  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 486

Internet Security Policies

So today I come into work (I work on the phones doing tech support, as well as administration and route planning for engineers for a very, very small salary - I work for love mainly) and get told that I am to research, teach myself and then create a robust Internet Security Policy to be installed on all servers we install (into schools, so it has to be good). Now, the problem is, before today I had never even thought about them, let alone tried to make one.

Where do I start? What do I need (notepad editor + lots of hair to pull out?)? How do I test it?

If anyone can point me in the right direction, I'd be grateful. I've tried google and it throws up essays broken down into essays broken down into essays that could take me an entire week to read, let alone understand - which isn't practical as they want it yesterday (at least that's how it seems).

Thanks
Asked by: Vampireofdarkness
2 Solutions
sr1xxonCommented:
Unfortunately for you, your policies must be legally compliant, which is why there is so much reading involved.

Have a look at this site, which deals with security policies (and AUPs) for different verticals:

http://www.infosyssec.org/infosyssec/security/secpol1.htm

It also depends on what international jurisdiction you are in, so in Europe you will have to be Basel II compliant for a financial services company, but if you trade on US markets, you may also need to be SOX compliant. This is an extremely complex issue; I would draw up a draft, probably on the recommendation of SANS http://www.sans.org/resources/policies/ - they also have some webcasts on same.

The SANS website has policy templates which are quite good - also some webcasts on same.

Ideally, you will need your compliance department / legal representative to validate your documentation.


VampireofdarknessAuthor Commented:
Ok.. that makes sense I guess.

So if I get it wrong, there could be legal implications? I also have to work to be compliant with Basel II (I'm in the UK/Europe), which I've never heard of?

Oh, there is no compliance department, and no legal representative. I don't know why they pay some guy thousands more than me to do networks, and more than I earn in a year to send another on a networking course to get me to write this. /sigh

I'll take a read of those sites and get back to you. I have a feeling I'm just going to have to throw in the towel and tell them to do it themselves.
sr1xxonCommented:
If you're not trading, you might not need to be Basel compliant.
If it's a school, I don't know what jurisdiction that would come under.
I'd look at the following:
Acceptable Usage Policy - relevant for both students and staff
Internet Access Policy - as above
Server hardening policy - relevant to IT dept
DEFO a remote access policy - if you allow it.

If you are looking at the physical (technical) hardening of servers, that's also to be considered and documented.
Again, several leads which might help you out.
Below is good for a general baseline, but way short on detail:
http://searchwindowssecurity.techtarget.com/featuredTopic/0,290042,sid45_gci1069557,00.html

It would be rude to leave out Microsoft's take on same:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/03osinstl.mspx

mellowmarquisCommented:
Check out these sites. Lots of good info...

Computer Security Resource Centre - US Gov National Institute of Standards and Technology
http://csrc.nist.gov/pcig/index.html

Centre for Internet Security
http://www.cisecurity.org/

Additionally, I think we need to identify what is meant by "Policy".
In general IT security terms, a policy is a definitive document outlining an organisation's stance with regard to whatever aspect of security that particular policy relates to, i.e. an acceptable use policy defines what a user is (and sometimes expressly is not) allowed to do; a wireless policy defines the conditions under which, and the controls required to permit, an acceptable deployment within the organisation.

In order to be effective, such policies need the backing of management, and need to be supplemented with procedures (i.e. how and when to implement), guidelines (for the low-level how-tos), standards and auditing procedures.

However - the policy that you are referring to, and the words you use... "to be installed on servers", sound to me like you are referring to a different kind of policy. Under Windows XP, 2000 and 2003, you can use the policy editor to create a local security policy to lock down the server. You can define a single policy for all servers and then push it out automatically using group policy, or install it manually with a couple of mouse clicks. This policy controls password strength, disabled services, account lockout etc. Whilst these details too should be expressly defined and documented with due diligence, they can also be used quickly and easily to ensure a basic level of compliance across the network (provided they don't break anything!)
If this is what you are referring to, there are already a few policies created on the CIS website that you can download and check out - make sure you review the settings and test first to ensure they don't break anything.

Details can be found here
http://technet2.microsoft.com/WindowsServer/en/Library/794f1a5d-13f3-4628-ade9-ec25c88d11961033.mspx?mfr=true

And here (for 2000):
http://www.microsoft.com/downloads/details.aspx?familyid=15E83186-A2C8-4C8F-A9D0-A0201F639A56&displaylang=en

And here (for 2003):
http://www.microsoft.com/downloads/details.aspx?familyid=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en

I would also question the need for Basel II compliance. If the organisation does need to be compliant, then responsibility for failure to comply goes all the way to board level, so it would be in the organisation's best interests to put suitable money and expertise into developing a compliant framework. It's management who will be held accountable for negligence, or at least lack of due diligence, in the event of a significant security breach.

HTH
-Mark
VampireofdarknessAuthor Commented:
Points double and will be split evenly.

I decided to just throw in the towel and give up. A few days of reading and still not having much of an idea where to start is more than enough for me. The main problem was trying to find/produce one that was relevant to 7 year old children and IT illiterate school teachers, as opposed to big corporations (like all the examples and literature I found).

by "install with the servers" I meant implement - lay down the policy at the same time as the installation, or prior to.

Thanks for your time
mellowmarquisCommented:
No worries Vampire. I've been there before.

The MS windows stuff is pretty easy to implement though if that's what yr running.
Here's a quick and dirty example of how it's done. You can do this on yr own XP machine to test and just modify whatever details you want to change. No need for written policies etc...just apply the policy on a server and it will be enforced.

http://www.shavlik.com/Whitepapers/Customizing%20Microsoft%20Security%20Templates.pdf

It's up to you whether you want to muck around any more though.

:)
sr1xxonCommented:
Your school principal should be able to get the sort of information you are looking for from your local teachers' association / union - if it is in fact a policy doc you are after.
If it is simply locking down servers, go ahead and use any of the suggestions above - the server hardening process isn't difficult at all.

best of luck.
mellowmarquisCommented:
Just to clarify:

"You can do this on yr own XP machine to test and just modify whatever details you want to change. No need for written policies etc...just apply the policy on a server and it will be enforced."

I mean you can test it through XP, but any actual real changes should be done on the appropriate OS - don't recommend applying an XP template to a server.

Probably obvious.....but thought I'd mention it if you do decide to check it out.

Have fun.
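As an added worked example (not code from this thread, from Microsoft, or from the Shavlik paper linked above), the following PowerShell script shows the mechanism mellowmarquis describes: a local security policy expressed as a secedit template in INF format, carrying the password-strength and account-lockout settings a server policy controls, compared against what the machine currently has before anything is applied. It follows the clarification above by keeping the "test first" and "apply" steps separate, so you can run the audit on a test box and only configure the real server once the report looks right. The baseline values, the working directory and the Get-SystemAccess helper are assumptions made for this example, not a recommended standard; secedit.exe and an elevated prompt on Windows are assumed to be available.

```powershell
# Added example (not from the thread): audit a Windows machine's local
# security policy against a baseline template before applying it.
# Assumptions: elevated PowerShell on Windows; secedit.exe present (ships
# with Windows). Baseline values below are constructed for illustration.

$baseline = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
MaximumPasswordAge = 90
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Working directory for the template, the export and any analysis database
$work = Join-Path $env:TEMP 'policy-audit'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$baselinePath = Join-Path $work 'baseline.inf'
$currentPath  = Join-Path $work 'current.inf'
# secedit expects a Unicode (UTF-16) template file
Set-Content -Path $baselinePath -Value $baseline -Encoding Unicode

# 1. Export the settings configured right now (no changes are made)
secedit /export /cfg $currentPath /quiet | Out-Null

# 2. Read the [System Access] section of an INF into an ordered hashtable
#    (hypothetical helper written for this example)
function Get-SystemAccess($path) {
    $h = [ordered]@{}
    $inSection = $false
    foreach ($line in Get-Content $path) {
        if ($line -match '^\[(.+)\]') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $h[$Matches[1]] = $Matches[2]
        }
    }
    return $h
}

$want = Get-SystemAccess $baselinePath
$have = Get-SystemAccess $currentPath

# 3. Report every baseline setting that the machine does not match yet
foreach ($k in $want.Keys) {
    $cur = if ($have.Contains($k)) { $have[$k] } else { '<unset>' }
    $status = if ($cur -eq $want[$k]) { 'OK  ' } else { 'DIFF' }
    "{0} {1,-22} current={2,-8} baseline={3}" -f $status, $k, $cur, $want[$k]
}

# 4. Only after reviewing the report on a test machine running the same OS
#    as the target: analyse against a database, then configure. Both lines
#    are deliberately left commented out so the audit stays read-only.
# secedit /analyze   /db (Join-Path $work 'audit.sdb') /cfg $baselinePath /log (Join-Path $work 'audit.log')
# secedit /configure /db (Join-Path $work 'audit.sdb') /cfg $baselinePath /areas SECURITYPOLICY
```

The split between export/compare and configure is the point: the report tells you which of the password and lockout settings would change, so a template that "breaks something" is caught on the test box rather than on a school's server. Settings that are outside [System Access] (services, audit policy, registry values) live in other INF sections and would need the same treatment.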
VampireofdarknessAuthor Commented:
I don't actually attend or work at the school. I work for an IT for schools company, so the policy would have needed to not be school-specific. I think it was more so our network guy can sit back and relax knowing that whatever problems happen at a school, he can just say "that's against policy, not our problem" and/or pass it on to me.