Chapter 2: Understanding Security Policies Using a

Lifecycle Approach
I. Foundation Topics
II. Risk Analysis and Management
1. Secure Network Lifecycle
1. Security is never entirely done; the following is the lifecycle that should be followed
when securing a network.
a. Initiation This involves preliminary risk assessments and categorizing of risk,
such as with labels of low, medium, or high. These assessments and labels can
assist you in prioritizing security measures by focusing on the high-risk items
first
b. Acquisition and development This involves a more detailed risk assessment,
acquiring the products and tools needed to implement the countermeasures
needed to reduce risk, and testing those countermeasures (usually on a closed
network or as a pilot program) to verify their correct implementation.
c. Implementation This is the actual point where the rubber meets the road,
where you put the countermeasures in place on the production network
d. Operations and maintenance This involves monitoring and with the care and
feeding of our network security devices (and incident handling when issues
arise).
e. Disposition All things come to an end, and disposing of network gear
(including sanitizing/formatting/destroying media storage devices) is part of this.

2. Risk Analysis Methods

1. Methods:
a. Qualitative In this method, the data is gathered by an individual, who likely is
a subject matter expert (in this case as to the asset's value, its vulnerabilities,
potential threats, and the impact or risk based on those factors).
b. Quantitative In this method, you use raw data, numbers, and statistics to
determine the risk.

3. Security Posture Assessment

4. f
Table 2-2 Assessing the Current Security Posture of Network Devices
Key Activity
Explanation
General security
posture assessment

This provides a high-level idea about the security state of network devices,
including servers, desktops, and data storage. This should involve assessing
security from multiple perspectives, with the intent to identify relevant
vulnerabilities

Internal assessment

Attacks are likely to come from users inside the network, as well, and the
internal assessment is designed to see how well protected you are from the
inside attacks

External assessment This is to assess the security risk associated with attacks from external devices
on networks that connect to you (for example, from devices over the Internet).
Wireless assessment Wireless assessment identifies the vulnerabilities and weaknesses associated
with the wireless implementation. This includes the range of the access points
that might go beyond the walls of the building and provide a potential
opportunity for a threat
Analysis and
documentation

This combines the details about vulnerabilities that may exist from all the
assessments completed. This report should include countermeasures and
recommended solutions to mitigate the risk involved from an attack.

5. An approach to Risk Management

1. Considerations when assessing risk
a. Value of the asset
b. Vulnerabilities
c. Potential threats
d. Compliance issues
e. Business requirements
2. Vulnerabilities and Compliance regulations require constant vigilance however, and
a checklist of the above will not be enough. Usually senior management will direct
the IT staff on the current major vulnerabilities and compliance requirements.
3. New assets that are added to the network that are very similar to assets that have
already been calculated will not require extensive analysis.
4. For new assets, do the following:
a. Using qualitative/quantitative approaches, identify the risk (value of asset,
vulnerability, potential threats = risk).
b. Take action regarding the risk (which could include transferring the risk,
accepting the risk, or reducing the risk using countermeasures).
c. Monitor the risk. This includes verification that the countermeasures are
reducing the risk and making adjustments regarding that risk if it is increasing or
decreasing based on changes in the network, changes in access to data, or
changes based on new types of threats.

6. Regulatory Compliance Affecting Risk

1. Part of the overall plan for security and managing risk is to implement whatever
regulatory compliance is required in your local community, state, or country.
International business may require compliance with government agencies beyond
your own borders; examples are Sarbanes-Oxley (SOX) and Health Insurance
Portability and Accountability Act (HIPAA) from the United States.

III. Security Policies

1. This section examines who is responsible for the creation of security policies, the
implementation of security policies, and the lifecycle of a security policy.

2. Who, What, and Why

1. Security Policies mean different things depending on who you are in the company
Table 2-3 The Who, What, and Why of Security Policies
Security Policies
Explanation
Who creates
security policies?

The executive senior management team is ultimately responsible for the data and
the networks that carry the data for their company. From a technician's
perspective, this might seem a bit odd that the senior management team is
creating a security policy, but that is who specifies the overall goals of the
policy. The high-level security policy is often referred to as a governing policy.
It is up to the management teams and staff who have the skills to implement the
appropriate controls (which include physical, logical, and administrative
controls). At this level, we often use technical policies to implement the security
responsibilities based on the roles the staff are filling
It is up to the end users to agree to and abide by the policies set forth by the
company. This is referred to as an end-user policy, which is sometimes called
acceptable use policy (AUP).

