Security Policies

Why do we need security policies?

Internet is a mixed blessing. On the one hand, it allows millions of people to exchange information, offering chances for publicity, services, information gathering, and socializing. But whenever you get a community of people, you get crime. It's true in a city, it's true in an organization, and it's certainly true on the internet.

All but the smallest companies have a need of a Company Security Policy (CSP). A CSP is a document that specifies, at a high level, the behaviors that the organization will and will not allow.

It does not not discuss specific technologies but handles things like the procedures the last person leaving the building should follow before he/she turns off the light or where to safekeep (paper) documents, but also conditions for remote access to the corporate network, or the frequency with which passwords change.

It is the first step in achieving the wanted and needed level of security in the company but it is a difficult step. Research has shown that Creating security policies that support all of your organization's needs and objectives is a challenge. Less than half of the Security Officers believe their company's security policies are very well-aligned with its business goals, and another 45 percent believe their policies are only somewhat well-aligned with those goals.

A CSP must be created and approved by management, and communicated through the work force. It should be made available for every one to read.

A CSP does not only determine the do's and don'ts for the employees, it also determines what should be done on a technical level to implement the rules.

What should be in a CSP?

Explanations

The policy should be clear about why certain decisions have been made. Most people don't follow rules unless they understand why they are important.

Responsibilities

A policy should state the responsibilities of everyone involved. This includes users, system administrators and management.

Enforcement Authority

The policy should state who's responsible for enforcing the policy and for making the corrections that may be needed. Some examples are:

• Who has the authority to grant or revoke access?
• What are the penalties available to a manager for misconduct?
• Who is responsible when something goes wrong.
• ...

Review provisions

Setting up a policy and then forgetting it is a waste of time and money. The needs of the company will change over time, and policies that once were sensible can become too restrictive or too lax. The most frequent change is company size. What works for 3 people probably will not work for 3000, and thus, the CSP has to evolve with the company.

Plain English

It is of the utmost importance that your security policy is understandable. This is even more important than to make it precise or look official. You will not get people to comply unless they understand what you want.

How can ZZICT help?

Regarding CSPs, the ZZICT Security Lab offers 2 services. We have the expertise to guide corporate management in the creation of a Company Security Policy and we also review existing CSPs and report discrepancies between reality and the desired situation.

Custom Firewalls Architectures

Firewalls are a great aid in realizing the network related part of a CSP, but since CSPs vary widely, so will the firewalling needs. What fits a bank does not necessarily fit a fitness club and vice versa. Determining the right firewall setup for your company is not a trivial thing.

What's an internet firewall anyway?

Simply put, a firewall is a solution that serves multiple purposes:

• It restricts incoming network traffic at a carefully controlled point
• It restricts outgoing network traffic at a carefully controlled point
• It makes sure that all traffic between the network and the outside world is acceptable

Acceptable means that whatever is being done (ftp,email,...) conforms to the security policy of the site. Logically, a firewall is a seperator, while at a physical level, it most often is a set of hardware components: a router, a host computer, or a combination of routers, computers networks with appropriate software.

How can ZZICT help ?

There are a lot of possibilities to set up a firewall solution. A site that needs a firewall has several options. If they have the expertise, they can opt to build the solution themselves, or if they are short on expertice, they can purchase a commercial firewall product, and be done with it, now can they ? In reality after one decides to buy a firewall, one still needs a fair bit of understanding on how they're built and how they work.

Also, this is not an all or nothing decision: one may opt to buy components and complement them with freely available tools.

The ZZICT security Lab does not sell security products nor is it affiliated with security product vendors. This allows us to evaluate the different possibilities and determine the right firewalling solution for the customer.

Other security consultancy related services

Training and Presentations

ZZICT offers security related training and presentations. Together with the customer, descide upon topic and target audience.

Post Mortem analysis and clean up.

So you've been hacked and need to :

• find out how they did it
• assess the damage done
• clean up the hosts affected
• prevent future occurrence

We are glad to help. The ZZICT Security Lab has a cleaning team especially trained for these situations.