sales@mokumsolutions.com
Copyright 2014 Mokum Solutions, Inc. All rights reserved.
Distribution of the Oracle Cloud Cookbook or derivative of the work in any form
is prohibited unless prior permission is obtained from the Copyright holder.
About Mokum Solutions, Inc.
Founded in March 2011, Mokum Solutions, Inc. specializes in the implementation,
delivery and support of Oracle technologies in private and public clouds. Mokum
corporate headquarters are located in San Francisco, CA http://mokumsolutions.com
or call 1 415 252 9164
About the Author
The author of the Oracle Cloud Cookbook is none other than the owner of
Mokum Solutions, Inc., Roddy Rodstein. Roddy is one of the most respected
Oracle Cloud Computing experts, having designed and managed many of the
worlds largest and most complex Oracle private clouds. Before establishing
Mokum in March 2011, Roddy spent three years at Oracle on the Oracle VM
and Oracle Linux team designing and supporting Oracle's largest and most
complex customer environments. Before Oracle, Roddy spent six years at Citrix,
designing and supporting Citrix's largest and most complex customer environments,
Including Oracle's. With Mr. Rodsteins rich background and knowledge, there
can be no better resource for revealing the Oracle Cloud recipe.
Audience
The Oracle Cloud Cookbook is a comprehensive, field tested reference design that
guides you through each step to move to your Oracle software portfolio to an elastic
Oracle cloud using the Oracle VM product line, Oracle Linux, Oracle Engineered
Systems managed by Oracle Enterprise Manager 12c, with total control over Oracle
processor licensing.
http://mokumsolutions.com
Table of Contents
The Oracle Private Cloud Security Policy Project Introduction
Enterprise Architecture Introduction
Platform Architecture Domain
Platform Architecture Policy
Server Virtualization Policy
Hardware and Software Sunset Policy
Network Architecture Domain
Network Architecture Policy
Data/ Information Architecture Domain
Data/Information Classication and Categorization Standard
Software Architecture Domain
Security Architecture Domain
Change Management Policy
Enterprise Security Architecture
Risk Management & Risk Assessments
Risk Assessment Policy
Enterprise Security Policy
Defense in Depth
Principle of Least Privilege
Compartmentalization of Information
Security Domains
Physical and Environmental Security
IT Server Room Security Policy
Log Management Introduction
Log Generation, Analysis, Transmission, Storage, Retention & Disposal
Log Management Policy
Incident Response
Incident Response Policy
Audit Vulnerability Assessments
Audit Vulnerability Scan Policy
4 of 55
http://mokumsolutions.com
Change Log
Revision
Change Description
Updated By
Date
1.0
Documenent Creation
Roddy Rodstein
01/03/2014
5 of 55
http://mokumsolutions.com
6 of 55
http://mokumsolutions.com
7 of 55
http://mokumsolutions.com
Applications
Platform
Software
Network
Data/Information
Security
8 of 55
http://mokumsolutions.com
9 of 55
http://mokumsolutions.com
layer policies.
List 1 shows a partial list of the layered policies within the platform architecture
domain.
Platform Architecture Policy
Platform Infrastructure Standard
Server Standards
Server Virtualization Policy
Oracle VM Server Standards
Oracle VM Security Policy
Hardware and Software Sunset Policy
Note: An organizations policy infrastructure directly reects its unique mission
and business objectives. The above list is for educational purposes only.
At the top of the platform architecture domain policy infrastructure sits the
Platform Architecture Policy. The Platform Architecture Policy is a big picture
tier 2, non vendor specic document, which establishes high level platform
architecture requirements that dene the acquisition and deployment of
servers, end-user devices, and storage technologies. Lower level tier
3 policies dene vendor specic technologies, outlining system-specic or
procedural-specic standards and requirements.
Many of the lower level tier 3 policies dene the controls that govern the
acquisition and deployment of the hardware and operating system upon which
Oracle VM and hosted workloads will run. They also dene data storage and
personal computing devices requirements. During the development and periodic
review of platform architecture policies, virtualization platforms and supporting
technologies must be carefully considered to ensure interoperability,
integration, and security.
