Download Network Security Policy: In the Work Place

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
Document related concepts

Airport security wikipedia , lookup

Information security wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Unix security wikipedia , lookup

Wireless security wikipedia , lookup

Mobile security wikipedia , lookup

Network tap wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Security-focused operating system wikipedia , lookup

Computer security wikipedia , lookup

Distributed firewall wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Joshua Cormas
COSC 356 – Net. Security
Final Presentation Essay
Network Security Policy: In the Work Place
I will begin by providing a roadmap of what I will be discussing in this essay, in relation
to network security policy in the work place. I will first explain how companies can control
network security risks in the work place. I will also provide the different types of security
policies companies most frequently utilize, as well as give some examples. After, I will provide
descriptions of training and awareness programs which provide increased security for companies
and organizations. Network security policies are very important in businesses and organizations
to maintain daily functioning.
The most important concept in information security and networks is of course the risk
factor. There can be many different types of risk that are encountered in an organization. Some
risks are small and easily managed, while other risks can threaten the existence of a business.
These risks were once taken lightly, but today they are viewed as avenues through which an
attacker can potentially cripple a targeted business. Many of these approaches can be applied to
information security in general; however I will be focusing on the network security aspects.
Most organizations utilize a multifaceted approach. First, they work to control risk
through management techniques. Second, they develop a policy that reflects the organization’s
needs and operation. The network security policy defines what the organization needs to protect
and how they will do so. The third approach is awareness and training on the policies. Similar to
how users must be instructed on how to use specific software or hardware, they also must be told
network policies to maintain a secure network and business.
Controlling the risk factor is the most important part of managing network security
policies. It is important to know some commonly used definitions in network security. A threat is
a type of action that has the potential to cause harm to a computer network. A threat agent is a
person or element that has the power to carry out a threat. Vulnerability is defined as a flaw or
weakness in a company’s network security. One example of this is authentication methods
companies utilize. Finally, risk is the likelihood that the threat agent will exploit the
vulnerability.
Some classifications of network security risks are listed and described as follows.
Compliance is a considered following a regulation or standard on a network. Strategic is an
action that affects long-term goals of an organization, such as unauthorized access to intellectual
property on a company database. Technical classifications are events that affect network
systems, such as a DDoS or SQL injection attack. There are three important strategies for
controlling risks in an organization. Privilege management is the process of assigning and
revoking privileges to users on a network. Change management is a methodology for making
modifications and keeping track of changes, such as new servers or routers being introduced to a
network. Incident management is a framework and functions required to enable incident
response. Another way of reducing risks is through a network security policy. A policy is a
document that outlines the protections that should be enacted to ensure that the organization’s
network stability and assets face minimal risks. This defines how an organization plans to protect
the company’s network.
The primary purpose of a network security policy is to inform users and staff the
requirements for protecting various assets. These assets take many forms, including passwords,
documents, or even servers. These policies also lay guidelines for acquiring, configuring, and
auditing computer systems and networks. Things companies should consider when creating a
network security policy include; what do you have on the network that others want? What
processes, data, or information systems are critical to your organization? What would stop your
company from functioning? The answers to these questions identify network assets in a wide
range. These include critical databases, vital applications, personal data, shared network storage,
e-mail servers, and web servers. Network security policies must consider all entities that deal
with your network. Not only employees, but end users and anyone who has confidential data on
your networks. Employees are considered potential threats in security policies. However, these
policies must be implemented so that employees are still able to complete their jobs without
being overly burdened by security measures.
In network security policies, users can be organized into two audiences. One, internal
audiences, which are managers, executives, departments, technical staff, and end users.
Secondly, external audience, which are partners, customers, suppliers, and consultants. There are
several main security policy components. Governing policy is a high-level treatment of security
concepts that are important to the company. Managers and technical staff are the intended
audience. This policy section controls all security-related interaction among business units and
supporting departments in the company. An end user policy is a document that covers all security
topics important to end users. This policy answers the “what”, “who”, and “when” and “where”
