Company Security Policy
Security Polices have become a hazardous evil in today’s computerized world. Without a Security Policy, one becomes quite an open target for numerous attacks. Here we will try to find out and represent the possible means to be applied successfully for sake of defining a security policy.
What is a Security Policy?
For an organization, it addresses the limitations on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, limitations on access by external systems including programs and access to data by people. To make the idea clearer, here is an example example I first stated with the Porn Surfer… It doesn’t help ‘after’ the fact when your dealing with a court case, if you had a policy in place to keep people informed about what it is they can or cannot do (like surf the web during business hours hitting sites that are not business related) they may not do it in the first place, and if they do, you have a tool (the policy) to hold them accountable.
So, now that we understand the idea of what a security policy is. Asstates Silver et al,a security policy is a living document that allows an organization and its management team to draw very clear and understandable objectives, goals, rules and formal procedures that help to define the overall security posture and architecture for said organization.
Now let’s start planning your infrastructure project for securing it.Here much depends on your basic IT project team to help you begin defining the main project parameters and criteria. Since it is likely to have more success if you hear thr opinion and suggestions of your co-workers.. Actually a completely meaningful approach to security can’t be obtained , and all measures may be per the upcoming needs.. We are not confident of our level of security throughout the whole enterprise. The best solution to the issue is to secure your network structure by developing a security plan. Besides drafting a security project users should also apply the appropriate and effective tools that will be of help in the process of organizing and securing Computing process necessary for an individual or an organization.
In this aspect Nsauditor Network Security Auditor is worth mentioning which is a complete networking utilities package that includes a wide range of tools fornetwork auditing, scanning, monitoring and more. It can also audit password and security policies as well as make a variety of network attack probes.
The software includes Firewall and intrusion detection system based on a security events log analyzer, in addition software allows monitor security events and permissions changes. This software also provides you with the ability to manage and monitor all shares on your workstation, disable or enable default administrative shares, hide your workstation on the network, view the number of the users currently connected to each shared resource on your workstation. ShareAlarmPro also lets you easily browse your LAN and view all shared resources irrespective of whether they are hidden or not as well as view connections to shared resources on remote workstations.
ShareAlarmPro is an Advanced All-In-One Network Access Control And Folder Monitoring Software. It allows easily to perform network shares and folder monitoring, block unwanted users attempting to access secured shares and confidential files over network, detect and log accessed files and folders. With ShareAlarmPro you are protected and well-informed about files and folders access over network.
ShareAlarmPro includes folder watcher functions. You can perform folder monitoring and folder content change tracking. With ShareAlarmPro you can centralize all alarms, thus having the opportunity to monitor several shares on multiple servers from a single location workstations.
NetShareWatcher – Find shares which are violating to your company data access policy and Fix it! NetShareWatcher is network security improvement software. It allows network administrators to monitor network shares and identify shares which are violating data access policy of their organization.NetShareWatcher is very handy. Once you apply it a first time, you can forget about network sharing problems. You only need to select restricted groups or users and every time NetShareWatcher will automatically detect network shares with an access list containing those restricted groups and perform a configured action. NetShareWatcher allows you to easily monitor network shared folders and permissions and alerts anytime a user sets a share ACL to “Everyone” or some other global group that violates your data access policy as well as disables this shared folders automatically if you have selected the appropriate feature in the settings. NetShareWatcher has user friendly interface and is easy to use. Being configured once, it will regularly notify you on network sharing detection with restricted permissions assigned. The program logs all detected events ( access to shared folders, security events, folder watcher events ) in an HTML format.
To fulfil the arrangement of the project successfully, it requires lot of basic compulsory skills. If the project team doesn’t have all the skills mentioned in the assessment then the project is at risk because gaps in skills will bring about problems in quality. You will need a number of functional and technical requirements for your infrastructure security project. The functional and also technical ones may include:
– Physically secure premises
– Secure network infrastructure servers
– Secure network firewalls, routers, etc.