The next example is a platform architecture policy. The goal with this example is
to illustrate the relationship between a high level tier 2 platform architecture
policy and Oracle VM. This policy is intended for informational purposes only.
10 of 55
http://mokumsolutions.com
making computing platform related decisions. The scope of the platforms in this
policy includes servers, personal computing devices and storage systems.
Platform Architecture policies, standards and guidelines will be used to acquire,
design and implement servers, personal computing devices, and
storage systems.
Responsibilities
The CEO and CIO ensure that policies are followed in order to establish
contracts, review procurement requests and to develop and manage services.
Platform Architecture Goals
The goals to employ computing platform controls are to:
Ensure that platform devices support industry-wide open-standards and
seamlessly interoperate with other platform devices, operating systems,
storage technologies and embedded security.
Meet business objectives through greater eciencies in the acquisition
and use of computing platforms.
Ensure the availability of tools in order to meet business objectives,
security, management and productivity requirements.
Platform Architecture Categories
Platform Architecture categories address servers, personal computing devices
and storage technologies, including their hardware and operating systems.
Platform Architecture categories include Servers, Personal Computing Devices,
and Storage.
Servers
A server is a computer that provides services for other computers. Types of
servers include:
High-end x86 servers
Mid-range to small x86 servers
Personal Computing Devices
Personal computing devices are desktop computers, laptops and
handheld devices, including the operating systems and their hardware. Types of
personal computing devices include:
Desktop personal computers
Handheld devices
11 of 55
http://mokumsolutions.com
Storage
Storage technologies address short term, long term and permanent storage of
information and data. Types of storage technologies include:
Direct Attached Storage
Network Attached Storage
Storage Area Network
Tape
Assumptions and Expectations
Platform Architecture evaluates platform technologies in terms of exibility,
scalability, and interoperability with other platform technologies and operating
systems. Each platform architecture category should have the following
characteristics: Servers, Personal Computing Devices and Storage.
Servers
Have embedded security
Support industry-wide open-standards
Support centralized management
Support common management tools
Interoperate with other platform technologies
Personal Computing Devices
Have embedded security
Support industry-wide open-standards
Support centralized management
Support common management tools
Interoperate with other platform technologies
Storage
Have security
Support industry-wide open-standards
Support centralized storage
Support common management tools
Interoperate with other platform technologies
Compliance
All information technology investments will comply withexisting policies to
ensure the integrity and interoperability of computing platforms.
12 of 55
http://mokumsolutions.com
Related Policies
Platform Infrastructure Standard
The example Platform Architecture Policy illustrates how a policy is used to
dene high level computing platform requirements, roles and responsibilities.
The policy denes servers, personal computing devices and
data storage computing platform requirements. Each individual computing
platform must have seamless interoperability and integration with Oracle VM.
During the development or review of platform architecture policy, Oracle
VM and other computing platforms must be carefully considered to ensure
interoperability, integration and security.
The following example Server Virtualization Policy denes an organizations
virtualization requirements. This policy is intended for informational purposes
only.
13 of 55
http://mokumsolutions.com
workloads onto high capacity x86 servers. Consolidating workloads onto high
capacity x86 servers allows <Company Name> to reduce the x86 server
inventory, which in turn decreases the data center footprint and data center
power consumption.
<Company Name> will migrate all new and existing workloads from physical
servers to virtual machines. All workloads that cannot be migrated to a virtual
machine will be subject to <Company Name> Hardware and Software Sunset
Policy.
Server Virtualization Software Requirements:
Support industry-wide open-standards
Embedded security
Single centralized management console
Support industry standard management tools
Support industry standard backup and recovery tools
Interoperate with other platform technologies
Support industry standard x86 hardware
Support industry standard storage
Support unmodied guest operating systems
Migrate running guests without interruption
Add disks to a running guest
Snapshot running guests
Revert to a previous snapshots on a running guest
Automatically detect a hardware failure and restart guests on another
physical server
Functionality to congure role based access for the administrative console
Support LDAP for authentication and authorization for administrative
console
Encrypt all intra host and administrative console trac
Integrated graphical CPU, memory, disk and network performance
monitoring, alerting, and historical reporting for hosts and guests.
