Writing Information Security Policies--Appendix B (Resources)

Writing Information Security Policies
Appendix B: RESOURCES

These resources are a collection of links that point to web sites, documents, and other information that you may find helpful in developing information security policies and managing your organization's information security program. Security information can come from a variety of places. These links point to many different types of sources that include many commercial, non-profit, government, and "underground" resources. Use them to understand their unique perspectives on information security.

[Incident Response Teams]   [Other Incident Response Information]   [Virus Protection]
[Vendor-Specific Information] [Security Information Resources]   [Security Publications]
[Industry Consortia and Associations] [Hacker and "Underground" Organizations]   [Survivability]
[Health Insurance Portability and Accountability Act] [Cryptography Policies and Regulations]   [Security Policy References]

Need more security references? Check out Scott's Recommended Reading List for Security Managers
The commission from all books bought from this list will be donated to cancer research!

Incident Response Teams
The groups listed here provide information about security problems as they become known. In addition to reporting incidents, these groups work with various vendors and user organizations to keep them aware when problems occur. When fixes are available, each individual team reports them. They have their own level of services, which may include archiving of security software (source) and past incident reports.

`Incident Response Team`	`Web Site Link`
CERT Coordination Center (CERT/CC) (sponsored by Carnegie Mellon University's Software Engineering Institute)	http://www.cert.org
National Infrastructure Protection Center (sponsored by the Federal Bureau of Investigation)	http://www.nipc.gov
Computer Incident Advisory Capability (sponsored by the U.S. Department ofEnergy)	http://www.ciac.org/ciac
Federal Computer Incident Response Capability (FedCIRC) (sponsored by the U.S. General Services Administration)	http://www.fedcirc.gov
Australian Computer Emergency Response Team (AusCERT)	http://www.auscert.org.au
The German Research Network Computer Emergency Response Team (DFN-CERT) This site is also available in English.	http://www.cert.dfn.de
InternetStormCenter (from their website) is a virtual organization of advanced intrusion detection analysts, forensics experts and incident handlers from across the globe. (sponsored by The SANS Institute).	http://isc.incidents.org

Top...

Other Incident Response Information
Another place to look for incidents are the services that monitor and disclose bugs in system software. Since many security problems are the result of exploiting bugs, it may be worth monitoring these sites and participating in their mailing lists.

`Incident Response Team`	`Web Site Link`
Bugtraq -- A mailing list tracking bugs from all sources Now hosted by SecurityFocus.com	http://www.securityfocus.com
NT Bugtraq -- Similar to Bugtraq except specific to the Windows NT operating system	http://www.ntbugtraq.com
Common Vulnerabilities and Exposures (sponsored by The MITRE Corporation) CVE aspires to describe and name all publicly known facts about computersystems that could allow somebody to violate a reasonable security policy for that system.	http://cve.mitre.org

Top...

Virus Protection
The following are web site links for most of the major virus protection software vendors. If you are a user of the virus protection program of that vendor, it is highly advisable to bookmark their page and take advantage of their free update services. This will allow you to keep on top of the latest attacks and protect your network. Virus protection is not a trivial task! Keeping up to date on the latest information and having an active virus protection plan is the only way to keep your systems safe. Also, your security plan should include a program that will make everyone aware of the necessity for virus protection and how to be proactive.

`Vendor Lab or Other Resource`	`Web Site Link`
*Virus Bulletin* (online publication, not vendor affiliated)	http://www.virusbtn.com
Computer Associates Virus Information Center (InoculateIT)	http://www.cai.com/virusinfo/
Data Fellows F-Secure Virus Info Center	http://www.datafellows.com/vir-info/
FRISK Software International (F-PROT and F-Stop)	http://www.complex.is
McAfee Anti-Virus Emergency Response Team	http://www.avertlabs.com
Norman Virus Control	http://www.norman.no
ProLand Software Protector Plus	http://www.pspl.com
Sophos Virus Information Center	http://www.sophos.com/virusinfo
Symantec (Norton) AntiVirus Research Center	http://www.symantec.com/avcenter/index.html
TrendMicro Security Info - Virus Encylopedia	http://www.antivirus.com/vinfo/index.htm

Top...

