Security Policies

This page provides a list of computer security policies that may help organizations define their enterprise security controls. Once set, security policies must be communicated, enforced, and audited to be effective. Security policies may include:

  1. Password policy * - Defines minimum and maximum length of passwords, password complexity, how often it must be changed.
  2. Network login policy - May be defined by the password policy. Defines how many bad login attempts over what specific amount of time will cause an account to be locked. This may be included in the password policy.
  3. Remote access policy * - Specifies how remote users can connect to the main organizational network and the requirements for each of their systems before they are allowed to connect. This will specify the anti-virus program remote users must use, how often it must be updated, what personal firewalls they are required to run, and other protection against spyware or other malware. Also defines how users can connect remotely such as dial up or VPN. It will specify how the dial up will work such as whether the system will call the remote user back, and the authentication method. If using VPN, the VPN protocols used will be defined. Methods to deal with attacks should be considered in the design of the VPN system.
  4. Internet connection policy * - Specifies how users are allowed to connect to the internet and provides for IT department approval of all connections to the internet or other private network. Requires that all connections to a private network or the internet, such as connections by modems or wireless media, be approved by the IT department, and states what is typically required for approval, such as the operation of a firewall to protect the connection. Also defines how the network will be protected to prevent users from going to malicious web sites. Defines whether user activity on the network will be logged and to what extent. Specifies what system will be used to prevent unauthorized viewing of sites and what system will log internet usage activity. Defines whether a proxy server will be used for user internet access.
  5. Approved Application policy * - Defines applications which are approved to operate on computer systems inside or connected to the organizational network.
  6. Asset control policy * - Defines how assets such as computers are tracked, so that the locations and users of all assets are known. This policy will define a property move procedure: what must be done when a piece of property is moved from one building or location to another, and who signs off on the movement. This allows the asset database to be updated so the location of all computer equipment is known. It also helps network administrators protect the network, since they will know which user and computer is at which station in the case of a worm infecting the network. This policy must also cover the fact that data on a computer being moved between secure facilities may be sensitive and must be encrypted during the move.
  7. Equipment and media disposal policy - May be incorporated into the asset control policy. Ensures that electronic equipment or media to be disposed of does not contain any kind of harmful data that may be accessible by third parties.
  8. Media use and re-use policy - May be incorporated into the asset control policy. Defines the types of data that may be stored on removable media and whether that media may be removed from a physically secure facility and under what conditions it would be permitted.
  9. Mobile computer policy * - Defines the network security requirements for all mobile computers which will be used on the network, who is allowed to own them, what firewall they must run, what programs may be run on them, how the system will be protected against malware, how often the system must be updated, and more. Also defines what data may be stored on them and whether the data must be encrypted in case of theft.
  10. Computer Training policy - This policy defines the minimum training for users on the network to make them aware of basic computer threats to protect both themselves and the network. This policy especially applies to employees with access to sensitive or regulated data.
  11. IT Resource acceptable use policy - Defines how users may use IT computer resources. Available at:
    http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf
    http://www.sans.org/resources/policies/Acceptable_Use_Policy.doc
  12. Wireless Use Policy * - Defines whether wireless will be used on the network, what protocols can be used, and how it will be kept secure from unauthorized access including allowing only specific computers to connect.
  13. Information security policy - Available at:
    http://www.sans.org/resources/policies/Information_Sensitivity_Policy.pdf
    http://www.sans.org/resources/policies/Information_Sensitivity_Policy.doc
    http://www.sans.org/resources/policies/
  14. Anti-virus and malware policy * (data protection plan) - Defines anti-virus policy on every computer, including how often a virus scan is done and how often updates are done. Defines what programs will be used to detect, prevent, and remove malware programs. It may define what types of file attachments are blocked at the mail server and what anti-virus program will be run on the mail server. It may specify whether an anti-spam firewall will be used to provide additional protection to the mail server. It may also specify how files can enter the trusted network and how these files will be checked for hostile or unwanted content. For example, it may specify that files sent to the enterprise from outside the trusted network be scanned for viruses by a specific program.
  15. System update policy * - How often systems and applications are checked for security updates and whose responsibility it is to do them. How the updates for client computers and servers will be done. Will an update service be used?
  16. User privilege policy * - Defines what privileges various users are allowed to have, specifically defining what groups of users have privileges to install computer programs on their or other systems. Defines the users who have access to and control of sensitive or regulated data. Also may define internet access to specific sites for some users or other ways they may or may not use their computer systems.
  17. Application implementation policy - Defines how major computer to computer applications will be implemented on the network to protect both the data used in the application and the rest of the computer network. Defines who will be involved, and who will sign off on the project plan.
  18. System lockdown policy (baseline host/device security) - Defines what kind of lockdown process will be used on what types of systems. May include:
    1. Services not to be installed or run due to excessive vulnerability such as Windows messenger or Windows File and Print Sharing.
    2. Recommendation to limit the number of services run on a server.
    3. Recommendation to operate host intrusion detection on all servers or specific high risk or high impact servers.
    4. Policy to make it difficult for an attacker to access password files on any system.
  19. Server Monitoring Policy - Provides for monitoring servers for file space and performance issues to prevent system failure or loss of service.
  20. IT Equipment Purchase and Failure Prevention Policy - Defines technologies to be used in specific areas of functionality to reduce the chance of any serious disruption of service.
  21. Incident response plan * - Defines the response to a security incident such as a virus, network intrusion, abuse of a computer system or other situations.
  22. Intrusion detection policy - Defines what devices will be used on the network to detect any suspicious activity or intrusion. Defines what should be logged and the details of the logs.

