Managerial and Technical

Draft Outline

1.0 Threats

1.1 Current and projected threats

1.2 Need for on-going threat analysis

2.0 Technical Guidelines for Security Policy

2.1 Identification and authentication

2.1.1 registration
2.1.2 maintenance, including revocations, renewals and updates
2.1.3 authentication technology alternatives biometrics PKI and digital certificates directories passwords and secrets Too many passwords - the problem and possible solutions two and three factor authentication, including physical tokens (physical possession)

2.2 authorization and access control

2.2.1 employee authorization, access controls and policy
2.2.2 consumer authorization, access controls and policy

2.3 relationship between authentication and authorizations

2.4 confidentiality

2.4.1 encryption in transit needs
2.4.2 encryption of stored data needs
2.4.3 technology considerations
2.4.4 encryption policy

2.5 integrity

2.6 non-repudiation

2.7 Fraud detection and containment

2.7.1 anomaly detection
2.7.2 use of agent technology to monitor and enforce

2.8 System security issues

2.8.1 Component selection
2.8.2 Operating system selection OS Version Patch level
2.8.3 OS lockdown Primary services (i.e. the work that the system is supposed to perform) Secondary services (i.e. services required within the context of the hosting agency) Maintenance services (i.e. how maintenance login, backups, etc. are performed)
2.8.4 Service software Software selection Software installation standards
2.8.5 Custom software (i.e. specific CGI scripts or Java, or whatever) Language selection Security code review
2.8.6 Change management Regular maintenance System upgrades Emergency maintenance Third-party maintenance access
2.8.7 System security auditing standards Self-audits Third-party audits
2.8.8 Anti virus software and firewalls Selection Installation Maintenance

2.9 Trade-offs and compromises between stronger security and privacy

2.9.1 ease of use
2.9.2 cost/affordability
2.9.3 portability
2.9.4 vulnerability and risk exposure

3.0 Managerial Guidelines for Security Policy

3.1 policy and best practices

3.2 organization

3.3 personnel, including selection and background investigation

3.4 asset classification and control

3.5 physical security

3.6 system access controls

3.7 network and computer management

3.8 application development and maintenance

3.9 business continuity (back-up and recovery, disaster planning)

3.10 compliance

3.11 Audit and monitoring

3.11.1 Keep records and tracking security violations
3.11.2 reporting procedures and information sharing
3.11.3 incident analysis and feedback

3.12 Containment

3.12.1 challenges and restrictions
3.12.2 special alerts
3.12.3 revocation
3.12.4 chokepoints
3.12.5 misinformation and entrapment

3.13 Building Awareness

3.13.1 Consumer awareness needs
3.13.2 Service provider awareness needs
3.13.3 Education and training programs