Desktop systems often have the most lax security because individual employees often administer their own machines or have special privilege and access to their respective system. It is often infeasible for the Information Technology staff to administer all desktop workstations, therefore the development of a security policy that governs their creation and use is very important. The site and infrastructure security policy for desktop systems establishes the standards used to create them, including operating systems, applications, and utilities. The security constraints generally consist of configuration information by which administrators can replicate the desktop system at a known level of security. The policies also present the guidelines for the desktop system's interaction with servers and the network.

Given the understanding that desktop systems are likely to be uncontrolled by the IT staff, effective infrastructure policies attempt to minimize the amount of data, applications, and other information that remains on the desktop system. This enhances both the security and availability of information within the organization. Many companies centralize storage of user data and applications to a single server or set of servers. In the event of a failure of a desktop, the effort required to make it functional again is minimized—all of the essential and important data is on the server and does not become lost or require significant time and effort to restore.

Server systems become a focal point as they have the responsibility to reliably store and provide access to shared data, private user information, applications, and services for the organization.
A server security policy should encompass the following components:

· Service configuration
· Shared data permissions and access control
· User private data permissions and access control
· Backup and restoration procedures
· Incident response

The service configuration entails the initial method used to secure the server. Most operating systems provide a vast array of potential services and capabilities, not all of which are needed or desired by the organization. Each of these services has its own security ramifications, which should be considered when enabling or disabling it. The decision to allow a service is often an issue of cost versus risk analysis. If the service provides a required function that has inherent security risks, the administrators should determine if there are suitable replacements for the service. If any substitutes are available, the cost and effort required to implement them should be weighed against the security risks and cost of the original.

It is important to document within the security policy the foundation for decisions and to identify the known security risks accepted by the organization. Also related is the maintenance of the software and operating systems running on the servers—security measures should be updated frequently, as new vulnerabilities are discovered. Updates should be applied and monitored. The people writing the security policy probably will not always be employed at the organization, therefore knowing the background of a decision is important to the future maintainers of the security policy.

Company Z's Server Security Policy is as follows:

· Servers should be configured to support only the required services and to disable unnecessary software and services in order to minimize security risks.
· Server systems should be physically secured, allowing only administrative access.
· Server operating systems and software should be updated when new vulnerabilities and subsequent patches are released.
· In the event of incidents such as hardware failure, system compromise, or other attacks, the server should be removed from the network and left in its current state in order to allow effective forensics work.
· A contingency plan should be created and followed to recover from disasters.

To focus on security policies instead of system configuration, the Company Z Server Security Policy leaves out most of the technical details related to the secure lockdown of servers and operating systems. The standards of configuration, access, and maintenance are important components that should be incorporated into the policy. Incident response for servers is reasonably complex; in order to avoid damaging potential evidence after an attack is discovered, the system should be left intact for security analysis and forensics work.

Shared data is often the primary purpose of a server, allowing employees to access common files, applications, and other data. Server operating systems generally support multiple methods to provide multiuser access to data. When establishing the infrastructure security policy, the technical details surrounding shared data should be clearly outlined. The Site and Infrastructure Security Policy for Company Z establishes the following criteria for shared data on servers:

· No data sharing should be initialized via the "Everyone" group on Windows servers or "World" read/write access on UNIX systems.
· Access by the "Everyone" group and "World" read/write permissions should be removed or disabled from the shared data.
· Global or common access to all employees should be controlled via membership in the specially created "Employees" group on the servers.
· When needed, smaller privilege groups should be created and shared data coordinated with those groups to meet the access control requirements for a user.

Company Z's policy emphasizes a strict level of security for shared data.
It identifies and distinguishes between unconditionally shared data and the true need for shared data. Data is shared only between employees, and security control is exercised to ensure that only authorized individuals have access to it. In this model, access control is achieved via membership in various user groups, and permission is adjusted accordingly.

User private data includes a user's respective "home" directories or the areas in which his personal files are stored. Because these files are also often kept on the server, it is important to outline the level of security the user can expect, as well as the method by which it is provided. Company Z details this security policy for user home directories and private storage areas:

· Server-based user home directories are provided for the storage of private and personal data.
· On Windows servers, the permissions should be set to allow the respective user full read and write permissions for a directory, and also to allow the system backup process to access the data when backing up the storage system.
· No other users should have access to any home directory aside from their own.
· Users are encouraged to use their server-based directories for data storage in order to provide security and to facilitate the simple recovery of data in the event of an incident.

Employees often store personal and sensitive information on their systems as work and personal life cannot be completely segregated. In order to provide data security and to avoid data loss in the event of a desktop system failure, users at Company Z are encouraged to store their data on the servers and are provided a high degree of protection from prying eyes.

Backup and restoration procedures serve many functions in an organization. These include protection of data in the event of a catastrophic incident, restoration of accidentally removed files, and provision of general infrastructure reliability.
Backup data is often used in the forensics of security incidents to assess the reliability of data—data altered by an attacker can often be detected by a comparison between it and the version that is on the backup media. The physical storage of the media on which the backups are done is also important to security. Many organizations use special offsite storage organizations to assure that the backups are securely stored.

Company Z's security considerations for system backups include:

· All backups are to be stored in a locked storage area prior to offsite storage.
· Weekly backups are moved into offsite storage via a storage company representative at a scheduled pickup time.
· Backups consist of one full system backup, per system, per week with nightly incremental backups of all modified data.
· Use of backup and restoration applications should be restricted to authorized administrators only.
· In the event of a disaster, hardware failure, or other event that results in the loss of data, the employee should notify the IT staff.
· Information will be restored from the last full archive with the incremental changes layered over, up to the time of the event.

Backups provide a level of reliability and security to the information stored and used within the organization. The security policy specifies the method for backups, recovery during incidents, and privileges required to access the information. The physical security of the backup data is also emphasized in order to create a comprehensive policy that effectively protects the organization.

Incident response takes on several meanings, but can be summarized as the best course of action in the event of anomalous circumstances. For the purposes of this discussion, the actual circumstances are not as important as the reaction to them. Security policies provide key benefits in the area of incident response by identifying and organizing information vital to a safe reaction.
Security policies should include the suggested methods to react to incidents and pertinent contact information. The primary goal of incident-response guidelines is to avoid the knee-jerk, emotionally motivated responses that often happen quickly and without careful analysis. By having a step-by-step approach to handling incidents already in hand—including the proper steps to identify, control, and resolve issues—those involved can react safely
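
The shared-data and home-directory criteria above can be checked mechanically on a UNIX server. The following audit is an added example, not part of the original article or of Company Z's policy. It covers only the UNIX side, and it assumes the "Employees" group is identified by its numeric group id, that "no other users" means no group or world permission bits on a home directory, and that the backup process runs with root privilege; the function names and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

WORLD_RW = stat.S_IROTH | stat.S_IWOTH   # UNIX "World" read/write bits

def _walk(root):
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def audit_shared_tree(root, allowed_gids):
    """Flag world read/write access and group ownership outside allowed_gids."""
    findings = []
    for path in _walk(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue                      # symlink modes are not enforced
        if st.st_mode & WORLD_RW:
            findings.append((path, "world-access"))
        if st.st_gid not in allowed_gids:
            findings.append((path, "unapproved-group"))
    return findings

def audit_home_dirs(home_root):
    """Flag home directories that grant any access beyond the owner."""
    findings = []
    for entry in os.scandir(home_root):
        if entry.is_dir(follow_symlinks=False):
            mode = entry.stat(follow_symlinks=False).st_mode
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((entry.path, "not-owner-only"))
    return findings

def build_sample(base):
    """Constructed sample data: a share and two home directories."""
    share, homes = os.path.join(base, "share"), os.path.join(base, "home")
    for d, mode in ((share, 0o770), (homes, 0o755),
                    (os.path.join(homes, "alice"), 0o700),
                    (os.path.join(homes, "bob"), 0o755)):
        os.mkdir(d)
        os.chmod(d, mode)
    for name, mode in (("plan.txt", 0o660), ("payroll.txt", 0o666)):
        path = os.path.join(share, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return share, homes

if __name__ == "__main__":
    share, homes = build_sample(tempfile.mkdtemp())
    approved = {os.lstat(share).st_gid}   # stand-in for the "Employees" gid
    for finding in audit_shared_tree(share, approved) + audit_home_dirs(homes):
        print(finding)
```

On a real server the approved set would hold the group id of "Employees" plus any smaller privilege groups the policy has created.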