Creating a Security Policy


A comprehensive security policy is fundamental to an effective information security program, providing a firm basis for all activities related to the protection of information assets. In creating their policies, organizations take one of two basic approaches: that which is not expressly prohibited is allowed, or that which is not explicitly allowed is prohibited. The chosen approach is usually reflective of the organization's overall culture.

www.syngress.com

Introduction to Security and Firewalls • Chapter 1 9

Figure 1.1 shows a hierarchical security model. Each layer builds on the ones beneath it, with security policies serving as the foundation. An organization that implements security tools without defining good policies and architecture is likely to encounter difficulties.


Developing a Comprehensive Security Policy

A good security policy addresses the following areas:

• Defines roles and responsibilities
• Defines acceptable use of the organization's computing resources
• Serves as a foundation for more specific procedures and standards
• Defines data sensitivity classifications
• Helps prevent security incidents by making clear management's expectations for protecting information
• Provides guidance in the event of a security incident
• Specifies consequences of noncompliance

Designing & Planning…

Figure 1.1 Security Hierarchy (figure not reproduced; layer labels, from the foundation upward)
Layer 1: Policies and Standards
Layer 2: Architecture and Processes
Layer 3: Awareness and Training
Layer 4: Technologies and Products
Layer 5: Auditing, Monitoring, and Investigating
Validation


Creation of the security policy is guided by management's level of trust in the organization's people, de facto processes, and technology. Many organizations resist formalizing their policies and enforcing them, since they do not want to risk damaging their familial and trusting culture. When a security incident occurs, however, these organizations discover that they might have little or no guidance on how to handle it, or that they do not have a legal foundation to prosecute or even dismiss an employee who breaches security. Others follow a command-and-control model and find that defining policies fits right into their culture. These organizations, however, could wind up spending a great deal of money to enforce controls that provide little incremental reduction in risk and create an oppressive atmosphere that is not conducive to productivity. For most organizations, a middle approach is best, following the adage "Trust, but verify."

The policy creation process might not be easy. People have very different ideas about what policies represent and why they are needed. The policy should strive to achieve a compromise among the various stakeholders:

• Executive managers
• Internal auditors
• Human resources
• IT staff
• Security staff
• Legal staff
• Employee groups

As you can see, some level of buy-in from each of these stakeholder groups is necessary to create a successful policy. Particularly important is full support from executive management. Without it, a security policy will become just another manual collecting dust on the shelf. Employees need to see that management is behind the policy, leading by example.

Once a representative policy development team has been put together, its members should begin a risk-assessment process. The result of this effort is a document that defines how the organization approaches risk, how risk is mitigated, and the assets that are to be protected and their worth. The policy should also broadly define the potential threats that the organization faces. This information will be a guideline to the amount of effort and money that will be expended to address the threats and the level of risk that the organization will accept.


The next step is to perform a business needs analysis that defines information flows within the organization as well as information flowing into and out of it. These flows should each have a business need defined; this need is then matched with the level of risk to determine whether it will be allowed, allowed with additional controls, or restricted.
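The following is an added illustration, not code from the book, of how the two policy stances introduced at the start of this section (not expressly prohibited is allowed, versus not explicitly allowed is prohibited) interact with the business needs analysis just described. The flow names, the need and risk levels, and the decision matrix are all constructed for the example; an organization's own risk-assessment document would define the real cells.

```python
from dataclasses import dataclass

# Outcomes of the business needs analysis.
ALLOW = "allowed"
ALLOW_WITH_CONTROLS = "allowed with additional controls"
RESTRICT = "restricted"


@dataclass(frozen=True)
class Flow:
    name: str           # e.g. "branch office -> payroll database"
    business_need: str  # "essential", "useful" or "none" (no need documented)
    risk: str           # "low", "medium" or "high" from the risk assessment


# Hypothetical decision matrix: documented business need vs. assessed risk.
DECISION = {
    ("essential", "low"): ALLOW,
    ("essential", "medium"): ALLOW_WITH_CONTROLS,
    ("essential", "high"): ALLOW_WITH_CONTROLS,
    ("useful", "low"): ALLOW,
    ("useful", "medium"): ALLOW_WITH_CONTROLS,
    ("useful", "high"): RESTRICT,
}


def decide(flow: Flow, default_deny: bool = True) -> str:
    """Match a flow's business need against its risk level.

    A flow with no documented business need falls through to the policy's
    default stance: default_deny=True restricts it ("not explicitly allowed
    is prohibited"); default_deny=False allows it ("not prohibited is allowed").
    """
    if flow.business_need == "none":
        return RESTRICT if default_deny else ALLOW
    try:
        return DECISION[(flow.business_need, flow.risk)]
    except KeyError:
        raise ValueError(f"{flow.name}: no decision defined for "
                         f"{(flow.business_need, flow.risk)}") from None


def review(flows, default_deny: bool = True) -> dict:
    """Return {flow name: decision} for every flow under the chosen stance."""
    return {f.name: decide(f, default_deny) for f in flows}


# Constructed sample flows for illustration only.
SAMPLE_FLOWS = [
    Flow("HR staff -> payroll database", "essential", "high"),
    Flow("customers -> public web server", "essential", "low"),
    Flow("workstations -> internet file sharing", "useful", "high"),
    Flow("vendor VPN -> engineering file server", "none", "medium"),
]
```

Running review(SAMPLE_FLOWS) and review(SAMPLE_FLOWS, default_deny=False) shows that only the undocumented vendor flow changes outcome between the two stances, which is why a default-deny culture forces every flow to have its business need written down.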

A good policy has these characteristics:

• States its purpose and what or who it covers
• Is realistic and easy to implement
• Has a long-term focus—in other words, does not contain specifics that will change often
• Is clear and concise
• Is up to date, with provisions for regular review
• Is communicated effectively to all affected parties, including regular awareness training
• Is balanced between protection of assets and ease of use

Probably the most important component of a security policy is the definition of acceptable use. It covers how systems are to be used, user password practices, what users can and cannot do, user responsibility in maintaining security, and disciplinary action if users engage in improper activity. It is essential that all users sign this policy, acknowledging that they have read and understood it. Ideally, users should review the acceptable use policy on an annual basis. This practice helps reinforce the message that security is important.

Finally, an organization's security policy guides the creation of a perimeter security policy (including firewalls), which we cover in a later section.

NOTE

You'll find examples of security policies, including a sample acceptable use policy, on the SANS Security Policy Resource page located at www.sans.org/newlook/resources/policies.