
New Policy | Policy and Information Flow



VM compliance policy is sometimes necessary for enforcement of remediation activities. Depending on your organization, a policy that directs IT managers to make remediation a priority is helpful. The policy should provide for the following:
  • Prioritization of vulnerabilities: The vulnerabilities found will be prioritized. In many cases, more vulnerabilities are found than can possibly be fixed in a reasonable amount of time. You will have to specify what gets done first. It is even possible that you may want a policy statement of the circumstances under which systems administrators should drop everything they are doing and remediate or shut down the system in question.
  • Valuation of assets: Every system is a company asset. It has to be given a value, which can be used in the prioritization process. 
  • Time limits: Depending on the severity and type of vulnerability, time limits for remediation must be set. This is, in effect, an SLA for the organization. You will have to consider the risk or threat to the organization based on several criteria. Those criteria, however, would be left to a supporting standard.
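The three policy elements above (prioritization, asset valuation, and time limits) can be turned into a repeatable remediation queue. The following is an added example, not code from the original post: the hosts, findings, asset values, scoring weights and per-severity day counts are all constructed assumptions for illustration, not figures the page gives.

```python
"""Added example, not from the original post: a remediation queue builder that
applies the three policy elements above (vulnerability prioritization, asset
valuation, and per-severity time limits).  Every host, finding, asset value and
time limit here is constructed sample data; the day counts and scoring weights
are assumptions for illustration, not figures taken from the page."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed time limits (days) by severity: the remediation "SLA" the policy sets.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed "drop everything" rule: a critical finding on an asset valued at the
# top of the 1..5 scale bypasses the normal queue.
EMERGENCY_ASSET_VALUE = 5


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # constructed identifier for the example
    severity: str     # one of SLA_DAYS' keys
    found_on: date


@dataclass(frozen=True)
class QueueEntry:
    finding: Finding
    score: int
    due: date
    overdue: bool
    emergency: bool


def priority_score(finding: Finding, asset_value: int) -> int:
    """Severity rank (1..4) weighted by asset value (1..5); range 1..20."""
    return SEVERITY_RANK[finding.severity] * asset_value


def due_date(finding: Finding) -> date:
    """Remediation deadline: discovery date plus the severity's time limit."""
    return finding.found_on + timedelta(days=SLA_DAYS[finding.severity])


def is_emergency(finding: Finding, asset_value: int) -> bool:
    return finding.severity == "critical" and asset_value >= EMERGENCY_ASSET_VALUE


def remediation_queue(findings, asset_values, today: date):
    """Order findings for remediation: emergencies first, then anything already
    past its deadline, then by score (highest first), then by earliest deadline.
    Hosts missing from the valuation table get the lowest value, so an
    unvalued asset is never silently treated as important."""
    entries = []
    for f in findings:
        value = asset_values.get(f.host, 1)
        due = due_date(f)
        entries.append(QueueEntry(
            finding=f,
            score=priority_score(f, value),
            due=due,
            overdue=today > due,
            emergency=is_emergency(f, value),
        ))
    entries.sort(key=lambda e: (not e.emergency, not e.overdue, -e.score, e.due))
    return entries


# Constructed sample data.
SAMPLE_ASSET_VALUES = {"payroll-db": 5, "web-01": 3, "kiosk-07": 1}
SAMPLE_FINDINGS = [
    Finding("kiosk-07", "V-1001", "critical", date(2024, 1, 2)),
    Finding("web-01", "V-1002", "high", date(2024, 1, 10)),
    Finding("payroll-db", "V-1003", "critical", date(2024, 2, 1)),
    Finding("payroll-db", "V-1004", "low", date(2024, 1, 5)),
]
SAMPLE_TODAY = date(2024, 2, 3)

if __name__ == "__main__":
    for e in remediation_queue(SAMPLE_FINDINGS, SAMPLE_ASSET_VALUES, SAMPLE_TODAY):
        flag = "EMERGENCY" if e.emergency else ("OVERDUE" if e.overdue else "")
        print(f"{e.finding.host:12} {e.finding.vuln_id} score={e.score:2} due={e.due} {flag}")
```

The ordering encodes the policy decisions the text calls for: a critical finding on the most valuable asset is the "drop everything" case, an item already past its time limit jumps ahead of higher-scoring items that are still within their SLA, and an unvalued host defaults to the lowest value so that a gap in the asset inventory shows up as low priority rather than being guessed at.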

Usage Policy

Another important type of policy pertains to the usage of the VM system itself. This policy would highlight key operational constraints. Among the types of constraints necessary are the following:
  • Types of systems exempt from scanning: This can include other security devices or critical network devices that are known to be adversely affected by scanning.
  • Operational requirements for scanning approval: One must have consent of a system owner and/or administrator.
  • SLA parameters: This requirement specifies what parameters must be included in any scan specification for a given network or group of targets. This might include time of day, bandwidth limitations, operational impact assessment, and scan termination request response time. These parameters in particular are important to maintaining a healthy relationship with system owners. If scans interfere with the systems and their operating environment, system owners are not likely to grant ongoing permission to continue scanning.
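A usage policy of this kind is most useful when it is enforced before a scan is launched. The following pre-scan gate is an added example, not code from the original post: the policy values, field names, exempt ranges and scan specifications are constructed assumptions for illustration.

```python
"""Added example, not from the original post: a pre-scan gate that checks a
proposed scan specification against the usage-policy constraints listed above
(exempt systems, owner consent, and SLA parameters such as time of day,
bandwidth limit, impact assessment and termination-request response time).
The policy values, field names and scan specifications are constructed
assumptions for illustration."""
import ipaddress
from datetime import time

# Constructed usage policy for one network segment.
POLICY = {
    "exempt_networks": ["10.0.9.0/24"],   # e.g. a segment of critical network devices
    "exempt_hosts": ["10.0.1.5"],         # e.g. a security sensor known to misbehave under scans
    "window_start": time(22, 0),          # scanning permitted 22:00 to 05:00 (crosses midnight)
    "window_end": time(5, 0),
    "max_bandwidth_kbps": 2000,
    "max_stop_response_minutes": 15,      # how quickly a scan must halt on an owner's request
}


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies inside the approved window; handles windows that cross midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def exempt_targets(targets, policy):
    """Return the targets that fall on an exempt host or inside an exempt network."""
    nets = [ipaddress.ip_network(n) for n in policy["exempt_networks"]]
    hosts = {ipaddress.ip_address(h) for h in policy["exempt_hosts"]}
    hits = []
    for t in targets:
        addr = ipaddress.ip_address(t)
        if addr in hosts or any(addr in n for n in nets):
            hits.append(t)
    return hits


def validate_scan_spec(spec, policy):
    """Return the list of policy violations; an empty list means the scan may run."""
    violations = []
    bad = exempt_targets(spec["targets"], policy)
    if bad:
        violations.append("exempt targets included: " + ", ".join(bad))
    if not spec.get("owner_consent"):
        violations.append("no consent recorded from the system owner or administrator")
    if not (in_window(spec["start_time"], policy["window_start"], policy["window_end"])
            and in_window(spec["end_time"], policy["window_start"], policy["window_end"])):
        violations.append("scan start or end falls outside the approved time of day")
    if spec["bandwidth_kbps"] > policy["max_bandwidth_kbps"]:
        violations.append("bandwidth limit exceeds the segment's cap")
    if spec["stop_response_minutes"] > policy["max_stop_response_minutes"]:
        violations.append("termination-request response time is too slow")
    if not spec.get("impact_assessment"):
        violations.append("no operational impact assessment attached")
    return violations


# Constructed scan specifications.
GOOD_SPEC = {
    "targets": ["10.0.2.7", "10.0.2.8"],
    "owner_consent": True,
    "start_time": time(23, 0),
    "end_time": time(2, 0),
    "bandwidth_kbps": 1000,
    "stop_response_minutes": 10,
    "impact_assessment": "web tier, read-only checks only",
}
BAD_SPEC = {
    "targets": ["10.0.1.5", "10.0.9.20", "10.0.2.7"],
    "owner_consent": False,
    "start_time": time(20, 0),
    "end_time": time(2, 0),
    "bandwidth_kbps": 5000,
    "stop_response_minutes": 60,
    "impact_assessment": "",
}

if __name__ == "__main__":
    for name, spec in (("GOOD_SPEC", GOOD_SPEC), ("BAD_SPEC", BAD_SPEC)):
        problems = validate_scan_spec(spec, POLICY)
        print(name, "approved" if not problems else "rejected:")
        for p in problems:
            print("  -", p)
```

Reporting every violation at once, rather than stopping at the first, gives the requester a complete list to fix before resubmitting, and the exemption check works on address ranges so that a whole segment of sensitive devices can be excluded with one policy entry.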


Ownership and Responsibilities

Once a system proves itself to be a powerful tool in managing a critical part of the enterprise, questions such as “who is responsible for the scanning schedule?” and “who decides what gets scanned and when?” are likely to arise. These questions are reasonable, given the insecurity that comes with what is perceived as an invasive activity. The best thing to do is avoid contention over these issues by getting it all decided in advance. Be forewarned that ambiguity is the enemy of process.
The first step in establishing clear ownership is to build it into the policy. The roles for key functions in the process should be clearly specified by title. At a minimum, these roles must include the following:
  • Scan parameters definition: The business and technical parameters used for scanning must be defined and carefully controlled. Although others may participate in the process of scanning, careless changes to parameters can cripple a host or an entire network.
  • Scan scheduling: The schedule for a scan has a lot of thought built into it. These considerations should not be trifled with. A change in a schedule can have as big an impact on business operations as a change in parameters.
  • Report distribution: Vulnerability reports are confidential data. In the wrong hands, these reports can be very damaging. For a hacker or motivated, disgruntled employee, a vulnerability report is a road map to trouble.
  • Local host remediation: When a host cannot be patched or fixed through an enterprise host management tool, it has to be remediated by a local administrator or other individual appropriate to your organization.
  • Global remediation: In contrast to local host activities, global tools remediate hosts over the network. One or more organizations are responsible for this remediation. For example, the desktop team may be responsible for general host patching, and the security group may have to keep anti-virus and encryption programs updated. All such organizations should be identified in advance and made active participants in and contributors to VM process development.

Hardware Firewall Architectures

Firewalls can be configured in many different hardware architectures providing various levels of security with different installation and operation costs. Organizations should match their risks to the type of firewall architecture selected. The following briefly describes firewall architectures.

Multiple-homed host. This is a firewall that has more than one network interface card (NIC). Each NIC is logically and physically connected to a separate network segment. A dual-homed host, one with two NICs, is the most common example of a multi-homed host. One NIC is connected to the external or untrusted network, such as the Internet, and the other NIC is connected to the internal or trusted network. In this configuration, the key point is not to allow traffic to be passed directly from the untrusted network to the trusted network; the firewall acts as an intermediary.

Screened hosts. Screened firewall architecture uses a host called a bastion host. It usually has two network interface cards, but may have several NICs, making it a multiple-homed device. All outside hosts connect to this device rather than connecting directly to inside hosts. The bastion host is configured so as to remove all unnecessary services, thereby earning the name hardened host: if superfluous services and features are removed or disabled, they cannot be exploited to gain unauthorized access. In front of the bastion host, a filtering router is installed and configured so that all connection traffic between the internal and external networks must pass through the bastion host. No direct internal-network-to-external-network connections are allowed.


Bastion hosts can be deployed to partition sub-networks from other interior networks; for example, an interior network handling company e-mail is partitioned by a bastion host from another interior network where employee records are kept. This architecture is known as a screened sub-network, and it adds an extra layer of security by creating a separate but connected internal network or sub-network.

Firewall Administration
Firewalls, whether hardware, software, or appliances, have to be the ongoing responsibility of a senior, accountable employee. After all, this employee literally has the "keys to the kingdom." It is a wise business practice to have two firewall administrators, assuring continuity and institutional knowledge in the event of an absence.

Firewall Administrators
For each duty day, it is recommended that two experienced employees be available to address firewall issues. In this manner, the firewall administrator function is constantly covered. It is compulsory that these employees have a thorough understanding of network architectures, TCP/IP protocols, and security policies.

Remote Firewall Administration

Firewalls are usually the first line and sometimes the last line of defense against attackers. By design, firewalls are supposed to be difficult to attack directly, which leads attackers to target the accounts on the firewall itself. Consequently, there should be no user accounts on the firewall host other than those of the administrators, and user names and passwords must be strongly protected. One of the most common protections is strong physical security surrounding the firewall host, with firewall administration permitted only from one directly attached terminal. Only the primary and secondary firewall administrators should have physical access to the firewall host. Depending on the sensitivity of the data stored on the protected network, it is strongly recommended that firewall administrators not be allowed to access firewalls remotely. Depending on the business's operations, it may be prudent to have a firewall administrator on duty constantly. What profit losses will be incurred if users are unable to access information assets because of firewall problems? Although keeping a firewall administrator on duty full-time is an expense, in the long run it provides increased integrity and availability for firewalls and the systems they protect.

Internet Firewall Policy

Because the Internet is not trustworthy, an organization's system connected to the Internet is vulnerable to abuse and attack. Enabling a firewall between the organization's local area network and the Internet can go a long way to control access between trusted parties and less-trusted ones. A firewall is not a single component; rather it is a strategy for protecting an organization's Internet-reachable assets. Firewalls serve as gatekeepers between the untrustworthy Internet and the more-trusted organization networks.



The primary function of a firewall is to centralize system access controls. If remote users, authorized or not, can access the internal networks without traversing the firewalls, their effectiveness is diminished. If a traveling employee has the ability to connect to his office workstation, circumventing the organization's firewall architecture, then an attacker can do the same. Firewalls have the ability to allow network services to be passed or blocked; consequently, system administrators must consult with firewall administrators relative to which services are necessary for business operations. All unnecessary services must be disabled, denied, or blocked.

Firewalls provide several layers and types of protection:

- Firewalls can block unwanted traffic, essentially partitioning the inside network from the outside network.

- Firewalls can direct incoming traffic to more trustworthy internal systems.

- Firewalls can conceal vulnerable systems that cannot be secured from the Internet.

- Firewalls can provide audit trails logging traffic to and from the organization's private networks and the Internet.

- Firewalls can conceal information such as system addresses, network devices, and user identification from the Internet.


Authentication

Firewalls located at the perimeter of the organization's network, interfacing between the Internet and the internal networks, do not provide user authentication. Host-based firewalls usually provide these types of user authentication:

User names and passwords. The user name is checked against an authorized user list and verified by the correct password. This is one of the least secure methods.

One-time passwords. One-time passwords, generated by software or hardware tokens, produce a new password for each user session. Old passwords cannot be reused if they were stolen, intercepted, or borrowed. With this method the user must know something and must possess something before gaining access.

Digital certificates. Digital certificates are issued by a trusted third party using public key encryption. With this access method the user must know something and have something.


Firewall Types
Packet-filtering firewalls are gateways, usually located at network routers, that screen packets according to policy rules granting or denying access based on several factors:

Packet source address. The firewall can deny system access from specific source addresses; for example, it is possible to deny entry to any packet whose source address belongs to a competing company.

Packet destination address. The firewall can deny access to any internal workstation or host based on its IP address; for example, all traffic attempting to connect to the client list file server can be blocked.

Service port. Firewalls are capable of blocking or allowing access to specific services; for example, connection attempts to workstation TCP Port 139 are denied.
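The three factors above map directly onto a rule table. The following stateless first-match filter is an added example, not code from the original post: the rule set, addresses and sample packets are constructed, with the competitor block and client list file server from the text given made-up addresses. It goes one step beyond the text by placing an ingress anti-spoofing rule first, the usual mitigation for the spoofing drawback the page lists below.

```python
"""Added example, not from the original post: a minimal stateless packet filter
that applies first-match policy rules on the three factors listed above (source
address, destination address, and service port), with everything unmatched
denied by default.  The rule set, address ranges and packets are constructed for
illustration; the "competitor" block and "client list file server" are the
page's own examples given constructed addresses.  The rules are those applied to
traffic arriving on the outside interface."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int     # destination (service) port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; any source by default
    dst: str = "0.0.0.0/0"       # CIDR; any destination by default
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed rule set, evaluated top to bottom; first match wins.
RULES = [
    Rule("deny", src="10.0.0.0/8", comment="internal source seen on the outside interface (anti-spoofing)"),
    Rule("deny", src="203.0.113.0/24", comment="competing company's address block"),
    Rule("deny", dst="10.0.5.10/32", comment="client list file server"),
    Rule("deny", proto="tcp", dport=139, comment="NetBIOS session service"),
    Rule("allow", dst="10.0.1.0/24", proto="tcp", dport=80, comment="public web servers"),
]


def filter_packet(pkt: Packet, rules=RULES):
    """Return (action, reason) for the first rule that matches; default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny (no rule matched)"


# Constructed sample traffic arriving from outside.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.0.1.20", "tcp", 80),     # competitor -> web server
    Packet("198.51.100.9", "10.0.5.10", "tcp", 445),   # outsider -> file server
    Packet("198.51.100.9", "10.0.1.20", "tcp", 139),   # outsider -> NetBIOS
    Packet("198.51.100.9", "10.0.1.20", "tcp", 80),    # outsider -> web
    Packet("198.51.100.9", "10.0.1.20", "tcp", 22),    # outsider -> ssh (no rule)
    Packet("10.0.1.50", "10.0.1.20", "tcp", 80),       # forged internal source
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, why = filter_packet(p)
        print(f"{p.src:>14} -> {p.dst}:{p.dport}/{p.proto}  {action:5}  {why}")
```

The default-deny fall-through is what gives effect to the earlier requirement that all unnecessary services be disabled, denied, or blocked: only traffic an allow rule explicitly names gets through. Note that the filter keeps no state and judges each packet only by its header fields, which is why the drawbacks listed for this firewall type apply to it.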


Packet-filtering firewalls offer minimum security but very low cost. They can be an appropriate choice for a low-risk network environment. However, there are some drawbacks:

- They do not protect against IP or DNS address spoofing.

- Attackers will have direct access to any host on the internal network once access has been granted by the firewall.

- Strong user authentication is not supported by many packet-screening firewalls.

- They do not generally provide complete or useful logging features.


Application Firewalls
Application firewalls use server programs, called proxies, running on the firewall. These proxies arbitrate transactions between interior and exterior networks: they accept requests, examine them, and forward legitimate requests to the internal hosts that provide the appropriate service. Application firewalls generally support functions such as user authentication and logging. They require that a proxy be configured for each applicable service, such as FTP, HTTP, and so on.

Application-level firewalls generally offer the solution of network address translation (NAT). This feature may be configured so that outbound traffic appears as if the traffic had originated from the firewall itself. In this fashion, all IP addresses of the hosts behind the firewall are protected from discovery in that once they depart the firewall outbound, they all have the same IP address.

- Application firewalls supporting proxies for different services prevent direct access to internal network services, protecting the business against insecure or poorly configured internal servers.

- Application firewalls generally offer strong user authentication.

- Application firewalls generally provide detailed logging of user activities.
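The proxy-per-service model and the NAT behaviour described above can be shown together in a small simulation. The following is an added example, not code from the original post: the public address, port range and service table are constructed, and the proxy step is reduced to the one decision the text describes (forward only services that have a configured proxy).

```python
"""Added example, not from the original post: a toy application-proxy front end
with the port-based network address translation described above.  Outbound
requests are accepted only for services that have a configured proxy (the page
names FTP and HTTP), and every forwarded connection leaves with the firewall's
own public address, so internal host addresses are never visible outside.
Unsolicited inbound traffic with no translation entry is dropped.  The addresses,
ports and service table are constructed for illustration."""
import itertools

FIREWALL_PUBLIC_IP = "198.51.100.1"          # constructed public address of the firewall
PROXIED_SERVICES = {"http": 80, "ftp": 21}   # services with a proxy configured


class NatTable:
    """Maps (inside_ip, inside_port) to a public port on the firewall and back."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound 4-tuple so the source is the firewall itself."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse the mapping for a reply; None means no session exists, so drop it."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        inside_ip, inside_port = self.inbound[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)


def proxy_request(nat: NatTable, service: str, src_ip: str, src_port: int, dst_ip: str):
    """Application-proxy step: refuse services without a proxy, otherwise forward
    through NAT to the service's well-known port on the destination."""
    if service not in PROXIED_SERVICES:
        return None
    return nat.translate_outbound(src_ip, src_port, dst_ip, PROXIED_SERVICES[service])


if __name__ == "__main__":
    nat = NatTable(FIREWALL_PUBLIC_IP)
    print(proxy_request(nat, "http", "10.0.0.5", 51000, "192.0.2.80"))
    print(proxy_request(nat, "http", "10.0.0.6", 51000, "192.0.2.80"))
    print(nat.translate_inbound("192.0.2.80", 80, FIREWALL_PUBLIC_IP, 40001))
    print(nat.translate_inbound("192.0.2.80", 80, FIREWALL_PUBLIC_IP, 2222))
    print(proxy_request(nat, "telnet", "10.0.0.5", 51001, "192.0.2.23"))
```

Two internal hosts using the same local port still get distinct public ports, so the outside world sees one address and a set of ports with no way to recover the internal addressing; a reply to a port that was never allocated has no session behind it and is discarded, which is the "prevent direct access to internal network services" property listed above.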

Employee Privacy Policy

Personal privacy is a cherished value closely linked to concepts of personal freedom and well-being. At the same time, personal privacy parallels fundamental principles of the First Amendment to the Constitution, the most important hallmark of personal freedom: the protection of the free flow of information in society.

Most organizations require personal information about their employees to carry out business goals and objectives. It is imperative that collected information is safeguarded from intentional or accidental disclosure. Increasingly, automation of personal records permits this information to be used and analyzed in ways that would reduce employee privacy without adequate safeguards.

Organizations must have policies requiring compliance with legal, regulatory, and moral safeguards relative to employee information. These policies should assure that information technologies sustain and do not erode personal information protections in the organization's use, collection, and disclosure of personal information.

It is important that organizations constantly evaluate legislative and regulatory requirements involving the collection, use, and disclosure of personal information.

Forensics Policy: Looking for Evidence

There are many compelling reasons for employing computer forensics, but before business managers make the decision to do so, they need to understand what it is and when to use it. Risk management is the leading reason for deploying computer forensics. Any business that does not have a policy and procedure to stop malicious behavior may count on being victimized with little recourse against the perpetrator. Computer forensics is the investigative practice of collecting, examining, and analyzing evidence retrieved from computers and computer-related equipment. At times it would seem that computer forensics analysis is akin to magic in that trained, experienced professionals can find relevant evidence through sophisticated collection and restoration techniques. More than one competent analyst has been called "a miracle worker."

Collecting and analyzing computer evidence is useful for confirming or dispelling concerns about whether an unlawful act has been committed. Further, this type of work has been able to document workstation, application, and network vulnerabilities after a critical incident.

Organizations today must have policies regarding when computer forensics examiners should be called in. Usually information-related threats involve a computer of some kind or a communications network, because these are the means by which companies conduct their business and information processes. Businesses employ computer forensics when there is a serious risk resulting from compromised intellectual property, a threat of lawsuits stemming from employee conduct, or potential damage to their reputation or brand. Many organizations regularly use forensic means to audit employee workstations, on the theory that employees who know and recognize they are being monitored are less likely to stray from policies and procedures. When a random selection of employees' computers is made monthly and forensic examinations are conducted, the appropriate steps are taken if unauthorized use, pornography, or abuse is discovered.

Any experienced computer forensics examiner starts and completes assignments with his or her testimony in mind. This means the examiner must always collect, analyze, and preserve evidence according to the rules of evidence. A good standard for this professional is the Federal Rules of Evidence. Basically, the examiner has three important tasks: finding, preparing, and preserving evidence.

Another aspect of forensic computer examination is the testimony of the forensics professional. This person must never attempt to perform an examination for which he or she is not trained. There are times when untrained or inexperienced persons are tempted to conduct examinations, which can corrupt or damage potential evidence. Just because a person has a detailed knowledge of computers and networks does not mean the person is qualified to conduct forensics examinations. Following is a list of what to look for when selecting forensics computer examiners:

- Prior experience in computer forensics examinations

- Specialized training

- Specialized experience in collecting, analyzing, and preserving evidence

- Experience as an expert witness

- Possession of pertinent professional certifications

- Personal and professional integrity; examiners must withstand thorough scrutiny on technical and personal levels

- A laboratory equipped with tools for evidence recovery


Another matter of significance: organizations should understand that reporting unlawful activities is required under many state statutes and under U.S. law. According to Title 18, USC 4, "whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years or both."

Policy Distributions

Drafting is not the only step in developing complete and effective policy documents. Policies must be disseminated to the target audience by the most effective and efficient means possible.

While conducting an operational assessment, the auditor asked to see the organization's manual of policies and procedures. She was presented with a six-volume set of operational and administrative policies and procedures comprising nearly 3,000 pages. These binder pages were a hodgepodge of legal terminology, operational guides, and executive mandates. Later the auditor was presented with additional policy volumes relevant to procurement requirements, a funding guide, and an operations policy binder. There was no central index, nor were there searchable electronic versions available. These volumes were kept at several locations, and access to two of the volumes was very limited. The auditor asked to whom these policies applied. The senior manager replied, "all employees."


To be truly effective and efficient, policies must be distributed to the intended audience to convey the message. It is not reasonable to expect all policies to apply to all employees at all times. Applicable policies should be distributed to the intended audience in a timely and effective fashion. After distributing the policies, it is important in some cases for employee acknowledgments to be executed and returned to the Human Resources unit for accountability purposes. This would be the case with policies such as the use of e-mail.

Consider the use of online policy manuals. Using this online method, a smaller number of policies with application to specific business departments or functional units can be developed, disseminated, and easily modified. They are easier to disseminate and are more easily updated and distributed than the larger companywide paper versions.

Policy Writing Techniques

Writing policies is a lot like creative writing. Very few folks have the skills right away, but with some experience and practice nearly everyone can write policies and become proficient at drafting a document that is easy to understand and carries substantial weight in the organization. Here are some general best practices in drafting policy documents.

Plain Language
Generally, policies are written for specific employees in particular business units. For example, information technology policies are replete with language and abbreviations so cryptic that other employees have little appreciation or understanding of the policy's purpose or direction. Policy language should aim to be as clear as possible, and every sentence should say exactly what it is intended to say. For example, a drafted policy may say an employee is entitled to two weeks of vacation annually. What does this policy mean? Does the employee accrue vacation time during the year? What is the term of that year? Is it a calendar year or some other term of year? Can the employee take vacation in less than a two-week period? Is the term "2 weeks" a 15-day period or is it 10 work days?

Policies should be drafted in the simplest words possible that still convey the meaning to the reader. Avoid colloquial terms, unexplained foreign language terms, technical terms, and slang. For example, what is the meaning of the term "rip-off"? Today's usage would include definitions such as defraud, steal, or embezzle. However, to those of previous generations it refers to an action similar to removing wallpaper.

A major problem with technical writers is that they often aim at correctness and choose the biggest and most specific words. Remember, words serve little useful purpose if they are not understood. Policies should not be written like college textbooks requiring exhaustive study. Employees do not have the time or interest to engage in deep study. On the other hand, do not draft policies using terminology that makes them seem simplistic and condescending.

Spelling and Grammar
Avoid careless spelling and grammar mistakes. Word processors and spreadsheet applications have spell checkers and grammar checkers for a reason: the credibility of your policy documents depends on them.

Gender Words
In recent years, writers have been trying to avoid using "he" because it implies masculinity and possible bias. Sometimes we see a trend of using the terminology "he/she" or "he or she." This phraseology gets tiresome very quickly in written form and is very awkward in conversation. It is acceptable to use a combination of "he" and "she" in writing or in conversation, depending on the location of the intended audience. It is important to remember the geography of the audience; for example, in some Middle Eastern nations it is appropriate to use the male gender and masculine words, while other nations prefer nongender words such as "team members" or "performance analysts." Policy documents must avoid offending employees if they are going to be considered credible. When drafting policies, it is a matter of credibility to be sensitive to the intended audience.

Eternal View
Policies should be in a written tone as though they have always existed and will continue to exist. Unless specific references are critical to the policy's application, avoid references to specific products, current computer architecture, or technologies. Also, policies should always refer to positions in the organization rather than to specific persons. Whenever possible, policies should not reference an employee's name, address, telephone number, floor, or mail station unless absolutely necessary. Rather, policies should reference positions such as the Human Resources Manager, located at a given location, telephone number, mail stop, and so on. If named business functions are referenced in the policy, they should be carefully identified, leaving no uncertainty in the mind of the reader. Be certain to do your homework when referring to a position; with recent restructuring and business unit consolidations happening on a daily basis, it is important that the correct position and office is named.

Application
"I did not think it applied to me." This is a common explanation given to auditors when an employee avoids policy compliance. The most-effective way to remove this excuse is to specifically state who must comply with the instructions of the policy. Such application statements are probably best stated in the context of which employees are responsible for adherence rather than stating those employees who are not required to comply. For example: "This policy applies to all employees who have remote network access." This is a much better policy statement than "This policy does not apply to those without remote network access."

Responsibility for Compliance

Well-written policies will explicitly identify the group or individual responsible for enforcing policy compliance. This statement can include those responsible for monitoring compliance, auditing adherence, and those who are responsible for uniform application of the policy across the organization.

Et Tu, Policy

Policies constitute an established course of action directed toward accepted business goals and objectives. Procedures are the methods by which policies are performed. Standards are definitions of quality generally accepted by industry. An example of a standard is the Institute of Electrical and Electronics Engineers (IEEE) standard 802.11, a standard for information technology telecommunications and information exchange between information networks.

Each procedure has an action, decision, or repeated step. In other circumstances, the word procedure can also take a variety of usages, such as Standard Operating Procedure (SOP), Department Operating Procedure (DOP), or Quality Operating Procedure (QOS). Regardless of the terminology used, policies are written to carry out the details of the business process. In some business cultures, there may not be a significant distinction between policy and procedure. In other cultures, there may be a great difference between policies and procedures.

In times past, there were many businesses that did not think they needed well-developed policies and procedures. However, in today's legislated world, there is hardly an organization that is not specifically addressed by laws and regulations. For example, in the area of healthcare, data collected must undergo a high level of access restriction, because failure to do so could result in criminal or civil penalties. The content of privacy statutes directed to healthcare providers is detailed in very specific language.

Organizations must ensure that the content of policies and procedures does not violate rules, regulations, and laws under which they must operate, and good business sense. The rationale for establishing policies that are disseminated throughout an organization is twofold:

1. They establish clear and consistent processes. Organizations must show widespread uniformity in applying laws and regulations.

2. They allow employees who are not legally minded to have confidence that they are performing their duties in conformity with the law. For example, a township finance office has the responsibility of accounting for sales tax revenues collected from local businesses. Local ordinances require such taxes to be paid to the township government one quarter after collection. Recently, the township council decided they would offer certain qualifying businesses rebates on their collected sales taxes as an incentive to remain in the township, as there had been some difficult economic times. The township had a policy that described the process for creating, amending, and deprecating policies. Accordingly, the finance office drafted, vetted, and implemented a series of policy changes. Policy changes were proposed by the finance office and vetted through their legal counsel, the audit unit, and the township executive committee. After all parties approved the policies, they were adopted and installed. Corresponding changes in check processing software were made so that tax rebate checks required two signatures: (1) the signature of one of the five township executives and (2) the signature of the comptroller. This policy observed changes made to the law and the internal controls of least privilege and separation of duties. Under the policy, no one person or office could authorize the release of revenue rebate checks.

There are many other reasons for documenting policies:

Performance standards. Written policies enable managers and their subordinates to define and understand their requirements, boundaries, and responsibilities. Policies create performance baselines to which subsequent changes can be referred, enabling orderly process changes to be made.

Performance metrics. Policies enable managers to determine whether a subordinate's action was simply poor judgment or an infringement of the rules. If specific rules did not exist, then employees could not be held accountable for their actions. Having a written baseline of performance expectations, those in authority can decide if disciplinary action or reward is warranted.

Management metrics. Policies provide substantial freedom to employees in the performance of their duties, allowing them to make decisions within previously defined boundaries. Well-defined policies allow employees to do their jobs without micro-managers meddling in their work. In this same vein, policies enable managers to manage by exception rather than by controlling every action and decision of their subordinates. Before an action begins, employees know the rules and are more likely to produce the right result the first time.

Quality models. The International Organization for Standardization (ISO) developed a series of worldwide quality standards known as ISO 9000. This is a set of documents addressing quality systems applicable to most settings. They specify requirements and recommendations for the design and assessment of management systems, ensuring that goods and services meet specified requirements. ISO 9000 standards apply to most processes and require that policies and procedures are documented, understood, and executed.

The Capability Maturity Model® (CMM) process developed by the Software Engineering Institute at Carnegie Mellon University is a framework that describes key components of effective systems and software development. The CMM is very powerful as it provides the necessary detail to understand the requirements of each maturity level, allowing organizations to examine and compare their practices. In this fashion, gap analyses are completed and improvements are prioritized to address specific needs. The CMM has five maturity levels, with each level requiring specific policies and procedures before advancing to the next level.

Both ISO 9000 and the CMM are important industry standards representing desirable and pursued quality standards. They are important to organizations in terms of process improvement, but they also are considered an excellent source for policy content.
