Reading Room

Security Policy Issues

Featuring 57 Papers as of January 12, 2021

• Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Centra Analyst Paper (requires membership in SANS.org community)
  by Dave Shackleford - June 29, 2020 

  • Associated Webcasts: Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Centra
  • Sponsored By: Guardicore LTD

  Organizations are taking advantage of digital transformation in their quest to boost agility and shrink infrastructure costs. However, this transformation often comes at a cost: a larger, more complex security attack surface. Guardicore Centra aims to provide a simpler, faster way to reduce attack surfaces and prevent lateral movement in an IT environment via micro-segmentation security policies. In this product review, SANS analyst Dave Shackleford shares his experience of putting Centra through its paces.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Future SOC: SANS 2017 Security Operations Center Survey Analyst Paper (requires membership in SANS.org community)
  by Christopher Crowley - May 16, 2017 

  • Associated Webcasts: SOCs Grow Up to Protect, Defend, Respond: Results of the 2017 SANS Survey on Security Operations Centers, Part 1 Future SOCs: Results of the 2017 SANS Survey on Security Operations Centers, Part 2
  • Sponsored By: Tripwire, Inc. LogRhythm NETSCOUT Systems, Inc. Carbon Black ThreatConnect Endgame

  The primary strengths of security operations centers (SOCs) are flexibility and adaptability, while their biggest weakness is lack of visibility. Survey results indicate a need for more automation across the prevention, detection and response functions. There are opportunities to improve security operations, starting with coordination with IT operations. SOCs can improve their understanding how to serve the organization more effectively and their use of metrics.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Using COIN Doctrine to Improve Cyber Security Policies SANS.edu Graduate Student Research
  by Sebastien Godin - January 27, 2017 

  In today’s ever-evolving Cyber environment, the “bad guys” seem to prosper, and the “good guys” cannot seem to find a solution to create a proper defensive posture. As the Cyber environment becomes an integral part of society, it is imperative to find a way to increase the global defensive posture in the most efficient way possible. This paper will focus on possible security policies that are easy to implement, are proven, and have a significant impact on an enterprise's security practices and posture. The argument will use field data and firsthand combat experience. Working within the framework of the Cyber environment as an insurgency, applying proven Counterinsurgency policies, there can be a great increase in security and a more efficient Cyber defender. The application of this solution gives the potential for the Cyber defender to have a new set of tools for the Cyber domain that are proven to be useful in the physical domain of a counterinsurgency.

  •  Overview
  •  Download

• ---

• eAUDIT: Designing a generic tool to review entitlements SANS.edu Graduate Student Research
  by Francois Begin - June 22, 2015 

  In a perfect world, identity and access management would be handled in a fully automated way.

  •  Overview
  •  Download

• ---

• The Integration of Information Security to FDA and GAMP 5 Validation Processes by Jason Young - February 5, 2015 

  In reviewing the failures of information security (InfoSec) through the lifecycle management of information systems within the pharmaceutical industry, analysis starts with the governing validation process for the qualification of information systems.

  •  Overview
  •  Download

• ---

• Using the Department of Defense Architecture Framework to Develop Security Requirements by James E. A. Richards - February 10, 2014 

  Integrated architectures embody the discernable parts of a system and their relationships with each other in a single, normalized data repository.

  •  Overview
  •  Download

• ---

• Controlling Vendor Access for Small Businesses SANS.edu Graduate Student Research
  by Chris Cain - September 17, 2013 

  A vendor access policy is a great way to supplement any security policy.

  •  Overview
  •  Download

• ---

• Corporate vs. Product Security by Philip Watson - May 22, 2013 

  When people hear "I deal with security" from any employee, the typical thought is that they are defending the enterprise, the web servers, the corporate email, and corporate secrets.

  •  Overview
  •  Download

• ---

• Information Risks & Risk Management by John Wurzler - May 1, 2013 

  In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.

  •  Overview
  •  Download

• ---

• Recovering Security in Program Management by Howard Thomas - October 3, 2012 

  Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.

  •  Overview
  •  Download

• ---

• Net Neutrality, Rest in Peace by James Mosier - October 11, 2011 

  No one would argue that the Internet has become an instrumental part of society. With broad- band access in a large percentage of homes, WiFi freely available in many places of business, and smart phones connected via mobile service providers, our access to the information portal has become nearly an always-on experience.

