Security Policy: US Gov / DoD Examples
By Lance Spitzner
About the Speaker: 8 years of experience in security consulting and research, with a focus on gathering information about threats. Authored Honeypots: Tracking Hackers, co-authored Know Your Enemy, and published numerous security articles.
A security policy defines the rules that regulate how your organization manages and protects its information and computing resources to achieve security objectives (CERT).
OMB Circular A-130, Appendix III mandates:
Establish a set of rules of behavior concerning use of, security in, and the acceptable level of risk for, the system. The rules shall be based on the needs of the various users of the system. The security required by the rules shall be only as stringent as necessary to provide adequate security for information in the system. Such rules shall clearly delineate responsibilities and expected behavior of all individuals with access to the system. They shall also include appropriate limits on interconnections to other systems and shall define service provision and restoration priorities. Finally, they shall be clear about the consequences of behavior not consistent with the rules.
Keep in mind that policies are a living document: they do no good if they do not change as your organization does.
The following notice and consent banner, approved by the DoD General Counsel, may be used on all DoD Web sites with security and access controls. This banner may be tailored by an organization but such modifications shall be approved by the Component’s General Counsel before use.
“This is a Department of Defense Computer System. This computer system, including all related equipment, networks, and network devices (specifically including Internet access) are provided only for authorized U.S. Government use. DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes active attacks by authorized DoD entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information, including personal information, placed or sent over this system may be monitored.
Use of this DoD computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for criminal, administrative, or other adverse action. Use of this system constitutes consent to monitoring for these purposes.”
DoD policy stipulates that all passwords shall:
DoD Web servers that are externally accessed shall be isolated from the internal network of the sponsoring organization. The isolation may be physical, or it may be implemented by technical means such as an approved firewall. The server software will be FIPS 140-2 compliant with all security patches properly installed. Approved DoD security protocols will be used for all Web servers. Additional security measures shall also be employed consistent with the risk management approach and security policy of the individual DoD Web site. Examples of additional measures to be considered include:
To manage the varying risk levels of vulnerabilities, DISA created three different types of vulnerability alerts:
The contractor will provide 24 x 7 intrusion detection monitoring using intrusion detection tools and system audit logs for the system servers, software, database, networks, and firewalls under its control. Daily intrusion detection reports will be submitted to the ISSM for assessment and possible corrective action. In turn, the contractor will take immediate corrective action requested by the ISSM to eliminate system vulnerability or to prevent future intrusion attempts.
Once detected, the failure must be mitigated as soon as possible.
A serious incident report (SIR) will be generated and reported under the following conditions: