Internet Security Policies

Posted on 2006-05-31
Last Modified: 2013-11-16
So today I come into work (I work on the phones doing tech support, as well as administration and route planning for engineers for a very, very small salary - I work for love mainly) and get told that I am to research, teach myself and then create a robust Internet Security Policy to be installed on all servers we install (into schools, so it has to be good). Now, the problem is, before today I had never even thought about them, let alone tried to make one.

Where do I start? What do I need (notepad editor + lots of hair to pull out?)? How do I test it?

If anyone can point me in the right direction, I'd be grateful. I've tried google and it throws up essays broken down into essays broken down into essays that could take me an entire week to read, let alone understand - which isn't practical as they want it yesterday (at least that's how it seems).

Question by: Vampireofdarkness
    LVL 6

    Accepted Solution

    Unfortunately for you, your policies must be legally compliant, which is why there is so much reading involved.

    Have a look at this site, which deals with security policies (and AUPs) for different verticals.

    It also depends on what international jurisdiction you are in, so in Europe you will have to be BASLE II compliant for a financial services company, but if you trade on US markets, you may also need to be SOX compliant. This is an extremely complex issue; I would draw up a draft probably on the recommendation of SANS - they also have some webcasts on same.

    The SANS website has policy templates which are quite good - also some webcasts on same.

    Ideally, you will need your compliance department / legal representative to validate your documentation.

    LVL 9

    Author Comment

    Ok.. that makes sense I guess.

    So if I get it wrong, there could be legal implications? I also have to work to be compliant to BASLE II (I'm in UK/Europe) which I've never heard of?

    Oh, there is no compliance department, and no legal representative. I don't know why they pay some guy thousands more than me to do networks, and more than I earn in a year to send another on a networking course to get me to write this. /sigh

    I'll take a read of those sites and get back to you. I have a feeling I'm just going to have to throw in the towel and tell them to do it themselves.
    LVL 6

    Expert Comment

    If you're not trading, you might not need to be BASLE compliant.
    If it's a school, I don't know what jurisdiction that would come under.
    I'd look at the following:
    Acceptable Usage Policy - relevant for both students and staff
    Internet Access Policy - as above
    Server hardening policy - relevant to IT dept
    DEFO a remote access policy - if you allow it.

    If you are looking at the physical (technical) hardening of servers, that's also to be considered and documented.
    Again, several leads which might help you out:
    below is good for a general baseline, but way short on detail,290042,sid45_gci1069557,00.html

    It would be rude to leave out Microsoft's take on same.

    LVL 2

    Assisted Solution

    Check out these sites. Lots of good info...

    Computer Security Resource Centre - US Gov National Institute of Standards and Technology

    Centre for Internet Security

    Additionally, I think we need to identify what is meant by "Policy"
    In general IT security terms, a policy is a definitive document outlining an organisation's stance with regard to whatever aspect of security that particular policy relates to. An acceptable use policy defines what a user is (and sometimes expressly is not) allowed to do; a wireless policy defines the conditions under which, and the controls required to permit, an acceptable deployment within the organisation.

    In order to be effective, such policies need the backing of management, and need to be supplemented with procedures (i.e. how and when to implement), guidelines (for the low-level how-tos), standards and auditing procedures.

    However - the policy that you are referring to and the words you use... "to be installed on servers" sounds to me like you are referring to a different kind of policy. Under Windows XP, 2000 and 2003, you can use the policy editor to create a local security policy to lock down the server. You can define a single policy for all servers and then push it out automatically using group policy, or install it manually with a couple of mouse clicks. This policy controls password strength, disabled services, account lockout, etc. Whilst these details too should be expressly defined and documented with due diligence, they can also be used quickly and easily to ensure a basic level of compliance across the network (provided they don't break anything!)
    If this is what you are referring to, there are already a few policies created on the CIS website that you can download and check out. Make sure you review the settings and test first to ensure they don't break anything.

    Details can be found here

    And here (for 2000):

    And here (for 2003):

    I would also question the need for Basel-II compliance. If the organisation does need to be compliant, then responsibility for failure to comply goes all the way to board level, so it would be in the organisation's best interests to put suitable money and expertise into developing a compliant framework. It's management who will be held accountable for negligence, or at least lack of due diligence, in the event of a significant security breach.

    LVL 9

    Author Comment

    Points double and will be split evenly.

    I decided to just throw in the towel and give up. A few days of reading and still not having much of an idea where to start is more than enough for me. The main problem was trying to find/produce one that was relevant to 7 year old children and IT illiterate school teachers, as opposed to big corporations (like all the examples and literature I found).

    by "install with the servers" I meant implement - lay down the policy at the same time as the installation, or prior to.

    Thanks for your time
    LVL 2

    Expert Comment

    No worries Vampire. I've been there before.

    The MS windows stuff is pretty easy to implement though if that's what yr running.
    Here's a quick and dirty example of how it's done. You can do this on yr own XP machine to test and just modify whatever details you want to change. No need for written policies etc...just apply the policy on a server and it will be enforced.

    It's up to you whether you want to muck around any more though.

    LVL 6

    Expert Comment

    Your school principal should be able to get the sort of information you are looking for from your local teachers' association / union - if it is in fact a policy doc you are after.
    If it is simply locking down servers, go ahead and use any of the suggestions above - the server hardening process isn't difficult at all.

    Best of luck.
    LVL 2

    Expert Comment

    Just to clarify:

    "You can do this on yr own XP machine to test and just modify whatever details you want to change. No need for written policies etc...just apply the policy on a server and it will be enforced."

    I mean you can test it through XP, but any actual real changes should be done on the appropriate OS - don't recommend applying an XP template to a server.

    Probably obvious... but thought I'd mention it if you do decide to check it out.

    Have fun.
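The local security policy workflow the two comments above describe (define the password and lockout settings once as a template, check a machine against it first, and only then apply it, on the server OS the template was written for) as an added PowerShell example. This is not code from the thread or from any of the sites it links; it assumes an elevated prompt, that secedit.exe is on the PATH (it ships with Windows), and that the baseline values are illustrative placeholders to be replaced by whatever the school's written policy settles on.

```powershell
# Added example, not from the original thread. Compares a baseline security
# template (secedit .inf format) against the policy currently in force on this
# machine and reports drift. Applying is left as a separate, explicit step.
# Assumptions: elevated PowerShell; secedit.exe on the PATH; baseline values below
# are placeholders chosen for illustration, not a recommendation for any school.

$workDir  = Join-Path $env:TEMP 'policy-check'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$baseline = Join-Path $workDir 'baseline.inf'
$current  = Join-Path $workDir 'current.inf'

# 1. Baseline template. Only [System Access] (password strength, history, age,
#    account lockout) is compared here; other sections use their own line syntax.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
MaximumPasswordAge = 90
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
'@ | Set-Content -Path $baseline -Encoding Unicode

# 2. Export the policy that is actually in force right now (read-only step).
secedit /export /cfg $current | Out-Null

# Parse the [System Access] section of a template into a hashtable.
function Get-SystemAccess([string]$Path) {
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

# 3. Report every baseline setting the machine does not already match.
$want  = Get-SystemAccess $baseline
$have  = Get-SystemAccess $current
$drift = 0
foreach ($key in ($want.Keys | Sort-Object)) {
    if ($have[$key] -ne $want[$key]) {
        $drift++
        "{0,-22} current={1,-8} baseline={2}" -f $key, $have[$key], $want[$key]
    }
}
"$drift setting(s) differ from the baseline."

# 4. Apply only after the report looks right, and only on the server OS the
#    template targets (an XP-tested template is not copied onto a server).
# secedit /configure /db "$workDir\baseline.sdb" /cfg "$baseline" /areas SECURITYPOLICY
```

Running the script on a test machine gives the "review the settings and test first" step from the earlier answer: the report shows exactly which settings would change before anything is enforced, and the commented-out `secedit /configure` line is the deliberate apply step for the server itself.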
    LVL 9

    Author Comment

    I don't actually attend or work at the school. I work for an IT for schools company, so the policy would have needed to not be school-specific. I think it was more so our network guy can sit back and relax knowing that whatever problems happen at a school, he can just say "that's against policy, not our problem" and/or pass it on to me.
