
Network System Security, part 19


for the guard to examine, or it may include a call to another employee to vouch for the individual. Some organizations rely only on the employee's signature in the appropriate register. This method may allow an intruder to gain access to the facility.

When implementing physical security mechanisms, you should also consider the security of the data center. Access to the data center should be restricted, and the data center should be properly protected from fire, high temperature, and power failures. The implementation of fire suppression and temperature control may require extensive remodeling of the data center. The implementation of a UPS will certainly result in systems being unavailable for some period of time. Such disruptions must be planned.

Staff

With the implementation of any new security mechanisms or systems, the appropriate staff must also be put in place. Some systems will require constant maintenance, such as user authentication mechanisms and intrusion detection systems. Other mechanisms will require staff members to perform the work and follow up (vulnerability scans, for example).

Appropriate staff will also be needed for awareness training programs. At the very least, a security staff member should attend each training session to answer specific questions. This is necessary even if the training is to be conducted by a member of human resources or the training department.

The last issue associated with staff is responsibility. The responsibility for the security of the organization should be assigned to an individual. In most cases, this is the manager of the security department. This person is then responsible for the development of policy and the implementation of the security plan and mechanisms. The assignment of this responsibility should be the first step performed with a new security plan.

AWARENESS TRAINING

An organization cannot protect sensitive information without the involvement of its employees.
Awareness training is the mechanism to provide necessary information to employees. Training programs can take the form of short classes, newsletter articles, or posters. A sample poster is shown in Figure 7-2. The most effective programs use all three forms in a constant attempt to keep security in front of employees.

Employees

Employees must be taught why security is important to the organization. They must also be trained in the identification and protection of sensitive information. Security awareness training provides employees with needed information in the areas of organization policy, password selection, and prevention of social engineering attacks.

Training for employees is best done in short sessions of an hour or less. Videos make for better classes than just a straight lecture. All new hires should go through the class as part of their orientation, and all existing employees should take the class once every two years.

Network Security: A Beginner's Guide

Administrators

Training is also important for system administrators. System administrators must be kept up-to-date on the latest hacker techniques, security threats, and security patches. This type of training should be performed more often (perhaps as often as once a month) and should be taught by members of the security department. Updates such as these could be included in regular administrator staff meetings to reduce the time necessary for administrators.

In addition to the periodic meetings, the security department should send updates to administrators as they appear rather than waiting for regular meetings. In this way, the security staff and the system administration staff maintain a strong working relationship as well.

Developers

Training for developers should be an extension of the employee training class.
The additional material should include proper programming techniques to reduce security vulnerabilities and a proper understanding of the security department's role during the development process.

For all new development projects, the security department should be involved in the design phase. This will allow new projects to be reviewed for security issues prior to the expenditure of significant resources on the project. The training of developers should explain the value of such involvement early on.

Figure 7-2. A sample security awareness poster (Chapter 7: Information Security Process)

Executives

Presentations to executives of an organization are part education and part marketing. Without the support of organization management, the security program will not exist. Therefore, management must be informed of the state of security and how the program is progressing.

Periodic presentations to management should include the results of recent assessments and the status of the various security projects. If possible, metrics should be established that indicate the risks to the organization. For example, the number of system vulnerabilities and the number of system policy violations might be tracked and reported. During these presentations, information similar to that used as part of the employee awareness training may also be provided to remind the executives of their security responsibilities.

Security Staff

Security staff must also be kept up-to-date in order for them to provide appropriate service to the organization. External training is important, but it is also important to perform internal training programs. For example, each staff member could be assigned a date to provide training to the rest of the staff on a topic of his or her choice. The topics should be security-related and either a current topic of interest for the staff or a skill that is lacking in the staff.
AUDIT

The audit is the final step in the Information Security Process. After identifying the state of information security within an organization, creating the appropriate policies and procedures, implementing technical controls, and training staff, the audit function ensures that controls are configured correctly with regard to policy. When we discuss the audit portion of the security process, we are actually talking about three different functions:

  • Policy adherence audits
  • Periodic and new project assessments
  • Penetration tests

Each of these functions has a place in the security process.

Policy Adherence Audits

Policy adherence audits are the traditional audit function. The organization has a policy that defines how security should be configured. The audit determines whether this is so. Any variations are noted as violations. Such audits may be performed by internal staff or by external consultants. In either case, this function cannot be performed without the assistance of the system administration staff.

Policy adherence audits should not be confined to system configurations. They should also address concerns about how information in other forms is handled. Is the information policy being followed? How are sensitive documents stored and transmitted?

Audits should be performed once per year. These audits can be performed by the security staff, but it may be more appropriate for the organization's audit department or an external firm to perform the audit. The reason for this is that the security staff may be measured on the results of the audit. If this is the case, a conflict of interest would exist.

Periodic and New Project Assessments

Computer and network environments within an organization are in a constant state of change. This change can make assessment results obsolete in short periods of time by reducing some risks and introducing new ones. For this reason, assessments should be performed periodically.
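The system-configuration half of a policy adherence audit can be mechanised: write the policy as a set of required settings, read the host's actual configuration the way the software itself reads it, and report every variation as a violation. The following is an added example, not code from the book. It checks an OpenSSH sshd_config against a written policy baseline; the POLICY table, the Violation type, and the sample configuration are all constructed for illustration. The one real-world detail it depends on is that sshd honours the first occurrence of a keyword and ignores later duplicates, so an audit has to read the file the same way.

```python
"""Policy adherence audit of a host's sshd_config against a written policy.

Added example, not code from the book. The POLICY baseline and the sample
configuration below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed policy baseline: directive -> (predicate on the value, rule text).
POLICY: dict[str, tuple[Callable[[str], bool], str]] = {
    "PermitRootLogin": (lambda v: v.lower() == "no", "must be 'no'"),
    "PasswordAuthentication": (lambda v: v.lower() == "no", "must be 'no'"),
    "Protocol": (lambda v: v == "2", "must be '2'"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "must be 4 or less"),
    "X11Forwarding": (lambda v: v.lower() == "no", "must be 'no'"),
}


@dataclass(frozen=True)
class Violation:
    directive: str
    found: Optional[str]  # None when the directive is not set at all
    rule: str


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the value sshd will actually use for each keyword.

    sshd applies the FIRST occurrence of a keyword and ignores later ones,
    so an audit that kept the last value would pass a host whose later,
    stricter line is dead. Keywords are case-insensitive; values are kept
    as written."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit_config(text: str, policy: dict = POLICY) -> list[Violation]:
    """Compare the effective configuration with the policy. Every variation
    is a violation, including a directive the policy requires that the file
    does not set at all: sshd's compiled-in default is then in effect, and
    the policy cannot vouch for it."""
    effective = parse_sshd_config(text)
    violations: list[Violation] = []
    for directive, (ok, rule) in policy.items():
        value = effective.get(directive.lower())
        if value is None:
            violations.append(Violation(directive, None, rule + " (not set; built-in default in effect)"))
        elif not ok(value):
            violations.append(Violation(directive, value, rule))
    return violations


def report(violations: list[Violation]) -> list[str]:
    """Render findings in the form an auditor hands to the administrators."""
    if not violations:
        return ["PASS: configuration matches policy"]
    return [f"FAIL {v.directive}: found {v.found!r}, {v.rule}" for v in violations]


# Constructed sample configuration (not a real host). Note the duplicated
# PermitRootLogin: the first line is the one sshd enforces.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes          # enforced by sshd
PermitRootLogin no           # ignored by sshd: later duplicate
PasswordAuthentication no
MaxAuthTries 6
# X11Forwarding is not set; sshd's default applies
"""

if __name__ == "__main__":
    for line in report(audit_config(SAMPLE_SSHD_CONFIG)):
        print(line)
```

Against a real host the call is audit_config(open("/etc/ssh/sshd_config").read()). Two choices in the code are the ones an auditor should state explicitly in the report: a directive that is absent is reported as a violation even though sshd applies a default, because the policy is about what is explicitly configured; and a duplicated keyword is resolved to its first occurrence, which is also what sshd enforces, so a later "PermitRootLogin no" does not rescue an earlier "yes".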
Full assessments of the organization should be performed every one to two years. As with major audits, major assessments can be performed by the security staff if the staff has the required skills, but it may be more appropriate for an external firm to perform the assessment.

Smaller assessments should be performed as new projects are being developed and as changes are made to the organization's environment. For each new project, security should be involved in the design phase to identify whether the project has any inherent risks and whether the project introduces or reduces risk within the organization. This type of assessment should examine the new project in the context of how it will be used and the ramifications to other parts of the organization. If risks are identified early in the project, the design can be adjusted or other mechanisms can be introduced to manage the risk.

Penetration Tests

Penetration testing is a controversial topic. Many times, penetration tests are sold as a substitute for an assessment. Penetration tests are not substitutes for assessments. In fact, penetration tests have very limited utility in a security program. The reason for this is simple: penetration tests attempt to exploit an identified vulnerability to gain access to systems and information within an organization. If the penetration test succeeds, the only information that is gained is that at least one vulnerability exists. If the penetration test fails, the only information that is gained is that the tester was unable to find and exploit a vulnerability. It does not mean that a vulnerability does not exist.

Why, then, should a penetration test be performed? If the organization has conducted an assessment and put in place appropriate controls to manage risk, the organization may choose to test some of these controls through the use of a penetration test.
Penetration tests are appropriate to test the following controls:

  • The ability of an intrusion detection system to detect an attack
  • The appropriateness of an incident response procedure
  • The information that can be learned about the organization's network through the network access controls
  • The appropriateness of the physical security of a site
  • The adequacy of information provided to employees by the security awareness program

Whatever the reason for conducting a penetration test, a detailed test plan should be provided to the organization prior to the beginning of the test. For each step in the plan, the purpose of the test should be identified.

The organization should also define the scope of the test. External network penetration tests are limited to the organization's external network connections. This may or may not include dial-up access to the organization's network. Physical penetration tests include individuals who will attempt to gain unauthorized access to a facility. The scope of such tests can be limited to business hours, or it may include after-hours attempts. Social engineering tests include the testing of employee awareness and allow the testers to be in contact with employees in an attempt to get them to divulge information or to grant the tester access to internal systems.

Many organizations choose to begin the security process with a penetration test. Doing this does not serve the organization well, as the test will not provide sufficient information to allow the organization to manage its risks.

CHAPTER 8
Information Security Best Practices

Copyright 2001 The McGraw-Hill Companies, Inc.

The concept of "best practices" refers to a set of recommendations that generally provides an appropriate level of security.
Best practices are a combination of those practices proved to be most effective at various organizations. Not all of these practices will work for every organization. Some organizations will require additional policies, procedures, training, or technical security controls to achieve appropriate risk management.

The practices described in this chapter are intended to be a starting point for your organization. These practices should be used in combination with a risk assessment to identify measures that should be in place but are not, or measures that are in place but are ineffective.

ADMINISTRATIVE SECURITY

Administrative security practices are those that fall under the areas of policies and procedures, resources, responsibility, education, and contingency plans. These measures are intended to define the importance of information and information systems to the company and to explain that importance to employees. Administrative security practices also define the resources required to accomplish appropriate risk management and specify who has the responsibility for managing the information security risk for the organization.

Policies and Procedures

The organization's security policies define the way security is supposed to be within the organization. Once policy is defined, it is expected that most employees will follow it. With that said, you should also understand that full and complete compliance with policy will not occur. Sometimes policy will not be followed due to business requirements. In other cases, policy will be ignored because of the perceived difficulty in following it.

Even given the fact that policy will not be followed all of the time, policy forms a key component of a strong security program and thus must be included in a set of recommended practices. Without policy, employees will not know how the organization expects them to protect the organization's information and systems.
At a minimum, the following policies are recommended as best practices:

  • Information Policy: Defines the sensitivity of information within an organization and the proper storage, transmission, marking, and disposal requirements for that information.
  • Security Policy: Defines the technical controls and security configurations that users and administrators are required to implement on all computer systems.
  • Use Policy: Identifies the approved uses of organization computer systems and the penalties for misusing such systems. It also identifies the approved method for installing software on company computers. This policy is also known as the acceptable use policy.
  • Backup Policy: Defines the frequency of information backups and the requirements for moving the backups to offsite storage. Backup policies may also identify the length of time backups should be stored prior to reuse.

Policies alone do not provide sufficient guidance for an organization's security program. Procedures must also be defined to guide employees when performing certain duties and to identify the expected steps for different security-relevant situations. Procedures that should be defined for an organization include:

  • Procedure for User Management: This procedure would include information as to who may authorize access to which of the organization's computer systems and what information the system administrators are required to keep to identify users calling for assistance. User management procedures must also define who has the responsibility for informing system administrators when an employee no longer needs an account. Account revocation is critical to making sure that only individuals with a valid business requirement have access to the organization's systems and networks.
  • Configuration Management Procedures: These procedures define the steps for making changes to production systems.
Changes may include upgrading software and hardware, bringing new systems online, and removing systems that are no longer needed.

Hand in hand with configuration management procedures are defined methodologies for new system design and turnover. Proper design methodologies are critical for managing the risk of new systems and for protecting production systems from unauthorized changes.

Resources

Resources must be assigned to implement proper security practices. Unfortunately, there is no formula that can be used to define how many resources (in terms of money or staff) should be put against a security program based simply on the size of an organization. There are just too many variables. The resources required depend on the size of the organization, the organization's business, and the risk to the organization. It is possible to generalize the statement and say that the amount of resources should be based on a proper and full risk assessment of the organization and the plan to manage the risk.

To properly define the required resources, you should apply a project management approach. Figure 8-1 shows the relationship of resources, time, and scope for a project. If the security program is treated as a project, the organization must supply sufficient resources to balance the triangle or else extend the time or reduce the scope.
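The account revocation requirement in the user management procedure above is one that can be checked rather than assumed: reconcile the accounts that exist on a system against the HR roster and list every account that no longer has a valid business owner. The following is an added example, not code from the book. The roster, the account export, the 90-day dormancy threshold and the Finding type are all constructed assumptions, and the dormancy check goes slightly beyond the text, which speaks only of accounts that are no longer needed.

```python
"""Account revocation check for the user management procedure: reconcile a
system's accounts against the HR roster and flag accounts with no valid
business owner.

Added example, not code from the book. The roster, the account export and
the dormancy threshold are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str


# Constructed HR roster: employee id -> (status, last day of employment).
HR_ROSTER: dict[str, tuple[str, Optional[date]]] = {
    "E100": ("active", None),
    "E101": ("terminated", date(2024, 3, 15)),
    "E102": ("active", None),
}

# Constructed account export: username -> (owner employee id, last login).
ACCOUNTS: dict[str, tuple[Optional[str], Optional[date]]] = {
    "alice": ("E100", date(2024, 5, 1)),
    "bob": ("E101", date(2024, 4, 2)),       # owner left on 15 March, login in April
    "svc-backup": (None, date(2024, 5, 3)),  # nobody on record is responsible
    "carol": ("E102", date(2023, 9, 1)),     # valid owner, but unused for months
    "dave": ("E999", None),                  # owner id HR has never heard of
}

DORMANT_AFTER = timedelta(days=90)  # assumed threshold; take it from the use policy


def reconcile(accounts, roster, today: date,
              dormant_after: timedelta = DORMANT_AFTER) -> list[Finding]:
    """Return one Finding per account that should not stay active as-is.

    Checked in order of severity: no owner, owner unknown to HR, owner no
    longer active (with a note if the account was used after separation,
    which is exactly the revocation failure the procedure exists to prevent),
    and finally dormancy, which usually means the business need lapsed
    without anyone telling the administrators."""
    findings: list[Finding] = []
    for user, (owner, last_login) in accounts.items():
        if owner is None:
            findings.append(Finding(user, "no owner of record; assign an owner or disable"))
            continue
        record = roster.get(owner)
        if record is None:
            findings.append(Finding(user, f"owner {owner} not in HR roster; disable pending review"))
            continue
        status, last_day = record
        if status != "active":
            reason = f"owner {owner} is {status} as of {last_day}; revoke"
            if last_login is not None and last_day is not None and last_login > last_day:
                reason += f" (used on {last_login}, AFTER separation)"
            findings.append(Finding(user, reason))
            continue
        if last_login is None or today - last_login > dormant_after:
            findings.append(Finding(user, f"dormant: last login {last_login}; confirm business need"))
    return findings


if __name__ == "__main__":
    for f in reconcile(ACCOUNTS, HR_ROSTER, today=date(2024, 5, 6)):
        print(f"{f.account}: {f.reason}")
```

In practice the roster comes from the HR system and the account export from each system or directory, and the check runs on a schedule rather than once. The "used after separation" annotation is the finding to escalate: it shows not just that an account should have been revoked but that the notification step in the procedure failed.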

Posted: 02/07/2014, 18:20
