More Information: The encryption of DVD movies, which uses a weak algorithm called Content Scrambling System (CSS), is an example of bad assumptions about the scope of system use. The original assumption was that DVD discs would be played only on hardware players, where the decryption keys could be stored in a tamper-resistant chip inside the player, making it extremely hard for even skilled attackers to compromise the DVD discs. However, when software DVD players appeared, the DVD discs were quickly reverse engineered, because making software tamper resistant is next to impossible against a determined attacker. The keys were recovered from one of the well-known players, and an algorithm was published on the Internet, together with the keys. The response strategy of the DVD industry was to try to ban the publishing of the CSS algorithm and keys, but the court's decision that the CSS algorithm source code was essentially free speech stopped much of their efforts.

Another example of a wrong or poor assumption was the lack of encryption of U.S. cellular traffic. When cellular phones were first introduced, the assumption was that scanners capable of intercepting cellular traffic were too expensive to mount any large-scale attack against call confidentiality in cellular networks. Within a couple of years, the price of these scanners dropped to the point that they were available to virtually anyone. Thus, a bad assumption compromised the protection policy of the cellular network. The next-generation U.S. cellular service uses digital transmission, but the same assumption was made: that the digital scanners needed to intercept traffic are too expensive. As technology has advanced, the same story has unfolded for the digital transmissions.
General Policies

AUP (acceptable use policy): Defines the acceptable use of equipment and computing services, such as email, and the appropriate security measures that employees should take to protect corporate resources and proprietary information.
Account access request policy: Formalizes the account and access request process within the organization. Users and system administrators who bypass the standard processes for account and access requests can expose the organization to legal action.
Acquisition assessment policy: Defines the responsibilities regarding corporate acquisitions and the minimum requirements that the information security group must complete for an acquisition assessment.
Audit policy: Defines the requirements for conducting audits and risk assessments to ensure the integrity of information and resources, investigating incidents, ensuring conformance to security policies, and monitoring user and system activity where appropriate.
Information sensitivity policy: Defines the requirements for classifying and securing information in a manner appropriate to its sensitivity level.
Password policy: Defines the standards for creating, protecting, and changing strong passwords.
Risk assessment policy: Defines the requirements and provides the authority for the information security team to identify, assess, and mitigate risks to the information infrastructure associated with conducting business.
Global web server policy: Defines the standards that are required of all web hosts.

Email Policies

Automatically forwarded email policy: Defines the rules for enabling automatic forwarding of email to another account. Generally, this policy restricts automatic email forwarding to an external destination without prior approval from the appropriate manager or director.
Email policy: Defines the standards for use of email. Creation, distribution, and receipt of spam may be covered here as well as in the AUP.

Remote Access Policies

Dial-in access policy: Defines the appropriate dial-in access and its use by authorized personnel.
Remote-access policy: Defines the standards for connecting to the organization's network from any host or network external to the organization.
Virtual private network (VPN) security policy: Defines the requirements for remote-access IP Security (IPsec) or other VPN connections to the organization's network.

Telephony Policy

Analog and ISDN line policy: Defines the standards for using analog and ISDN lines for sending and receiving faxes and for connection to computers.

Application Policies

Acceptable encryption policy: Defines the requirements for encryption algorithms that are used within the organization.
Application service provider (ASP) policy: Defines the minimum security criteria that an ASP must meet before the organization uses it on a project.
Database credentials coding policy: Defines the requirements for securely storing and retrieving database usernames and passwords.
Interprocess communications policy: Defines the security requirements that any two or more processes must meet when they communicate with each other using a network socket or operating system socket, for example, by requiring the use of HTTPS.
Project security policy: Defines the requirement for project managers to review all projects for possible security requirements.
Source code protection policy: Establishes minimum information security requirements for managing product source code.

Network Policies

Extranet policy: Defines the requirements for a third-party organization when that organization must access the network. This often includes signing a third-party connection agreement.
Minimum requirements for network access policy: Defines the standards and requirements for any device that requires connectivity to the internal network.
Network access standards: Defines the standards for secure physical port access for all wired and wireless network data ports.
Router and switch security policy: Defines the minimal security configuration standards for routers and switches inside the network or used in a production capacity.
Server security policy: Defines the minimal security configuration standards for servers inside the network or used in a production capacity.

Wireless Communication Policy

Use policy: Defines the standards for wireless systems that are used to connect to the network.