
Network Architecture and Security Considerations in IISC - Term Paper Example

Summary
This term paper "Network Architecture and Security Considerations in IISC" analyzes the Security Administrator Handbook of the IISC. Providing a secure architecture keeps the cost of system failure, recovery and interruption of business operations to a minimum…

Extract of sample "Network Architecture and Security Considerations in IISC"

Security Administrator Handbook
IDENTITY INTERNET SOLUTIONS COMPANY (IISC)

Section 1

1. Network Architecture and Security Considerations

A secure architecture keeps the cost of system failure, recovery, interruption of business operations and reputational damage to a minimum. The cost of designing the network architecture and its security controls is normally weighed against those same losses it aims to prevent. Identity Internet Solutions Company acknowledges that its ability to protect its IT from hostile networks rests on the strength of its network architecture and security design.

Guidelines and Procedures IISC adopts:
The Enterprise Information Technology Architecture (EITA) forms the basic framework for all technology applied at IISC. The Enterprise Information Systems Security Architecture (EISSA), a part of the EITA, defines the physical and logical components that together make up the company's security architecture.

2. Wireless Security

All users of the IISC wireless network must apply the required controls, including the strongest available encryption, strong passwords and up-to-date malware protection, to counter the risks that wireless access technologies pose to Identity Internet Solutions Company's data and information systems. The purpose of this policy is to protect the confidentiality of information and the integrity and availability of the wireless network infrastructure against compromise through unauthorized access, and to prevent the deployment of open and unsecured wireless access points.

Guidelines and procedures that IISC adopts:
All wireless access points (APs) must follow a design approved by the IISC IT department and must be deployed by that department. Users are strictly prohibited from installing or using personal access points on the network.
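Discovering unapproved access points is the enforcement step behind the rule above. The following Python script is an added example and is not part of the IISC handbook: the approved-AP inventory, the corporate SSIDs and the scan results are constructed for illustration, and the security-mode labels are assumed to come from whatever wireless sensor or site-survey tool produces the scan. It separates the cases the policy cares about: an inventoried AP that has drifted from its approved configuration (for instance a guest AP left open), an evil twin broadcasting a corporate SSID from unknown hardware, an open or WEP network, and a plain personal hotspot.

```python
"""Flag wireless access points that violate the IISC wireless policy.

Added example, not part of the IISC handbook. The approved-AP inventory,
the corporate SSIDs and the scan results are constructed for illustration;
in practice the scan would come from a wireless IDS sensor or a site survey.
"""
from dataclasses import dataclass

# Assumption: the SSIDs the company broadcasts.
CORPORATE_SSIDS = {"IISC-Corp", "IISC-Guest"}

# Assumed inventory of APs deployed by the IT department: BSSID -> (SSID, security mode).
APPROVED_APS = {
    "aa:bb:cc:00:00:01": ("IISC-Corp", "WPA2-EAP"),
    "aa:bb:cc:00:00:02": ("IISC-Corp", "WPA2-EAP"),
    "aa:bb:cc:00:00:03": ("IISC-Guest", "WPA2-PSK"),
}

# Modes the policy forbids outright ("open and unsecured wireless access platforms").
PROHIBITED_SECURITY = {"OPEN", "WEP"}


@dataclass(frozen=True)
class ScanEntry:
    """One beacon observed in a scan."""
    bssid: str
    ssid: str
    channel: int
    security: str  # e.g. "OPEN", "WEP", "WPA2-PSK", "WPA2-EAP", "WPA3-SAE"


def classify(entry: ScanEntry) -> str:
    """Return a policy verdict for one observed access point.

    approved       BSSID is in inventory with the expected SSID and security mode
    misconfigured  inventoried BSSID whose SSID or security mode differs from inventory
    evil_twin      broadcasts a corporate SSID from a BSSID IT never deployed
    open_or_weak   unknown AP running OPEN or WEP
    rogue          any other AP not deployed by IT (e.g. a personal hotspot)
    """
    approved = APPROVED_APS.get(entry.bssid.lower())
    if approved is not None:
        expected_ssid, expected_security = approved
        if entry.ssid == expected_ssid and entry.security == expected_security:
            return "approved"
        return "misconfigured"
    if entry.ssid in CORPORATE_SSIDS:
        return "evil_twin"
    if entry.security in PROHIBITED_SECURITY:
        return "open_or_weak"
    return "rogue"


def violations(scan):
    """Return (bssid, verdict) for every scanned AP that is not 'approved'."""
    return [(e.bssid.lower(), classify(e)) for e in scan if classify(e) != "approved"]


# Constructed scan of the office airspace.
SAMPLE_SCAN = [
    ScanEntry("aa:bb:cc:00:00:01", "IISC-Corp", 36, "WPA2-EAP"),
    ScanEntry("aa:bb:cc:00:00:03", "IISC-Guest", 1, "OPEN"),         # guest AP left open
    ScanEntry("de:ad:be:ef:00:01", "IISC-Corp", 6, "WPA2-PSK"),       # evil twin
    ScanEntry("02:11:22:33:44:55", "Bobs-Hotspot", 11, "WPA2-PSK"),   # personal AP
    ScanEntry("02:11:22:33:44:56", "FreeWifi", 11, "OPEN"),
]

if __name__ == "__main__":
    for bssid, verdict in violations(SAMPLE_SCAN):
        print(f"{bssid}  {verdict}")
```

A BSSID match is not proof of legitimacy, since BSSIDs are trivially spoofed; the inventory check is a first filter, and disconnecting a device "at the router level" still requires locating its wired uplink, for example by looking up the AP's Ethernet MAC address in the switch address tables.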
If any such device is discovered, the IISC IT department reserves the right to disconnect it and block it at the router level. Persistent violation of this requirement will be treated as a violation of the Acceptable Use Policy and may attract disciplinary action, including but not limited to legal action.

All data communication and operations on the wireless network shall be regarded as untrusted. All users are therefore subject to the restrictions imposed to protect the security and integrity of data across the whole communication network. Internet access shall be offered with the fewest possible restrictions, but users of the internet service remain bound by the terms and conditions of the Acceptable Use Policy.

Access points shall not be left in the default open (unauthenticated) mode: every client must authenticate before it is permitted to join the wireless network. Note that the legacy 802.11 "Shared Key" authentication mode does not satisfy this requirement, because it depends on WEP, which is broken, and its challenge-response exposes keystream to an eavesdropper. The requirement is met by WPA2-Enterprise (802.1X/EAP) or WPA3, which perform the real authentication after the 802.11 association.

3. Remote Access Security

The purpose of this policy is to provide the standards, procedures and restrictions governing access to the IISC internal network from external hosts through remote access technology, and the use of third-party wireless internet service providers for business. The resources to be protected include, but are not limited to, corporate information, computer systems and databases.

Guidelines and Procedures that IISC adopts:
Every IISC employee, client or contractor with remote access privileges is responsible for maintaining the strictest security on their remote access connection. This includes the responsible, appropriate and ethical use of remote access connections.
The following rules apply to remote access connections:
Employees, clients and other permitted users shall authenticate to remote connections with credentials that meet the IISC Password Policy, transmitted only over encrypted connections.
Employees and other users must never disclose their passwords to third parties, who could use them to jeopardize the company's operations.
All remote computer equipment and portable devices used for business, whether personally owned or owned by IISC, must carry adequate security controls.
Remote users connecting through wireless hotspots must use the IISC-approved firewall and any other security measures the IT department deems indispensable.
Remote and hotspot users must disable their wireless interfaces whenever they are not in use, to reduce exposure to attackers and eavesdroppers.
Users must change their passwords regularly, and in particular during or after trips and business engagements that involve hotspot wireless service or personal web browsing.

4. Laptop and Removable Media Security

Laptops, personal digital assistants (PDAs) and other portable devices are increasingly used in the day-to-day operations of IISC. Their convenience has made them popular, and their compact size makes them attractive targets for theft. The purpose of this section is to give IISC administrators, employees and users basic guidelines for protecting critical data in these mobile computing environments.

Guidelines and procedures that IISC adopts:
All employees and users of IISC services take full responsibility for the security of any mobile electronic device issued to them, including but not limited to laptops, PDAs and mobile phones, and for safeguarding all confidential data stored on or transmitted through those devices.
All employees and users of IISC mobile devices must immediately notify the IISC security department of the loss of any IISC-owned device, or of the loss or compromise of any sensitive information stored on it. Prompt action must be taken, in line with IISC rules and procedures, whenever critical or confidential data was stored on a lost or stolen device.

All mobile computing devices must meet the following minimum security standards:
Systems must be configured to require a strong password at every login.
Operating system and application security updates must be applied regularly to laptops and PDAs.
Antivirus software must be installed and kept up to date to prevent data loss caused by malware.
Data on these devices must be backed up weekly, and the backups must themselves be protected.
Sensitive data stored on portable devices must be encrypted.
Physical security must be reinforced with locking devices such as anti-theft cables, and laptops must never be left unattended, even briefly.

5. Vulnerability and Penetration Testing

This policy covers all of Identity Internet Solutions Company's computing, networking, communication and information resources. Its purpose is to authorize only appropriate members of the IISC IT department to carry out audits, comprising vulnerability assessments and penetration tests, against the company's key computing and IT infrastructure. Audits may be conducted to:
Investigate probable security incidents.
Ensure compliance with IISC information technology policies and the corresponding rules and procedures.
Verify that the security of information systems meets the minimum requirements.
Ensure that the company's sensitive information is safeguarded from unauthorized modification.

Guidelines and procedures that IISC adopts:
Permission to access a specific system or IT resource for an audit is granted to members of the IISC IT department only after a Vulnerability Assessment Authorization Form has been duly completed. A member of the IISC IT department holding a completed and signed Vulnerability Assessment Authorization Form is granted permission to access IISC computing, communication, networking and information resources to the extent necessary to carry out the scans authorized under this policy. This access may include:
User-level and/or system-level access to IISC computing, communication, networking and information resources.
Access to electronic and hard-copy information generated, transmitted or stored on IISC equipment or premises.
Access to work areas such as labs, offices and storage areas.

The IISC IT team will communicate the details of the vulnerability assessment to the chair of the department before planning and running any tests. In addition to the vulnerability scanning and penetration testing performed by the IT team, the team shall give affiliated users access to a vulnerability scanning portal that lets them scan the computing and IT resources of their own departments. IISC acknowledges that scanning may degrade network and server performance and, in extreme cases, make systems unavailable; the IT team must therefore keep scans brief so that users are not inconvenienced for more than 3 hours. Vulnerability and penetration testing shall be conducted mostly at night, except in unavoidable urgent circumstances.
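The authorization form, the briefing of the department chair, the 3-hour limit and the night window above are conditions a scan scheduler can check before any packets are sent. The Python below is an added example, not part of the IISC handbook: the form identifiers, the scope ranges, the requester names and the 22:00 to 06:00 definition of "night" are assumptions, and the handbook does not say how the signed form is recorded. The gate returns every reason a request fails rather than only the first, so the requester can fix the submission in one pass, and it treats "urgent" as waiving only the night window, never the scope or duration limits.

```python
"""Gate a vulnerability scan on the handbook's authorization rules.

Added example, not part of the IISC handbook; forms and requests are constructed.
A scan is refused unless it cites a signed Vulnerability Assessment Authorization
Form whose requester matches, the chair has been briefed, every target is inside
the form's scope, it lasts at most 3 hours and (unless urgent) it runs at night.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta

MAX_DURATION = timedelta(hours=3)   # "not inconvenienced for a period exceeding 3 hours"
NIGHT_START = time(22, 0)           # assumption: "night" means 22:00 to 06:00 local time
NIGHT_END = time(6, 0)
NIGHT_LENGTH = timedelta(hours=8)


@dataclass
class AuthorizationForm:
    form_id: str
    requester: str
    signed_by: str        # empty string means the form was never signed
    scope: list           # CIDR strings the form authorizes
    chair_notified: bool


@dataclass
class ScanRequest:
    form_id: str
    requester: str
    targets: list         # IP addresses or CIDRs to scan
    start: datetime
    duration: timedelta
    urgent: bool = False  # "unavoidable urgent circumstances" waive only the night window


def in_night_window(start: datetime, duration: timedelta) -> bool:
    """True if [start, start + duration] lies entirely inside the night window.

    The window crosses midnight, so a clock time is inside it when it is at or
    after NIGHT_START or before NIGHT_END. If both endpoints are inside and the
    interval is shorter than the window, the interval cannot leave it in between.
    """
    def inside(moment: datetime) -> bool:
        clock = moment.time()
        return clock >= NIGHT_START or clock < NIGHT_END
    return duration <= NIGHT_LENGTH and inside(start) and inside(start + duration)


def out_of_scope(targets, scope):
    """Return the targets not covered by any network in `scope`."""
    nets = [ipaddress.ip_network(c, strict=False) for c in scope]
    missing = []
    for t in targets:
        tnet = ipaddress.ip_network(t, strict=False)
        if not any(tnet.subnet_of(n) for n in nets if n.version == tnet.version):
            missing.append(t)
    return missing


def authorize(req: ScanRequest, forms: dict) -> list:
    """Return the reasons the request is refused; an empty list means the scan may proceed."""
    form = forms.get(req.form_id)
    if form is None:
        return ["no Vulnerability Assessment Authorization Form on file"]
    reasons = []
    if not form.signed_by:
        reasons.append("authorization form is not signed")
    if form.requester != req.requester:
        reasons.append("requester does not match the form")
    if not form.chair_notified:
        reasons.append("department chair has not been briefed")
    missing = out_of_scope(req.targets, form.scope)
    if missing:
        reasons.append("targets outside authorized scope: " + ", ".join(missing))
    if req.duration > MAX_DURATION:
        reasons.append("duration exceeds the 3-hour limit")
    if not req.urgent and not in_night_window(req.start, req.duration):
        reasons.append("scan is scheduled outside the night window")
    return reasons


# Constructed forms: one complete, one never signed and never briefed.
FORMS = {
    "VAAF-2024-017": AuthorizationForm("VAAF-2024-017", "it.scanner", "cio",
                                       ["10.20.0.0/16", "192.0.2.0/24"], True),
    "VAAF-2024-018": AuthorizationForm("VAAF-2024-018", "it.scanner", "",
                                       ["10.20.0.0/16"], False),
}


def sample_requests() -> dict:
    """Constructed scan requests, one per rule being exercised."""
    night = datetime(2024, 6, 3, 23, 0)
    day = datetime(2024, 6, 3, 14, 0)
    return {
        "ok": ScanRequest("VAAF-2024-017", "it.scanner", ["10.20.5.0/24", "192.0.2.10"], night, timedelta(hours=2)),
        "daytime": ScanRequest("VAAF-2024-017", "it.scanner", ["10.20.5.0/24"], day, timedelta(hours=1)),
        "urgent_daytime": ScanRequest("VAAF-2024-017", "it.scanner", ["10.20.5.0/24"], day, timedelta(hours=1), urgent=True),
        "scope_creep": ScanRequest("VAAF-2024-017", "it.scanner", ["10.20.5.0/24", "203.0.113.7"], night, timedelta(hours=2)),
        "too_long": ScanRequest("VAAF-2024-017", "it.scanner", ["10.20.5.0/24"], night, timedelta(hours=4)),
        "unsigned": ScanRequest("VAAF-2024-018", "it.scanner", ["10.20.5.0/24"], night, timedelta(hours=1)),
        "no_form": ScanRequest("VAAF-0000", "it.scanner", ["10.20.5.0/24"], night, timedelta(hours=1)),
    }
```

Calling `authorize(req, FORMS)` for each entry of `sample_requests()` shows the intended behaviour: the "ok" request returns an empty list, "too_long" is refused on duration alone even though it starts at night, and "urgent_daytime" passes because urgency waives only the window. In a real deployment the scope check should run against the targets the scanner actually expands to, not just the strings the requester typed.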
Night-time scheduling ensures that the fewest possible users are affected by the scanning process.

6. Physical Security

The IISC IT team, together with all other users of computing, networking, communication and information resources, shall ensure that all physical assets are adequately protected from physical threats including, but not limited to, vandalism, accidental interference and easy access by thieves. The purpose of this policy is to establish the strongest practical physical security measures for the key information and technology infrastructure of Identity Internet Solutions Company. The threats addressed are vandalism, theft and interference with key infrastructure, any of which may make the company's communication, networking and physical devices unavailable.

Guidelines and Procedures:
IISC IT department personnel shall ensure that the doors to critical rooms, offices and work areas are properly locked at the end of business. The keys to these areas shall be held in the office of the chairperson of the IT department and retrieved only at the start of official business the following day.
Laptops and other portable devices shall be carried in their protective bags, which guard them against damage from accidental falls and also conceal them, to a reasonable degree, from thieves. When laptops are used in offices and other work areas, users shall secure them with locking security cables anchored to the work surface.
The company's security team, in conjunction with IISC IT department personnel, shall ensure that the company's key infrastructure is appropriately protected from vandalism, theft and physical interference.

7. Guidelines for Reviewing and Changing Policies

IISC takes an open and proactive approach to raising issues and to reviewing and changing policies, so as to avoid the wasted effort and delay of piecemeal amendments.

Guidelines and procedures that IISC adopts:
A policy review, or a wholesale change of policy, may be triggered by: the policy's scheduled review date; policy gaps identified in consultation with members of the executive committee, the human resources manager, clients or other stakeholders; changes in the environment inside or outside IISC, such as new legislation; and issues recorded in the policy issues log. The policy issues log records matters that emerge from the implementation and application of IISC policies.

A submission on the proposed policy development or review is then made, well in advance, to the IISC executive management committee for advice and assistance. The outcome at this stage determines how urgent the policy issues are, and hence whether they call for immediate review, later review or the development of an entirely new policy. At the same stage a policy contact is identified: the person with line management responsibility for policy formulation. A policy custodian from the executive team is also identified and is responsible for giving strategic direction to the proposed review or development. A policy development team made up of these people and other stakeholders, such as client representatives and staff, may then be formed. Adequate research is carried out to determine the impact of the proposed policy direction. The policy review or new policy is then drafted and further consultation with stakeholders is carried out.
The draft is then reviewed, communicated to all relevant stakeholders and implemented.

Section 2: Policies

A. Acceptable Use Policy

Policy Statement: All users are responsible for exercising good judgment in the appropriate use of IISC resources, in line with IISC policies, standards and procedures. IISC resources may not be used for unauthorized or unlawful purposes. For security, compliance and maintenance purposes, authorized staff may inspect and audit equipment, systems and networks in accordance with the audit standards and procedures. Devices that interfere with other devices or users of the IISC network may be disconnected by authorized personnel.

Purpose: The purpose of this policy is to define acceptable and unacceptable use of the network resources and electronic devices of Identity Internet Solutions Company, in keeping with its culture of integrity, quality and secure service, and of ethical and lawful practice.

Objectives:
i. To maintain a high degree of confidentiality, integrity and availability for the critical assets of IISC.
ii. To ensure that users of information assets act in accordance with the company policies and procedures that shield IISC from damaging legal exposure.

Guidelines and Procedures:
As a user, you are fully responsible for the accounts and security credentials under your control. All passwords must be kept secure, and you must never share an account username or password with any other party, including family, friends or other personnel. Leaking this access information, whether deliberately or through negligence, is a violation of this policy. You are responsible for maintaining system-level and user-level passwords in line with the Password Policy.
You must ensure, through contractual or technical means, that critical and confidential information remains under IISC control at all times. Conducting IISC business in a way that stores critical or confidential information in environments not governed by IISC, including with third parties that have no contractual agreement with IISC, is prohibited. This also prohibits the use of personal e-mail accounts for IISC business. You are responsible for protecting IISC assets, including but not limited to computer cables, laptops and other security devices. Laptops left on IISC premises overnight must be secured in a locked cabinet. Theft of any of these assets must be reported immediately to the security department so that prompt action can be taken. All personal computers and laptops must be protected from unauthorized access by a password-protected screen lock that engages automatically after no more than 10 minutes of inactivity. Devices that connect to the IISC network must comply with the Minimum Access Policy.

Review and change management: The policy shall be reviewed regularly and, where necessary, changed in accordance with the procedures for policy review and change set out in Section 1.

B. Password Policy

Policy Statement: All passwords used to access individual IISC accounts must meet the minimum requirements set out below and must be traceable to specific users. Any suspicious or unaccounted-for use of a password must be reported as soon as possible to the Security Administrator of Identity Internet Solutions Company.

Purpose: A growing share of information security incidents stems from unauthorized access to data stored on computers. In most cases, access to that data is controlled by password authentication.
Failure to use strong passwords can expose sensitive company information and, in turn, harm critical services. Observing this policy is essential to preserving the security of company information, including databases holding highly sensitive client information.

Objectives:
i. Prevent unauthorized access to the company databases that hold highly sensitive customer information.
ii. Protect customers from fraud, especially credit-card fraud.

Standards: All passwords must be treated as confidential, sensitive information and must meet the following standards:
Users may use only the account credentials they have been authorized to use; any attempt to sign in to another account is a violation of this policy.
Standard user accounts must not be used to run system services.
Users must not attempt to crack or decrypt stored password hashes or encrypted passwords without the explicit written consent of the information security office.

Procedures and Guidelines:
A password must never be sent in plain-text e-mail or stored unencrypted in files on a personal computer.
A new password must not have been used at any time in the preceding year. Cycling quickly through passwords to defeat this rule is a gross violation of this policy.
A password must be at least eight characters long and contain at least two digits in addition to letters.
A password must not be built from personal information such as a name, date of birth or national identity number.
A password must not be an unmodified word of English or any other language.

Responsibilities: All users are personally responsible for maintaining the security of their passwords.
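The procedures above can be enforced mechanically when a user sets a new password. The Python below is an added example, not part of the IISC handbook. The word list, the user record and the password history are constructed; history entries are kept as salted PBKDF2 hashes, so checking for reuse within a year never requires storing old passwords in clear text. The dictionary test strips digits and symbols before the lookup, so "Password99" is treated as an unmodified word, which is a stricter reading of the rule than the handbook's wording strictly requires.

```python
"""Enforce the IISC password standards at password-change time.

Added example, not part of the IISC handbook. The word list, the user's
personal data and the password history are constructed for illustration.
History entries hold only salted PBKDF2 hashes, never the passwords
themselves, in keeping with the rule against storing passwords unencrypted.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8                       # "at least eight characters"
MIN_DIGITS = 2                       # "at least two numerical digits"
REUSE_WINDOW = timedelta(days=365)   # "not used within the preceding year"
PBKDF2_ITERATIONS = 100_000

# Assumed tiny word list; a deployment would load a full dictionary and a breached-password list.
DICTIONARY = {"password", "welcome", "summer", "company", "identity", "internet"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def record_password(history: list, password: str, when: datetime) -> None:
    """Append (timestamp, salt, hash) to the history; the clear-text password is never kept."""
    salt = os.urandom(16)
    history.append((when, salt, _hash(password, salt)))


def reused_within_window(history: list, password: str, now: datetime) -> bool:
    """True if `password` matches any history entry set within REUSE_WINDOW of `now`."""
    for when, salt, digest in history:
        if now - when < REUSE_WINDOW and hmac.compare_digest(_hash(password, salt), digest):
            return True
    return False


def _letters_only(s: str) -> str:
    return re.sub(r"[^a-z]", "", s.lower())


def check_password(password: str, personal: dict, history: list, now: datetime) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable.

    `personal` carries the user's name, date of birth (YYYY-MM-DD) and national ID,
    none of which may appear in the password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")

    # Personal information: each name token, the DOB with and without separators,
    # the birth year and the national ID, compared case-insensitively.
    lowered = password.lower()
    tokens = [t.lower() for t in personal.get("name", "").split()]
    dob = personal.get("dob", "")
    if dob:
        tokens += [dob, dob.replace("-", ""), dob[:4]]
    tokens.append(personal.get("national_id", "").lower())
    if any(len(t) >= 3 and t in lowered for t in tokens):
        problems.append("contains personal information")

    # Dictionary word: stripping digits and symbols must not leave a bare word,
    # so "Password99" counts as an unmodified word (a stricter reading of the rule).
    if _letters_only(password) in DICTIONARY:
        problems.append("is a dictionary word")

    if reused_within_window(history, password, now):
        problems.append("was used within the last year")
    return problems


# Constructed user record and clock for the demonstration.
NOW = datetime(2024, 6, 1)
SAMPLE_PERSONAL = {"name": "Jane Doe", "dob": "1990-04-12", "national_id": "A1234567"}


def sample_history() -> list:
    """Two earlier passwords: one 30 days old (still blocked), one 400 days old (allowed again)."""
    history = []
    record_password(history, "Old!Pass42", NOW - timedelta(days=30))
    record_password(history, "Ancient#Pass77", NOW - timedelta(days=400))
    return history
```

Two caveats a practitioner would raise against the standard itself: current guidance (NIST SP 800-63B) favours length and screening against lists of breached passwords over composition rules such as "two digits", and it discourages forced periodic changes unless compromise is suspected, since both tend to push users toward predictable patterns. The checker above enforces the handbook as written; the constants at the top are where a revised standard would be applied.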
If a user notices a suspicious login or other unauthorized access to their account, they must report it immediately to the IISC IT desk and should also change the password at once to limit the damage; changing the password alone does not replace the report. Users must also change their passwords at least once every six months.

Review and change management: The policy shall be reviewed regularly and, where necessary, changed in accordance with the procedures for policy review and change set out in Section 1.

C. Incident Response Policy

Policy Statement: A rapid response to incidents that jeopardize the confidentiality, integrity and availability of IISC assets, networks and information systems is indispensable to safeguarding the company's business activities. Without it, systems may be compromised and the company may breach the confidentiality of clients' sensitive data protected by United States customer-confidentiality laws, seriously damaging the trust of its customers and users.

Purpose: To guide the incident management team in coordinating and responding to incidents in line with United States legislation and IISC policy.

Objectives:
i. To minimize the negative impact of an incident on IISC, its clients and third parties.
ii. To communicate promptly, where appropriate, to customers or third parties the actions they should take to mitigate the incident.
iii. To restore services to a normal, secure and stable state as quickly as possible.
iv. To give all stakeholders and interested parties clear and timely information about the incident, which reduces uncertainty.
Procedures and Guidelines: When an incident threatens the confidentiality, integrity or availability of IISC assets, networks or information systems, the response proceeds as follows:
The Incident Response Team (IRT) first assesses the incident to determine its category and severity, and decides on the next course of action, including whether this protocol must be executed.
The IRT, through designated personnel, notifies the interested parties of the incident and the likely course of action. This communication takes place in three tiers. First, the internal management team of IISC is briefed. Second, depending on the magnitude and severity of the incident, the IRT chair determines whether the government must be notified (through the information commissioner). Third, customers are informed that the incident has been detected, that the necessary authorities have been notified and that action is under way to resolve the issue as soon as possible. Customers are kept informed of the progress of the investigation and the status of the security issue in a timely manner, and the results and closure of the investigation are relayed to them to the extent the IRT chair deems necessary.

Responsibility: The Incident Response Team (IRT), led by the IRT chair, is responsible for the timely and appropriate execution of this protocol.

Review and change management: The policy shall be reviewed regularly and, where necessary, changed in accordance with the procedures for policy review and change set out in Section 1.

D. User Awareness and Training Policy

Policy Statement: The user awareness and training policy is mandatory for all IISC employees, clients and contractors.

Purpose: The security awareness and training policy sets out the steps required to give IT system managers, employees and administrators the security knowledge, and the understanding of their responsibilities, needed to protect IISC IT systems and data and IISC users.

Responsibility: The IISC technology and human resources departments shall:
Implement, maintain and progressively improve user awareness training using a variety of delivery methods: awareness seminars, e-mail communications on security awareness, and a security website that promotes good security practice, IISC policies and procedures, and employee responsibilities.
Roll out a formal evaluation and feedback platform to address the quality, delivery and difficulty of the various IT procedures.

Procedures and Guidelines: Administrators, employees and contractors using IISC services are required to:
Complete the online Security Awareness Training course at least once every 12 months.
New recruits must complete a thorough induction into IISC system usage through Security Awareness and Training within 30 days of being confirmed as IISC employees.
Sign the "Acceptable and User Acknowledgement Agreement", confirming that they are aware of recommended security practices and of their duties in protecting IISC's confidential information and security. Access to IISC technologies, assets and networks is permitted only after this agreement has been acknowledged.
Clients, both newly registered and existing, are required to:
Complete the online Security Awareness and Training course before being granted access to IISC systems, assets and networks.
Sign the "Acceptable and User Acknowledgement Agreement", confirming that they are aware of recommended security practices and of their duties in protecting IISC's confidential information and security.

Supervisors and managers shall ensure that the employees and clients under their supervision have completed and comply with the Security Awareness and Training procedure, and shall include training in the annual evaluation of those employees and clients.

Review and change management: The policy shall be reviewed regularly and, where necessary, changed in accordance with the procedures for policy review and change set out in Section 1.
