Securing Linux: A Survival Guide for Linux Security (Version 2.0)

1.1 SECURITY POLICIES

Security Policies are the blueprints used to build a security program. Your organization probably has a policy that states a system must be hardened before connecting it to the network. In this book, we will show you how to harden a Linux system, step by step, so that you can adhere to that policy. In very basic terms, Security Policies are the rules by which we secure environments. There are many types of security policies. These include:

• Corporate Security Policy “ Defines overall security rules that apply to the entire corporation.

• Remote Access Policy “ Defines rules for connecting to a company's network from a remote host.

• Password Policy “ Defines rules for creating, changing and maintaining strong passwords.

• Anti-Virus Policy “ Defines rules for the implementation and maintenance of an anti-virus program.

• Acceptable Use Policy “ Defines rules for the acceptable use of corporate resources, such as Internet, e-mail, workstations, network, etc.

Samples of these policies can be found at http://www.sans.org/newlook/resources/policies/policies.htm

Your company may already have many of these policies implemented. If you are involved in writing security policies, there are some guidelines you should remember.

• Security Policies should answer the Who, What, When, Where and Why of your objective.

  Some elements of a security policy that help achieve this include a purpose, background, scope, action and responsibility. Guidelines, Standards and Procedure documents answer the question of how the policy will be implemented.

• Security Policies should be clear and concise .

  Security Policies are useless if they cannot be understood or contain the same number of pages as War and Peace .

• Security Policies should be enforceable.

  If your Senior Management will not follow the policy, you cannot expect the rest of your employees to. A classic example of this is an e-mail policy that forbids sending personal e-mail from work. The first time your CEO sends an e-mail to his wife, your policy became unenforceable.