Writing Information Security Policies

Table of Contents

INTRODUCTION

PART I: Starting the Policy Process

Chapter 1: What Information Security Policies Are

  • About Information Security Policies
  • Why Policies Are Important
  • When Policies Should Be Developed
    • Mitigating Liability
    • After A Security Breach
    • Document Compliance
    • Demonstrate Quality Control Processes
  • How Policies Should Be Developed
    • Define What Policies Need to Be Written
    • Perform a Risk Assessment/Analysis or Audit
    • Review, Approval, and Enforcement
  • Summary

Chapter 2: Determining Your Policy Needs

  • Identify What Is to Be Protected
    • Hardware and Software
    • Non-Computer Resources
    • Inventorying Human Resources
  • Identify From Whom It Is Being Protected
  • Data Security Considerations
    • Handling of Data
    • Personal and Personnel Data
  • Backups, Archival Storage, and Disposal of Data
    • Backup Considerations
    • Archival Storage of Backups
    • Disposing of Data
  • Incident Response and Forensics
    • Incident Response Strategies
  • Summary

Chapter 3: Information Security Responsibilities

  • Management Responsibility
    • Information Security Management Committee
    • Information Ownership
      • Assigning Information Ownership
      • Security Responsibilities of Information Ownership
    • Information Security Compliance Plans
  • Role of the Information Security Department
    • Use of Consultants for Information Security
  • Other Information Security Roles
    • Integrating Information Security into the Business Process
    • Individual Information Security Roles
    • Auditing and Monitoring
  • Understanding Security Management and Law Enforcement
  • Information Security Awareness Training and Support
  • Summary

PART II: Writing the Security Policies

Chapter 4: Physical Security

  • Computer Location and Facility Construction
    • Facility Construction
    • Locks and Barriers
    • Environmental Support
    • Inventory Maintenance
  • Facilities Access Controls
    • Building Access Controls
    • Restricting Access to Computer Facilities
    • Visitors
  • Contingency Planning
    • Emergency Response Plans
    • Disaster Recovery
    • Security Alert and Alarms
  • General Computer Systems Security
    • Preventative Maintenance
    • System Availability
  • Periodic System and Network Configuration Audits
  • Staffing Considerations
  • Summary

Chapter 5: Authentication and Network Security

  • Network Addressing and Architecture
    • Network Planning
    • Network Addressing
      • Domain Name Service Configuration
      • Network Address Translation
      • Other Addressing Concerns
    • Policies for Expanding the Network
  • Network Access Control
    • Gateways
    • Virtual Private Networks and Extranet
    • Authorization of Services
  • Login Security
    • Login Requirements and Procedures
      • Guests and Other Users
      • Login Banners
      • Login Controls
      • Login Reporting
    • Setting Session Restrictions
    • User Access Administration
    • Working with Special Privileges
  • Passwords
    • Policies Defining Valid Passwords
    • Storage of Passwords
    • Special Passwords
  • User Interface
  • Access Controls
  • Telecommuting and Remote Access
    • Employee Equipment Guidelines
    • Remote Access Data Security Guidelines
    • Employee Responsibilities
    • Telecommuting and Remote Access Facilities
      • Dial-up Security
    • Tunneling Through The Internet
  • Summary

Chapter 6: Internet Security Policies

  • Understanding the Door to the Internet
    • Architecture Issues
      • Policies Managing Incoming Traffic
      • Guarding the Gate
      • Network Address Translation
    • Allowable Services
    • Usenet News
  • Administrative Responsibilities
    • Maintenance
    • Outsourcing Agreements
    • Enforcement
  • User Responsibilities
    • Training
    • Understanding What Internet Usage Represents
    • Transmitting of Sensitive Information
    • Reliability of information downloaded
  • World Wide Web Policies
    • Web Access to Network and Infrastructure
    • Security and Maintenance of CGI and Other Support Programs
    • Content Enhancers
    • Content Control
    • Privacy Policy
    • User Access to the Web
  • Application Responsibilities
    • Data and File Transfers
    • Authentication of Internet Transactions
  • VPNs, Extranets, Intranets, and other Tunnels
  • Modems and Other Backdoors
  • Employing PKI and Other Controls
  • Electronic Commerce
  • Summary

Chapter 7: Email Security Policies

  • Rules for Using Email
  • Administration of Email
    • Establish the Right to Monitor Email
      • Handling of Email
      • Archiving Email
      • Scanning Email
    • Limiting The Size of Email
  • Use Of Email for Confidential Communication
    • Encrypting Email for Confidentiality
    • Digitally Signing Email
  • Summary

Chapter 8: Viruses, Worms, and Trojan Horses

  • The Need for Protection
  • Establishing the Type of Virus Protection
    • Testing for Viruses
    • System Integrity Checking
    • Distributed and Removable Media
  • Rules for Handling 3rd Party Software
  • User Involvement with Viruses
  • Summary

Chapter 9: Encryption

  • Legal Issues
    • International Encryption Policies
    • Liability Concerns
  • Managing Encryption
  • Handling Encryption and Encrypted Data
  • Key Generation Considerations
  • Key Management
    • Disclosure of Keys
    • Key Storage
    • Transmission of Keys
  • Summary

Chapter 10: Software Development Policies

  • Software Development Processes
    • Identifying Software Development Responsibilities
    • Establishing Software Development Policies
      • Access Controls in Software
      • Other Policy Considerations
    • Authentication Design Rules
  • Testing and Documentation
    • Generating Test Data
    • Testing and Acceptance
    • Documentation Requirements
  • Revision Control and Configuration Management
    • Revision Control Request Procedures
    • Configuration Management and Security Fixes
    • Configuration Management and Maintenance
    • Testing Before Installation
    • Installation Procedures
  • Third Party Development
    • Policy to Guarantee Integrity
    • Restriction Commercial Distribution
    • Escrow for Third Party Software
  • Intellectual Property Issues
  • Summary

PART III: Maintaining the Policies

Chapter 11: Acceptable Use Policies

  • Writing the AUP
  • User Login Responsibilities
  • Use of Systems and Network
  • User Responsibilities
  • Organization’s Responsibilities and Disclosures
    • Monitoring and Examination of Network Data
    • Collection of Private Data
  • Common Sense Guidelines About Speech
  • Summary

Chapter 12: Compliance and Enforcement

  • Testing and Effectiveness of the Policies
  • Publishing and Notification Requirements of the Policies
  • Monitor, Control and Remedies
    • Monitoring
    • Controlling
    • Remedies
  • Administrator’s Responsibility
  • Logging Considerations
  • Reporting Of Security Problems
    • Handling of Information Security Incident Reporting
    • Required Actions
    • Auditing and Data Capturing
  • Considerations When Computer Crimes Are Committed
    • Working With Law Enforcement
    • Consideration for Preservation of Evidence
  • Summary

Chapter 13: The Policy Review Process

  • Periodic Reviews of Policy Documents
  • What Should the Policy Reviews Include
  • The Review Committee
  • Summary

PART IV: Appendixes

Appendix A: Glossary

Appendix B: Resources
  • Incident Response Teams
  • Other Incident Response Information
  • Virus Protection
  • Vendor-Specific Information
  • Security Information Resources
  • Security Publications
  • Industry Consortia and Associations
  • Hacker and “Underground” Organizations
  • Survivability
  • Health Insurance Portability and Accountability Act
  • Cryptography Policies and Regulations
  • Security Policy References

Appendix C: Sample Policies

Pin It on Pinterest