Symantec Security Response - Importance of Corporate Security Policy

Importance of Corporate Security Policy
Defining corporate security policies, basing them on industry standards, measuring compliance, and outsourced services are keys to successful policy management.

In today's high-tech and interconnected world, every corporation needs a well thought out security policy. Threats exist from both within the walls of each enterprise as well as from external sources such as hackers, competitors and foreign governments. The goal of corporate security policies is to define the procedures, guidelines and practices for configuring and managing security in your environment. By enforcing corporate policy, corporations can minimize their risks and show due diligence to their customers and shareholders.

I. Why Have A Security Policy?

Information security is a business issue, not just a technology issue. The reason organizations want to protect information should be for sound business purposes. Corporate knowledge and data are arguably the most important assets of any organization. Corporations must ensure the confidentiality, integrity and availability of their data. These three security objectives answer the questions: "Who sees the data?", "Has the data been corrupted?" and "Can I access the server or data when I need it?"

Corporate Security Policies provide several benefits. They provide a standard baseline of security policy modules and checks, based on the organization's information security policies and standards. They establish a solid, scaleable basis for an enterprise-wide product deployment such as ESM. Policies heighten security awareness of company personnel. They also help organizations demonstrate their commitment to protecting their vital information assets.

Having a security policy that is easily measured and enforced is key. Tools, such as Symantec Enterprise Security Manager™ (ESM) are designed to measure enterprise-wide security policy compliance. It answers the question "How secure are we?" The Symantec Security Response team provides pre-configured security policies based on industry standards and best practices, easing the burden of effective security policy development. Policies are designed very specifically, protecting the confidentiality, integrity, and availability of your data.

II. Where To Start

The first step toward implementing information security is to formulate a security policy. Identify the key assets to secure, and which assets will be extended to whom. The role of the policy is to guide users in knowing what is allowed, and to guide administrators and managers in making choices about system configuration and use. This process will help you establish specific security goals and a plan to tackle them. Before you can manage security you have to have a way to measure its effectiveness. Your corporate security policy provides the acceptable baseline standards against which to measure compliance.

There is no need to start from scratch. Rather than analyzing every risk, look at what others are doing. Meet standards of due care by using existing standards and industry "best practices". Pay attention to regulations and requirements from government, industry and partners.

Some small organizations have the tendency to define security policy from the bottom up, starting with the capabilities of the tools at hand. Medium and large enterprises know that sound security policies begin from the top down.

As the policy pyramid shows, the best security begins with upper management creating an actual policy or mandate to implement security. The policy should be based on industry standards and regulations such as ISO 17799 and HIPAA. Procedures, guidelines and practices form the basis for all security technology. Products such as ESM measure policy compliance with modules and policies for operating systems, databases and applications. These then interact with the actual computer environment.

A thorough security policy doesn't stay static. It is a living document, changing with corporate needs. It evolves to guard against perceived threats and changing system architectures. Tools to implement and measure corporate security policy compliance exists in products like Symantec Enterprise Security Manager™ and Symantec NetRecon™.

Organizations must also maintain a "best practice" level of compliance, in order to pass audits measured against standards and regulations.

III. Standards And Regulations

A host of information security standards and government regulations have been published over the years providing a great foundation for corporate security policy.

Standards are often based on user consensus or international adaptation. The ISO/IEC 17799 international standard is based on security requirements established by the British Government form BS 7799 Part I. Its stated purpose is to "give recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization". The Center for Internet Security (CIS) is an emerging worldwide standards consortium developing benchmarks to determine if minimum standards of due care are taken. The SANS/FBI Top 20 Internet Security Threats combines top 10 lists from multiple security vendors and experts.

Regulations are developed by U.S. and foreign governments to address specific industries such as finance and health care. HIPAA defines security and privacy standards for the health care industry. The Gramm-Leach-Bliley Act is legislation addressing financial services in the United States.

The table below lists several standards and regulations that enterprise customers and government agencies are required to adhere to.

Standard/Regulation	Industry	Type	Comments/URLs
ISO/IEC 17799	International - Baseline	Standard	"The International Organization for Standardization" www.iso-17799.com
BS 7799 Part 1	British Government	Standard	British Standard. Predecessor to ISO 17799 standard
AS4444/NZS4444	Australian Government	Standard	Australian Standard/New Zealand Standard. Replaced by ISO 17799 standard
HIPAA	Health Care	Regulation	Health Insurance Portability And Accountability Act of 1996.
CIS Benchmarks	Worldwide Consortium	Standard	The Center for Internet Security Solaris Benchmark
Gramm-Leach-Bliley Act (GLBA)	US Financial Services Law	Regulation	US Legislation passed Nov. 1999.
SANS/FBI Top 20 List	General Security	Standard	System Administration, Networking and Security/Federal Bureau of Investigation
CVE	General Security	Standard	MITRE's Common Vulnerabilities and Exposures
VISA	Banking	Standard	Visa International and Visa USA
ISO 15408 (Common Criteria)	International Security Program - Systems	Standard	May be replacing NSA's Red Book and Orange Book
CASPR	GNU Best Practices	Standard	Commonly Accepted Security Practices & Recommendations
OCC	Banking	Regulation	Office of the Comptroller of the Currency
FDIC	Banking	Regulation	Federal Deposit Insurance Corporation
SysTrust	AICPA	Standard	American Institute of Certified Public Accountants
FISCAM	GAO (Federal Govt.), Financial Systems	Regulation	Federal Information Systems Control Audit Manual
CobiT	ISACA	Standard	Control Objectives for Information and Related Technology
IETF Security Handbooks	Internet Community	Standard	The Internet Engineering Task Force
SEC	Brokerage	Regulation	U.S. Securities and Exchange Commission
Rainbow Series (Orange Book)	Military commands and contractors	Regulation	Being replaced by Common Criteria
FDA	Pharmaceutical	Regulation	Food and Drug Administration
NPG 2810 (NASA)	Facilities and Contractors	Regulation	NASA Policy Guideline
1974 Privacy Act and Amendments	US Companies	Regulation	www.usdoj.gov/04foia/privstat.htm
ISO 13335(Parts 1,2,3,4,5)	International - Educational	Technical Report	A five-part technical report giving guidance on security management.
SAS70	Auditing	Standard	Statement on Auditing Standards
GASSP	Older than CASPR	Standard	Generally Accepted Systems Security Principles
DITSCAP/NIACAP	Department of Defense (DOD)	Regulation	DoD Information Technology Security Certification and AccreditationProcess
AS/NZS 4360:1999	Australian/New Zealand Government	Standard	Australian Standard / New Zealand Standard
FCC	US Government	Regulation	Federal Communications Commission
Other Standards	---	Standard and Regulation	---

