Successful Implementation of Network Security Policies - Assignment Example

Configuring Files, NTFS, and Backups of the of Configuring Files, NTFS, and Backups Introduction We are living in an era where information is now an expensive and an essential commodity, the need to protect the integrity of data that are being transmitted becomes compulsory. As information becomes precious number of Security threats and attacks to it are growing. Network security is the ability to preserve the integrity of a system or network, its information processing environment. It demands controlling access, adaptable use and implementing emergency plans. It also involves monitoring and protection of data infrastructure services from unauthorized access. Security breaches possibly caused by human actions, which could be malicious, accidental, or through improper installation, operation or configuration. This paper presents guidelines that should be adopted to ensure efficient management and security of any information and communication technology network. These guidelines are written with keeping in mind of a less experienced IT network managers, to assist them in understanding and dealing with the risks they face. Upon implementation, these guidelines will go a long way in easing with problems of network insecurity. Network security Policy Network security policy guidelines are the practices and rules followed by an institution to protect its information resources. These polices must be documented, developed, reviewed, implemented and evaluated to ensure the integrity of the network. Hence, the need for these policies by an institution is never overemphasized (Avolio & Fallin, 2007). Developing Security Policies Developing security policies means developing the following: Program policies. System-specific policies. Issue-specific policies. Program policies. It tackles overall Network security goals and it should be applied to all IT resources inside an institution. The institution’s management must instruct policy development to guarantee that the policies address the Network security requirements of all systems operating within the institution. System-specific policies. It addresses the Network security matters and requirements of a particular system. Corporate facilities may have several sets of system-specific policies that address security from the very common (access control) to the particular (system authorizations that reflect the isolation of duties among a team of employees). Issue-specific polices. They address Network security issues related to Internet access, installation of unofficial software or devices, and sending/receiving e-mail attachments. The guidelines for the development of security policies are: Obtain an assurance from higher management to enforce security policies. Maintain good working relationships among departments, such as facilities management, internal audit, human resource, analysis of policy and budget. Create an approval procedure to include legal and human resources specialists, regulatory specialists and procedure and policy experts. Allow maximum time for the review and respond to every comment whether you accept it or not. Documenting Security Policies Institution once developed its network security policy; next step is to document these policies. Each department is responsible to protect its networks, vital information systems, and sensitive information from illegal disclosure, destruction or modification. Network security policies and procedures must be documented to ensure that accountability, availability, integrity, and confidentiality of information are not breached. Implementing Security Policies Successful implementation of network security policies requires awareness at all levels of the organization. You can create awareness through widely circulated documentation, e-mail, newsletters, a web site, training programs, and other announcements about security issues. Reviewing and Evaluating Policies Institutions/organizations and their respective departments should review their security policies periodically to ensure they persist to fulfill the institutions security needs. Policy Review within the Institution A plan should be developed by the institution/organization to review and evaluate their Network security policies once they are in place. Table A. Documentation guidelines for security policy Guideline Description Describe policies Describe policies by documenting the subsequent information: Identify common areas of threat. Generally state how to address the threat. Supply a basis for verifying agreement through audits. Outline implementation and enforcement plans. Balance protection with productivity. Describe standards Define network security standards by documenting the following: Define least requirements designed to address certain threat. Define exact requirements that guarantee compliance with policies. Verify policy compliance through audits. Summarize implementation and enforcements plans. Balance security with productivity. Describe guidelines Describe network security guidelines by documenting: Classify best practices to ease compliance Provide complete background and required information. Describe Enforcement Describe how policies will be imposed by documenting the following information: Identify team who are authorized to identify investigate and review breaches of policy. Means to enforce policies are to be identified. Table B: Guidelines for implementing network security policies Guideline Description Awareness Apply user awareness using the following methods: Inform employees about the latest security policies. Publish policy documents on paper and electronically. Develop explanatory security documentation for users. Conduct user training sessions. Signature acknowledgement from users. Retain awareness Update user awareness of current and upcoming security issues using the following methods: Web site Posters Newsletters E-mail for comments, questions, and suggestions Designate responsibility for reviewing policies and procedures. Implement