Internet Security Policy: A Technical Guide - Contents
1. Introduction
1.1. Purpose
1.2. Intended Audience
1.3. Internet Background
1.4. Why create Security Policy for Internet-Related Issues?
1.5. Major Types of Policy
2. General Policy
2.1. What to Include
2.2. Obtaining Approval
2.3. Getting Policy Implemented
2.4. Sample High Level Policy Statements
3. Risk Profiling
3.1. Threats/Visibility
3.2. Sensitivities/Consequences
3.3. Profile Matrix
3.4. Information Asset Inventory
3.5. General Support Systems
3.6. Critical/Major Applications
3.7. Data Categorization
4. Business Requirements
4.1. Remote Access
4.2. Dial-in
4.3. Telnet/X Windows
4.4. Mobile Computing
4.5. Electronic Mail
4.6. Information Publishing
4.7. Research
4.8. Electronic Commerce
4.9. Electronic Data Interchange
4.10. Information Transactions
4.11. Financial Transactions
4.12. High Availability
4.13. Ease of Use
4.14. Single Sign-on
4.15. User Interface Design
5. Sample Policy Areas
5.1. Identification and Authentication
5.1.1. General Internet I&A Policies
5.1.2. Password Management Policies
5.1.3. Robust Authentication Policy
5.1.4. Digital Signatures and Certificates
5.2. Software Import Control
5.2.1. Virus Prevention, Detection, and Removal
5.2.2. Controlling Interactive Software
5.2.3. Software Licensing
5.3. Encryption
5.3.1. General Encryption Policy
5.3.2. Remote Access
5.3.3. Virtual Private Networks
5.4. System/Architecture Level
5.4.1. Virtual Private Networks
5.4.2. Remote System Access
5.4.3. Access to Internal Databases
5.4.4. Use of Multiple Firewalls
5.5. Incident Handling
5.5.1. Intrusion Detection Overview
5.5.2. Methods
5.5.3. Incident Response
5.6. Administrative
5.6.1. Assigning Security Responsibility
5.6.2. Appropriate Use
5.6.3. Privacy
5.7. Awareness and Education
6. Internet Firewall Policy
6.1. Background and Purpose
6.2. Authentication
6.3. Routing Versus Forwarding
6.3.1. Source Routing
6.3.2. IP Spoofing
6.4. Types of Firewalls
6.4.1. Packet Filtering Gateways
6.4.2. Application Gateways
6.4.3. Hybrid or Complex Gateways
6.4.4. Rating
6.5. Firewall Architectures
6.5.1. Multi-homed Host
6.5.2. Screened Host
6.5.3. Screened Subnet
6.6. Intranet
6.7. Firewall Administration
6.7.1. Qualification of the Firewall Administrator
6.7.2. Remote Firewall Administration
6.7.3. User Accounts
6.7.3.1. Firewall Backup
6.8. Network Trust Relationships
6.9. Virtual Private Networks (VPN)
6.10. DNS and Mail Resolution
6.11. System Integrity
6.12. Documentation
6.13. Physical Firewall Security
6.14. Firewall Incident Handling
6.15. Restoration of Services
6.16. Upgrading the Firewall
6.17. Revision/Update of Firewall Policy
6.18. Logs and Audit Trails (Audit/Event Reporting and Summaries)
6.19. Example Policies
6.20. Example Service-Specific Policies
6.21. Manager
6.22. Technical
7. World Wide Web (WWW)
7.1. Browsing the Internet
7.2. Example Browsing Policies
7.3. Web Servers
7.4. Example Web Server Policies
8. Electronic Mail
8.1. Email Usage
8.2. Email Primer
8.2.1. SMTP
8.2.2. POP
8.2.3. IMAP
8.2.4. MIME
8.3. Potential Email Problems
8.3.1. Accidents
8.3.2. Personal Use
8.3.3. Marketing
8.4. Email Threats
8.4.1. Impersonation
8.4.2. Eavesdropping
8.4.3. Mailbombing
8.4.4. Junk and Harassing Mail
8.5. Email Safeguards
8.5.1. Impersonation
8.5.2. Eavesdropping
8.6. Acceptable Use Of Electronic Mail
8.7. Protection of Electronic Mail Messages and Systems
8.8. Example Email Policy
8.9. Retention of Electronic Mail Messages
8.9.1. Retention Policy for Federal Agencies
8.9.2. Commercial Retention Policy
Appendix 1 Resources for Internet Security Information
8.10. Web Sites
8.11. FTP Sites
8.12. Usenet News Groups
8.13. Mailing Lists
8.14. Books
Appendix 2 Glossary