Retain performance data for up to one (1) year
Functionality to manage host CPU, memory, storage and network resource
allocation
Functionality to manage guest CPU, memory, disk and network resource
allocation
Functionality to create, stop, start, pause, migrate, clone and provision
guests
Functionality to automatically load balance guests across multiple hosts
Consolidated logging for hosts and guests that log date and time of all
administrative user actions
Functionality to convert x86 physical servers to virtual machines
Encrypted remote administrative console access
14 of 55
http://mokumsolutions.com
Review Cycle
This policy is subject to annual review.
Compliance
All information technology investments shall conform to existing policies in
order to ensure the integrity and interoperability of computing platforms.
Any employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Related Policies
Platform Infrastructure Standard
Server Virtualization Standard
Server Virtualization Guidelines
Hardware and Software Sunset Policy
The following example Hardware and Software Sunset Policy denes an organizations hardware
and software sunset policy. This policy is intended for informational purposes only.
15 of 55
http://mokumsolutions.com
product is scheduled to be removed from production. The sunset date will be set
far enough in advance to give <Company Name> at least a budget cycle to fund
and plan for the replacement. When a particular version of hardware or
software is scheduled to be sunsetted, <Company Name> will provide the
aected users with advance notice via email.
A Sunset list will be used to track all hardware and software sunset dates. In
order to keep the sunset list up to date, <Company Name> will update the
sunset list quarterly with hardware and software for review. Department
managers with sta that use products on the sunset list will be notied
quarterly via email regarding the sunset review process and sunset dates.
If you are currently using application software that has been designated sunset
and would like to extent support, you will need to acquire a version that meets
the current minimum standards as dened in <Company Name> Software
Standards. If you are currently using hardware that has been designated
sunset, any technical issues with the unit will trigger a replacement process
with a unit that meets the current minimum standards as dened in <Company
Name> Hardware Standards.
List 1 shows the sunset categories:
Hardware four years or older.
Operating systems that have reached their sunset date or are no longer
supported by the vendor.
Proprietary application software that is no longer supported by the vendor.
Open Source application software that is no longer supported by the
community.
Application software that does not support <Company Name> centralized
authentication and authorization system.
Review Cycle
This policy is subject to annual review.
Compliance
All information technology investments shall conform to existing policies in
order to ensure the integrity and interoperability of computing platforms. Any
employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Related Policies
Platform Infrastructure Standard
Summary
The platform architecture domain denes the roles, policies, standards and
16 of 55
http://mokumsolutions.com
17 of 55
http://mokumsolutions.com
18 of 55
http://mokumsolutions.com
19 of 55
http://mokumsolutions.com
20 of 55
http://mokumsolutions.com
throughout its entire life cycle, from its origination to its destruction.
Data Classication Standards Goals
The goals of this standard is to establish how data/information is classied
according to its criticality and sensitivity and to ensure that <Company Name>
data/information preserves its security classication as it traverses information
systems or non-electronic boundaries.
Data Classications
All <Company Name> information will be categorized into three main
classications:
Public
Internal
Condential
Table 1 provides examples of each classication and required security measure.
Security
Objective
Data Classication
Public
Internal
Condential
Criteria
Unauthorized
disclosure would not
considerably impact
organization.
Unauthorized
disclosure would
result in considerable
adverse impact,
embarrassment or
legal actions.
Examples
Examples include
employee records,
department nancial
data, purchasing
Examples include inter- information, new
oce memoranda,
product designs,
internal correspondstrategic plans,
dence,
marketing studies,
employee newsletters,
vendor and customer
internal directories, and contracts,
internal policies.
condential
information of
organizations
customers, partners,
and suppliers.
Examples
include public
web site,
press
releases,
marketing
brochures,
annual
reports, and
public
nancial
lings.
21 of 55
http://mokumsolutions.com
Available to
the general
public, can be
Accessibility
distributed
outside the
organization.
Access is limited to a
need to know basis
within the
organization.