  •  Overview
  •  Download

• ---

• Reducing the Risks of Social Media to Your Organization by Maxwell Chi - September 1, 2011 

  Social media is "the internet and mobile technology based channels of communication in which people share content with each other. Examples are social networking sites such as Facebook and Twitter." (Financial Times Lexicon, 2011).

  •  Overview
  •  Download

• ---

• Scoping Security Assessments - A Project Management Approach by Ahmed Abdel-Aziz - June 7, 2011 

  Security assessments can mean different things to different people. This paper will explore what a security assessment is, why it should be done, and how it is different than a security audit.

  •  Overview
  •  Download

• ---

• Which Disney© Princess are YOU? by Joshua Brower - March 18, 2010 

  Social engineering takes many form; some obvious, some not so obvious. One not so obvious form is that of questionnaires—be it a knock on the door to answer a survey for a “census” worker, or a “harmless” quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.

  •  Overview
  •  Download

• ---

• Understanding the Importance of and Implementing Internal Security Measures by Michael Durgin - September 27, 2007 

  Many Information Technology professionals concentrate on securing the perimeter of their network, ignoring the possibility of internal attacks. Internal security incidents can be much more costly than an attack from external incidents, and are more likely to succeed due to internal knowledge of the corporation. This paper will focus on the importance of internal security, types of incidents, motives, potential loss, and how to defend against them. It will show how many external incidents are successful due to inside knowledge of the organization, inside help, or are performed by insiders using the anonymity of the Internet.

  •  Overview
  •  Download

• ---

• Risks and Rewards of Instant Messaging in the Banking Sector by Nicholas Rose - June 13, 2005 

  This paper seeks to explain these risks and to recommend current best practice for addressing them. This is to block all of these services at the proxy servers using a blocking product and then to selectively allow properly controlled and authorized IM and P2P services to take place through an IM enabling gateway.

  •  Overview
  •  Download

• ---

• Security In An Open Environment Such As A University? by Carol Templeton - May 5, 2005 

  This paper will discuss a definition, the needs, and the goals of an open environment like a university; examine a process of developing an authorized framework and team for university information security; present some of the attitudes and perspectives that can help or hinder security implementation, as revealed through personal experience; and identify security resources that can be used for effective information security development and improved security perspectives.

  •  Overview
  •  Download

• ---

• Information Security Policy - A Development Guide for Large and Small Companies by Sorcha Diver - March 2, 2004 

  Elements that need to be considered when developing and maintaining information security policy. This SANS whitepaper goes into the design for a suite of information security policy documents and the accompanying development process.

  •  Overview
  •  Download

• ---

• Protecting Your Corporate Network from Your Employee's Home Systems by Todd Rosenberry - February 9, 2004 

  In addition to the protection provided by a strong perimeter firewall, implemented by security conscious corporations, the challenge of security becomes much greater when employee home systems are allowed to access the corporate network via a Virtual Private Network (VPN).

  •  Overview
  •  Download

• ---

• Security Process for the implementation of a Companys extranet network by Kirk Steinklauber - July 14, 2003 

  This paper explores the development of the security process required to build an effective standard policy to cover a company's network perimeter.

  •  Overview
  •  Download

• ---

• The social approaches to enforcing information security by Roger Gilhooly - June 27, 2003 

  This paper focuses on enforcing information security using social approaches in the business environment.

  •  Overview
  •  Download

• ---

• Security considerations with Squid proxy server by Eric Galarneau - May 23, 2003 

  This paper will cover various security aspects and recommendations to improve Squid's overall security during its installation time.

  •  Overview
  •  Download

• ---

• Creating an IT Security Awareness Program for Senior Management by Robert Nellis - May 8, 2003 

  This paper will present an approach to creating and deploying a security awareness program with senior management as the intended audience.

  •  Overview
  •  Download

• ---

• Guidelines for an Information Sharing Policy by Chris Gilbert - March 20, 2003 

  This paper presents a set of guidelines which may be used in the creation of an Information Sharing Policy for small organizational units.

