Safeguard Network
Lesson 3: Security policies and plans
Objective: Identify the characteristics of a good security plan.

Security Policies and Plans

Just as a homeowner protects against burglary with an alarm system, an organization protects its network with security policies and plans. Policies and plans are not the same thing, however; they differ in purpose and content:
  1. A security policy states the level of security an organization requires and the configuration, procedures, and technology needed to achieve it.
  2. A security plan describes how the security policy will be implemented.

In a nutshell, the policy states what you are going to do; the plan states how you are going to do it.
A good security policy addresses:
  1. Data confidentiality
  2. System integrity
  3. User authentication
  4. System access control
  5. User behavior

A good security policy sets organization-wide strategic direction for security and assigns resources for its implementation. It addresses computer security from a general perspective, broadly identifying the areas to be protected (such as employee privacy, intellectual property, and physical and intangible assets) and the level of protection desired against external and internal threats. The security plan is derived from the policy and defines the scope, resources, and specific duties and responsibilities of every member of the organization. A well-developed plan also provides clear procedures for routine operations and for non-routine events such as missing files, data theft, or an attack by an intruder.
The excerpts below, taken from a sample website security policy, illustrate the major sections of a security policy.



Website Security Policy

  • Authentication and Remote Access
    1. You will be required to change your password when you first log on to the Asteron network and every 90 days thereafter.
    2. Passwords must be at least eight characters long and contain at least one numeral, one punctuation mark, and one upper-case character.
    3. Passwords must be memorized and must not be written down or recorded in any other way. Ask your network administrator for suggestions on creating a password that is memorable yet secure.
    4. The system remembers your last three passwords, so when you change your password after 90 days it will not accept any of them; you cannot simply switch back to an earlier one.
    5. Do not tell anyone your password under any circumstances. Direct all requests for access to your account to network administration.

    Concrete rules and recommendations for user passwords belong in the User Authentication section of a security policy. Note that the rules above reflect older practice: current guidance in NIST SP 800-63B advises against mandatory periodic changes and character-composition rules, favouring longer passphrases, screening against known-breached passwords, and multi-factor authentication instead.
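As an added example (not part of the course page and not code from any Asteron system), the following Python checks a candidate password against the rules quoted above: the length and composition rule, a no-reuse history, and the 90-day lifetime. Everything beyond the text is an assumption and is labelled as such in the code: the history depth of three is a reading of rule 4, previous passwords are assumed to be held only as salted PBKDF2 hashes, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string
from datetime import date
from typing import List, Optional, Tuple

MIN_LENGTH = 8            # rule 2
MAX_AGE_DAYS = 90         # rule 1
HISTORY_DEPTH = 3         # assumption: rule 4 read as "the last three passwords are remembered"
PBKDF2_ROUNDS = 100_000   # assumption: work factor for the stored history hashes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). History is kept as salted PBKDF2 hashes, never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def composition_errors(password: str) -> List[str]:
    """Every rule-2 requirement the candidate fails; an empty list means it complies."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("no numeral")
    if not any(c in string.punctuation for c in password):
        errors.append("no punctuation mark")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case character")
    return errors


def reused(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords.

    The candidate is re-hashed with each stored salt and compared in constant time,
    so the check never needs the old passwords in clear.
    """
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def evaluate_change(candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Reasons to reject a password change; an empty list means the change is accepted."""
    errors = composition_errors(candidate)
    if reused(candidate, history):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return errors


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """Rule 1: a password older than MAX_AGE_DAYS must be changed at the next logon."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days >= MAX_AGE_DAYS


# Constructed sample history: three earlier passwords, hashed as they would be at change time.
SAMPLE_HISTORY = [hash_password(p) for p in ("Winter!2022", "Spring!2023", "Summer!2023")]

if __name__ == "__main__":
    for candidate in ("short", "Summer!2023", "Autumn!2023"):
        print(candidate, "->", evaluate_change(candidate, SAMPLE_HISTORY) or "accepted")
    print("expired:", password_expired("2024-01-01", "2024-04-01"))
```

The history check is the part worth studying: the old passwords are never stored in clear, the candidate is hashed under each stored salt, and `hmac.compare_digest` keeps the comparison constant-time. Rule 3 ("must not be recorded in any way") applies to users writing passwords down; the verifier still has to keep a salted hash, and a history of hashes is what makes rule 4 enforceable.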
  • Access Control
    You will automatically have access to files in the department to which your user account is assigned. Access to other files will only be granted on a "need-to-know" basis.
    1. To view your group membership and the directories to which you have been assigned access
    2. Do not attempt to access files to which you have not been granted access. Repeated attempts will be treated as malicious and may result in loss of network privileges.
    3. Apply to your network administrator for access to protected files, using the online request form provided at the following URL
    4. Your request will be forwarded by e-mail for approval to the department manager with authority over the information. If you are in a hurry, coordinate the request with your department manager. The request will take up to 24 hours to fulfil after it is completed and authorized, but can be given rush authorization under special circumstances.
    5. Do not share your private directories or files over the network. If you need to give other network users access to files, use the directories assigned for this purpose on the network file server.

    Explicit and clear instructions on the system access privileges granted to users are documented in the Access Control section of an effective security policy.
  • User Behavior
    Acceptable and unacceptable user behavior on corporate premises and with corporate electronic resources is clearly defined in any good security policy.
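As an added example that is not part of the course page, the following Python shows one way to implement the Access Control rules above: automatic access to the user's own department tree, deny by default everywhere else, time-limited need-to-know grants approved through the request process, and a detector for the "repeated attempts" clause that counts denials per user inside a sliding window. The group names, directory layout, grant table, audit-log format and request sequence are all constructed for the example; none of it is the course's or any vendor's code.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed directory: each user belongs to one department group (assumption).
USER_GROUPS: Dict[str, str] = {"alice": "finance", "bob": "engineering"}

# Constructed grants approved by a department manager through the request form.
# Key: (user, directory); value: ISO timestamp at which the need-to-know grant expires.
GRANTS: Dict[Tuple[str, str], str] = {("bob", "/dept/finance/q3-budget"): "2024-12-31T00:00:00"}


def department_of(path: str) -> Optional[str]:
    """Owning group of a path laid out as /dept/<group>/...; None for anything else."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "dept" else None


def is_authorized(user: str, path: str, now_iso: str) -> bool:
    """Deny by default; allow the user's own department tree or an unexpired explicit grant."""
    group = USER_GROUPS.get(user)
    if group is None:                       # unknown account: no access at all
        return False
    if department_of(path) == group:        # automatic departmental access
        return True
    now = datetime.fromisoformat(now_iso)
    for (g_user, g_dir), expires_iso in GRANTS.items():
        # Match the granted directory or a child of it, never a sibling that merely
        # shares the prefix (e.g. /dept/finance/q3-budget-old).
        in_scope = path == g_dir or path.startswith(g_dir + "/")
        if g_user == user and in_scope and now < datetime.fromisoformat(expires_iso):
            return True
    return False


def decide(user: str, path: str, now_iso: str) -> str:
    """Make the decision and return its audit-log line (constructed format)."""
    verdict = "ALLOW" if is_authorized(user, path, now_iso) else "DENY"
    return f"{now_iso} {user} {verdict} {path}"


def flag_repeat_offenders(log_lines: Iterable[str], threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Users with at least `threshold` DENY events inside any sliding `window`."""
    denials: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_lines:
        ts, user, verdict, _path = line.split(" ", 3)
        if verdict == "DENY":
            denials[user].append(datetime.fromisoformat(ts))
    flagged: Set[str] = set()
    for user, times in denials.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


# Constructed request sequence: alice works inside her own department;
# bob probes the finance tree beyond the one directory he was granted.
REQUESTS = [
    ("alice", "/dept/finance/payroll", "2024-06-03T09:00:00"),
    ("bob", "/dept/finance/payroll", "2024-06-03T09:01:00"),
    ("bob", "/dept/finance/payroll", "2024-06-03T09:02:00"),
    ("bob", "/dept/finance/ledger", "2024-06-03T09:03:00"),
    ("bob", "/dept/finance/q3-budget/summary.xlsx", "2024-06-03T09:04:00"),
    ("bob", "/dept/finance/ledger", "2024-06-03T09:05:00"),
    ("bob", "/dept/finance/payroll", "2024-06-03T09:06:00"),
    ("alice", "/dept/engineering/src", "2024-06-03T09:30:00"),
]
SAMPLE_LOG = [decide(u, p, t) for u, p, t in REQUESTS]

if __name__ == "__main__":
    print("\n".join(SAMPLE_LOG))
    print("flagged:", flag_repeat_offenders(SAMPLE_LOG))
```

Two details matter in practice. The grant check compares against the granted directory plus a trailing slash, because a bare `startswith` would let a grant on `q3-budget` also open `q3-budget-old`. And the detector keys on DENY events only, so a user who legitimately works in a granted directory (bob's 09:04 request) is not counted; in a real deployment it would read the file server's own audit log rather than a list built in memory.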

Web applications are critical to the enterprise infrastructure. Companies rely on them to communicate with partners, clients, and shareholders, and to
  1. store corporate information,
  2. share files, and
  3. conduct a host of asynchronous operations.

These applications are convenient because they need nothing more than a web browser on the client side. They may also contain security weaknesses that expose a single user or an entire organization to multiple threats. Attackers have focused increasingly on the web in recent years, and the trend continues: attacks are becoming more high-profile and more sophisticated, and they grow in frequency as new vulnerabilities are disclosed. A widely quoted estimate attributes 75 percent of attacks and web security violations to Internet-facing applications. Whether an application is developed in house or outsourced, adversaries examine its infrastructure to find vulnerabilities that can be exploited.

Leading causes of Computer Vulnerability

At the SANS99 and Federal Computer Security Conferences in 1999, 1,850 computer security experts and managers named the following as the seven leading causes of computer vulnerability:
  1. Assigning untrained people to maintain security, and providing neither the training nor the time to do the job properly.
  2. Failing to understand the relationship between information security and the business need; understanding physical security but failing to see the consequences of poor information security.
  3. Failing to deal with the operational aspects of security: making a few fixes but not following through to ensure that the problems stay fixed.
  4. Relying primarily on a firewall.
  5. Failing to realize how much an organization's information and reputation are worth.
  6. Authorizing reactive, short-term fixes, with the consequence that new problems emerge rapidly.
  7. Pretending the problem will go away if it is ignored.
In the next lesson, you will learn about the purpose of access control.
