confused with a Disaster Recovery Plan (DRP) which is much more extensive and outside of the scope of this article.


SAMPLE BACKUP POLICY STATEMENTS:
- The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
- The %ORGANIZATION% Information Resource backup and recovery process for each system must be documented and periodically reviewed.

Conclusion
Do not assume that backups are simple tasks with limited options and flexibility. Backups are often a critical process for many organizations so it would only make sense to develop some policy around them.



Download the SAMPLE BACKUP POLICY.



Next in the series: “Information Security Policy 101 – Data Classification Policy”



Previous: Information Security Policy 101 – "Administrative and Special Access Policy"

Read more!

Tuesday, July 10, 2007

Information Security Policy 101 – Administrative and Special Access Policy



And now I present to you the Administrative and Special Access Policy! OK, I admit it isn’t all that exciting, but it is a policy that provides value in many organizations. In many instances users of administrative accounts have the ability to do just about anything in a corporate server and/or network environment. Administrators can often create accounts, change passwords, change access rights, delete audit logs, etc. Without proper control, the risk of inadvertent errors and malicious abuse of rights is unacceptable.

All information security controls must have their roots in policy, and those meant to limit the risk inherent in the use of administrative access accounts are no different.

NOTE: This has been stated before, but I state it again in order to drive the point home. Supporting standards, guidelines, and/or procedures will need to be created in support of the policy after the policy has been formally approved and adopted by management.

General Policy Format

All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Administrative and Special Access Policy is to establish the rules for the creation, use, monitoring, control and removal of accounts with special access privilege.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Administrative and Special Access Policy applies to IT administrative personnel or persons authorized and responsible for information resource management.

SAMPLE:
Audience
The %ORGANIZATION% Administrative and Special Access Policy applies equally to all individuals that have, or may require, special access privilege to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Administrative and Special Access Policy
The Administrative and Special Access Policy is written to communicate the general rules and guidance to those persons in an organization with authorized access to administrative accounts. The policy also applies to users of accounts that have access rights that exceed those of "general" user accounts.

As with all information security policies, the Administrative and Special Access Policy should be general in nature and not detail specific settings requirements. The Administrative and Special Access Policy should adequately address all areas of administrative access that reflect expected and acceptable use.

SAMPLE POLICY STATEMENTS:

- All users of Administrative and Special access accounts must have account management instructions, documentation, and authorization.

- Each individual that uses Administrative and Special access accounts must refrain from abuse of privilege and must only perform the tasks required to complete his/her job function.

Conclusion
Remember that a policy is a series of statements that accurately reflect management’s expectations with respect to information security in the organization. It is easy to forget about those users in an organization that have “special” rights and privileges. This is a mistake. Users with these rights and privileges, if not properly informed and trained, can pose one of the most significant threats to the confidentiality, integrity and/or availability of organizational information.

Download the SAMPLE ADMINISTRATIVE AND SPECIAL ACCESS POLICY.

TIP: The use of administrative and special access accounts needs to be strictly monitored and reviewed. Include regular monitoring and auditing in supporting procedures.

Next in the series: “Information Security Policy 101 – Backup Policy”

Previous: Information Security Policy 101 – Account Management Policy


Monday, July 9, 2007

Buy your exploits here?



Are you in the market for a previously undisclosed exploit and/or vulnerability? If so, maybe you should check out the WabiSabiLabi MarketPlace, an online exploit auction site (or not).

So far, I have only seen four exploits listed for sale with only two receiving bids. Supposedly, I can become the high-bidder on a Yahoo! Messenger 8.1 remote buffer overflow exploit for only 2000 Euro (~$2720 US).

Let’s take a look at this.

The Site



If you have used eBay or U-Bid before, you already understand how online auctions work so I won’t explain any of that.

What sets this online auction site apart from others is what is being sold: previously undisclosed exploits. Upon first examination the site appears to be legitimate, but due to my nature I want to dig a little more.

Call me naïve, but I gotta tell ya I am a bit suspicious.

First off, I had not heard of “WabiSabiLabi Ltd.” before this encounter. Before I do business with anyone, I certainly want to know who they are and rarely will I take their word for it.

There is little or no history of the company presumably because they are a startup. DNS provides little information as it is a GoDaddy private registration. The site itself (http://www.wslabi.com/) is hosted through California Regional Intranet, Inc. (cari.net).

Let’s say for a second that I have a “zero-day” exploit that I would like to profit from, and let’s say that I am a good guy (I am!). Should I sell my work through WabiSabiLabi and trust that they will make sure it is sold to another good guy?

WabiSabiLabi FAQ:
Q: Can everybody purchase vulnerabilities from the market place?

A: No, all purchasers will be carefully evaluated before granting them access to the market platform to minimize the risk of selling the right stuff to the wrong people.

Personally, I would like a little more disclosure on “how” WabiSabiLabi will evaluate a purchaser.

Now let’s say that I am a bad guy with a zero-day exploit to sell. Should I sell my work through WabiSabiLabi and risk disclosure of my identity or should I sell it to the highest bidder within “my network”? This is a simple question to answer!

Hey, maybe I am a bad guy with money to buy a zero-day exploit. Will the exploit be worth squat after the extensive “hinting” that takes place by disclosing even trivial details on http://www.wslabi.com/?

And lastly, let’s say I am a good guy again (following me?) and I work for one of the vendors mentioned with an exploit on http://www.wslabi.com/. Would I buy? What happens if I don't buy the exploit when I could have and it turns out to be a good one that causes harm to my customers? This scenario could hurt. Tough decision, but almost sounds like blackmail by WSLabi.

There is just not enough information on http://www.wslabi.com/ for me to make the decision to disclose anything, i.e. submit any zero-day information I had on hand. I agree that security researchers need to get paid for their work as I know the work can be extremely detailed, time-consuming, and stressful. I am just not convinced that this is the place to do it. I will take a wait and see approach to this one.

You will have to make your own decision.

WabiSabiLabi Information, According to the site:
“WSLabi laboratory in Switzerland covers a large quantity of high-severity ITSEC issues through its global research network of independent security researchers and third-party organizations”

Their motto: “The art of continuous improvement of imperfect security”

Their Blog: http://wabisabilabi.blogspot.com/



Sunday, July 8, 2007

Information Security Policy 101 – Account Management Policy



The Account Management Policy is next in our alphabetical list of information security policies that I will be covering as part of the Information Security Policy 101 series. Typically an Account Management Policy has more usefulness in organizations with a group of individuals who are authorized to create, monitor, control, and/or remove user accounts.

The business assessment process that we covered in “Information Security Policy 101 – Assess the Business” should give information security personnel the information needed to determine if an Account Management Policy will provide value to the organization.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %Organization% Account Management Policy is to establish the rules for the creation, monitoring, control, and removal of user accounts.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Account Management Policy applies to persons authorized and responsible for account management.

SAMPLE:
Audience
The %Organization% Account Management Policy applies equally to all individuals whose authorized business duties include account management pertaining to any %Organization% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Account Management Policy
The Account Management Policy is written to communicate the general rules and guidance to those persons in an organization with account management responsibilities. As with all information security policies, the Account Management Policy should be general in nature and not detail specific settings requirements. The Account Management Policy should adequately address account creation, monitoring, control, expiration, disablement, and deletion.

SAMPLE POLICY STATEMENTS:

  • All accounts created must have an associated and documented request and approval
  • All accounts must be uniquely identifiable using the user name assigned by MGI IT

Conclusion
In the companies that I have had the opportunity to assess, many did not include an Account Management Policy in their greater global information security policy, although most of these companies could benefit from having one. The Account Management Policy is a very simple policy to write due to its limited scope, and in most cases its creation, approval, and adoption is well worth the investment.

Download the SAMPLE ACCOUNT MANAGEMENT POLICY.

TIP: Be sure that each account in your organization corresponds to a single entity (person, service, application, etc.) whenever possible.

Next in the series: “Information Security Policy 101 – Administrator/Special Access Policy”

Previous:
Information Security Policy 101 – Acceptable Use Policy



Friday, July 6, 2007

When a DBA goes bad



What happens when a DBA goes bad? In the recent case involving Certegy Check Services (a Fidelity National Information Services division), the confidentiality of 2.3 million consumer records containing credit card, bank account, and other personal information was compromised.

In the July 3rd press release:


“Fidelity National Information Services Announces Misappropriation of Consumer Data by Employee of Certegy Check Services Division

Data sold to Marketing Solicitation Companies;
No Fraudulent Activity or Identity Theft Detected”


The data was stolen and subsequently sold to data brokers by a high-level DBA at Certegy who was entrusted with defining and enforcing data-access rights. The DBA, a guy named William Sullivan, also allegedly owns a side-business named S&S Computer Services in Largo, Florida. Allegedly, Mr. Sullivan took the data out of the building "via physical processes", not by transmission.

How does a business protect itself (and customers)?
I can think of two things right off the bat: extensive employee screening for employees with access to sensitive information, and segregation of duty.

Employee Screening
Obviously employee screening does very little to protect against someone who has never been caught or someone who goes bad after being hired, but it is a good precaution nonetheless. I would be surprised if this was the first thing that Mr. Sullivan had ever stolen or if this was the first time he had done something unethical if not illegal. Perhaps he would have been screened out, perhaps not. Screening is only one layer of defense.

Segregation of Duty
DBAs are very powerful people in most companies. A DBA typically has access to vast amounts of very sensitive data, defines who else can access the data, and also audits who has accessed the data! Bad news. As security professionals, we should never accept a single entity with all three of these rights. There are good products in the marketplace to audit what DBAs do. Any company storing sensitive (and/or regulated) data would do well to have their security personnel look into these products.
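The segregation-of-duty point above (no single entity should hold data access, grant rights and audit-log control together), along with the Administrative and Special Access Policy's requirement that special access be documented and authorized and the Account Management tip that each account map to one entity, can be checked mechanically in a privilege review. The script below is an added example, not the post's or any product's code; the right names, account names and approval references are constructed for illustration.

```python
# Added example (not from the original post): a privilege review that flags
# the "all three rights" combination the post warns about, special access
# that lacks a documented authorization, and accounts shared by more than
# one entity. All account data here is constructed.
from dataclasses import dataclass

# Hypothetical right names; together these three are the toxic combination.
READ_DATA = "read_sensitive_data"
GRANT_ACCESS = "grant_access"
MANAGE_AUDIT = "manage_audit_log"
TOXIC_COMBINATION = frozenset({READ_DATA, GRANT_ACCESS, MANAGE_AUDIT})
SPECIAL_RIGHTS = frozenset({GRANT_ACCESS, MANAGE_AUDIT})


@dataclass(frozen=True)
class Account:
    name: str
    rights: frozenset
    owners: tuple            # entities (people, services) behind the account
    authorization_ref: str   # approval/ticket id; empty means undocumented


def review_accounts(accounts):
    """Return (account name, finding) pairs; an empty list means no issues."""
    findings = []
    for acct in accounts:
        if TOXIC_COMBINATION <= acct.rights:
            findings.append((acct.name, "holds data access, grant and audit rights together"))
        elif SPECIAL_RIGHTS <= acct.rights:
            findings.append((acct.name, "can change access rights and alter the audit trail"))
        if (acct.rights & SPECIAL_RIGHTS) and not acct.authorization_ref:
            findings.append((acct.name, "special access without documented authorization"))
        if len(acct.owners) != 1:
            findings.append((acct.name, "account does not map to exactly one entity"))
    return findings


# Constructed sample principals (hypothetical names and approval references).
SAMPLE_ACCOUNTS = [
    Account("dba_primary", TOXIC_COMBINATION, ("alice",), "CHG-0001"),
    Account("dba_ops", SPECIAL_RIGHTS, ("dave",), "CHG-0002"),
    Account("sec_audit", frozenset({MANAGE_AUDIT}), ("erin",), ""),
    Account("app_billing", frozenset({READ_DATA}), ("billing-service",), "CHG-0003"),
    Account("shared_admin", frozenset({GRANT_ACCESS}), ("bob", "carol"), "CHG-0004"),
]

if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```

Run against a real export of database roles, the same check gives the periodic review that the policy statements require a concrete, repeatable form.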

Certegy
Although Certegy assures the public that no fraudulent activity has been detected with any of the personal information that was disclosed, there is essentially no effective way to prevent such things. Once confidential data is disclosed to unauthorized individuals, confidentiality can no longer be assured in any tangible manner. The best thing Certegy can do is take steps to ensure that this will not happen again and disclose to its customers what these steps are.

Certegy's Actions (thus far)
Certegy has filed suit against Mr. Sullivan in the case of Certegy Check Services Inc. v. William Sullivan, No. 076271CI13, Circuit Court, Pinellas County, Florida (St. Petersburg).

NOTE: This really does nothing to protect the victims (consumers) and will do little to remedy the situation other than make people feel better that someone pays a price.

Certegy is implementing a fraud watch associated with the stolen records, and has notified credit-reporting agencies TransUnion, Equifax and Experian of the incident.

NOTE: TransUnion, Equifax, and Experian are three of the BIGGEST data brokers in the world! I would not trust them to do too much other than alert after the fact.

From Renz Nichols, president of Certegy Check Services: "It's a reminder that the best security systems are not immune to rogue employees." I agree with Mr. Nichols in the respect that you cannot stop all rogue employees, but I think you can certainly do more to detect them.