Vendor-Specific Security Information
The following are web site links for each major operating and network systems vendor or user group for security issues about these systems. These are good sites to find vendor-specific fixes for various security problems. Note that Web site addresses prefaced with an asterisk (*) are links directly to corporate home or support pages because that vendor does not provide a specific area for security or provides it on a subscription basis only.

`Vendor`	`Security Web Link or Home Page`
Cisco	*``** http://www.cisco.com/public/Support_root.shtml
Compaq (still available)	*``** http://www.compaq.com/support/default.html
Debian GNU/Linux	http://www.debian.org/security/
FreeBSD	http://www.freebsd.org/security/
Hewlett Packard (US/Canada) (Europe)	*`` http://us-support.external.hp.com/index.html/ ``* http://europe-support.external.hp.com/index.html/
IBM (all products and general info)	http://www.ibm.com/security/
Microsoft	http://www.microsoft.com/security/
Netscape	http://home.netscape.com/security/index.html
NetBSD	http://www.netbsd.org/Security/index.html
Novell	http://www.novell.com/corp/security/
OpenBSD	http://www.openbsd.com/security.html
Red Hat Linux	*``** http://www.redhat.com/support/
The SCO Group's OpenLinux and UnixWare	http://www.sco.com/support/security
Silicon Graphics, Inc.	http://www.sgi.com/support/security/index.html
Slackware Linux	*``** http://www.slackware.com
Sun Microsystems ... and Java	http://sunsolve.Sun.COM/pub-cgi/show.pl?target=security/sec http://java.sun.com/security
S.u.S.E., Inc. (Linux)	http://www.suse.de/de/support/security/index.html
Wind River Systems (including BSDI)	*``** http://www.windriver.com

Top...

Security Information Resources
Following is a list of groups that provide significant Information Security resources. These resources consist of commercial, educational, and government supported programs. The information is free and, for the most part, kept very current.

`Resource`	`Web Site Link`
@Stake Research Laboratories (the former L0pht Heavy Industries )	http://www.atstake.com/research
About.com Network/Internet SecurityForum	http://netsecurity.about.com
CERIAS (Purdue University) for a good list of resorces, visit the CERIAS HotList	http://www.cerias.purdue.edu
CERT Coordination Center (Carnegie Mellon University)	http://www.cert.org
Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the U.S. Department of Justice	http://www.cybercrime.gov
C4I.org - Computer Security and Intelligence	http://www.c4i.org
Computer Security Institute	http://www.gocsi.com
Computer Security Resource Center (sponsored by NIST)	http://csrc.nist.gov
Help Net Security <New>	http://www.net-security.org
Packet Storm	http://www.packetstormsecurity.org
SANS Institute	http://www.sans.org
searchSecurity.com sponsored by the TechTarget Network	http://searchsecurity.techtarget.com/
Security Industry Association	http://www.securitygateway.com
Security Portal	http://www.securityportal.com

Top...

Security Publications
These are printed magazines whose content is geared toward the information security professional. See their sites for subscription information.

`Publication`	`Web Site Link`
*Information Security*	http://www.infosecuritymag.com
*SC: Information Security Magazine*	http://www.scmagazine.com

Top...

Industry Consortia and Associations
There have been many attempts to bring people and organizations togetherin order to promote information security amongst the masses. This is alist of some of those organizations that have been particularly activearound the time this section was last edited.

`Organization`	`Web Site Link`
Chief Information Officers (CIO) Council	http://www.cio.gov
CIO Institute	http://www.cio.org
Forum of Incident Response Teams	http://www.first.org
Information Security Forum	http://www.securityforum.org
Internet Security Alliance	http://www.isalliance.org

Top...

