The Security Pub

Random Thoughts About Security

4 Steps To Managing Your Security Documents

**UPDATE** I shared this post on InfoSec Island and a member commented on it with a link to a post on the Awareity Lessons Learned Blog. Check out that post, as it talks about a vital step in this process that I failed to cover: the “Implementation Step” - Blog Post, What is a “Failure to Implement”?

What is document management? It seems pretty straightforward, but many people have looked at me cross-eyed when I’ve used the term, and some have come right out and said “What do you mean, document management?” There are many document management systems out there, both proprietary and open-source. Before I talk about systems we need to understand the process. Document management isn’t just storing documents; it’s a process of reviews, approvals, storage and communication. So let’s dissect these processes.

Reviews: Reviewing documentation is a key step in ensuring the accuracy of the content. You may not always be an expert on the topic you are writing about, so when writing documentation it’s important to obtain feedback from the reading audience or intended users. Feedback could be someone stating that a step is missing, or even that the document was not written in enough detail, or was too detailed.

Approvals: Most organizations require that policies, standards and sometimes procedures be approved. Approval is also very important because it helps with enforcement from the top down. If an employee writes up a new procedure on how to do something and just sends it to the team, it is very unlikely that it will be implemented by all members. However, if the procedure is approved by management it’s more likely to be implemented and used by all members of the team.

Communication: This step is where a lot of organizations struggle. How in the world can an organization expect someone to follow policies if it doesn’t notify the user base when one is created, modified or retired? You must communicate with the users in order to ensure that they are aware of the documents.

Storage: Last, but also very important to the integrity of the documentation, is how we store these documents securely while still making them available to the appropriate user communities. When storing company policy documents you should have a source file (normally a Word document) and a published version (normally a PDF document). The source files should be stored in a secure location, restricted so that only the author and document owner have access, and the PDF should then be made available to the user community that needs to read the documents.

Now that you have the process, I will share some products that will help your implementation of a sound document management program. Storing the source files can be as simple as file shares on your network with proper security controls restricting access to the shares. Microsoft’s SharePoint is also a very good solution for document management, with a lot of features that may or may not be used. With SharePoint you can perform the entire process, from reviews and approvals to communication and storing both source files and public files. Microsoft has different versions of SharePoint, including a free version called WSS. With WSS you lose some features, but the entire document management process can still be performed. Another solution, depending on your organization, could be utilizing your development team to develop an online document repository with a database back-end and a web front end.

There are many, many systems for document management, so just do your research on the system to ensure that it supports your processes. So many times organizations buy a solution before they understand their own processes. That’s a whole other topic to blog about :) , but “Solutions are not always resolved with Technology”.

Please comment with other solutions that have worked in your environment, and/or suggestions or questions regarding document management.

InfoSec-Policy Based Management System

In an earlier post I gave some Tips for Writing Information Security Policies. I’d like to continue with this topic and provide a framework that will hopefully make it easier for you to develop all the policies, standards & procedures needed for an Information Security Program.

There are many different ways to approach policy documentation. What I have found to be the most effective for users, auditors & management to read and understand is to create a separate policy, standard and procedure for each topic. Let me explain using the example “Password Policy”.

[Figure: PBMS Pyramid]

So at the top of the pyramid there is Policy. This is the overall policy that gives the “marching orders” to your users; policies should not change that often. Using our example of the Password Policy, a policy statement might be:

  • Passwords must be complex.

Next there are Standards. This document lists out the technical details that support the policy. Using our example, the standard may be:

  • Passwords must be 8 characters long & contain upper case, lower case, number, symbol.

Following standards are Procedures. Your procedures are basically “How To’s”; creating these documents can be beneficial in cutting down support calls on how to do certain tasks. Again using our example of the password policy, one procedure document could be:

  • Changing Passwords

Finally there is what I call Supporting Documentation. Basically, these documents are forms or checklists. Supporting documentation may not be needed for each topic covered, but could be helpful for users that are required to follow these documents.

Okay, you’re probably thinking WOW, this guy just quadrupled my documentation! Well, it does, however once this project is underway it really does make sense and enables you to manage documentation more effectively.

If you document everything in one big document, that document will probably include policies, standards, and maybe some procedures. As I said earlier, policies shouldn’t change that often, however standards can change fairly regularly. So if you change one item in your large document that contains all IT Policies & Standards, you now have to get that entire document approved again (which could take a while, depending on who first approved the document). However, if you had one standards document for that specific topic, the approver would only need to review and approve that one item, not the policy or the other policies and standards that don’t even apply to what was modified.

Using our example you might have the following for Passwords.

  • Password Policy – CIO or Sr. Management approval, depending on the organization
  • Password Standards – Sr. Management approval, depending on the organization
  • Password Procedures – Department Manager or Team Lead approval, depending on the organization

I have used this framework many times to help develop IT Policies, Standards and Procedures for corporate IT departments with great success. In my next post regarding IT Documentation (Policies) I will talk about Document Management. If you have comments or questions please post a comment.

Sun Tzu quotes from The Art of War compared to Information Security

I just finished up this great book, The Art of War, by Sun Tzu. There are many different versions; the one I read was “The Art of War for Managers; 50 Strategic Rules”. I wanted to share some quotes from Sun Tzu and how I think they tie to Information Security.

Quote: The skilful General does not raise a second levy, neither are his supply wagons loaded more than twice. Once war is declared he will not waste precious time in waiting for reinforcements, nor will he turn his army back for fresh supplies, but crosses the enemies’ frontier without delay.

My Thoughts: Assuming that organizations have their planning right, they will be prepared for a wide range of attack vectors. However, the attacks will be distributed, unannounced & rapid. So it’s important that organizations balance the amount of effort that is put into repelling attacks with the outcome the organization needs.

Some of the attacks will be unexpected, so organizations must assume that some of their security standards may fail as a result. If the whole premise of survival is only defense, and the organization therefore relies on the cyber equivalent of holding the proverbial City walls, there are really only two probable outcomes:

the walls hold and their position is sustained; or the walls collapse and they are overrun.

Most of the advice I have read on approaches to cyber-security commonly says that, when attacked, organizations should not break the law themselves in responding to the attack. This advice could be construed as only allowing the holding of the City wall. So maybe it is time that organizations actively discuss responses to cyber-attack that are not just defense but are active or offensive.

Quote: The experienced soldier, once in motion, is never bewildered; once he has broken camp, he is never at a loss. Hence the saying; If you know your enemy and you know yourself, your victory will not stand in doubt; if you know heaven and know earth, you make your victory complete.

My Thoughts: Security attacks are executed across a very broad range of terrain, including hardware platforms, operating systems, networks, communications protocols and applications. If organizations are not aware of all aspects of their critical systems they may be disoriented when responding to security incidents.

Many organizations use outsourcing to manage and run much of the organization’s “terrain”. The nature of their contractual agreements and service level agreements may not cover their roles and responsibilities in dealing with security attacks. For example, some organizations have experienced a situation in which their outsourcing partner agreed to a set of availability targets and, during a security attack, had to continually delete firewall logs to keep the firewalls online and to meet the organization’s availability target.

The impact of this action was to destroy a critical piece of evidence needed to identify the attacker and, secondly, prosecute them. In an increasingly outsourced world, organizations must make special efforts to ensure that they know the full extent of their terrain.

Quote: Knowledge of the enemy’s disposition can only be obtained from other men. Knowledge of the spirit world is to be obtained by the divination; information in natural science may be sought by inductive reasoning; the laws of the universe can be verified by mathematical calculations; but the dispositions of the enemy are ascertainable through spies and spies alone.

My Thoughts: The cyber equivalent of spies is covert malware like Trojans and rootkits. The popularity of this type of code in spam attachments and on infected websites is increasing dramatically.

US-CERT Warns About Free Blackberry App

The U.S. Computer Emergency Readiness Team warned BlackBerry users on Tuesday about a new program called PhoneSnoop that allows someone to remotely eavesdrop on phone conversations.
The PhoneSnoop application must be installed on the phone by someone who has physical access to it or by tricking the user into downloading it, the CERT advisory said.

Beware: Malicious Facebook Password Spam

Be on the lookout for a large-scale spam attack that uses fake Facebook password-reset messages to trick users into downloading dangerous malware. The malicious executable is linked to the Bredolab botnet, which has been tied to massive spam runs and identity-theft related attacks.

Below is a sample of the Facebook password-reset message being seen in e-mail inboxes today.

[Image: sample Facebook password-reset spam message]

According to Websense, the address of the sender is spoofed to display “support@facebook.com,” a technique commonly used to trick targets into believing it’s a legitimate e-mail from the popular social network.

The messages contain a .zip file attachment with an .exe file that connects to two servers to download additional malicious files and joins the Bredolab botnet, which means the attackers have full control of the PC and can, for example, steal customer information or send spam e-mails. One of the servers is in the Netherlands and the other in Kazakhstan.

Book Review: Sun Tzu’s The Art of War

I have finished reading “The Art of War” by Sun Tzu, and below is the last quote and how I see it from an Information Security point of view.

The Use of Spies

Knowledge of the enemy’s disposition can only be obtained from other men. Knowledge of the spirit world is to be obtained by the divination; information in natural science may be sought by inductive reasoning; the laws of the universe can be verified by mathematical calculations; but the dispositions of the enemy are ascertainable through spies and spies alone.

The cyber equivalent of spies is covert malware like Trojans and rootkits. The popularity of this type of code in spam attachments and on infected websites is increasing dramatically. If our enterprises become the subject of specifically targeted attacks (that are less likely to be detected by generic detection tools) we cannot be assured of the trustworthiness of our critical systems. The impact of this uncertainty is clearly critical.