Practical Connection Assignment: Create User Policy
Learning Objectives and Outcomes
- Create a report detailing user access policies based on research.
- Explain the details of user policy creation in organizations.
ScenarioYou work for a large, private health care organization that has server, mainframe, and RSA user access. Your organization requires identification of the types of user access policies provided to its employees. Sean, your manager, just came into your office at 6:00 p.m. on Friday and asks you to write a report detailing these user access policies. He needs you to research a generic template and use that as a starting point from which to move forward. He wants you to complete this task over the weekend as he has just been given a boatload of tasks in the management meeting which ended a few minutes ago. He is counting on you to take some of the load off his shoulders. The report is due to senior management next week. Assignment RequirementsChoose only (1) SANS template of your choice that is attached within the assignment, fill out throughly.You will be graded on quality of content in addition to the baseline template and the use of APA references. The last page before the References “Project Summary” section, will summarize why you chose to work on that specific template and account for some of the high-level objectives you plan to present to Sean on your next meeting.
. Required Deliverables SAN Template
Be Sure to include a section with APA ReferencesSubmission Requirements
- Format: Microsoft Word
- Font: Times New Roman, 12-Point, Double-Space
- Citation Style: APA
- Length: 4–6 pages
Consensus
Policy
Resource Community
Security Response Plan Policy
Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy, please send email to
policy-resources@sans.org
.
Last Update Status: Updated June 2014
1 Overview
A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines. By requiring business units to incorporate an SRP as part of their business continuity operations and as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation ensues.
2 Purpose
The purpose of this policy is to establish the requirement that all business units supported by the Infosec team develop and maintain a security response plan. This ensures that security incident management team has all the necessary information to formulate a successful response should a specific security incident occur.
3 Scope
This policy applies any established and defined business unity or entity within the
Policy
The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific business unit for whom the SRP is being developed in cooperation with the Infosec Team. Business units are expected to properly facilitate the SRP for applicable to the service or products they are held accountable. The business unit security coordinator or champion is further expected to work with the
4.1 Service or Product Description
The product description in an SRP must clearly define the service or application to be deployed with additional attention to data flows, logical diagrams, architecture considered highly useful.
4.2 Contact Information
The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).
4.3 Triage
The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.
4.4 Identified Mitigations and Testing
The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.
4.5 Mitigation and Remediation Timelines
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to level of severity determined for the reported vulnerability.
5 Policy Compliance
5.1 Compliance Measurement
Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.
5.2 Exceptions
Any exception to this policy must be approved by the Infosec Team in advance and have a written record.
5.3 Non-Compliance
Any business unit found to have violated (no SRP developed prior to service or product deployment) this policy may be subject to delays in service or product release until such a time as the SRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an SRP
6 Related Standards, Policies and Processes
None.
7 Definitions and Terms
None.
8 Revision History
Date of Change | Responsible | Summary of Change |
June 2014 | SANS Policy Team | Updated and converted to new format. |
SANS Institute 2014 – All Rights Reserved Page 3
Consensus Policy Resource Community
Employee Internet Use Monitoring and Filtering Policy
Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy, please send email to
policy-resources@sans.org
.
Last Update Status:
Retired
1. Overview
See Purpose.
2. Purpose
The purpose of this policy is to define standards for systems that monitor and limit web use from any host within
3. Scope
This policy applies to all
This policy applies to all end user initiated communications between
4. Policy
4.1 Web Site Monitoring
The Information Technology Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP Address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet Use records must be preserved for 180 days.
4.2 Access to Web Site Monitoring Reports
General trending and activity reports will be made available to any employee as needed upon request to the Information Technology Department. Computer Security Incident Response Team (CSIRT) members may access all reports and data if necessary to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the CSIRT upon written or email request to Information Systems from a Human Resources Representative.
3.3 Internet Use Filtering System
The Information Technology Department shall block access to Internet websites and protocols that are deemed inappropriate for
· Adult/Sexually Explicit Material
· Advertisements & Pop-Ups
· Chat and Instant Messaging
· Gambling
· Hacking
· Illegal Drugs
· Intimate Apparel and Swimwear
· Peer to Peer File Sharing
· Personals and Dating
· Social Network Services
· SPAM
, Phishing and Fraud
· Spyware
· Tasteless and Offensive Content
· Violence, Intolerance and Hate
· Web Based Email
3.4 Internet Use Filtering Rule Changes
The Information Technology Department shall periodically review and recommend changes to web and protocol filtering rules. Human Resources shall review these recommendations and decide if any changes are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering Policy.
3.5 Internet Use Filtering Exceptions
If a site is mis-categorized, employees may request the site be un-blocked by submitting a ticket to the Information Technology help desk. An IT employee will review the request and un-block the site if it is mis-categorized.
Employees may access blocked sites with permission if appropriate and necessary for business purposes. If an employee needs access to a site that is blocked and appropriately categorized, they must submit a request to their Human Resources representative. HR will present all approved exception requests to Information Technology in writing or by email. Information Technology will unblock that site or category for that associate only. Information Technology will track approved exceptions and report on them upon request.
5. Policy Compliance
5.1 Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6 Related Standards, Policies and Processes
None.
7 Definitions and Terms
The following definition and terms can be found in the SANS Glossary located at:
https://www.sans.org/security-resources/glossary-of-terms/
· Peer to Peer File Sharing
· Social Networking Services
· SPAM
· Phishing
· Hacking
8 Revision History
Date of Change | Responsible | Summary of Change |
July 2014 | SANS Policy Team | Converted to new format and retired |
SANS Institute 2014 – All Rights Reserved Page 1
Consensus Policy Resource Community
Remote Access Policy
1. Overview
Remote access to our corporate network is essential to maintain our Team’s productivity, but in many cases this remote access originates from networks that may already be compromised or are at a significantly lower security posture than our corporate network. While these remote networks are beyond the control of Hypergolic Reactions, LLC policy, we must mitigate these external risks the best of our ability.
2. Purpose
The purpose of this policy is to define rules and requirements for connecting to
3. Scope
This policy applies to all
4. Policy
It is the responsibility of
General access to the Internet for recreational use through the
Authorized Users will not use
For additional information regarding
4.1 Requirements
4.1.1 Secure remote access must be strictly controlled with encryption (i.e., Virtual Private Networks (VPNs)) and strong pass-phrases. For further information see the Acceptable Encryption Policy and the Password Policy.
4.1.2 Authorized Users shall protect their login and password, even from family members.
4.1.3 While using a
4.1.4 Use of external resources to conduct
4.1.5 All hosts that are connected to
4.1.6 Personal equipment used to connect to
5. Policy Compliance
5.1 Compliance Measurement
The Infosec Team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager.
5.2 Exceptions
Any exception to the policy must be approved by Remote Access Services and the Infosec Team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6 Related Standards, Policies and Processes
Please review the following policies for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of
· Acceptable Encryption Policy
· Acceptable Use Policy
· Password Policy
· Third Party Agreement
· Hardware and Software Configuration Standards for Remote Access to
7 Revision History
Date of Change | Responsible | Summary of Change |
June 2014 | SANS Policy Team | Updated and converted to new format. |
April 2015 | Christopher Jarko |
Added an Overview; created a group term for company employees, contractors, etc. (“Authorized Users”); strengthened the policy by explicitly limiting use of company resources to Authorized Users only; combined Requirements when possible, or eliminated Requirements better suited for a Standard (and added a reference to that Standard); consolidated list of related references to end of Policy. |
SANS Institute 2014 – All Rights Reserved Page 3