Hacker and "Underground" Organizations
Not every hacker is a bad person. Not every "underground" organization is looking to take over the cyber world. However, I have found that the information on many of these sites are posted quicker than on so-called legitimate sites and many times they describe the exploit better. Security professionals can learn a lot by reading the information these groups provide. I am not passing judgment on what these may groups do with the information or how they obtain it. The sites here are a sample of those I read on a regular basis.

`Organization`	`Web Site Link`
2600: The Hacker Quarterly	http://www.2600.com
ATTRITION	http://www.attrition.org
Cult of the Dead Cow	http://www.cultdeadcow.com
DefCon (Hacker's Conference)	http://www.defcon.org
Digital Information Society	http://www.phreak.org
Hacker's Home Page	http://www.hackershomepage.com
Security Bugware	http://oliver.efri.hr/~crv/security/bugs/list.html
unix / net / hack page	http://www.unix.geek.org.uk/~arny/

Top...

Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) authorized the Secretary of Health and Human Services (HHS) to develop security and privacy standards to protect electronic healthcare information. The security and privacy standard were to cover processed, stored, and transmission of this data to prevent inadvertent or unauthorized use or disclosure of an individual's health information. The security and transaction standards were release in August 2000 and the privacy standards in April 2001. The healthcare industry has two years to bring their systems into compliance with HIPAA's regulations. Some HIPAA resources are as follows:

`Resource`	`Web Site Link`
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Page from the U.S. Department of Health and Human Services Health Care Financing Administration	http://www.hcfa.gov/hipaa/hipaahm.htm
Phoenix Health Systems, a consulting firm specializing in heathcare information systems, sponsor this web site with comprehensive resources on HIPAA and HIPAA compliance.	http://www.hipaadvisory.com
HIPAA Security Policy Development: A Collaborative Approach, by Miles M. Sato from the SANS Institute Reading Room, April 30, 2001	http://www.sans.org/infosecFAQ/policy/HIPAA_policy.htm

Top...

Survivability
"Survivability is the ability of a network computing system to provide essential services in the presence of attacks and failures, and recover full services in a timely manner," according to the research at Carnegie Mellon University, the center of survivability research. The research into survivable systems is interesting because it attempts to move security past the accepted paradigm of building walls and creating passages through those barriers by concentrating on the business functions the system is supposed to support. The following links provide more information:

Although there are others working on survivability research, the primary work is being initiated by the Software Engineering Institute, at Carnegie Mellon University. You can read about their research and details of their survivability program at http://www.cert.org/nav/index_purple.html.

The Univeristy of Virginia Department of Computer Science also has performed a lot of resarch into survivability through its Center for Survivable Information Systems. Their web site (found at http://www.cs.virginia.edu/~survive/) gives the reader another insight into how surviviability fits into critical infrastructure protection.

Security By Itself May Not Be Enough - An Overview of the Discipline of System Survivability, by John Price (May 10, 2001) clearly explains survivability and its role in information security clearly and in a manner that could be understood by a less-than technical manager. The article is published in the SANS Information Security Reading Room and can be found at http://www.sans.org/infosecFAQ/securitybasics/not_enough.htm.

Top...

Cryptography Policies and Regulations
Encryption is the only area of computing that is regulated through laws, policies, and treaties. Historically, all cryptography tools have been governed under the same rules as armaments. Under these rules, there is no difference between an anti-ballistic missile and the encryption that goes into protecting e-commerce transactions. In the United States, there are few rules regarding the import of encryption products and US users can use cryptography as they see fit. The problem comes when organizations require encryption to secure transmission with overseas offices. Even with the relaxing of regulations, exporting cryptography can still present a problem.

In the United States, Export controls on commercial encryption products are administered by the US Department of Commerce, Bureau of Export Administration, Office of Strategic Trade and Foreign Policy Controls, Information Technology Controls Division. Rules governing exports of encryption are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774. More information can be found at http://www.bxa.doc.gov/Encryption/Default.htm.

