9

I've been in charge of systems administration for a small company for a couple of years and am now training some new collaborators to take over. So far, there has been no security policy, but I would like to leave behind a good security policy that clearly states:

  • a code of ethics agreed upon by all and the direction board;
  • rules on how to maintain, update and configure servers;
  • specifics on how to maintain the security structure: new attacks surface, etc and right now we don't have a structured way to deal with that;

I'm a bit lost on how to start and am sure that list is way incomplete, so I'd like to ask for some pointers on how to research this and get started.

Thank you.

AviD
  • 72,138
  • 22
  • 136
  • 218
tomeduarte
  • 345
  • 1
  • 9
  • you're saying that you are leaving and want to attempt to ensure through policy and controls that your replacements act ethically and effectively? Does your business have any other policies in place? I would start with ensuring there is an ethics policy, the move onto a internet use policy, and then potentially server and workstation configuration/security polices. – Ormis Jul 20 '11 at 18:02
  • I trust my replacements completely both on ethics and skill, that is not why I want to do this. It's just that since now the team has grown (it was just me and now it's 3 people) I think it's the time to start creating policies and standards in this department, to create room for growth and to ensure everyone's on the same page, so to speak. Yes, the company has policies in place in other departments. – tomeduarte Jul 20 '11 at 20:09
  • Very good then, you can start the policies for your group off on the right foot. Good luck to you, sir. – Ormis Jul 20 '11 at 20:16

4 Answers4

7

Alright, so this was originally intended as a comment to your response to the answer given by @jl01 but it became too long and it should have merit on it's own....

There's almost an art to creating policies. Ideally (though i'm sure some people would disagree with me) a policy would be a very general statement regarding the topic. For example, something not much more complex than "This company will operate with current best practices for system patching". The idea is that a policy should be established and not need changed (if done perfectly). It should be generalized enough that it will not need to be updated as different technologies, attack vectors, regulations, etc change.

It is very common to split policies up into each separate realm of business/technology. This lends itself to producing policies that are more custom fitted to your company and allows you to keep clarity when referring to those policies.

Another way to think of it is that a policy is the business' way of covering their hind ends. It is created to cover as much as possible so if something goes wrong the company can mold their response to each separate situation while still using the same policy.

Those policies would be expanded on via procedures, guidelines, and regulations (come to think of it, this should be fairly close to how SANs describes it). I believe SANs refers to what I call "procedures" as "standards". I apologize for any confusion because of that.

A procedure would be an actual practice which follows a policy (many policies that i have seen seem to refer to the applicable procedures within the policy itself).

A guideline on the other-hand is exactly that, a suggestion of acceptable practices. Though they are only suggestions, they are not to be taken lightly. When audits occur, these are the low hanging fruit that an auditor can latch onto.

Procedures and guidelines are the only things that you should need to update with changing business climate, environmental issues, threats, etc.

When i designed my first set of policies, granted this was from a class regarding information security policies, I set up these different policies:

  • Information Sensitivity Policy
  • Extranet Policy
  • Email Policy
  • Removable Media Policy
  • Password Policy
  • Security Monitoring Policy
  • Router Security Policy
  • Server Security Policy
  • System Update Policy
  • ASP Policy
  • Server Management Policy
  • Security Training Policy

This is not an exhaustive list, but it should give you an idea of some of the break downs that may take place. The way policies are divided are dependent on the needs of that company.

Last, but definitely not least, each policy should be created in such a way that there is do doubt as to what and how it's applied. By this, i mean that along with each policy the purpose, the scope, the enforcement, and the definitions regarding that policy should be established. I always have fun typing the phrase "will be subject to repercussions up to and including termination".

Though I did not list it earlier, an ethics policy should be in every policy set. Even when using ASPs, or any service for that matter, it's good practice to request their ethics policy and, depending on what you see, require by contract that they abide by your companies ethics policy for that job.

So, i may have dove a bit too far into the subject... but i hope it helped.

Disclaimer: I am more than aware that this isn't the only way policies can be constructed. From my experience, most companies have a set of policies that have been loosely constructed over years of regulation changes and compliance issues.

p.s. an ASP is an application service provider, i see that i haven't mentioned it's definition anywhere above.

Ormis
  • 1,940
  • 13
  • 18
  • Great answer, this really helped me make sense of how to start and break it down into actionable stuff and set direction. Could you perhaps mention the class you took? – tomeduarte Jul 20 '11 at 16:18
  • I wish i could say that it easily available online, but it was actually an undergrad course at Rochester Institute of Technology. Sorry about that. – Ormis Jul 20 '11 at 17:54
  • I have a friend who graduated from there, I believe. I'll see if I can make him look at the "finished product" then :) Thanks for the tip. – tomeduarte Jul 20 '11 at 20:18
6

My suggestion is going to sound simple, but I believe it is the cause of most unauthorized and undetected activities going on in your network right now. Don't just do policy, do the work! Study and implement the 20 Top Critical Controls, http://www.sans.org/critical-security-controls/.

We have a lot of people making policy, we don't have enough executing these policies, simple things like password controls, understanding all devices and software on your network network, and baselining your systems.

SANS has a class, Hacker Detection for System Administrators, which will teach you all the basics you need to know in 12 hours of classtime. The curriculum conforms to the Top 20 critical controls. It is not apporpriate for me to do more to promote this course in my answer here, but if you are interested in learning more, send me an email to sweil@sans.org.

Scott Weil The SANS Institute

Scott Weil
  • 61
  • 1
4

Check out http://www.sans.org/security-resources/policies/ for some great sample policies. Should be a good starting point.

jl01
  • 225
  • 2
  • 4
  • An excellent starting point. Is it usual to split policies by "areas" (ethics, internal lab security, etc) as shown there? I was under the impression this would be just one document with all the information in it. – tomeduarte Jul 20 '11 at 07:52
  • that's *very* thorough – Hubert Kario Jul 26 '11 at 18:57
2

The only distinct difference I would have to add in having created policies and standards for many organisations is that I would usually expect tiers; policies are high level, with standards describing particular technologies or products, and then build or configuration documents detailing how to create a server that matches the standard, for example. Policies should support and be driven by business needs. Build docs should be written by IT with feedback to and input from security.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320