Document
Label
Internal
Condential
None
22 of 55
http://mokumsolutions.com
MODERATE
HIGH
Condentiality
Preserving
authorized
restrictions on
information access
and disclosure,
including means for
protecting personal
privacy and
proprietary
information.
[44 U.S.C., SEC.
3542]
The
unauthorized
disclosure of
information
could be
expected to have
a limited adverse
eect on
organizational
operations,
organizational
assets or
individuals.
The
unauthorized
disclosure of
information
could be
expected to have
a serious adverse
eect on
organizational
operations,
organizational
assets or
individuals.
The unauthorized
disclosure of
information could be
expected to have
asevere or
catastrophic adverse
eect on
organizational
operations,
organizational
assets or
individuals.
Integrity
Guarding against
improper
information
modication or
destruction;
includes ensuring
information
non-repudiation
and authenticity.
[44 U.S.C., SEC.
3542]
The
unauthorized
modication or
destruction of
information
could be
expected to have
a limited adverse
eect on
organizational
operations,
organizational
assets or
individuals.
The
unauthorized
modication or
destruction of
information
could be
expected to have
a serious adverse
eect on
organizational
operations,
organizational
assets or
individuals.
The unauthorized
modication or
destruction of
information could be
expected to have
a severe or
catastrophic adverse
eect on
organizational
operations,
organizational
assets or
individuals.
Availability
Ensuring timely
and reliable access
to and use of
information.
[44 U.S.C., SEC.
3542]
The disruption of
access to or use
of information or
an information
system could be
expected to have
a limited adverse
eect on
organizational
operations,
organizational
assets or
individuals.
The disruption of
access to or use
of information or
an information
system could be
expected to have
a serious adverse
eect on
organizational
operations,
organizational
assets or
individuals.
The disruption of
access to or use of
information or an
information system
could be expected to
have a severe or
catastrophic adverse
eect on
organizational
operations,
organizational
assets or
individuals.
23 of 55
http://mokumsolutions.com
24 of 55
http://mokumsolutions.com
25 of 55
http://mokumsolutions.com
26 of 55
http://mokumsolutions.com
There are many policies within the security architecture domain that govern an
Oracle VM environment. Security controls, such as physical and
environmental policies, encryption standards, authentication, authorization,
server hardening, and so forth, are applied to Oracle VM via the security
architecture domain policy infrastructure.
The next examples introduce a tier 2 Change Management Policy.
The example illustrate the relationship between the security architecture
domains layered policy infrastructure and Oracle VM. This policy is intended for
informational purposes only.
27 of 55
http://mokumsolutions.com
Date of change
Responsible parties contact information
Nature of the change
Indication of success or failure
28 of 55
http://mokumsolutions.com
29 of 55
http://mokumsolutions.com
30 of 55
http://mokumsolutions.com
communication system.
The followingexample is an Enterprise security policy intended for employees
and business partners. It illustrates how a security policy can communicate
acceptable system usage while promoting information security. This security
policy is intended for informational purposes only.
31 of 55
http://mokumsolutions.com
InfoSec
InfoSec develops and maintains security policies, identies and deploys
automated security controls and audits for policy compliance.
Employee
An employee should review this policy and all referenced policies herewith to
maintain compliance.
Related Policies
Acceptable Use Policy
Password Policy
Scheduled Review
Annually
Security Policy Table of Contents
Physical Security
Internet Usage
Messaging Systems and Email Access
Anti-virus
Unauthorized Networks (Wireless, Modems)
Remote Access
System Access Passwords
Enforcement
Employee Acknowledgement
Physical Security
Physical security is an essential part of <Company Name> information security
program. Physical security forms the basis for all other security eorts,
including data security. <Company Name> employs physical security controls
for its employees and assets. These controls must be followed by all <Company
Name> employees:
Wear your badge at all times while on company property.
Lock your oce door or cubicle storage when you leave your area.
Lock your computer when stepping away from your work area.
Log o your workstation at the end of the working day.
Escort, observe and supervise guests for their entire visit.
Watch out for "tailgaters." Tailgaters wait for an authorized person to enter a
controlled area (such as with a locked door) and then follow him or her through
the door.