The Wassenaar Arrangement (WA) is an agreements amongst 33 countries to controlexports for general arms and dual-use goods and technologies. One of those technologies are cryptography products. The web site for this agreement provides the basic rules and regulations of agreeing nations and contact information. You can find more information at http://www.wassenaar.org.

Other good sources of information can be found at:

`Resource`	`Web Site Link`
US Department of Justice FAQ on Encryption Policy	http://www.cybercrime.gov/cryptfaq.htm
Crypto Law Survey by Bert-Jaap Koops	http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
Security and cryptography expert Matt Blaze of AT&T Laboraties "Cryptography Resources on the Web"	http://www.crypto.com
Counterpane Labs, run by security and cryptography expert Bruce Schneier	http://www.counterpane.com/labs.html

Top...

Security Policy References
The following are references to various online resources that can be used to further assist in the writing of Information Security Policies.

Internet Engineering Task Force relevant Request for Comments (RFC) are avaiable from the RFC Editor at http://www.rfceditor.org

`RFC Number`	`Document Description`	`Link to Document`
RFC 2196	Site Security Handbook B. Fraser, Editor, SEI/CMU September 1997	ftp://ftp.isi.edu/in-notes/rfc2196.txt
RFC 2504	Users' Security Handbook E. Guttman (Sun Microsystems), L. Leong (COLT Internet), G. Malkin (Bay Networks) February 1999	ftp://ftp.isi.edu/in-notes/rfc2504.txt
RFC 2828	Internet Security Glossary R. Shirey GTE/BBN Technologies May 2000	ftp://ftp.isi.edu/in-notes/rfc2828.txt
RFC 3013	Recommended Internet Service Provider Security Services and Procedures T. Killalea neart.org November 2000	ftp://ftp.isi.edu/in-notes/rfc3013.txt

The SANS Institute Reading Room has a lot of individual articles that focus on several areas of Information Security Policy Development. The articles range from helpingthe reader defining policy to working through implementation and validation details. These documents can be found at http://www.sans.org/infosecFAQ/policy/policy_list.htm.

AusCERT Site Security PolicyDevelopment, Rob McMillan, ftp://ftp.auscert.org.au/pub/auscert/papers/Site.Security.Policy.Development.txt

A good example of a policy written for a university can be found at the University of California at Davis. Read their policy at http://security.ucdavis.edu/policies.

National Institute of Standards and Technolgy (NIST) maintains the security standards used by civilian agencies. The Guide for Developing Security Plans for Information Technology Systems, Special Publication 800-18 (SP 800-18), provides guidance to U.S. government agencies for developing security plans. SP 800-18 helps agencies comply with the regulations set forth by the Office of Management and Budget (OMB) Circular A-130 (Management of Federal Information Resources) Appendix III (Security of Federal Automated Information Resources). Those working with the US government on information security should read these documents to understand the agency's regulatory requirements. A copy of these documents can be found at:

`Document`	`Link to Document`
NIST SP 800-18	http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF
OMB Circular A-130 Appendix III	http://www.whitehouse.gov/omb/circulars/a130/a130appendix_iii.html

Although the National Aeronautics and Space Administration (NASA) is not a civilian agency, there is a good example of a security plan for one of their projects. You can read the NASA Integrated Services Network (NISN) Project Security Plan (July 1998) at http://www.nisn.nasa.gov/Doc_Repos/secplan.html.

Security policies and baseline standards are useless unless they are widely implemented. How you achieve this will determine the success of your policies. This site from Security Risk Associates (of the UK) has a number of articles that discusses these issues. You can find them at http://www.security.kirion.net/securitypolicy.

Top...

Writing Information Security Policy's Home Page...

Scott's Home Page...

All questions, comments, and corrections may be mailed to the author at wisp@barman.ws

Last update: August 17, 2003