<article class="post-216 post type-post status-publish format-standard hentry category-texas-regional-infrastructure-security-conference-2009 tag-architecture tag-policy tag-security">
<h1>Security Policy Architecture – How to fix your current disaster</h1>
<p>Published 2009-03-24 (last modified 2009-04-09). Category: Texas Regional Infrastructure Security Conference 2009. Tags: architecture, policy, security. Permalink: <a href="https://www.webadminblog.com/index.php/2009/03/24/security-policy-architecture-how-to-fix-your-current-disaster/">https://www.webadminblog.com/index.php/2009/03/24/security-policy-architecture-how-to-fix-your-current-disaster/</a></p>

<p>One of the sessions I attended on the Tuesday of TRISC 2009 was Doug Landoll of Lantego on "Security Policy Architecture". It was a very good overview of how to put security policies in place that are as comprehensive as they need to be and that can be audited easily if the need arises. The slides are available <a href="http://trisc.org/presentations/Landoll_Policy_Disasters.pdf" target="_blank">here</a>, and because the talk leaned heavily on its visual aids I recommend reading the slides themselves. My notes are below in case the slides ever disappear.</p>

<p><span style="text-decoration: underline;"><strong>Importance of Security Policies</strong></span></p>
<ul>
<li>Govern expected behavior and process
<ul>
<li>Expected and prohibited behavior</li>
<li>Security process</li>
</ul>
</li>
<li>Establish roles and responsibilities
<ul>
<li>Management &amp; oversight</li>
<li>Execution</li>
</ul>
</li>
<li>Define protection measures
<ul>
<li>Access controls</li>
<li>Physical security measures</li>
<li>Monitoring, audit, and oversight</li>
<li>Response priorities</li>
</ul>
</li>
</ul>

<p><span style="text-decoration: underline;"><strong>Hazards of Weak Security Policies</strong></span></p>
<ul>
<li>Unclear expected behavior
<ul>
<li>Personnel guess at what is allowable and expected</li>
<li>Minor "infractions" go undefined and unnoticed</li>
<li>Leads to an eroding culture of trust</li>
</ul>
</li>
<li>Unclear roles and responsibilities
<ul>
<li>No oversight: administrator actions go unchecked</li>
<li>No management: activities happen according to whim</li>
</ul>
</li>
<li>Unclear protection measures
<ul>
<li>"Heroes" define network security</li>
<li>Extremely tech-centric security posture</li>
</ul>
</li>
</ul>

<p><span style="text-decoration: underline;"><strong>Security Architecture Mistakes</strong></span></p>
<ul>
<li>Mixed-audience policies: a single policy that addresses several audiences at once, so no reader knows which parts apply to them
<ul>
<li>Example: an encryption policy covers
<ul>
<li>Use of encryption – users</li>
<li>Selection of encryption algorithms – system owners</li>
<li>Implementation of encryption – custodians</li>
<li>Key escrow – system owners</li>
<li>Oversight – auditors/management</li>
</ul>
</li>
<li>Example: a security updates policy covers
<ul>
<li>Do not block network updates – users</li>
<li>Patch every Tuesday – admins</li>
</ul>
</li>
</ul>
</li>
<li>Ask first: who is the audience?</li>
</ul>

<p><span style="text-decoration: underline;"><strong>Common Policy Architecture Mistakes</strong></span></p>
<ul>
<li>One topic = one policy</li>
<li>Magic policies (templates and handbooks)
<ul>
<li>Pros
<ul>
<li>Solves the "blank piece of paper" problem</li>
</ul>
</li>
<li>Cons
<ul>
<li>Old</li>
<li>No consideration for your environment, culture, or organization</li>
<li>Discourages analysis</li>
<li>No SME (subject matter expert) involvement</li>
<li>Thwarts adoption</li>
</ul>
</li>
</ul>
</li>
<li>Matching policy to individual requirements, one project per regulation
<ul>
<li>PCI policy project</li>
<li>HIPAA policy project</li>
<li>TAC 202 (Texas Administrative Code, Chapter 202) policy project</li>
<li>Etc.</li>
<li>Problem: requirements are organized by control, while policies are organized by audience and topic, so the two never line up one-to-one</li>
</ul>
</li>
</ul>

<p><span style="text-decoration: underline;"><strong>Clean Slate Approach</strong></span></p>
<ol>
<li>Assess what you have
<ul>
<li>Independent and complete review process</li>
</ul>
</li>
<li>Determine a controls framework
<ul>
<li>COBIT, ISO 27001</li>
</ul>
</li>
<li>Map in requirements
<ul>
<li>PCI DSS, HIPAA, TAC 202</li>
</ul>
</li>
<li>Organize and create policy statements
<ul>
<li>Build a matrix with controls as rows and requirements as columns, and write a policy statement for each cell</li>
</ul>
</li>
<li>Create the policy architecture
<ul>
<li>Organized by audience and topic</li>
</ul>
</li>
</ol>

<p><span style="text-decoration: underline;"><strong>Policy Assessment Approach</strong></span></p>
<ul>
<li>Step 1: essential elements checklist</li>
<li>Steps 2 (controls framework) and 3 (map requirements)</li>
<li>Steps 4 (policy statements) and 5 (policy architecture)</li>
</ul>

<p><span style="text-decoration: underline;"><strong>Conclusion</strong></span></p>
<ul>
<li>Administrative controls
<ul>
<li>Management, oversight, process</li>
<li>Address organizational and insider issues</li>
</ul>
</li>
<li>Lack of a policy architecture
<ul>
<li>Leads to weak administrative controls</li>
<li>Leads to unplanned technology implementation
<ul>
<li>"Implementation by appointment"</li>
</ul>
</li>
</ul>
</li>
<li>Ensure your controls are complete</li>
<li>Reaction is NOT a strategy (don't do it because a vendor called you or because an auditor said to do it)</li>
</ul>
</article>