a reporting procedures in which departments report security incidents to nominated security personnel Implement regular periodic reviews to evaluate the following: Impact, number and nature of recorded security incidents. Impact and cost of controls and impacts on business efficiency, along third-party vendor agreement. Reviews the effects of changes to technology or organizations. Organizational Security Organization should consider these security measures particularly when granting access to someone outside into its network. Internal security infrastructure should also be developed by each department in an organization that develops, uses, or maintains information systems. Network security infrastructure protects an institution’s IT assets by defining assets and the necessary means to protect them, and delegating responsibility for assets. This infrastructure must consist of procedures that ensure the accountability, confidentiality, availability, and integrity of IT assets. Institution must able to distinguish the following for a feasible security infrastructure. Dealing Risks from Third-Party Access Any institution should analyze the risk in granting access to the third party to its IT resources. Proper risk assessment should be conducted in the organizations that allow multiple users/systems from outside. In other words to mitigate risk from outside, security awareness and access control should be implemented. Undertaking with Third-Party Entities Organization and its departments that allow third-party access to its information should address the security threats of that access and require the third-party to stick on to all established security policies. Some of the guidelines that should be processed when contracting with a third party are. (1) Control access (2) Protect asset (3) Manage service (4) Manage liabilities (5) Ensure compliance (6) Secure equipments (7) Manage personnel Identifying Security Requirement for Outsourcing Contract Outsourcing contracts should address all IT security threats identified for the exacting resources included in the agreements. Asset Classification and Control Assets should be classified in order to understand which are crucial or mission critical assets. Organization should. Classify assets Develop and maintain an asset record. Analyze and assess risk. Personnel Security Network managers should address the security issues with respect to personnel. The following areas must be considered to ensure a complete Personnel Security as regards Network Security. New Entries in IT When hiring someone, IT departments should enforce security procedures to reduce the risks of human error, misuse of resources, and fraud. The steps that should be enforced when screening employee are. Screening possible employee. Sketch employee responsibilities. Evaluate the duties of newly appoint. Assuring appropriate use of technology Organization should provide IT resources to authorized personnel to facilitate the efficient performance to their duties. Authorization enforces certain obligations and responsibilities on users and is subject to organization policies. Users at every level should be educated in the appropriate use of IT resources. The steps for ensuring proper use of technology are. Creating of appropriate user policies. Enforcement of policies. Training users Users should be trained to make them to be aware of potential threats and to understand their duties to report any security breach. The steps for training users are: Create information access. Apply acceptable use of software. Maintain accepted use of system. Reporting of security breach Personnel should be educated to report any violation in accordance with security policy. The steps for this are as follows: Report incidence. Manage violation. Collection and sharing network information. Develop user knowledge. Define user duties. Developing a disciplinary policy A disciplinary policy ensures fair treatment of users who breach security and may also prevent users from ignoring security procedures. Steps for the implementation of developing disciplinary policy are: Development of disciplinary policy for internals. Development of disciplinary policy for third parties. Operation Management Creating network controls. Dividing operational and developing facilities. Creating network controls Network controls guarantees the security of information and connected resources. To maintain security on computer networks a series of controls must be applied. The guidelines for creating network controls include: Divide operational duties for networks and system operations where required. Establish remote resource management Establish particular controls to protect data crossing public networks and connected systems. Apply network management tools and procedures to guarantee controls are systematically applied and services are optimized. Dividing Operation and Development Facilities Dividing of operation, development, and test systems reduces the risk of illegal alteration or access. To operate properly, each type of computing network requires a known and secure environment. Guidelines for dividing facilities are: Operate operational and development software on different areas, or in different directories. Separate production activities from development and testing activities Avoid using the same logon activities, passwords and display menus for both test and operational systems to reduce the risk of accidental logon and other errors. Describe and document the process for shifting software from development to operational status. Such transfers should involve management approval (Singapore IT Security Techno Portal, 2002). References Avolio, F. M., & Fallin, S. (2007). Producing Your Network Security Policy. Watch Guard. Retrieved from http://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf Singapore IT Security Techno Portal. (2002). How to develop a Network Security Policy. Windowsecurity.com. Retrieved from http://www.windowsecurity.com/whitepapers/How_to_develop_a_Network_Security_Policy_.html Read More