Intranet Journal
The online resource for intranet professionals

Security Policies 101

1/6/03

Go to page: 1 2

Administrative Policies vs. Technical Policies

Technical security policies describe how technology should be configured and used, and administrative security policies describe how people (end-users and management) should behave. The intended security rules for technology systems and data should be explicitly described in technical security policies. Technical security policies describe a rule or regulation pertaining to a piece of equipment, facility, or data.

Administrative security policies describe the intended behavior rules for people. Serving as a guide for both end-users and management, administrative policies should spell out the roles and responsibilities for all users of technology systems in the organization. It is very important to inform end-users and other management team members of administrative security policies. Users cannot be expected to follow policies if they do not know what they are. After reviewing the administrative policies, it is a good idea to get the user to sign the policy document attesting to the fact that they have read it, understand it and will abide by it.

Many organizations take the time to define technical security policies, while administrative security policies are often overlooked. While many technical security policies can be audited with online scanning tools, administrative security policies can only be audited with an in-person review. Auditors who review administrative policies will typically ask to see the actual formal policy document. Efficient auditors will also interview end-users and management to see if they understand their roles and responsibilities.

Administrative Security Policy Samples

• Users must change their passwords each quarter.
• A designated employee should securely maintain a master list of passwords.
• End-users will update their virus signatures at least once a week.
• Users will not e-mail passwords across the corporate infrastructure.
• Users must use a card-key to enter the data center.
• Employees shall not use dial-out modems from their desktops.
• All users must read, sign and abide by the end-user security policies.
• Users will report suspicious network activity to the security officer.
• The security officer will manage and respond to all security incidents.
• Company information marked Proprietary must be used only for legitimate business purposes.

If your organization was being audited, here are some questions that an auditor might ask in regards to your administrative security policies:

1. Are employees informed about reporting security incidents? How would they know what to report, and to whom to report it? Where can employees turn for information to guide them on how to handle security incidents?
2. Are there security policies associated with change-management?
3. Who is responsible for risks associated with third-party vendors and partners?
4. Are there regular security reviews of IT systems? Are reports generated to capture the current security posture and make recommendations for corrective action? (You should assume that if an auditor asks if reports exist they will ask to see them.)
5. Is there a policy that defines acceptable use of the Internet?
6. What authorization is needed to change user IDs?
7. Are procedures for the disposal of media documented?
8. Who is responsible for enforcing policy breaches?
9. What are the reasons for allowing employees remote access?
10. How are employees made aware of security policies and procedures?

Technical Security Policy Samples

• Servers will be configured to expire passwords once every quarter.
• Anti-virus software will be installed and properly configured on all user desktops.
• A card-key system will be installed at every data center entrance.
• All data and information must be assigned a custodial owner.
• All access control systems must be monitored for compliance.
• Online penetration tests should be conducted twice a year.
• Accounts must initiate a lock out after four unsuccessful attempts to login.
• Encryption is used to prevent access to sensitive and proprietary information.
• Incoming attachments must be scanned for viruses on the boundary server.
• Passwords must be at least 8 characters long and include upper and lower case characters and at least one numeric character.

1. Are stored passwords on the Web site encrypted? How?
2. How is the logical access to the Web site server controlled?
3. What controls are in place to protect audit log files?
4. Is there a master backup of router and firewall configuration files?
5. What outbound and inbound connections and services are being allowed through the firewall?
6. What is the process for authenticating firewall administrators?
7. Are Web servers protected from buffer overflow attacks? How?
8. What security controls exist to protect credit cards numbers? Are the credit card number encrypted?
9. How is the security of dial-up connections controlled?
10. Does the enterprise system architecture documentation include all physical and logical (VLAN) connections?

Writing security policies take a long time and a lot of thought. It may be useful to have your human resources department review the administrative policies since many of these policies are associated with employee behavior. It is possible that human resources will want to include some of the administrative policies into job descriptions or other employee policies.

The technical teams that are responsible for administering servers, routers, switches and applications should review the appropriate technical policies that are related to their respective responsibilities. Before etching the security policies in stone, the security officer should make sure that they undergo sufficient peer review. Organizations without security policies are putting themselves at risk and exposing themselves to numerous liabilities. If your organization has anything at stake as far as proprietary information goes, financial information, customers or shareholders, writing security policies are worth the trouble.

Go to page: 1 2