Shred or otherwise destroy all sensitive information and media when it isno
32 of 55
http://mokumsolutions.com
longer necessary.
Do not allow anyone to add hardware or software to your computer without
proper authorization.
Do notallow the removal of any corporate assets without ensuring that the
person removing it has proper authorization.
Report suspicious activities to your manager.
Internet Usage
Internet usage is provided as a business service for the purpose of supporting
<Company Name> business activities and occasional personal use as dened in
the Acceptable Use Policy. Information found on the Internet may not be safe
and should be considered suspect until conrmed by a reliable source. All
Internet access is monitored and logged.
Messaging systems and Email Access
Corporate email access is provided as a business service for the purpose of
supporting <Company Name> business activities as dened in the Acceptable
Use Policy. Email is not a secure medium and care should be taken with regard
to the information sent in email. Accessing personal email systems like Hotmail,
Yahoo, or Gmail is prohibited.
Employees may have access to condential information about the Company, our
employees or clients. With approval of management, employees may use email
to communicate condential information to those with a need to know. Such
email must be labeled "Condential." When in doubt, do not use email to
communicate condential material. All email activity is monitored and logged.
Anti-virus
Viruses, worms and Trojan horses are examples of malware programs that can
cause signicant damage to <Company Name> data and resources. They can
destroy, alter or disclose condential information in a variety of ways and
damage the reputation of <Company Name> as well as the reputation and
credibility of <Company Name> employees. <Company Name> employs
anti-virus controls for its computers and employees as dened in the Acceptable
Use Policy.
These controls must be followed by all <Company Name> employees:
Ensure that the corporate standard anti-virus software is installed on
desktop and laptop computers.
Employees will not use a computer without anti-virus software on
<Company Names> network, nor will they disable the software.
Do not open any email attachments from an unknown, suspicious or
untrustworthy source. Delete these attachments immediately. Then "double
delete" them by emptying your Trash.
33 of 55
http://mokumsolutions.com
To avoid spreading a virus, do not create network le shares that allow the
everyone group to write to it, unless there is a business reason.
In the event of a virus, disconnect from the network and contact the Help
Desk, InfoSec or your manager immediately.
Do not download les from questionable sources.
Unauthorized Networks
Wireless technology allows mobile access to <Company Names> internal
network. Only wireless access points and modem connections installed and
supported by <Company Name> IT personnel are permitted to connect to
<Company Name> network. All other wireless access points and modems that
connect to <Company Name> network are prohibited. Employees are
prohibited from connecting modems or wireless access points on company
property.
Remote Access
Remote Access is provided as a business service for the purpose of supporting
<Company Name> business activities as dened in the Acceptable Use Policy.
Access for remote users to the corporate network will be from an approved
encrypted connection exclusively from corporate managed devices as described
in the Acceptable Use Policy. <Company Name> will oer handheld devices for
remote access to email.
System Access Passwords
Passwords are an important part of information security and are the primary
control used to protect user accounts and sensitive corporate data. Intruders
often gain access to a company's systems by stealing or cracking a password
and account name and then posing as that user. Intruders often gain access by
trying password combinations related to a persons family, address or hobbies.
As such, all employees and business partners with access to <Company Name>
systems are responsible for selecting a strong password as dened in
<Company Name> Password Policy.
Enforcement
Any employee found to have violated any part of this policy may be subject to
disciplinary action, up to and including termination of employment.
Employee Acknowledgment
If you have questions or concerns about this policy, contact the Human
Resources Department before signing this agreement.
I have read <Company Names> security policy and agree to abide by it. I
understand violation of any of the above terms may result in discipline, up to
and including my termination.
34 of 55
http://mokumsolutions.com
Defense in Depth
Defense in Depth (DiD) was originally a military strategy used to delay rather
than prevent an attack by using multiple layers of protection. The defense in
depth strategy has been widely adopted in non-military applications, such as
Enterprise security, by implementing multiple layers of techniques and
technologies to secure assets. An example of using defense in depth in IT
security is to use administrative and technical security controls, each of which
utilizes layers of techniques and technologies to provide security.