– Safe local communication – Secure remote communication and user,
Types of servers, operating systems, communication methods, authentication methods, etc. All this valuable ifo provided is to give you with plenty of ideas for creating your technical requirements for the project..You might describe your technical requirement in this manner:
– Upgrade all external entry doors to card-swipe system. Card-swipe system should be compatible with the existing employee card system, XYZ. (You might include the technical specs of this system here as well.)
– Install security monitoring system (with cameras) focused on parking lot and all external doorways. System should be able to record continuously for 24 hours, cameras should be able to record in slow motion and high resolution, the system should be able to “respond” to potential incidents, and the system should record events and have at least three methods of administrator alert. These are just some of the ways you can capture technical requirements. Clearly, if you’re talking about a server, you would include processor speed, memory specifications, disk drive specifications, operating system, and so on.
– Legal/Compliance Requirements
Create a list of the functional, technical, and administrative requirements for your infrastructure security project based on the legal, regulatory, and compliance requirements. Taking time to translate these requirements into project requirements at this juncture will help ensure that you build compliance requirements into your project. In standard project management, it’s always easier to build something in at the front end than to add it at the back end (it reduces errors, omissions, time, and cost), so now’s the time to add these requirements to the greatest extent possible. Also, be sure to add milestones and documentation requirements to your project plan based on compliance needs. Policy Requirements Policy requirements may fall under functional requirements, but there’s no rule that you can’t include policy requirements as a distinct category of requirements if doing so helps you cover all the bases.We’ll look at policies in more detail in a later article, but for now, let’s walk through a few ideas for policies related to securing the infrastructure:
– User policies
– Network access policies
– Remote access policies
– Wireless policies
– Network administration/network management policies
– Server policies
– Firewall, IDS/IPS, DMZ policies
– Regulatory/compliance policies
– Corporate policies
– Legal policies
At this point, you should have an idea of the scope of your project.You could choose to address your complete infrastructure security needs during this project, or you might choose to parse it out into smaller subprojects and time them in stages or phases to meet organizational needs. Making changes to the infrastructure comes with risk, and you’ll need to be careful to take this fact into consideration as you plan your project.This starts with determining the proper scope for your project. For example, you might have recently implemented an IDS that you’re satisfied with, so you could choose to include IDS in your project only to the extent that it ties in with other infrastructure security measures. However, you might feel that your biggest exposure is on network servers such as DHCP, DNS, and directory servers, so your primary focus will be to harden these servers and related network traffic.Your assessment should tell you where you need to focus and what must be included in the plan and perhaps what can safely be omitted from your plan.Then clearly define what is and what is not part of your project so that you leave nothing open to interpretation. Whatever the case, if you already know about these scheduling issues, you might as well begin addressing them here. You might have a rough idea of how long this project will take, given what you’ve looked at thus far, and you may be able to see where it will fit in your overall IT schedule.You’ll have to balance the demands for your IT resources with the need to secure the infrastructure, so this is a good point to try to get a handle on some of those schedule constraints. You could define quality as the level of protection you’re willing to accept, though it might be difficult to quantify. As we’ve stated, quality is a mindset, and you should instill this mindset in your IT project team. As you define your project plan, you’ll have the opportunity to create specific quality metrics related to your infrastructure and include them into your task details. Remember that security comes from depth of defense, so you want each layer you build to be as strong as it can be, within the defined constraints (time, cost, criticality and so on) and understanding that no system is 100-percent secure.
1. A successful security policy needs to be flexible and it WILL experience change, only in case your business changes (nowadays we are prone to changing them more often.
2. A successful security policy must be reviewedand correspondingly and a regular review process implemented to them.
If so, you may find yourself quite alert in the review of your policy. Making sure you are aware of what you are reviewing whether you are doing a proper review will deter a huge number of instabilities!!!!
Originally posted at Network Security Magazine