Table of Contents
INTRODUCTION
- Who Should Read This Book
- How This Book Is Organized
  - Part I: Starting the Policy Process
  - Part II: Writing the Security Policies
  - Part III: Maintaining the Policies
    - Chapter 11: Acceptable Use Policies
    - Chapter 12: Compliance and Enforcement
    - Chapter 13: The Policy Review Process
  - Part IV: Appendixes
    - Appendix A: Glossary
    - Appendix B: Resources
    - Appendix C: Sample Policies
- Conventions
PART I: Starting the Policy Process
Chapter 1: What Information Security Policies Are
- About Information Security Policies
- Why Policies Are Important
- When Policies Should Be Developed
  - Mitigating Liability
  - After A Security Breach
  - Document Compliance
  - Demonstrate Quality Control Processes
- How Policies Should Be Developed
  - Define What Policies Need to Be Written
  - Perform a Risk Assessment/Analysis or Audit
  - Review, Approval, and Enforcement
- Summary
Chapter 2: Determining Your Policy Needs
- Identify What Is to Be Protected
  - Hardware and Software
  - Non-Computer Resources
  - Inventorying Human Resources
- Identify From Whom It Is Being Protected
- Data Security Considerations
  - Handling of Data
  - Personal and Personnel Data
  - Backups, Archival Storage, and Disposal of Data
    - Backup Considerations
    - Archival Storage of Backups
    - Disposing of Data
- Incident Response and Forensics
  - Incident Response Strategies
- Summary
Chapter 3: Information Security Responsibilities
- Management Responsibility
  - Information Security Management Committee
- Information Ownership
  - Assigning Information Ownership
  - Security Responsibilities of Information Ownership
  - Information Security Compliance Plans
- Role of the Information Security Department
  - Use of Consultants for Information Security
- Other Information Security Roles
  - Integrating Information Security into the Business Process
  - Individual Information Security Roles
- Auditing and Monitoring
- Understanding Security Management and Law Enforcement
- Information Security Awareness Training and Support
- Summary
PART II: Writing the Security Policies
Chapter 4: Physical Security
- Computer Location and Facility Construction
  - Facility Construction
  - Locks and Barriers
  - Environmental Support
  - Inventory Maintenance
- Facilities Access Controls
  - Building Access Controls
  - Restricting Access to Computer Facilities
  - Visitors
- Contingency Planning
  - Emergency Response Plans
  - Disaster Recovery
  - Security Alert and Alarms
- General Computer Systems Security
  - Preventative Maintenance
  - System Availability
  - Periodic System and Network Configuration Audits
- Staffing Considerations
- Summary
Chapter 5: Authentication and Network Security
- Network Addressing and Architecture
  - Network Planning
  - Network Addressing
    - Domain Name Service Configuration
    - Network Address Translation
    - Other Addressing Concerns
  - Policies for Expanding the Network
- Network Access Control
  - Gateways
  - Virtual Private Networks and Extranet
  - Authorization of Services
- Login Security
  - Login Requirements and Procedures
    - Guests and Other Users
    - Login Banners
    - Login Controls
    - Login Reporting
    - Setting Session Restrictions
  - User Access Administration
  - Working with Special Privileges
- Passwords
  - Policies Defining Valid Passwords
  - Storage of Passwords
  - Special Passwords
  - User Interface
- Access Controls
- Telecommuting and Remote Access
  - Employee Equipment Guidelines
  - Remote Access Data Security Guidelines
  - Employee Responsibilities
  - Telecommuting and Remote Access Facilities
    - Dial-up Security
    - Tunneling Through The Internet
- Summary
Chapter 6: Internet Security Policies
- Understanding the Door to the Internet
  - Architecture Issues
    - Policies Managing Incoming Traffic
    - Guarding the Gate
    - Network Address Translation
  - Allowable Services
  - Usenet News