One important aspect of defense in depth is a balanced focus on three primary
elements:
35 of 55
http://mokumsolutions.com
People
Technology
Operations
The people element of Defense in Depth focuses on the endorsement and
understanding of the importance of information security by executive
management and the value of an information security program. The technology
element of Defense in Depth focuses on the technologies used to meet corporate
security requirements. The operations element of Defense in Depth focuses on
the processes used to ensure the security of information assets of the
organization.Previous chapters have explained how Enterprise security starts
with the commitment of executive management and is followed by the
development of policies that dene roles, responsibilities and personal
accountability. Enterprise Architecture and Enterprise Security Architecture
used with a control framework encompass the people, technology and
operations element of the defense in depth strategy by providing multiple layers
of security techniques and technologies.
36 of 55
http://mokumsolutions.com
Compartmentalization of Information
Compartmentalization of information is actually a subset of the principle of least
privilege that focuses on information. Compartmentalization of information
limits access to information to people with the need to know in order to
perform certain tasks. With regard to infrastructure design with Oracle private
clouds, compartmentalization of information is used to compartmentalize users,
applications, data and information based on its sensitivity and criticality.
The principle of least privilege and compartmentalization of information are
security controls that are used together with infrastructure design and Oracle
VM to control access to applications, data and information based on its
sensitivity, criticality and value.
Security Domains
Security domains allow organizations to segment their Enterprise network into
discrete units. Each security domain will have its own policies that apply
security controls based on the sensitivity, criticality and value of the information
and systems in a security domain. Policies within the data/information
architecture domain, specically the Data/information Classication and
Categorization Policy, can provide guidance to determine the placement of
systems, information and data into their respected security domain.
Tip: FIPS PUB 199, which is the Standards for Security Categorization of
Federal Information and Information Systems, provides a formula to determine
the security category of systems and can be used to determine within which
security domain systems should reside.
Security Domain Classications:
The classication of security domains is very similar to data classications.
Each infrastructure component will be classied and placed in its respective
security domain. The majority of Enterprise networks can be separated into the
following four security domains:
Controlled: A controlled security domain is used to restrict access
between security domains. A controlled security domain could contain
groups of users with their network equipment or a demilitarized zone
(DMZ) with a VPN, proxy and web servers.
Uncontrolled: An uncontrolled security domain refers to any network not
in control of an organization, such as the Internet.
37 of 55
http://mokumsolutions.com
38 of 55
http://mokumsolutions.com
Environmental Protection
Guards
Fences
HVAC
Barriers
Water Protection
Lighting
Fire Detection
Fire Suppression
Badges
Evacuation
Escorts
Environmental Monitoring
Environmental Detection
Organizations that must comply with regulatory mandates, such as SarbanesOxley, Health Insurance Portability, and so forth, must undergo regular audits to
ensure compliance. There are a number of widely adopted control frameworks
and guidelines that can be used to help implement and audit physical and
environmental security.
Table 4 lists additional resources.
Name
Explanation
Section
FIPS PUB 31
Entire document is
dedicated to physical
and environmental
security.
39 of 55
http://mokumsolutions.com
NIST Special
Publication
800-12
An Introduction to Computer
Security: The NIST Handbook
Chapter 15.
CobIT 4.0
PO4.8
Responsibility for Risk,
Security and
Compliance.
DS12 Manage
the Physical
Environment.
DS12.2 Physical
Security Measures.
After physical and environmental security has been compromised, even the
most hardened server is at risk to a wide range of threats, such as theft,
tampering, accidental interference, lose of power, surges or spikes, ood, re,
earthquake, overheating, and so forth. From a server perspective, as soon as
physical security is compromised, theft or tampering is a serious concern. Many
popular tools are available on the Internet that can be used to reset the local or
domain administrators password by booting a server from a oppy or CDROM.
Once an intruder has the administrators password, it is possible to install root
kits or roam the network with immunity. An example of environmental risks
includes power irregularities or failure, heat, oods, re, earthquake, and so
forth.
The following example is an IT server Room Security Policy which highlights the
security controls employed to protect a server room against unauthorized
access, environmental threats and manmade disasters. This policy is intended
for informational purposes only.
