Example of security policies
In order to develop an information security policy, it is necessary to rely on standards and methods. This task is usually the first mission that an Information Security Manager must carry out, relying on recognized standards and methods.
Updated on 01/24/2005
International standards
An internationally recognized standard is ISO 17799, the 'code of practice for information security management'. This standard is a reference for best security practices and for the controls related to their application.
The ISO 17799 standard emerged in 2000 in the world of information systems security. It is intended for executives, information system directors and security officers (Chief Security Officer, RSSI). It was defined in order to respond to the need for a 'trust label' issued by an internationally recognized organization. Just like the ISO 9000 standard, well known to all in the field of quality, the ISO 17799 standard aims to establish a trust label recognized by all for the securing of information from a global perspective.
National and international data exchanges between collaborators of the same organization, partners and clients, coupled with ICT, imply the need to agree on a standard that can help secure information and the exchange processes. The ISO 17799 standard offers a set of organizational and technical measures, but does not impose any specific technological solution.
This standard places particular importance on certain crucial aspects of security:
• the support of management for the implementation of a security policy and the determination of the human resources to associate with it;
• the identification of threats specific to the organization and the assessment of the risks incurred;
• the classification of information in order to deploy resources only on what is necessary;
• the measures to be implemented to establish a 'security culture'.
The group dedicated to information security within the ISO organization has published various reports related to information systems security. Some of these reports do not have the status of international standard but rather of technical guideline:
• ISO 13335:
  • concepts and models for the management of ICT security,
  • techniques for managing risks related to ICT security,
  • techniques for IT security management,
  • selection of safeguards,
  • network security management guide;
• ISO 14516: guidelines for the use and management of trusted third-party services;
• ISO 15408: evaluation criteria for ICT security;
• ISO 18044: information security incident management;
• etc.
Security policies derived from recognized standards are developed according to two scales of recommendations:
• Light Information Security Policy: a modest information security policy;
• Reinforced Information Security Policy: a reinforced information security policy.
Light Information Security Policy
Hardware, peripherals and various equipment
• Provide continuous power supply to critical equipment.
• Use PSTN/ISDN modems or DSL lines with caution: any transmission of critical or confidential information via these communication systems must be thought through if no protection tool (cryptography) is used.
• Control the computer interconnection infrastructure (network cabling). All access points to the network must be identified.
• Remove data from obsolete equipment that is no longer used; the operating systems and installed applications can be preserved.
• Lock each workstation (for example via a screensaver with lock) when its user is not at their station. Every server must be locked when no IT manager is using it.
Work outside the organization's premises and use of external personnel
• Correctly define the framework associated with the mission of an external IT service provider. The service provider should only have access to the systems or information related to the tasks associated with its mission. In addition, the service provider must guarantee the confidentiality of the information it will have to handle.
• Raise staff awareness about the risks associated with the use of laptop computers by staff. These risks arise from the 'mobile' nature of this equipment and the strategic information it may contain.
• Raise staff awareness about the risks associated with the use of remote access (VPN, telecommuting, etc.). Indeed, the remote work site represents an entry point whose control is more difficult.
Access control to information systems and the content they hold
• Implement a uniform, controlled and centrally managed authentication method. As far as possible, it is important not to replicate the computer accounts on each workstation.
• Classify all information made available on the IT infrastructure and associate it with usage profiles. Each identified profile will be given a set of access rights allowing it to use the information linked to it.
• Prohibit 'standard' users from logging in on their workstation using a local or network administrator account. If access to system features is required (for example, to install a program), the user's own account can be added to the "local administrators" group of their own workstation, but in no case of every workstation of the organization. In addition, the local or network administrator password must remain confidential within the IT management group.
• Define a password selection policy for accounts. If necessary, a generic account can be associated with a group of users with the same function. Empty passwords may be tolerated in certain contexts.
• Place sensitive computer systems (server, router, switch, etc.) in restricted-access premises. Physical access to these premises will be limited to authorized personnel.
Information processing
• Reserve the installation and management of the network infrastructure to qualified personnel. Special attention will be given to open wireless access points and to technologies related to remote work (VPN without internal firewall).
• Reserve all system administration actions for qualified personnel. In the absence of qualified personnel within the organization, a company competent in the matter will be called upon within the framework of a well-defined contract.
Electronic messaging and Internet/Intranet/Extranet access
• Submit all emails (incoming and outgoing) and any document downloaded from an unreliable source (such as the Internet) to virus and malicious code detection. A protection tool must therefore be present on each workstation. A daily update of this tool is essential.
• Use privacy tools (encrypted zip, for example) for the exchange of emails concerning sensitive information.
• Set up a firewall. This implementation will be carried out according to the principle of global closure of all entries, followed by the opening of the required services.
• Handle all unsolicited emails with caution.
• Any document received from an unidentified source must be considered suspect and immediately removed.
• Check the destination addresses when sending or forwarding an email.
• Send emails of impressive size (several MB) with discernment. It is important to take into account the transmission capacity available on the network and the potential reception capacity of the recipient in order not to block any other transmission.
Reinforced Information Security Policy
Hardware, peripherals and various equipment
• Provide continuous power supply to critical equipment (UPS).
• Plan for a power generator as a backup for the UPS.
• Limit the use of fax (machine or modem) in order to reduce the potential for information leaks.
• Use PSTN/ISDN modems or DSL lines with caution: any transmission of critical or confidential information via these communication systems must be thought through if no protection tool (cryptography) is used.
• Control the use of printing tools (local printer, network printer, etc.). No critical or confidential information should be printed without the assurance that the transmission is secure. Moreover, the use of remote printing resources must take into account that an unauthorized individual can potentially seize the printed documents.
• Control the computer interconnection infrastructure (network cabling). All access points to the network must be identified, and each unused port must be formally identified, or even disconnected.
• Delete data on obsolete equipment that is no longer in use.
• Lock each workstation (for example via a screensaver with lock) when its user is not at their post. The necessary measures (for example, an automatic lock after a certain period of inactivity) will be put in place to address any potential shortcomings of the user. Every server must be locked when no IT manager is using it.
• Check, when setting up an Intranet/Extranet, that no back door has been opened. Indeed, such a flaw would allow the circumvention of the identification systems put in place.
Work outside the organization's premises and use of external personnel
• Correctly define the framework associated with the mission of an external IT service provider. A 'Service Level Agreement' must define the roles, rights and obligations that the service provider must comply with to ensure the proper execution of the tasks entrusted to it, as well as the confidentiality of the information it might be required to handle.
• Control the allocation of laptops to staff. The use of such a laptop must be restricted to the applications authorized in the framework of the professional function. To do this, a robust system administration must be implemented on the laptop to ensure that the rule cannot be circumvented. Finally, the necessary measures (encryption of the local disk, restricted user rights, strong authentication system, etc.) will have to be implemented in order to ensure the confidentiality of the information that may be accessible in case of loss or theft of the mobile equipment.
• Control remote access (VPN, telecommuting, etc.) by staff to IT resources. The necessary measures (restricted user rights, strong authentication system, filtering of inappropriate network traffic, etc.) will need to be implemented to ensure complete protection of the organization's remote site.
Access control to information systems and the content they hold
• Establish a uniform, controlled and centrally managed authentication method. Furthermore, it is advisable to be able to use this same authentication infrastructure with the different systems requiring user identification (single sign-on).
• Classify all information made available on the IT infrastructure and associate it with usage profiles. Each identified profile will be given a set of access rights allowing it to use the information linked to it. In addition, information identified as critical or confidential will be subject to special measures ensuring the necessary security (encryption of certain content on its storage media and when transferring it over the communication network, introduction of an access audit system, etc.).
• Associate access to network resources (printer, scanner, storage unit, Internet, etc.) with an identification and audit mechanism. The hardware needed for network resources will also be protected against direct-mode access, that is to say access bypassing the access control system (mandatory print queue on a server, proxy for the Internet, etc.).
• Reserve 'administrator' rights for the members of the IT administration group. All workstations must be managed in such a way that unauthorized personnel have no opportunity to obtain such system rights. This includes the inability for a user to modify (adding/removing programs) the configuration and stability of their workstation. In addition, each workstation will only include the applications essential for carrying out the tasks associated with the function of the user of that workstation.
• Define a password selection policy for accounts. No generic account can be associated with a group of users with the same role. Empty passwords are not tolerated, and the validity period of passwords will be determined, with a mandatory renewal system. For the IT administration group, each manager will have their own account associated with system administrator rights, and all administrative actions will be carried out under the effective identity of the person responsible. In addition, an audit system will be put in place to allow the traceability of the actions undertaken.
• Place sensitive IT systems (server, router, switch, etc.) in restricted-access premises. Physical access to these premises will be limited to authorized personnel. The premises will be closed and an identification mechanism (electronic badge, personal code, etc.) will be implemented, as well as an audit system, if possible. Special attention will be given to the network interconnection panel (patch panel). Access will preferably be limited by a closed cabinet reserved for network managers.
• Perform all remote administration operations via secure communications (for example SSH, terminal server, etc.). The goal is not to transmit the authentication parameters of administration accounts in clear and without protection.
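As an added example (not part of the original article), a small checker that applies the reinforced account rules above (no generic group account, no empty password, validity period with mandatory renewal, personal accounts for administrators) to constructed account records; the 90-day validity period, the reference date and the sample accounts are assumptions.

```python
from datetime import date, timedelta

# Reference date for the checks (the article's own update date) and an assumed
# validity period; the article leaves the actual period to the organization.
TODAY = date(2005, 1, 24)
VALIDITY_DAYS = 90

# Constructed sample account records (not taken from the article):
# (account name, generic/shared account, password, last password change, admin rights)
SAMPLE_ACCOUNTS = [
    ("alice",        False, "Tr0ub4dor&3!", date(2005, 1, 10), False),
    ("bob",          False, "",             date(2005, 1, 20), False),  # empty password
    ("accounting",   True,  "Compta2004",   date(2004, 6, 1),  False),  # shared group account
    ("admin-shared", True,  "R00t-pw",      date(2004, 11, 5), True),   # shared admin account
    ("carol",        False, "S3cur3#Pass",  date(2004, 9, 1),  True),   # password never renewed
]


def renewal_due(last_change, validity_days=VALIDITY_DAYS):
    """Date by which the password must be renewed under the mandatory renewal system."""
    return last_change + timedelta(days=validity_days)


def check_accounts(accounts, today=TODAY, validity_days=VALIDITY_DAYS):
    """Apply the reinforced policy rules and return a list of (account, violation).

    Rules modelled: no generic account per group of users, no empty password,
    a validity period with mandatory renewal, and a personal account for every
    member of the IT administration group.
    """
    violations = []
    for name, generic, password, last_change, is_admin in accounts:
        if generic:
            violations.append((name, "generic account associated with a group is not allowed"))
        if password == "":
            violations.append((name, "empty password is not tolerated"))
        if today > renewal_due(last_change, validity_days):
            violations.append((name, "validity period exceeded, renewal required"))
        if is_admin and generic:
            violations.append((name, "administrator must act under a personal account"))
    return violations


if __name__ == "__main__":
    for account, problem in check_accounts(SAMPLE_ACCOUNTS):
        print(f"{account}: {problem}")
```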
Information processing
• Reserve the installation and management of the network infrastructure to qualified personnel. No connection to the infrastructure should be possible without the intervention of the responsible personnel (MAC address filtering, deactivation of unused ports on the switch, establishment of firewall filtering rules for the internal traffic within the organization, etc.). In addition, any addition of wireless communication systems (WiFi) must be associated with strong encryption (WPA and not WEP), and remote access (VPN) connections will be subject to strict control. Finally, all communication equipment not under the total control of the manager will be prohibited (for example a modem on the workstations).
• Reserve "system" administration for qualified personnel appointed by the organization.
• Record every unsuccessful attempt to access documents or the information system (log).
• Regularly analyze the recordings of the log files (access log, error log, authorization log, etc.). This analysis will be conducted by competent personnel. Furthermore, it is essential that each computer system synchronize its clock with a reference clock (NTP server).
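As an added example (not part of the original article), a log review over constructed authentication records of the kind the two items above call for: it counts failed attempts per source and flags a host whose timestamps run backwards, the symptom of a clock not synchronized with the NTP reference. The log format, the hostnames, the addresses and the threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines as a central syslog host would receive them from two
# servers (not taken from the article). srv02's first line carries a timestamp
# earlier than the record received just before it: its clock is behind.
SAMPLE_LOG = """\
2005-01-24T08:00:01 srv01 sshd: Failed password for invalid user root from 10.0.5.17
2005-01-24T08:00:03 srv01 sshd: Failed password for invalid user root from 10.0.5.17
2005-01-24T08:00:04 srv01 sshd: Failed password for admin from 10.0.5.17
2005-01-24T08:00:06 srv01 sshd: Accepted password for alice from 10.0.1.20
2005-01-24T08:00:08 srv01 sshd: Failed password for admin from 10.0.5.17
2005-01-24T08:00:09 srv01 sshd: Failed password for admin from 10.0.5.17
2005-01-24T08:00:11 srv01 sshd: Failed password for admin from 10.0.5.17
2005-01-24T07:59:50 srv02 sshd: Failed password for bob from 10.0.1.21
2005-01-24T08:00:12 srv02 sshd: Accepted password for bob from 10.0.1.21
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)$")


def parse(log_text):
    """Return (timestamp, host, outcome, user, source) tuples in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, outcome, user, src))
    return events


def failed_attempts_by_source(events, threshold=3):
    """Sources with at least `threshold` failed logins (threshold is an assumed value)."""
    counts = Counter(src for _, _, outcome, _, src in events if outcome == "Failed")
    return {src: n for src, n in counts.items() if n >= threshold}


def clock_skew_suspects(events, tolerance=timedelta(seconds=5)):
    """Hosts whose records run backwards in time against the latest record seen so
    far by more than `tolerance`: a sign that the host is not synchronised with the
    NTP reference clock, so its audit trail cannot be correlated with the others."""
    suspects, latest = set(), None
    for ts, host, *_ in events:
        if latest is not None and ts < latest - tolerance:
            suspects.add(host)
        latest = ts if latest is None else max(latest, ts)
    return suspects
```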
Email and Internet/Intranet/Extranet access
• Submit all emails (incoming and outgoing) and all documents downloaded from an unreliable source (the Internet, for example) to virus and malicious code detection. A protection tool must therefore be present on each workstation. Furthermore, the management of these tools must imperatively be centralized by the IT managers, and the software update must be carried out several times a day.
• Carry out exchanges of emails concerning sensitive information and documents using tools enabling the encryption of messages following a public/private key system. Any exchange of this type must also be associated with an electronic signature. The administration of certificates will be managed centrally by the IT managers.
• Check, during the implementation of an Intranet/Extranet, that no hidden door has been opened. Before setting up an extranet, an engineering of network communications must be implemented to restrict access to resources exclusively internal to the organization to partners with sufficient access rights. In addition, an audit system must be put in place.
• Set up a firewall. This setup will be done according to the principle of global closure of all entries, followed by the opening of the required services. The firewall must be of 'stateful' type, and the notification messages must be recorded and saved (syslog).
• Handle all unsolicited email with care. The IT administration will have to implement tools (anti-spam filter) at the server level to minimize this type of request as much as possible.
• Any document received from an unidentified source must be considered suspect and immediately deleted. The IT department must be informed.
• Check the destination addresses when sending or forwarding an email.
• Establish systems to prevent the sending of large emails. These messages could indeed block any other transmission. It is the IT administration that is responsible for this task (for example via a rule on the mail server).
• Implement network analysis tools (for example IDS) in order to identify any abnormal traffic or behavior. It is the IT administration that is responsible for this task.
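As an added example (not part of the original article), a model of the firewall rule stated in both the light and the reinforced policy: global closure of all entries, then opening of the required services, with stateful tracking of accepted connections and a syslog-style record of each drop. The opened services, the addresses and the packet sequence are assumptions.

```python
from ipaddress import ip_address, ip_network

# Services opened after the global closure. This set is assumed for the
# example (the article does not prescribe one): HTTPS on the web server for
# everyone, SSH on the same host from the administration LAN only.
ALLOW_RULES = [
    # (source network, destination host, protocol, destination port)
    ("0.0.0.0/0",   "192.0.2.10", "tcp", 443),
    ("10.0.9.0/24", "192.0.2.10", "tcp", 22),
]


class StatefulFirewall:
    """Default-deny filter: a packet passes only if it opens an allowed service
    or belongs to a connection that was already accepted; every drop is logged."""

    def __init__(self, rules):
        self.rules = [(ip_network(s), ip_address(d), p, port) for s, d, p, port in rules]
        self.state = set()   # accepted flows: (src, sport, dst, dport, proto)
        self.syslog = []     # one record per dropped packet, as the policy requires

    def filter(self, src, sport, dst, dport, proto):
        forward = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        if forward in self.state or reverse in self.state:
            return "ACCEPT"                      # established connection, either direction
        for net, host, p, port in self.rules:
            if ip_address(src) in net and ip_address(dst) == host and (p, port) == (proto, dport):
                self.state.add(forward)          # remember the flow so its replies pass
                return "ACCEPT"
        self.syslog.append(f"DROP {proto} {src}:{sport} -> {dst}:{dport}")
        return "DROP"                            # global closure: nothing else gets in


def run_scenario():
    """Constructed packet sequence; returns the decisions in order and the drop log."""
    fw = StatefulFirewall(ALLOW_RULES)
    decisions = [
        fw.filter("203.0.113.5", 40000, "192.0.2.10", 443, "tcp"),   # client opens HTTPS
        fw.filter("192.0.2.10", 443, "203.0.113.5", 40000, "tcp"),   # server reply, known flow
        fw.filter("203.0.113.5", 40001, "192.0.2.10", 22, "tcp"),    # SSH from outside
        fw.filter("10.0.9.4", 50000, "192.0.2.10", 22, "tcp"),       # SSH from the admin LAN
        fw.filter("192.0.2.10", 443, "203.0.113.9", 40005, "tcp"),   # unsolicited, no flow
        fw.filter("203.0.113.9", 4444, "192.0.2.10", 3389, "tcp"),   # service never opened
    ]
    return decisions, fw.syslog
```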
Written by Walloon Agency for Telecommunications