What is in a
security policy?

In a security policy, a primary aspect is risk management. In that light, it could

include items such as access controls, backups, virus protection, incident
handling, encryption, monitoring, password requirements, disposing of
resources, inspections and reviews, personal/physical security, systemconfigured change process, auditing, security awareness and training,
documentation, AUP (and the list goes on).
A security policy should begin with a general overview about why the policy
was written and what it covers and what it does not cover. This is often referred
to as the scope of the policy.

Why do we have
security policies?

Besides risk management, security policies are also used to educate users, staff,
and other workers about what the policy of the company is. It can also be used
to establish a baseline for which security measures must be implemented to
protect assets. Without a security policy in place, the risk (which is a factor of
assets that are vulnerable being attacked and resulting in a loss) is too great.

3. Specific Types of Policies

1. Creating policies for every type of technology on a network is normal; especially for
high-security networks. For example:
a. Guideline policies These include AUPs, audit policies, password policies, risk
assessment policies, web server policies, and so on.
b. Email policies These include email-forwarding policies, spam policies, and so
on.
c. Remote-access policies These include VPN remote access, dial-in access, and
minimum requirements for remote access with regard to virus scanning or
patches
d. Telephony policy This includes guidance about the acceptable use of
telephony services related to voice/data over that media
e. Application policies These include minimum security requirements that need
to be included in new applications that are added to the network and restrictions
about what end users are allowed to install and or run on their local computers.
f. Network policies These include standards for access via wireless or wired
connections, and could include minimum requirements for the PCs that are
connecting, such as minimum service packs, specific antivirus properties (such
as current antivirus that has been updated in the past 4 days), and other networkrelated activity.

4. Standards, Procedures, and Guidelines

5. f
Table 2-4 Standards, Procedures, and Guidelines
Security Practice
Explanation
Vocabulary
Standards

A standard specifies the use of specific technologies as a countermeasure.

These help the IT staff be consistent in their approach to mitigating a specific
risk.

Procedures

This is a detailed document about the standards and guidelines, which helps
staff to implement security for the network. Using a procedural list, an
implementation on the network can be done by any one of the staff, and if the
procedure is followed in a consistent manner, the result will be the same each
time. Having good procedures that are easily followed to implement network
security correctly is an important aspect of a secure network

Guidelines

Guidelines are simply suggestions and are not mandatory. They usually
represent best practice techniques, but are not actually required to be used. If
policy and procedure and standards are vague, following the guidelines
provided will be a good indication of what to do to maintain and continue the
spirit of the security policy. (When in doubt, check with the manager for
clarification before implementing any changes outside of procedure or
standards.)

Policies

The policies themselves are high level in nature and come from the senior
management team. They usually do not include the technical details about how
to implement the policy. (The implementation is left up to their staff.)
Ultimately, the senior executive team is responsible as the owner of the data,
and is also responsible to ensure that staff implements the policies.

6. Testing the Security Architecture

1. Companies may spend a lot of money on security, but in order to really secure your
network you must test the security to make sure it's working. Some of the following
are techniques you may want to use to test security.
a. Network scanning
b. Vulnerability scanning
c. Password cracking
d. Penetration testing
e. Social engineering attempts
2. Make sure you have logs and document everything if an attack is suspected
3. Use the Initiation, Acquisition and Development, Implementation, Operations and
Management, and Disposition.

7. Responding to an Incident on the Network

1. Hopefully your security is in place and mitigating attacks when they happen.
However if an incident happens (a successful attack) that has a negative impact; an
incident response policy should:
a. Assist in the recovery of business operations, while at the same time preserving
any evidence about the attack that might be needed for forensics.
b. Document all possible details of the incident, including what systems were
involved, when it occurred, who was involved, and any of the details that might
assist in the clear documentation of what occurred
c. Prevent, if possible, future incidents similar to the one just experienced. This is
yet another way to reduce future risk.

8. Collecting Evidence
1. A policy should be in place if an attack happens to gather evidence while at the same
time recovering from the attack. Do not let recovery erase any evidence of the
attack.
2. This policy will probably be generic but more specific policies should probably be
put in place for the various types of equipment in use on the network
3. An example if an attack happened that involves disk storage, make a snapshot of the
drive before recovering it. The checksum of the drive should be the same as the
original drive to show it is exactly the same.
4. Take pictures of the equipment, gather logs etc. This will all be important for
forensics and prosecution.