40 of 55
http://mokumsolutions.com
41 of 55
http://mokumsolutions.com
42 of 55
http://mokumsolutions.com
43 of 55
http://mokumsolutions.com
44 of 55
http://mokumsolutions.com
Scope
This policy applies to all <Company Name>s Application Logs, System Logs,
Network Logs, Change Management Logs, Physical Access Logs and
Surveillance Logs.
Policy
<Company Name>s log management practice encompasses the following:
Denes log generation requirements.
Denes log format requirements.
Denes log transport requirements.
Denes log storage requirements.
Denes log access requirements.
Denes log analysis tool requirements.
Denes log retention requirements.
Denes log disposal requirements.
Log Generation Requirements
Application Logs
Applications should have the capability to record their activity to support
business processes and regulatory mandates.
System Logs
System logs are generated from a wide variety of sources. Example
sources of system logs are operating systems, authentication servers,
database servers, web servers, print servers, le servers, DHCP servers,
DNS and email servers. System logs should be capable of recording the
following:
Record requested operations.
Record whether the request was accepted or denied.
Record the time and date the operation was performed.
Record who and/or what system initiated the operation.
Record system and network resources used.
Network Logs
Network logs are generated from a wide variety of sources. Example
sources of network logs are routers, switches, intrusion detection and
prevention systems, wireless access points, network based rewalls, host
based rewalls and telephone switches. Network logs should record the
following:
Record the IP addresses or telephone numbers of the end points.
Record the port numbers for each of the end points.
Record whether connections where accepted or denied.
Mokum Solutions, Inc. +1 415 252-9164
45 of 55
http://mokumsolutions.com
46 of 55
http://mokumsolutions.com
Policy Review
This policy will be reviewed annually.
Compliance
Any employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Related Policies
Change Management Policy
Environmental Controls Policy
Record Retention Policy
Media Sanitization Policy
Incident Response
This section reviews incident response capabilities and introduces an example
Incident Response Policy. The section begins with a brief overview of incident
response capabilities and an introduction to NIST Special Publication 800-61
and concludes with an example Incident Response Policy. Incident Response is a
eld unto itself and a detailed review of its principles, processes, and approach
is beyond the scope of this book. This section shows the importance of incident
response capabilities, introduces additional references and shows how Incident
Response relates to an ORacle private cloud.
Even with the most sophisticated, state of the art security systems and eective
policies, security incidents will occur. The most common security incidents are
viruses, malware, laptop theft and employee network abuse. Less common
security events are denial of service attacks, sabotage, intellectual proprietary
theft, fraud and system penetration from external sources. Sooner or later,
every organization will need to respond to a security incident. A quick, well
orchestrated response will minimize loss and damage; in contrast, a poor
response could result in nancial, legal, and public relations problems.
An Incident Response Policy is used to dene how an organization responds to
security incidents. It is an action oriented policy that isused to provide guidance
to quickly detect security incidents, minimize loss, mitigate exploited
weaknesses and rapidly restore services. The majority of the Enterprise
Architecture policies reviewed in this book have been passive policies that
provide guidance with appropriate systems usage, technology standards,
system design, system congurations and auditing. An Incident Response Policy
is an action oriented policy that requires quick and ecient execution in order
to protect an organizations assets.
47 of 55
http://mokumsolutions.com
In regards to Oracle VM, security incidents can occur at the hypervisor and
virtual machine layers. An example of some of the incidents that originate from
the hypervisor and virtual machine layers are malware infection, network
abuse, sabotage, intellectual proprietary theft and fraud. These types of security
incidents are typically discovered by technical or administrative security
controls, an audit or an employee. When one of these security incidents is
detected, an Incident Response Policy is the primary administrative control
used to mitigate the damage.
Organizations that must comply with regulatory mandates must undergo
regular audits to validate incident response capabilities. A number of widely
adopted guidelines can be used to assist organizations in understanding how to
implement incident response capabilities. Two examples ofguidelines are
ISO/IEC 17799 section 13 and NIST Special Publication 800-61.
