Security and Privacy in a Networked World/Procedures: Thou shalt not...
As illustrated by the title above, any larger community of humans throughout the history has had "the rules of game" (written or unwritten). The larger the difference between the "initiates" and the "mere mortals", the more vital are written, universal and enforced rules (they are usually called laws) - and security of a larger organization tends to have large difference here. And due to the the principle of the weakest link determining the strength of the whole chain, the axiom of ignorantia juris non excusat also applies, necessitating efforts both training to promote security awareness and policies to maintain and enforce it.
That said, while not everyone can be a security professional in an organization, universal security awareness, shared responsibility and active participation (understanding and following the policies rather than complying mechanically) should be the goals.
Site and infrastructure policies
This is the most physical aspect of security policies, covering the security of premises (building(s), offices) as well as computing infrastructure (servers, desktops, laptops, mobile devices, networking equipment etc).
As seen from previous topics, many kinds of cybercrime actually benefit from physical access to the facilities (good examples include the Levin/Citibank case and many feats of Kevin Mitnick). Therefore, adequate policies must be defined for the infrastructure, including
- methods of physical access - actual means of access (keys, cards, biometric methods); policies should address eg. proper handling of keys.
- access change procedures (grant/modify/deny) - these must be clearly defined, including the personnel (who should I contact?) and necessary steps (which forms should I fill out?).
- status-based access restrictions - different privileges for different positions (vertically; management vs rank-and-file) as well as different forms of work (full-time, part-time, contractors, teleworkers etc).
- time-based restrictions (hours of operation) - even if there is little practical restrictions for off-hour work, these should be clearly defined in the policy (e.g. the weekend worker must guarantee that no outsiders enter with him/her).
- points of contact - staff members responsible for different aspects of security (e.g. Mr A. for networ security incidents, Ms B. for getting access to facilities etc).
- incident handling - can also include escalation levels that help staff members understand the situation and also make decisions about involving third parties (e.g. a sizable security breach may be reported to the police).
While these aspects are quite "common-sense" when planning information security, they still need a well-thought and balanced approach. The components include
- physical access - a wide range of policies including access to ordinary work desktops (e.g. what can users change in their machine), servers (services, data sharing, access control, backups etc) and public/visitor terminals.
- security of mobile devices - these rules have seen a lot of changes recently, first when laptops overtook desktops as main tools and then with the influx of smartphones and tablets. BYOD (Bring Your Own Device) has been a rising trend which on the one hand has made work more flexible and opened new possibilities, on the other hand give rise to the so-called end-node problem (the same device is connected to privileged corporate networks during the workday and to unprotected and potentially dangerous networks during the off-hours, making the situation very hard to regulate).
- network security - may also policies for visitor access and/or public wireless networks.
- remote access - e.g. using VPN (Virtual Private Network) for teleworkers: while remote access was a rather rare privilege earlier, in the days of mobile computing it is almost an universal need.
- monitoring and auditing - a sensitive area of policy that has to find a balance between too restrictive (privacy violation) and too permissive (ineffective).
- access control - possibly the most inclusive area in this section, access control is largely "everybody's business" ranging from weeding out weak passwords to spotting suspicious strangers (both online and offline).
This is the human side of information security. As said above, a goal should be to include both administration and ordinary users via security awareness training. Most responsibilities thus become shared (e.g. taking good care of equipment, choosing good passwords, reporting failures etc), but administrators should have extra policies to address their larger privileges. The policies should allow rapid reaction to security incidents while minimizing the chances for abusive behaviour. For example, accessing user files is only allowed during actively resolving a problem, monitoring must be announced and identifiable.
A rule only works when it is followed (while in some communities rules may be unwritten, they are in fact enforced and failure to comply will be punished). The information security policy should also promote awareness and the 'security mindset', thus policy enforcement helps to upkeep it.
First, there is the employment contract that the security policy is connected to. The binding nature of a signed contract and the understanding that serious breaches of security policy may also influence one's employment status also work in favour of heightened security awareness.
Another measure is the security audit which may be either notifies (preannounced) or "blind" (unannounced). The former is usually used in the sections where the situation needs improvement - the subjects will be given time for improvement and corrections. On the other hand, blind audits are used to keep the users "on the toes", to maintain constant high level of awareness. These audits may simulate actual attacks (using technology, social engineering or both), the results are later disclosed and the responses analyzed with the personnel.
International security standards
During the last decades, a number of standards have been developed internationally to address information security (mostly on enterprise level). Examples include
- ISO 17799
- ISO/IEC 27001
- ISO/IEC 27002
- IT-Grundschutz (Germany)
- ISKE (Estonia; based on the former)
- NIST 800 series (US)
Most of the standards focus on three central concepts:
- Confidentiality - information is accessible only to authorized users
- Integrity - accuracy and completeness of information and its processing methods
- Availability - authorized users must have access to information and related assets when needed
Note: while it has been suggested that the standards are also applicable for the context of smaller companies, most of them tend to focus on large organizations - on the one hand covering a wide range of diverse issues, on the other hand they can be rather generic. Sometimes, small organizations make use of the sections of the standards applicable to them, also making some adjustments where necessary (e.g. a more flexible small organization might consider maximum length of allowed downtime to be shorter than the same parameter at a large corporation).
That said, properly implemented information security standards can significantly reduce the danger of "re-inventing the wheel" and ensure coverage of all necessary areas. In Estonia, ISKE is mandatory for data processing systems managed by the state or municipalities. ISKE defines three levels of security - low, medium and high (L, M, H) - in the current version 6.00, the L and M levels contain 1096 measures and the H level adds 222. All entities using ISKE should periodically audit their systems depending on the security level - once in every four years for L, three years for M and two years for H. The audits should be carried out by a certified auditor - this has also been a source for criticism due to being costly for smaller organizations.
A sample policy (parallelly in Estonian and English) can be found here.
READ MORE at https://www.ria.ee/iske-en
- ANONYMOUS. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. 3rd ed. Sams Publishing, 2001.
- BARMAN, Scott. Writing Information Security Policies. Sams Publishing, 2001
- CARLSON, Tom. Information Security Management: Understanding ISO 17799. http://www.netbotz.com/library/ISO_17799.pdf
- The ISO27k Forum. http://www.iso27001security.com/html/forum.html
- Estonian Information Systems Authority. ISKE (in English). https://www.ria.ee/iske-en
- IT-Grundschutz. https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html
Study & Blog
- Study a security standard of your choice (Estonians could pick ISKE, as this could prove useful in later studies and/or work; others may take similar ones from your country, but may also study ISKE). Write a short opinion, including applicability of the standard in the contexts of SME/NGO/government/education (i.e. other than large enterprises).