IV. Symantec's Vulnerability Management Products

A large portion of a corporate security policy is proactive in nature. Tools that help measure risk as well as security policy compliance are often grouped under the category of vulnerability management (VM) products. This is equivalent to the physical security analogy of "putting locks on the doors." Intrusion detection products should also be deployed. These tend to be reactive in nature. This is equivalent to the physical security analogy of "sounding burglar alarms." Both are needed. Both should work together and compliment each other.

Symantec currently offers two enterprise-class VM products to assess risk and measure policy compliance. Symantec ESM is a host-based policy compliance product, while Symantec NetRecon is a network-based vulnerability assessment tool.

Symantec Enterprise Security Manager 5.5™
Symantec Enterprise Security Manager™ (ESM) is an enterprise class vulnerability assessment and policy compliance product. Its three-tier architecture meets large scalability requirements required by large organizations. ESM supports a diverse set of operating systems, including Windows, Solaris, HP-UX, AIX, Red Hat Linux, NetWare, Tru64, IRIX, Sequent and more. Its database stores both policies and policy run data. ESM agents are installed on each platform being assessed. Each agent has privileged access to all operating system parameters. It is not uncommon for some customers to deploy over 10,000 agents reporting to several ESM managers.

To do vulnerability assessment and auditing, ESM deploys a series of binaries called modules. ESM's UNIX agents have 18 modules total to audit systems for specific vulnerable configuration settings, the state, etc. For example, the Password Strength module measures password length, minimum and maximum password aging, and other password related issues. Other modules include File Permissions, Windows registry, Auditing, Network Integrity and others. ESM provides a lot of general-purpose security modules to control policies. An ESM policy turns on checks in one or more modules. ESM templates and word lists provide much of the data. Templates are files that give complex module input. ESM also integrates network-based scan data from Symantec NetRecon.

Symantec NetRecon 3.5™
Symantec NetRecon is a software application used to detect network and system vulnerabilities. It answers the question, "What can an attacker see, use, and exploit on my network?"

NetRecon works by scanning network resources for numerous vulnerabilities. After you have scanned the desired network resources and learned what your vulnerabilities are, you can generate reports that will help you make your network resources more secure. Symantec has thoroughly documented NetRecon's vulnerabilities, so administrators can understand what the vulnerabilities are and how to eliminate them.

No security solution is complete without both products and services.

V. Symantec's Security Policy Compliance Services

Companies may have an information security policy to protect critical assets and sensitive data, but they rarely have the means to effectively monitor compliance in accordance with that policy. Symantec provides clients with the means to monitor compliance with information security policies in a way that fully supports their business requirements. Symantec's Security Policy Compliance Implementation Service ensures proper security planning and policy definition, then installs, deploys and optimizes the benefits of ESM.

ESM defines acceptable activities and system configuration standards for a diverse set of operating systems. Companies use ESM to automatically check for security policy violations and generate concise reports.

The Security Policy Compliance Implementation Service provides the following:

PLANNING ACTIVITIES. Symantec security professionals develop a project plan and thoroughly prepare for each engagement to ensure success. They identify the customer's systems targeted for ESM installation and document the ESM deployment environment.
SECURITY POLICY DEFINITION. Symantec identifies the client's security policy checks that ESM will perform on each system in the target environment. For clients who do not have security policies, or where the policies are incomplete, Symantec provides customized information security policy consulting as an optional service.
ESM DEPLOYMENT. Symantec security professionals install, configure and test the ESM architecture. Symantec implements the baseline security policies and practices and maps them to compliance checks on the appropriate ESM Managers across the deployed environment.
ESM CONFIGURATION GUIDE. Symantec provides a guide that describes the client's ESM security architecture, detailing authorized system configurations, responsibilities for configuration management, and responsible authorities. The guide also explains how clients should check and enforce compliance with their established security policies.
ESM DAILY OPERATIONS GUIDE. The guide provides basic instruction on how to administer the installed ESM software, run policy checks, create reports, and view and interpret the results.

IV. Summary

Organizations need security policies, standards and procedures to enforce information security in a structured way. The choice of policies needed by the organization should be acquired through a thorough risk analysis, which includes security vulnerability assessments. The assessment results, combined with a proper policy framework and standards, should determine which policies are needed for your organization. Using tools such as Symantec Enterprise Security Manager can assist in measuring corporate policy compliance. Additional services can ensure the corporate policy is always up to date and implemented correctly. Corporate security policy is absolutely essential for securing an organization.