The NIST Special Publication 800-61 is a free, 148-paged Computer Security
Incident Handling Guide which containseight chapters and ten appendixes. The
goal of NIST Special Publication 800-61 is to assist organizations to establish
computer security incident response capabilities. It is an in-depth document
that is widely adopted and used in both the public and private sectors to
implement incident response capabilities.
List 7 shows NIST Special Publication 800-61 areas of focus:
Organizing a computer security incident response capability.
Establishing incident response policies and procedures.
Structuring an incident response team.
Handling incidents from initial preparation through the post-incident
lessons learned phase.
Handling specic types of incidents.
The following Incident Response Policy denes how an organization responds to
security incidents. The example policy starts with a Purpose and Scope
statement and then proceeds with the policy. This policy is intended for
informational purposes only.
48 of 55
http://mokumsolutions.com
49 of 55
http://mokumsolutions.com
InfoSec Contacts:
<Names and Phone Numbers>
Response
InfoSec sta will rst determine if the Security Incident justies a formal
incident response. In cases where a Security Incident does not require an
incident response, the situation will be forwarded to the appropriate area of
operations to ensure that all technology support services required are rendered.
An incident response may range from getting a critical system back online,
gathering evidence, taking appropriate legal action against individual(s), or in
some cases notifying appropriate ISP's or other third parties of inappropriate
activity originating from their network.
Any contacts or attempted contacts from the media regarding an incident
should be redirected to the marketing/communication department.
Policy Review
This policy will be reviewed annually.
Compliance
Any employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
The example Incident Response Policy shows how a policy is used to dene how
an organization responds to security incidents.
50 of 55
http://mokumsolutions.com
an Enterprise or network using passive and active analysis of the target systems
for known weaknesses, technical aws, or vulnerabilities. Vulnerability
Assessments provides a level of assurance that script kiddies, skilled intruders
and malicious users cannot compromise an organizations systems. Vulnerability
Assessments should be performed on all supporting computers and networking
gear that touch the Terminal Server environment. It is not uncommon for
organizations to perform a Vulnerability Assessment monthly or immediately
after vulnerabilities are discovered or become publicized on the Internet. For
example, if there is a mis-congured Oracle VM environment, it could be
compromised by a well known vulnerability and used as a hacking vector to
other systems behind therewall.
The Vulnerability Assessment process involves passive and active analysis of the
target systems for known weaknesses, technical aws or vulnerabilities. All of
the discovered security issues will be presented to the system owners, together
with a detailed assessment of the impact and a proposal for mitigation.
Vulnerability Assessments follows the typical pattern that an intruder or
malicious user would use to gain information about a target host or network.
This rst step starts with reconnaissance. Reconnaissance can be a quick ping
sweep to see what IP addresses on the network respond; searching newsgroups
on the Internet looking for ill-advised employees divulging useful information;
or it can be dumpster diving to nd useful information like passwords, employee
names and contacts.
Basic reconnaissance can be performed by visiting a vendor' website looking for
customer references (targets), an organizations website and gathering as much
information as possible about the company. Public websites generally yield a
wide variety of information that could be used to exploit systems and trick
employees. For example, many organizations list the names of their
management team on their public website. This information can be used for a
social engineering attack, allowing an attacker to call or email employees using
the names of the management sta to trick an employee into giving the attacker
valuable information.
Many public websites provide hints as to the type of systems an organization
uses, which can be used to craft an attack against known vulnerabilities. Other
reconnaissance techniques include using publicly available tools, such as
InterNIC (http://www.internic.net/) and ARIN (http://www.arin.net/), to collect
additional information about the domain registrations. Reconnaissance can also
include theft, deception, tapping phones and networks, impersonations, or even
leveraging falsied relationships to gather data about a target. The search for
information is only limited by the extremes an attacker is willing to go.
Note: Social engineering is a method used to obtain condential information by
Mokum Solutions, Inc. +1 415 252-9164
51 of 55
http://mokumsolutions.com
52 of 55
http://mokumsolutions.com
53 of 55
http://mokumsolutions.com
54 of 55
http://mokumsolutions.com
55 of 55