  •  Overview
  •  Download

• ---

• Security Policies: Where to Begin by Laura Wills - February 8, 2003 

  The intent of this paper is to guide you through the process and considerations when developing security policies within an organization; however it will not attempt to write the initial policies.

  •  Overview
  •  Download

• ---

• Developing a Security Policy - Overcoming Those Hurdles by Chris Wan - January 16, 2003 

  This paper describes the real -life experiences involved in developing a security policy and gaining its endorsement in a medium sized company.

  •  Overview
  •  Download

• ---

• Peer-to-Peer File-Sharing Networks: Security Risks by William Couch - September 8, 2002 

  The rise and evolution of the peer-to-peer (P2P) file-sharing networks and some of the reasons for their popularity are introduced in this paper, along with the security implications to users' computers, networks, and information.

  •  Overview
  •  Download

• ---

• Building and Implementing an Information Security Policy by Martyn Elmy-Liddiard - April 30, 2002 

  This paper describe a process of building and, implementing an Information Security Policy.

  •  Overview
  •  Download

• ---

• Developing Security Policies: Charting an Obstacle Course by Rosemary Sumajit - April 4, 2002 

  This paper discusses the issues faced by those at my educational institution in trying to develop security policies.

  •  Overview
  •  Download

• ---

• Sensitive But Unclassified by Andrew Helyer - April 3, 2002 

  In this report, one will learn about the differences between classified and unclassified information and about the many names by which sensitive information may be labeled.

  •  Overview
  •  Download

• ---

• Deception: A Healthy Part of Any Defense in-depth Strategy by Paul Anderson - March 25, 2002 

  This paper will define and discuss the major components of a multi-layered defense with special emphasis on security policies and their framework, how it can be used by the defender, deception tools used in a defensive strategy, and it's role in a multi-layered defense.

  •  Overview
  •  Download

• ---

• One Approach to Enterprise Security Architecture by Nick Arconati - March 14, 2002 

  This paper discusses an approach to Enterprise Security Architecture, including a security policy, security domains, trust levels, tiered networks, and most importantly the relationships among them.

  •  Overview
  •  Download

• ---

• Defining Policies Using Meta Rules by Dan McGinn-Combs - March 14, 2002 

  This paper seeks to initiate a discussion on how to design and implement security policies within a company.

  •  Overview
  •  Download

• ---

• A Preparation Guide to Information Security Policies by David Jarmon - March 12, 2002 

  This paper introduces basic concepts, common security threats, and key components necessary to facilitate the process of developing a Security Policy.

  •  Overview
  •  Download

• ---

• The Use of Case Law in Negotiating the Acceptance of Post Secondary Computer Policies by George Koszegi - March 10, 2002 

  This author provides a compelling argument to facilitate cooperation and compliance of adopting a policy scheme that will act as the first line of defense for organizations and provides a framework for the development of Acceptable Use Computer Policies.

  •  Overview
  •  Download

• ---

• Security Policies in a Global Organization by Gerald Long - February 25, 2002 

  This paper addresses the concept of creating a tiered structure Information Security Policy and a tiered approval structure, whereby some policies apply globally throughout the organization, and other policies apply to specific geographical, or regional entities.

  •  Overview
  •  Download

• ---

• Formulating a National Cryptography Policy: Relevant Issues, Considerations and Implications for Sin by Francis Goh - February 11, 2002 

  This paper provides insight into the relevant issues, considerations and implications necessary for formulating an effective National Cryptography Policy, taking into account the protection of privacy, intellectual property, business and financial information, as well as the needs for law enforcement and national security.

  •  Overview
  •  Download

• ---

• Security, It's Not Just Technical by Kevin Dulany - January 15, 2002 

  The goal of this paper is to introduce the need for an adequate information security policy within your respective workplace or organization.

  •  Overview
  •  Download

• ---

• Systems Maintenance Programs - The Forgotten Foundation and Support of the CIA Triad by Farley Howard - January 10, 2002 

  A well engineered maintenance program that takes advantage of correlations between maintenance procedures and the CIA Triad will not only assist in operational readiness, but can also provide an invaluable supplement and enhancement to any existing security program.

  •  Overview
  •  Download

• ---

• An Overview of Corporate Computer User Policy by Philip Kaleewoun - December 27, 2001 

  This paper will discuss what should be covered in a corporate computer user policy that sets the overall tone of an organization's security approach. The intended audience is primarily information technology professionals.