- Administrative Responsibilities
  - Maintenance
  - Outsourcing Agreements
  - Enforcement
- User Responsibilities
  - Training
  - Understanding What Internet Usage Represents
  - Transmitting of Sensitive Information
  - Reliability of Information Downloaded
- World Wide Web Policies
  - Web Access to Network and Infrastructure
  - Security and Maintenance of CGI and Other Support Programs
  - Content Enhancers
  - Content Control
  - Privacy Policy
  - User Access to the Web
- Application Responsibilities
  - Data and File Transfers
  - Authentication of Internet Transactions
  - VPNs, Extranets, Intranets, and Other Tunnels
  - Modems and Other Backdoors
  - Employing PKI and Other Controls
  - Electronic Commerce
- Summary
Chapter 7: Email Security Policies
- Rules for Using Email
- Administration of Email
  - Establish the Right to Monitor Email
    - Handling of Email
    - Archiving Email
    - Scanning Email
    - Limiting The Size of Email
- Use Of Email for Confidential Communication
  - Encrypting Email for Confidentiality
  - Digitally Signing Email
- Summary
Chapter 8: Viruses, Worms, and Trojan Horses
- The Need for Protection
- Establishing the Type of Virus Protection
  - Testing for Viruses
  - System Integrity Checking
  - Distributed and Removable Media
  - Rules for Handling 3rd Party Software
- User Involvement with Viruses
- Summary
Chapter 9: Encryption
- Legal Issues
  - International Encryption Policies
  - Liability Concerns
- Managing Encryption
- Handling Encryption and Encrypted Data
- Key Generation Considerations
- Key Management
  - Disclosure of Keys
  - Key Storage
  - Transmission of Keys
- Summary
Chapter 10: Software Development Policies
- Software Development Processes
  - Identifying Software Development Responsibilities
  - Establishing Software Development Policies
    - Access Controls in Software
    - Other Policy Considerations
    - Authentication Design Rules
- Testing and Documentation
  - Generating Test Data
  - Testing and Acceptance
  - Documentation Requirements
- Revision Control and Configuration Management
  - Revision Control Request Procedures
  - Configuration Management and Security Fixes
  - Configuration Management and Maintenance
  - Testing Before Installation
  - Installation Procedures
- Third Party Development
  - Policy to Guarantee Integrity
  - Restricting Commercial Distribution
  - Escrow for Third Party Software
  - Intellectual Property Issues
- Summary
PART III: Maintaining the Policies
Chapter 11: Acceptable Use Policies
- Writing the AUP
- User Login Responsibilities
- Use of Systems and Network
- User Responsibilities
- Organization’s Responsibilities and Disclosures
  - Monitoring and Examination of Network Data
  - Collection of Private Data
  - Common Sense Guidelines About Speech
- Summary
Chapter 12: Compliance and Enforcement
- Testing and Effectiveness of the Policies
- Publishing and Notification Requirements of the Policies
- Monitor, Control and Remedies
  - Monitoring
  - Controlling
  - Remedies
- Administrator’s Responsibility
- Logging Considerations
- Reporting Of Security Problems
  - Handling of Information Security Incident Reporting
  - Required Actions
  - Auditing and Data Capturing
- Considerations When Computer Crimes Are Committed
  - Working With Law Enforcement
  - Consideration for Preservation of Evidence
- Summary
Chapter 13: The Policy Review Process
- Periodic Reviews of Policy Documents
- What Should the Policy Reviews Include
- The Review Committee
- Summary
PART IV: Appendixes
Appendix A: Glossary
Appendix B: Resources
- Incident Response Teams
- Other Incident Response Information
- Virus Protection
- Vendor-Specific Information
- Security Information Resources
- Security Publications
- Industry Consortia and Associations
- Hacker and “Underground” Organizations
- Survivability
- Health Insurance Portability and Accountability Act
- Cryptography Policies and Regulations
- Security Policy References
Appendix C: Sample Policies