network security policy questions for end users. Technical policies are used to carry out security
responsibilities for the network or system by security staff members. These policies are more
detailed than the others, and are system or issue specific.
Network security staff members use the technical policies in the conduct of their daily
responsibilities. An acceptable use policy defines the acceptable use of computing services and
networks, and security measures employees should take. An audit policy is used to conduct
audits and risk assessments, investigate incidents, ensure adherence to security policies, and
monitor user and system activity when needed. Global web server policy defines the standards
that are required by all web hosts on the network. E-mail policy defines standards to prevent
tarnishing the public image of the organization, restrict automatic e-mail forwarding to external
destinations without prior approval, and spam policies. Remote access policies define the
standards for connecting to the network from any host or network external to the organization. A
VPN security policy defines the requirements for remote-access IP security or Layer 2 tunneling
protocol VPN connections to the organization network. Application service provider policy
defines the minimum security criteria that an ASP must execute before the organization uses
their services on a project. Database credential policy defines the minimum requirements for
securely storing and retrieving database usernames and passwords.
Inter-process communications policy defines the security requirements that any two or
more processes must meet when they communicate with each other using a network socket or
operating system socket. Source code protection policy establishes minimum security
requirements for managing product source code. Extranet policy defines requirements that thirdparty organizations that need access to the organization networks must sign a third-party
connection agreement.
Policies are important, but are useless if staff doesn’t understand and implement them.
Technical and administrative controls can all be defeated without participation of the end-user
community. To get end users (accountants, administration, etc.) to think about security policies,
the company must train and regularly remind them about security. Another important aspect of
network security is the physical security that protects hardware, such as servers and other
computer equipment. One method of protecting the physical assets of a network is to centralize
network servers in one area. Access to the area would require authentication of some sort, such
as an ID badge. Another key component to the physical security of a network is surveillance.
Outside of a physical network asset, there should be cameras monitoring to see who enters and
attempts to access the location. This will enable a company or organization to detect when
someone enters a sensitive location, as well as evidence in the result of an attack.
Network encryption is another key factor. Sometimes called “network level encryption”
is a network security process that applies crypto services at the network transfer layer. Using
existing network services and application software, network encryption is invisible to the end
users and operates independently of any other encryption processes used. Businesses can utilize
network encryption methods to ensure communications between local networks are confidential.
One popular form of network encryption is Ipsec, otherwise known as Internet protocol security.
It includes a set of cryptographic tools to protect communications, encrypting each IP packet
going between network systems.
Overall, network security is a very broad topic. When applied to businesses and work
places, it becomes slightly more specific. Common methods and techniques of applying network
security concepts can be seen in today’s companies. It is important for a business to critically
analyze their assets to decide on a network security policy that best fits their company. Next they
must be sure to practice these policies and apply them to all affected parties. These policies are
pointless if the end-user community does not use them, so it’s important to regularly remind
employees of their existence. Poor network security in a business can ultimately lead to the
downfall of their organization.
Related documents
Database - Shelby County Schools
Database - Shelby County Schools
Network Security Policy in the Work Place
Network Security Policy in the Work Place
Chapter 1 A Beginning Library of Elementary Functions
Chapter 1 A Beginning Library of Elementary Functions
Precalculus Mrs. Spatola Name______________________
Precalculus Mrs. Spatola Name______________________
FUNCTIONS Section 3.1 to 3.3
FUNCTIONS Section 3.1 to 3.3
Definition Web 2.0
Definition Web 2.0
This chapter is organized as follows: Section 2 briefly defines the
This chapter is organized as follows: Section 2 briefly defines the
Lecture 6: Worksheets 1 3 6 10 15 21 36 45 1 4 10 20 35 56 84 120
Lecture 6: Worksheets 1 3 6 10 15 21 36 45 1 4 10 20 35 56 84 120
Database Confidentiality
Database Confidentiality
Components of an operating system
Components of an operating system
Section 3.1 Functions
Section 3.1 Functions
Document
Document
PRINCIPLES OF TOURISM MARKETING
PRINCIPLES OF TOURISM MARKETING
view program correlation document
view program correlation document
A. Explain the nature of marketing plans. B. Explain the role
A. Explain the nature of marketing plans. B. Explain the role
User_Interface_Design_for_Wordnet_Website
User_Interface_Design_for_Wordnet_Website
secure operating system
secure operating system
pptx - Cornell Computer Science
pptx - Cornell Computer Science
server
server
William Stallings Data and Computer Communications
William Stallings Data and Computer Communications
Categories of I/O Devices - NYU Stern School of Business
Categories of I/O Devices - NYU Stern School of Business
CSc-340 08a
CSc-340 08a