Additional Policies and security areas to cover include:

  1. Emergency Contact Plan - Provides an emergency contact plan defining where emergency contact information is stored, the people to contact based on the emergency type, and how employees will learn about closings.
  2. Tracking of applications and operating systems for licensing purposes.
  3. File backup and restore policy - Defines what computers, equipment, and software will be used to perform file backups and what files and systems will be backed up by which devices.
  4. Disaster recovery * - Ensures that data won't be lost.
  5. Network documentation policy * - Defines the level of network documentation required such as documentation of which switch ports connect to what rooms and computers. Defines who will have access to read it and who will have access to change it. Defines where documentation will be stored.
  6. Server documentation policy * - Defines the level of server documentation required such as documentation of server services and configuration. Defines who will have access to read it and who will have access to change it. Defines where documentation will be stored.
  7. Network Scanning Policy - Describes what type of network scanning can be done, who is allowed to perform network scans, and under what conditions. May specify what procedure will be followed when performing different types of network scans. The procedure or policy may define who is to be notified when network scans are done and for which types of scans they will be notified.
  8. Network Risk evaluation - Evaluate threats to the network to determine where to improve defences.
  9. Computer and printer naming policy
  10. IP address assignment policy - Defines how IP addresses are assigned, who assigns them, how IP use is tracked, the file IP information is stored in, and who has the ability to read or change the file.
  11. Physical Security
  12. Diligence in hiring employees
  13. Perimeter security - How it is maintained, who is responsible for it, how changes to perimeter security devices are managed, how changes are requested and approved, and who has access to perimeter devices.
  14. Information protection - Provides guidelines to users and administrators about the storage, transmission, and protection of sensitive information. Defines information sensitivity levels, with the goal of ensuring information is protected properly. Defines who has access to information. Defines how to store and transmit sensitive information at various levels. Defines what systems sensitive information can be stored on and where it can be printed. Covers removal of sensitive information: scrubbing hard drives, shredding paper, degaussing.

Other Security Concerns

  1. Automatic logoff of inactive sessions after some period of time.
  2. Logging and audit controls - Must log activity in systems with sensitive information