  •  Overview
  •  Download

• ---

• When Policies that have 'Always Worked', Don't or "The Mask of the Code by Rich Parker - November 25, 2001 

  This paper outlines a failure of our 'human systems' due to a limitation in our thinking about our procedures that could easily have had catastrophic results.

  •  Overview
  •  Download

• ---

• No Budget, No Policy: Leading the Bull by the Nose or Thank God for the Cisco IOS Firewall Feature S by Richard Haynal - November 17, 2001 

  This paper describes how I converted our perimeter router into a stateful firewall.

  •  Overview
  •  Download

• ---

• Creating an Information Systems Security Policy by Walter Patrick - October 29, 2001 

  This paper addresses the steps necessary for creating an Information Systems (IS) Security Policy.

  •  Overview
  •  Download

• ---

• Impact of HIPAA Security Rules on Healthcare Organizations by Tim Ferrell - October 4, 2001 

  This paper focuses on the impact of the Security rules as mandated by HIPAA regulations for healthcare organizations that transmit or posses protected health information.

  •  Overview
  •  Download

• ---

• Security Policy Roadmap - Process for Creating Security Policies by Chaiw Kee - October 2, 2001 

  This paper presents a systematic approach in developing computer security policies and procedures, along with a discussion on Policy Life Cycle.

  •  Overview
  •  Download

• ---

• Congratulations to the New Security Manager by Nancy Carpenter - September 24, 2001 

  The job of a Computer Security Manager is very complex, a role that is evolving as our technology advances and this paper outlines some general requirements, information resources and examples to help you get started.

  •  Overview
  •  Download

• ---

• Technical Writing for IT Security Policies in Five Easy Steps by Patrick Lindley - September 20, 2001 

  This paper points new policy technical writers in the right direction and provides a solid foundation from which to start.

  •  Overview
  •  Download

• ---

• Developing Effective Information Systems Security Policies by Daniel Lee - September 10, 2001 

  This paper takes a top-down approach and provides a high-level overview for developing effective information systems policies.

  •  Overview
  •  Download

• ---

• Developing Security Policies For Protecting Corporate Assets by Jasu Mistry - August 31, 2001 

  The paper focuses on some aspects of a security policy with an aim to protect assets from risk.

  •  Overview
  •  Download

• ---

• Danger Within by Dennis Spalding - August 28, 2001 

  This paper addresses some technologies and procedures that can minimize the potential damage from internal and external malicious attacks, misconfiguration (vendor or administrator), and user ignorance.

  •  Overview
  •  Download

• ---

• Federal Systems Level Guidance for Securing Information Systems by James Corrie - August 16, 2001 

  This paper describes federal systems level guidance for securing information systems.

  •  Overview
  •  Download

• ---

• Security Policy: What it is and Why - The Basics by Joel Bowden - August 14, 2001 

  This paper gives you a better understanding of what a Security Policy is and how important it can be.

  •  Overview
  •  Download

• ---

• Managing Internet Use: Big Brother or Due Diligence? by Steve Greenham - July 18, 2001 

  This paper describes the major risks of granting widespread Internet access along with suggestions to mitigate them.

  •  Overview
  •  Download

• ---

• Social Engineering - For the Good Guys by James Keeling - July 16, 2001 

  This paper focuses on the importance of a good security policy, management buy-in, the security team and ways to promote compliance by the practical application of social engineering.

  •  Overview
  •  Download

• ---

• Leveraging a Securing Awareness Program from a Security Policy by Howard Uhr - July 11, 2001 

  This paper addresses the benefits of leveraging both a Security Awareness program and a Security Policy.

  •  Overview
  •  Download

• ---

• Development of an Effective Communications Use Policy by Tim Neil - July 2, 2001 

  This paper identifies the most common elements of an effective Communications Use Policy, discusses why these elements are necessary and offer guidance in the furtherance of having a successful policy.

  •  Overview
  •  Download

• ---

• Acceptable Use Policy Document by Raymond Landolo - June 12, 2001 

  This paper provides an example of an acceptable use policy for information resources.

  •  Overview
  •  Download

• ---

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.