Security Policy

By dcs2
Hello All.
I am a college student and I am trying to create a security policy for a fictional video game software developer. It must include a topology, inventory (software and hardware), usage policies, threat worksheets, mitigation worksheets, etc. I know you all have done this either in your positions or in college.
I am looking for examples and maybe some templates to use in this creation. I would love to hear if you have any ideas where to look for such items.
Thanks Dave

Ok, good idea...

by dawgit In reply to Security Policy

First thing you'll need established is the company infrastructure. The 'What' in what it is you intend to secure. After you have all your needs, and interior structure 'build' (as in a draft) then you can determine to security. (and then we might could help too.)
As it stands now, there is no information to go on to build much of anything. Kind of putting the cart before the horse. It gets expensive that way. (leads to waste) And you don't even have the horse yet.

Didn't want to get too wordy

by dcs2 In reply to Ok, good idea...

I am sorry for the original post not being clear enough. I will try to tell you what I know.
There is 1 Location. Capable of supporting 62 users in these depts. Accounting and Payroll, 4; R&D, 12; Sales and Marketing, 10; Order Processing and Shipping and Receiving, 14; Secretarial and office staff, 4; HR, Upper management, (including the President, Vice President and General Manager), 10; Customer Relations and Support, 6; Technology Support, 2.

1 full t-1 connection
1 Router
1 Ftp/Web Server
1 E-Commerce Server
1 E-mail/Communications Server
1 Application/File/Print Server
1 Management Server
1 Database Server
3 External Firewalls
6 24 Port Ethernet switches
Cat6 UTP Cabling

I need to create a hardware and software inventory (wish list) for all depts. Basically anything needed to supply this Company. (Remember, this company creates and sells video games.)

I need to do a risk analysis including a Business process identification worksheet, using the business process, Department, Assets used, and priority of the process.

I need to do a threat mitigation worksheet, including the asset, threat to that asset, and mitigation technique to protect that asset.

I need an asset identification worksheet to show the asset, how many of that asset, where it is located and its value, and its priority of need.

I need a Threat Identification and Assessment worksheet listing possible threats, the assets affected, consequence of the threat and severity of the threat.

Next I need to build a security policy that covers everything from acceptable use to incident handling down to password policy.

How am I doing so far, have I put anyone to sleep?

Next I need to compare and implement log file analysis tools that will help me to recognize suspicious events from traffic signatures to packet discrepancies.

Ok I will stop here. Remember folks that I am looking for information or templates that will help me to put this thing together.

This is a process in the works like all security policies should be and I will be working on it for another 7 weeks.

Thanks again to all who may be able to contribute
Dave

Try....

by gadgetgirl In reply to didnt want to get too wor ...

using an ISMS template as a basis for the security side.

(Information Security Management System)

The basic ISMS policy forms the "umbrella" of the system, allowing all other security-type policies to "hang" from it (i.e. AU Policy, Incident Investigation Policy, Mobile Equipment Usage Policy, etc.).

If you do a general search on google for ISO 27001 there are some great sites. If you don't want to go *that* far into the security side, you can still make sure you've covered everything by using a basic BS7799 checklist (same: google!)

There is no such thing as a definitive list of policies for security, though, it's all relevant to what you are trying to secure.

If this is a "game selling" company, you'll need a specific "physical" section too, to ensure that none of the games can walk out of the door with your employees......

Hope this helps - let me know if you need anything else on the security side!

GG

Useful links and templates/outlines

by greenjohnsmith In reply to Try....

Here is a list of useful links and templates. I am also in college and have been having a tough time constructing similar reports, mostly due to the awful fact that I have yet to find one complete source for reference. Let us know how the report develops and if any other better sources are found. I am in an information assurance major and will be entering the IA workforce in a couple years. I would really like to see the report when you are done with it if you don't mind sharing.

1) I need to do a risk analysis including a Business process identification worksheet, using the business process, Department, Assets used, and priority of the process
A. Risk Analysis
What is risk? Risk is a statement of probability. It is the probability that a given threat will actually exploit a given vulnerability and cause harm.
http://www.hud.gov/offices/cio/sdm/devlife/tempchecks/ratemplate.doc (Risk analysis template)
http://www.dir.state.tx.us/pubs/framework/gate2/riskplan/template.doc (Risk management plan template)
http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf (9 Steps to risk management)
http://csrc.nist.gov/fasp/FASPDocs/risk-mgmt/RAR_Template_FINAL.doc (Risk assessment report template)
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf (NIST SP800-30 Risk management guide for IT systems)
https://infosec.uga.edu/riskmanagement/index.php (Criticality matrix)
Responses to risk
Acceptance: Agree the risk exists but elect to live with it.
Rejection: Deny the risk exists and do nothing.
Transference: Pass the risk to someone or something else.
Mitigation: Establish countermeasures to reduce risk.
Additional Resources for Risk Analysis/Management:
http://www.ussecurityawareness.org/highres/risk-management.html
http://www.projects.uts.edu.au/resources/templates/RiskPlan.doc (Simple risk management plan)
http://gunston.gmu.edu/healthscience/RiskAnalysis/RiskAnalysis.asp (Risk analysis in healthcare)
http://www.cse.ohio-state.edu/~xuan/courses/551/xuan_part4_1.ppt (Risk management)
B. Business continuity planning (disaster recovery and business impact analysis)
http://www.tasscc.org/presentations/annual_2006/Business_Impact_Analysis.pdf (Cost effective business impact analysis)
http://www.sans.org/reading_room/whitepapers/recovery/?portal=aa8afecd0ac47150653236c8250cba89 (SANS Disaster Recovery Reading Room)

2) I need to do a threat mitigation worksheet, including the asset, threat to that asset, and mitigation technique to protect that asset.
http://www.caci.com/business/ia/threats.html (Computer security threats table)
http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/ipsecapd.mspx#EHC (Threats identified by STRIDE)
http://deneb.cs.kent.edu/~mikhail/classes/os.s03/l23security.PDF (Threats and countermeasures)

3) I need an asset identification worksheet to show the asset, how many of that asset, where it is located and its value, and its priority of need.
Asset valuation
Asset identification
Asset classification
http://www.doit.wisc.edu/security/docs/IT_Assets.pdf (BCP Asset identification worksheet)

4) I need a Threat Identification and Assessment worksheet listing possible threats, the assets affected, consequence of the threat and severity of the threat.
See above for information

5) Next I need to build a security policy that covers everything from acceptable use to incident handling down to password policy.
http://www.sans.org/resources/policies/ (SANS security policy project *Free to use and modify)
http://www.windowsecurity.com/whitepaper/policy_and_standards/Internet_Security_Policy (IT Security policies)

6) Next I need to compare and implement log file analysis tools that will help me to recognize suspicious events from traffic signatures to packet discrepancies.

http://www.loganalysis.org/ (great list of information and a section for log management vendors and user comments on products).
Here is something I wrote up for a course concerning outsourced log/security monitoring, feel free to use it however you want.
All firewalls log information. Reviewing firewall logs first thing in the morning will provide a quick recap of probed ports, unsuccessful logins, suspicious outbound and inbound connections, and attacks against the network among other potential concerns. Information presented in log files is helpful in securing a company's networked infrastructure. When handled properly, logs are usually considered a form of physical evidence and they can show that the network is actually under attack. Monitoring log files daily will provide the capability of determining what a normal and abnormal connection is. Researching abnormal connections provides an organization with the requisite knowledge in order to take further action. In effect, if log files are not analyzed regularly then the organization is missing out on a valuable portion of the entire security picture.
Depending on responsibilities and duties of security staff it may be preferable for some companies to look toward outsourcing the monitoring (and possibly management) of their security devices (firewalls, routers, and IDS/IPS) to a third party. There are a variety of companies that provide real-time log monitoring and management services. Verisign for example has a real-time log management service. Similar to log management, a managed security monitoring (MSM) company is dedicated to the monitoring and sometimes management of other companies' security logs/devices, and therefore, it is probable that the monitoring company employs highly trained, dedicated, and qualified individuals who are expert at monitoring security devices.
Additionally, the MSM is likely subscribed to or a member of various network security update services that provide it with the latest intelligence on threats, vulnerabilities, and tools. Counterpane Internet Security, Inc. calls this resource 'Network Intelligence.' Counterpane is a well-known MSM company with a 24x7x365 MSM solution, which it provides to a wide variety of companies in various industries.
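
The morning firewall-log recap described in the post above, as an added example that is not part of the original thread: it tallies denied inbound ports, flags sources denied on several distinct ports, and lists outbound connections to ports outside a baseline. The key=value log layout, the baseline port set and the scan threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a generic key=value layout (not a vendor format).
SAMPLE_LOG = """\
2024-05-01T02:11:04 action=DENY dir=in src=203.0.113.7 dst=192.0.2.10 dport=22
2024-05-01T02:11:05 action=DENY dir=in src=203.0.113.7 dst=192.0.2.10 dport=23
2024-05-01T02:11:06 action=DENY dir=in src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-05-01T02:15:40 action=DENY dir=in src=198.51.100.9 dst=192.0.2.10 dport=22
2024-05-01T03:02:13 action=ALLOW dir=out src=192.0.2.21 dst=198.51.100.50 dport=443
2024-05-01T03:40:59 action=ALLOW dir=out src=192.0.2.33 dst=203.0.113.80 dport=6667
2024-05-01T04:00:00 malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"action", "dir", "src", "dst", "dport"}
# Assumed baseline of outbound ports considered normal for this site.
NORMAL_OUTBOUND = {25, 53, 80, 123, 443}

def parse(line):
    """Return a dict of fields, or None for a line missing required fields."""
    rec = dict(FIELD.findall(line))
    if not REQUIRED <= rec.keys() or not rec["dport"].isdigit():
        return None
    rec["dport"] = int(rec["dport"])
    return rec

def morning_recap(text, scan_threshold=3):
    probed = Counter()               # denied inbound hits per destination port
    ports_by_src = defaultdict(set)  # distinct ports each source was denied on
    odd_outbound = []                # outbound traffic outside the baseline
    skipped = 0                      # unparseable lines, reported not hidden
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        if rec["dir"] == "in" and rec["action"] == "DENY":
            probed[rec["dport"]] += 1
            ports_by_src[rec["src"]].add(rec["dport"])
        elif rec["dir"] == "out" and rec["dport"] not in NORMAL_OUTBOUND:
            odd_outbound.append((rec["src"], rec["dst"], rec["dport"]))
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return {"probed_ports": probed.most_common(), "scanners": scanners,
            "odd_outbound": odd_outbound, "skipped": skipped}

if __name__ == "__main__":
    for key, value in morning_recap(SAMPLE_LOG).items():
        print(key, value)
```
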

Log Analysis Resources

by haimko In reply to Useful links and template ...

Have a look at http://www.loganalysis.com
A web site dedicated to log analysis tools and information.

IT Security

by gario In reply to Security Policy

You definitely need the inventory: hardware, OS, App software, for all components including the networking ones. A network boundary map with all devices and locations is nice. Also, who are the owners of the data, how is it protected and what acts are you complying with and how you audit. When it comes to policy and such, check this site for starters:

http://csrc.nist.gov/publications/nistpubs/index.html#sp800-37

It's a lot of work and detail. Good Luck!
