RE: Mass Distribution of Security Policies

["Robert Hines" <b.hines () comcast net>]

Steve,


It could start with a Network usage agreement, (Advisory Policy) to all
network users (old or new), as the users will have to agree to the Policy or
be denied access. Now you have, (Accountability). 

Short and sweet to the point recommended usage and penalties for
non-compliance that must be enforced.  

How you present this; in the environment described, I would divide the
community into manageable pieces, presenting to politicians as they would
expect (I would expect individually or by party head), Unions (Union
Foreman?) as they would expect, and help Department heads, with a program
for their groups, merge the appropriate lip service to the hard fact that
compliance is mandatory.  

Then the usual:
Login Banner, informational email, Informational training etc  

Sorry you had a bad experience with the content filtering rule, but as with
any control that affects the daily pattern of an individual, backlash is
immanent with out prior understanding of appropriate allowable behavior by
system users.

Its quite the challenge to assure security and make the users happy about
it. 

Bob


-----Original Message-----
From: Ramirez, Steven [mailto:Steven.Ramirez () loukymetro org] 
Sent: Thursday, May 12, 2005 10:17 AM
To: 'b.hines () comcast net'; security-basics () securityfocus com
Subject: RE: Mass Distribution of Security Policies

Bob

< Are these new users, new employees?  As, for policies and holding user's
accountable, now that's another issue and should be coming from the corner
office.>

This is all employees who access the network (new and old). Like I
mentioned, this is Government. We have Politics, politicians, Union, Dept
policies and a mindset that needs to be changed. I am at the level which
stands above all those and have the support I need to implement these
policies. 

To give you an example of what I deal with. When I started here there was NO
content filtering for web access. We implemented Websense (and fairly
loosely at that) and the backlash was overwhelming. It is very hard to take
away what was there for so long. People just don't understand, hence the
impending Awareness Training.

< Security awareness is always an ongoing activity, much more, then click
yes, now you have been told, and are accountable.  I find that being
creative, and making security fun embed the concepts to the masses, and the
masses will comply.>

I agree....but, in the event of an incident that warrants a response having
that piece of the pie that shows they have signed off on the policy helps
the enforcement and accountability.

< As for the asking and logging of last four, by the IT department, UM,
sounds like an organizational wide Personnel issue to me.>

There are many things that surprise me about working for a Government
Agency....I'll leave it at that.

I appreciate your response.

Steve


-----Original Message-----
From: Robert Hines [mailto:b.hines () comcast net] 
Sent: Thursday, May 12, 2005 8:44 AM
To: 'Ramirez, Steven'; security-basics () securityfocus com
Subject: RE: Mass Distribution of Security Policies

Steve,

Are these new users, new employees?  As, for policies and holding user's
accountable, now that's another issue and should be coming from the corner
office.

Security awareness is always an ongoing activity, much more, then click yes,
now you have been told, and are accountable.  I find that being creative,
and making security fun embed the concepts to the masses, and the masses
will comply. 

As for the asking and logging of last four, by the IT department, UM, sounds
like an organizational wide Personnel issue to me.
 
The controls implemented, the administration applied, and awareness of your
community, and penalties imposed for non-compliance does indeed impact the
bottom line dollar.

Bob

-----Original Message-----
From: Ramirez, Steven [mailto:Steven.Ramirez () loukymetro org] 
Sent: Wednesday, May 11, 2005 4:05 PM
To: 'security-basics () securityfocus com'
Subject: FW: Mass Distribution of Security Policies

I am currently looking at a way to mass distribute new security policies to
the entire workforce. Bear in mind this is a government entity with multiple
Dept's. In the past this had been done by visiting each Dept and
distributing manually or upon new user orientation. It was not efficient or
accurate.

Our environment consists of this;
AD 2003
SMS 2003
Exchange 2003
W2K Desktops
Approx 4500 users/100 locations/1 Metropolitan Area

This is what I was thinking;

Initial mass deployment to all users logging in to the network must be
directed to the new policies and forced to ACCEPT or DECLINE. Prior to
clicking ACCEPT or DECLINE I would want the user to have to enter their name
and last 4 of SSN. 
        * By clicking ACCEPT it would be logged to a database where it could
always be know when they accepted. The last 4 would be a means for our Help
Desk to verify the individual if they ever called requesting a password
reset (Optional, but would really help). 
        * By clicking DECLINE, their account would be unable to access
network resources or shut the machine down. Basically forcing them to click
ACCEPT.
        * After initial deployment I would like this to occur in a frequency
set forth by the automated password reset of 90 days. This way any revisions
to the policies would be shown and also remind them of the policy.

Some initial discussion here has been (without being too specific);
* Tie into the login script
* Make use of GPO's
* Make use of MS Sharepoint
* 3rd party solutions (Adobe, Digital Signatures, etc.)

The policies will always be available via our Intranet. This distribution
will also coincide with a mass Security Awareness Training. We just felt
that forcing the policies at login will be the best and possibly only way to
really have "everyone" who uses our network view them.


What I ask of the people on this list;
* How do you handle Security Policy Distribution? Frequency? Sign-off?
Tracking?
* Does anyone implement something like above?
* Any suggestion of 3rd Party vendors?

Any/all ideas are welcome.

Steve