9. Reasons for Not Being an Attacker

10.Liability
1. Liability comes with information the company holds such as credit card information
and health information. Reducing risk also reduces the potential liability that comes
with that risk.

11.Disaster Recovery and Business Continuity Planning

1. DR and BC policies are focused on availability after a disaster.
2. Options
a. Multiple operational sites
b. Multiple sites, one operational and another on cold standby but ready to bring up
within 24 or 48 hours for example.
3. Terms
a. MTD (Maximum Tolerable Downtime) b. RTO (Recovery Time Objective) The objective in time for resuming the
business process in the event of disaster.
c. RPO (Recovery Point Objective) The point at which data is restored before
the disaster happened. Basically if the RPO was 4 hours, this means that data is
restored to the point of 4 hours before the disaster.

IV. Do I Know This Already? Quiz

1. Which of the following are methods of risk analysis? (Choose all that apply.)
a. Risk acceptance
b. Risk avoidance
c. Quantitative
d. Qualitative
2. What are the primary reasons for documenting the value of an asset, in combination
with the vulnerabilities of that asset? (Choose all that apply.)
a. Identifying risk
b. Identifying countermeasures
c. Return on investment (ROI)
d. Vulnerability
3. Which of the following drivers compel a company to implement security? (Choose
all that apply).
a. Revenue generation
b. Regulatory Compliance
c. Liability
d. Confidential data
4. Which portion of an incident management process involves becoming aware that an
incident occurred?
a. Preparation
b. Detection and analysis
c. Containment and recovery
d. Forensics
5. Who is ultimately responsible for the data and security on the network?
a. Senior management
b. IT staff
c. End users
d. Customers
6. Which policy does the senior executive team create?
a. Acceptable use policy
b. Unacceptable use policy
c. Governing policy
d. Procedure documents
7. Which of the following is an example of a technical or end-user policy? (Choose all
that apply).
a. Email policy
b. Network policy
c. Application policy
d. Life insurance policy
8. When a network device is no longer being used, which lifecycle elements are
implemented?
a. Media sanitation
b. Initiation
c. Disposition
d. Operations

V. Review All the Key Topics

Table 2-5 Key Topics
Key Topic
Description
Element

Page
Number

Text

Secure network lifecycle -

25

Text

An approach to risk management -

27

Table 2-3

The who, what, and why of security policies -

29

VI. Complete the Tables and Lists from Memory

Table 2-3 The Who, What, and Why of Security Policies
Security Policies
Explanation
Who creates security
policies?

The executive senior management team is ultimately responsible for

the data and the networks that carry the data for their company. From
a technicians perspective, this might seem a bit odd that the senior
management team is creating a security policy, but that is who specifies
the overall goals of the policy. The high-level security policy is often
referred to as a governing policy.
It is up to the management teams and staff who have the skills to
implement the appropriate controls (which include physical, logical,
and administrative controls). At this level, we often use technical
policies to implement the security responsibilities based on the roles
the staff are filling.
It is up to the end users to agree to and abide by the policies set forth
by the company. This is referred to as an end-user policy, which is
sometimes called acceptable use policy (AUP).
Policies may also apply to individuals outside of the company,
including customers, suppliers, contractors, and so on.

What is in a security
policy?

In a security policy, a primary aspect is risk management. In that

light, it could include items such as access controls, backups, virus
protection, incident handling, encryption, monitoring, password
requirements, disposing of resources, inspections and reviews, personal/
physical security, system-configured change process, auditing, security
awareness and training, documentation, AUP (and the list goes on).
A security policy should begin with a general overview about why the
policy was written and what it covers and what it does not cover. This is
often referred to as the scope of the policy.

Why do we have
security policies?

Besides risk management, security policies are also used to educate

users, staff, and other workers about what the policy of the company is.
It can also be used to establish a baseline for which security measures
must be implemented to protect assets. Without a security policy in
place, the risk (which is a factor of assets that are vulnerable being
attacked and resulting in a loss) is too great.

VII. Define Key Terms

1.
2.
3.

qualitative quantitative regulatory compliance -