Policy and Procedures

The key to any successful intrusion detection and prevention program is based on sound policies, standards, guidelines, procedures, and baselines. This chapter attempts to define the differences among these as they’re often referred to in the same context. Then, the focus will be on the creation of policies and procedures that can help your organization achieve optimal success.

Policies, Standards, Guidelines, Procedures,and Baselines

First, let’s define the terms. A policy is a high-level statement of beliefs, goals, and objectives, and the general means by which they can be achieved. Policies help to determine strategies for standards, guidelines, procedures, and baselines. A standard is a mandatory activity, action, rule, or regulation designed to support policy structure and lend specific direction. Standards are often expensive to administer and, therefore, should be used judiciously.

A guideline is similar to a standard, but it’s a more general statement of how to achieve policy objectives. Guidelines provide the framework needed to implement procedures. Where standards are mandatory, guidelines are recommendations and more flexible. Guidelines are “recommended actions” only.

A procedure outlines the specific steps of how the policy, supporting standards, and guidelines will be implemented. A procedure is a description of tasks that must be executed in a specific order. Procedures are sometimes referred to as “practices.”

A baseline is a method of implementing security mechanisms and products. Baselines are platform unique and should be employed throughout an organization. They detect differences between various operating systems (OSs) to ensure uniform security implementation.

IDS IPS Policy

When creating a strong defense-in-depth policy, a good deal of time must be spent on researching the tools that will be used. Creating an IDS policy can be a daunting task, but one that can reap many benefits when done correctly. An IDS policy is a stand-alone policy, but it integrates with other policies, such as the firewall, routers, and incident response. When creating a policy, it’s important to include enough detail to be able to determine the strategies for standards, guidelines, procedures, and baselines. The policy needs to include why it’s important to the organization, and it must be prepared for signs of intrusion and lead to procedure development. Once the policy is written, it needs to undergo legal review. Once reviewed, the procedure can be drawn from the policy and implemented in the organization. Finally, it’s critical that the policy remain current with up-to-date procedures and information.

Creating an IDS IPS Policy

Earlier in this book, the importance of risk analysis was discussed. The relationship between risk analysis and the security policy is important for an effective security program. When defining your organizational needs, a risk analysis can and should help to determine what will go into your policies.

When you create a policy, having input from the organization as to what they want to achieve is critical. The policy wants to cover the why and the how. One effective way to do this is to cover the following seven steps:

The introduction and the purpose help set the stage for the rest of the document. Having the correct policy language in place can help prepare your organization to detect signs of intrusion in a timely, controlled manner. The introduction should give a general statement about what the document will cover. The purpose shows why this technology is important and why it’s necessary to have a policy. These could seem like simplistic topics that might not be needed but, for the nontechnical management, it helps to clarify the reasoning and gives a high-level definition of the technology. The scope is important because it helps define who this policy affects. This can be an entire department, all users, or a group of individuals. The scope must be defined for legal reasons to make certain it’s clear for whom the policy is intended and for clear understanding of the perspective on which the policy should be taken.

The policy itself is the section that states what’s expected. This section helps give general guidance and could include or refer to procedures that need to be taken. The policy section should be more clear and concise about what must occur in given situations. This is the how and why of the document.

Enforcement defines what the consequences are to those defined in the scope. This section can define specific consequences or point to other documents, such as an HR manual or a code of conduct.

Finally, there are the definitions and revisions sections. The definitions section helps put forth specific meaning for your organization and helps eliminate any assumptions. The revisions section reflects the current policy and indicates when it was last updated. This is important for keeping current and usable policies.

The following is an example policy using this seven-step process:

Sectionx

mm/dd/yy: Effective

 

mm/dd/yy: Revised

Policy x.xx Intrusion Detection Policy

Security Analyst Author

Step 1: Introduction

Intrusion detection is a critical piece of the organization’s security policy. Effective security systems must evolve to handle the vast amount of vulnerabilities introduced by the use of distributed systems. Having some type of reassurance that the systems and network are secure is important, and intrusion detection systems can help provide part of that assurance.

Step 2: Purpose

The purpose of this policy is to provide guidance for the use of intrusion detection at <Your Organization Here>. This document is to be followed for intrusion-detection monitoring using intrusion detection tools and system audit logs for the system servers, software, database, networks, and firewalls under its control.

Step 3: Scope

This policy applies to all constituents at <Your Organization Here>. More specifically, this policy applies to all individuals who are responsible for the installation of new information resources, the operations of existing information resources, and individuals charged with information resource security.

Step 4: Policy

247 intrusion-detection monitoring will be conducted by using intrusion-detection tools and system audit logs for the system servers, software, database, networks, and firewalls under its control. Reports will be submitted daily for assessment and possible corrective action. Immediate corrective action will be taken to help eliminate system vulnerabilities or to prevent future intrusion attempts. This can also be seen as a contract with the rest of the organization regarding the expected quality of service (that is, 247 or maximum response time).

Procedures for system break-ins:

Other procedures include the following:

Step 5: Enforcement

Any employee found to have violated this policy could be subject to disciplinary action, up to and including termination of employment. Additionally, individuals are subject to loss of information resources, access privileges, and the possibility of civil and criminal prosecution.

Step 6: Definitions

Step 7: Revision History

Legal Review

Creation of any security policy needs to be reviewed by your organization’s legal representation, so the policy can be legally reinforced and defensible. Your legal department can help determine if the policy reflects best practices and due care on the part of your organization. When investigations of an incident occur, it’s critical that your organization does everything in its power to protect the information and preserve evidence for legal proceedings. In addition, making sure that your organization adheres to all local, state, and federal regulations can help.

Another key issue is to make sure the policy is in touch with legislation that affects your organization. Your policy should include a clause regarding compliance with any legislation. Because much legislation is required, it’s wise to incorporate your policies with this legislation. Your legal department is in the best position to do this.

Procedure for Implementation of Your Policy

Just having a policy written isn’t nearly enough. Proper implementation of the policy is key. At this stage, the staff needs to be educated on the policy and what needs to be done for the policy to succeed. Therefore, all staff who have access to, or are responsible for, the IDS or the IPS program must have the policy made available to them. The policy should be easily accessible, but also secured. This can be done via an intranet site or on a server on the internal network.

Keeping Your Policy Current

Keeping your policy current is critical for a successful policy. If your policy is outdated, it won’t do anyone any good when it’s needed. Make certain you review your policy at least annually. Things that might need to be updated include the following:

Also important is to look at what happened during an incident and revise your policy to reflect these issues. You might find your policy lacks certain steps or actions that should have been addressed.

Summary

This chapter examined the need for a good intrusion policy. We looked at the creation and implementation of an intrusion detection policy. A seven-step methodology including Introduction, Purpose, Scope, Policy, Enforcement, Definitions, and Revisions was discussed. Once a policy is created, it is important to make sure that it is legally compliant and kept up-to-date, at least on an annual basis.

Категории