Network Security Policy - Case Study Example


Extract of sample "Network Security Policy"

1. Summary

The CMS have procured the services of the in order to recommend an information security policy and procedure that would ensure that the confidentiality, integrity and availability of its information assets are not only assured but guaranteed to comply with the requirements of the law and its fiduciary responsibilities (Blackley, Peltier and Peltier). The information security policy will provide a potent shield against threats, mitigation of vulnerabilities and resolution of the weaknesses while providing the framework for the build-up of its information technology infrastructure (Andress). The information security policy will also provide the strategic parameters and guiding principles of the operation of CMS that is geared towards securing information assets (Whitman and Mattord).

The proposed network security policy as stated below specifically addresses access rights, the minimum requirements for hardware buildup, and the parameters and basis for audit and review. The Network Security Policy shall guide the access rights policy and set the parameters for the information security audit and review policy. The login policy, including the password policy, shall also be guided by the Network Security Policy (Whitman and Mattord).

This paper shall also draft a procedure that will be responsive to the requirement of the Network Security Policy. The procedure will not only provide a detailed implementation of a specific intent of the policy; it will also guide the operation and mechanism of the policy when implemented (Whitman and Mattord). Please note that the policies and procedures detailed in this paper are only recommendatory, for the consideration and approval of the management of CMS.

2. Table of Contents

1. Summary
2. Table of Contents
3. Network Security Policy
   I. Policy Declaration
   II. Objective
   III. Scope
   IV. Definition and Abbreviations
   V. Responsibilities
   VI. General Requirements
   V. Related Procedures
   VI. Enforcement
4. Router Configuration Procedure
   I. Purpose
   II. Standard
   III. Procedure
   IV. Records Generated
5. Switch Configuration Procedure
   I. Purpose
   II. Procedure
      A. Create an Administrative User
      B. Storm Control
      C. Protection against STP attacks
      D. Port Security/Disabling unused ports
   III. Useful Resources

3. Network Security Policy

I. Policy Declaration

CMS is in the business of providing health care services. In line with its fiduciary and legal obligations, this policy shall protect the privacy of its clients and employees by protecting the confidentiality, integrity and availability of all records, data and information entrusted to it.

II. Objective

The purpose of this policy is to outline the network security measures to be followed at CMS to ensure confidentiality, availability and integrity, for the purpose of protecting CMS, its clients and employees. Inappropriate implementation exposes CMS to risks including virus attacks, compromise of network systems and services, and legal issues.

III. Scope

This policy applies to all CMS systems-related infrastructure and equipment, employees and customers. To achieve this goal, the following are required for implementation:

  • Establish company-wide policies to protect the CMS networks and computer systems from abuse and inappropriate use.
  • Establish mechanisms that will aid in the identification and prevention of abuse of networks and computer systems.
  • Establish mechanisms that will limit the access and authorization of CMS personnel to information assets in a way that balances role and job requirements against information security requirements.
  • Establish mechanisms that will protect the reputation of the Company and will allow it to satisfy its legal and ethical responsibilities with regard to its networks and computer systems' connectivity to the worldwide Internet.
  • Establish mechanisms that will support the goals of other existing policies.

IV. Definition and Abbreviations

Network resources - includes any networks connected to the CMS backbone, any devices attached to these networks and any services made available over these networks. Devices and services include network servers, peripheral equipment, workstations and personal computers (PCs).

Computer Systems - computers which provide some service for other computers connected to them via a network. The most common example is a file server which has a local disk and services requests from remote clients to read and write files on that disk.

V. Responsibilities

Chief Executive Officer – Responsible for the overall day-to-day operation of the organization.

Human Resource Director – Responsible for recruitment and staffing, staff development and training, health and safety (non-medical), staff orientation, employee relations and other duties.

Medical Director – Responsible for all clinical matters including health and safety, medical specific training and development, compliance with medical specific regulation, and other medical specific matters.

General Manager – Responsible for administrative and general operating matters such as ordering, debtors and creditors, and compliance (non-medical); line manager for administrative staff.

Network Manager – Responsible for overall operation of the CMS information systems including network operation and system administration, computer and network security, IT staff supervision, and regulatory compliance for IT systems. It is also his responsibility to plan, design, implement, maintain, upgrade and improve the CMS Wide Area Network. It is also the responsibility of the Network Manager to ensure that the service level or uptime is met.
It is the responsibility of the Network Manager to ensure that the CMS network is protected by following the parameters defined in this policy and implemented according to the Standard Operating Procedure.

It is the responsibility of the Network Manager to respond to service requests, maintenance requests and service provisioning requests as indicated in, but not limited to, the user requests defined under the Standard Operating Procedure.

Users – Responsible for ensuring that all CMS network facilities are used appropriately.

VI. General Requirements

While CMS network administration desires to provide a reasonable level of privacy and security, users should be aware that the data they create on the corporate systems remains the property of CMS.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use of computer resources. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.

Information Security mandates that any information that users consider sensitive or vulnerable be encrypted.

CMS reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Auditing

For the purpose of performing an audit, any access needed will be provided to members of the Information Security Audit team. This access may include:

  • User level and/or system level access to any computing or communications device
  • Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on CMS equipment or premises
  • Access to work areas (labs, offices, cubicles, storage areas, etc.)
  • Access to interactively monitor and log traffic on CMS networks.

Password Security

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of CMS's entire corporate network. As such, all CMS employees (including contractors and subsidiaries with access to CMS systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Servers / Data Center

General

All internal servers deployed at CMS are owned by the Network group that is responsible for system administration. Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:

  • Server contact(s) and location, and a backup contact
  • Hardware and Operating System/Version
  • Main functions and applications, if applicable

Configuration changes for production servers must follow the appropriate change management procedures.

Configuration Guidelines

  • Operating System configuration should be in accordance with the approved CMS Infrastructure design.
  • Services and applications that will not be used must be disabled where practical.
  • Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.
  • The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
  • Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do.
  • Always use standard security principles of least required access to perform a function.
  • Do not use root or admin permissions when a non-privileged account will do.
  • If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
  • Servers should be physically located in an access-controlled environment.
  • Servers are specifically prohibited from operating from uncontrolled cubicle areas.

Virus Protection

CMS is implementing a four (4) level virus protection scheme: Internet Gateway, Email Gateway, Server protection, and Workstation.

All CMS PC-based computers have CMS's standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files are kept up-to-date using the anti-virus auto-update feature. Virus-infected computers must be removed from the network until they are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into CMS's networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited.

V. Related Procedures

  • Router Configuration Procedure
  • Switch Configuration Procedure

VI. Enforcement

Monitoring

All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

  • All security-related logs will be kept online for a minimum of 1 week.
  • Security-related events will be reported to the Network Manager, who will review logs and report incidents. Corrective measures will be prescribed as needed.

Security-related events include, but are not limited to:

  • Port-scan attacks
  • Evidence of unauthorized access to privileged accounts
  • Anomalous occurrences that are not related to specific applications on the host.

Compliance

Audits will be performed on a regular basis by the CMS networks department. Audits will be managed by the Systems department, in accordance with the Network Security policy. Systems will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification. Every effort will be made to prevent audits from causing operational failures or disruptions.
Penalties

Penalties shall be in accordance with the penalties provided for and defined under the HR rules and regulations. Due process shall likewise be adhered to, to protect the innocent and punish the guilty.

4. Router Configuration Procedure

I. Purpose

This Router Configuration Procedure will be used when creating an additional network to expand the current network of CMS.

II. Standard

The following standards will be used to create the baseline for the routers; it shall be the foundation on which the exception rules will be built. However, the exception rules should be in symmetry with the Network Security Policy.

  • The general servers required are on a single network.
  • Other than to this network, and then only in specific circumstances, no incoming communication should be initiated outside of CMS's network.
  • All computers on CMS's networks should be able to access the servers that are on this network using appropriate protocols.
  • Where possible the devices should be configured to allow secure remote administration, but this should be from a defined terminal or to the network managers' terminal.
  • For ease of management CMS would like to utilize some central authentication mechanism. However, CMS cannot afford to have extended down time on our infrastructure, so some backup to the central mechanism should be in place.
  • Unneeded services and interfaces should be disabled.

| Feature | Description | Default | CMS Standard |
|---|---|---|---|
| CDP-Cisco Discovery Protocol | Proprietary layer 3 Protocol between Cisco Devices | Enabled | Disable |
| TCP small servers | Standard TCP network services: echo, chargen, etc. | Enabled | Disable |
| UDP small servers | Standard TCP network services: echo, chargen, etc. | Enabled | Disable |
| Finger | Unix user lookup service, allows remote user listing | Enabled | Disable |
| HTTP server | Cisco IOS devices web based configuration | Enabled | Disable |
| Bootp server | Service to allow other routers to boot | Enabled | Disable |
| Configuration auto loading | Load its configuration via TFTP | Disabled | Disable |
| IP source routing | IP feature allows packets to specify their own route | Enabled | Disable |
| Proxy ARP | Router as proxy for layer 2 address resolution | Enabled | Disable |
| IP directed broadcast | Packets can identify a target LAN for broadcasts | Enabled | Disable |
| Classless routing behavior | Router will forward packets with no concrete route | Enabled | Disable |
| IP subnet zero support | Router will support the illegal zero bit mask | Disabled | Disable |
| IP unreachable notifications | Router will notify senders of wrong IP | Enabled | Disable |
| IP mask reply | Send an IP address mask for ICMP request | Disabled | Disable |
| IP redirects | Send an ICMP redirect message to IP packets | Enabled | Disable |
| NTP Service | Routers act as a time server for other devices | Enabled | Disable |
| SNMP | Routers can support SNMP remote | Enabled | Disable |
| DNS | DNS name resolution | Enabled | Disable |

Table adopted from: Antoine, Vanesa, et al. Router Security Guidance Activity of the System and Network Attack Center. Journal. Washington DC: National Security Agency, 2001. ebook.

  • HTTP traffic to the web server should be allowed.
  • Switches should be configured to resist common network level threats.
  • FTP traffic should be allowed from the Web Administrator's terminal to the web server.
  • TCP and UDP DNS traffic should be allowed to the DNS server.
  • SMTP traffic should be allowed to the mail server.

III. Procedure

IV. Records Generated

None

5. Switch Configuration Procedure

I. Purpose

This Switch Configuration Procedure will be used when creating an additional network to expand the current network of CMS. This should include adding an administrative user, storm control, protection against STP attacks, port security and disabling unused ports.

II. Procedure

The following commands will be used in doing the following tasks.

A. Create an Administrative User

    R8(config)#username name privilege level password string

B. Storm Control

    R8(config-if)#no ip directed-broadcast

C. Protection against STP attacks

To protect against spanning tree protocol attacks it is best to create a virtual Local Area Network whenever applicable.

D. Port Security/Disabling unused ports

    R8(config-if)#no cdp enable
    R8(config)#no service tcp-small-servers
    R8(config)#no service udp-small-servers
    R8(config)#no ip finger
    R8(config-if)#ntp disable
    R8(config)#no ip bootp server
    R8(config)#no boot network
    R8(config)#no service config
    R8(config-if)#no ip proxy-arp

III. Useful Resources

Andress, Jason. The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. New York: Elsevier, 2011.

Blackley, John A., Justin Peltier and Thomas R. Peltier. Information Security Fundamentals. Boca Raton, Florida: CRC Press, 2003.

Peltier, Thomas. Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management. United States: CRC Press LLC, 2001.

Whitman, Michael and Herbert Mattord. Management of Information Security. Boston MA: Cengage Learning, 2010.

Whitman, Michael E. and Herbert J. Mattord. Principles of Information Security. Boston: Cengage Learning Products, 2011.
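The router standard table in section 4 and the commands in section 5 can be checked mechanically. The following is an added example, not part of the original paper: it audits IOS-style configuration text against the disabling commands listed on this page. It assumes the table's Default column holds, so a default-enabled feature passes only when its disabling line is present; the sample configuration, its addresses and all function names are constructed for illustration.

```python
"""Audit IOS-style configuration text against the page's "CMS Standard" column."""

# (feature, scope, disabling command from the page, enabled by default per the table)
RULES = [
    ("TCP small servers", "global", "no service tcp-small-servers", True),
    ("UDP small servers", "global", "no service udp-small-servers", True),
    ("Finger", "global", "no ip finger", True),
    ("Bootp server", "global", "no ip bootp server", True),
    ("Configuration auto loading", "global", "no boot network", False),
    ("Configuration auto loading", "global", "no service config", False),
    ("CDP", "interface", "no cdp enable", True),
    ("NTP service", "interface", "ntp disable", True),
    ("Proxy ARP", "interface", "no ip proxy-arp", True),
    ("IP directed broadcast", "interface", "no ip directed-broadcast", True),
]

# Constructed sample (documentation address ranges), not a real device's config.
SAMPLE_CONFIG = """\
hostname R8
no service tcp-small-servers
service udp-small-servers
no ip finger
no ip bootp server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no cdp enable
 ntp disable
 no ip proxy-arp
 no ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no cdp enable
 no ip proxy-arp
!
interface Serial0/0
 shutdown
!
end
"""

def negate(cmd):
    """Return the opposite form of a command ("no x" <-> "x")."""
    return cmd[3:] if cmd.startswith("no ") else "no " + cmd

def has(lines, cmd):
    """True if cmd appears as a whole line or as a line prefix with arguments."""
    return any(l == cmd or l.startswith(cmd + " ") for l in lines)

def parse(config_text):
    """Split the config into a 'global' section and one section per interface."""
    sections, current = {"global": []}, "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():            # top-level line ends any sub-section
            current = "global"
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                sections[current] = []
                continue
        sections[current].append(line)
    return sections

def audit(config_text):
    """Return (section, feature, reason) for every deviation from the standard."""
    findings = []
    for name, lines in parse(config_text).items():
        scope = "global" if name == "global" else "interface"
        if scope == "interface" and has(lines, "shutdown"):
            continue                        # unused port is already disabled
        for feature, rule_scope, disable_cmd, default_on in RULES:
            if rule_scope != scope:
                continue
            if has(lines, negate(disable_cmd)):
                findings.append((name, feature, "explicitly enabled"))
            elif default_on and not has(lines, disable_cmd):
                findings.append((name, feature, "missing '%s'" % disable_cmd))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("%-16s %-24s %s" % finding)
```

On current IOS releases several of these services are off by default and the disabling line may not appear in the running configuration, so the default flags in `RULES` should be set to match the release being audited.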