Network Security FAQ: Security Policies

Q1. What is the difference between a closed network and an open network?

Answer: A closed network is typically designed and implemented in a corporate environment. A closed network provides connectivity only to known parties and sites without connection to public networks. In contrast, an open network is designed with availability to the Internet and public networks.

Q2. Define a security policy.

Answer: A security policy is a formal statement of rules that must be obeyed by people who are given access to an organization’s technology and information assets.

Q3. Name three reasons why a company should have a security policy.

Answer: A company should have a security policy for the following reasons:

  • To create a baseline of your current security posture
  • To set the framework for security implementation
  • To define allowed and not allowed behavior
  • To help determine necessary tools and procedures
  • To communicate consensus on behavior and define roles

Q4. Name at least four key components that a good security policy should contain.

Answer: A good security policy should contain the following key components:

  • Statement of authority and scope: Identifies the sponsors of the security policy and the topics to be covered.
  • Acceptable use policy: Spells out what the company allows and does not allow regarding its information infrastructure.
  • Identification and authentication policy: Specifies what technologies and equipment are used to ensure that only authorized individuals have access to the organization’s data.
  • Internet access policy: Defines the ethical and proper use of the organization’s Internet access capabilities.
  • Campus access policy: Defines how on-campus users should use the data infrastructure.
  • Remote access policy: Describes how remote users should access the company’s data infrastructure.
  • Incident handling procedure: Specifies how the organization creates an incident response team and the procedures the team uses during and after an incident. A security policy has no use if no appropriate actions take place after an incident has happened.

Q5. Name the two philosophies that can be adopted when defining a security plan.

Answer: The first model, which is called the deny all model, is generally more secure than the allow all model. It is, however, more work-intensive to implement successfully. The allow all model is much easier to implement, but it is generally less secure than the deny all model.

Q6. Which individuals should be involved when creating a security policy?

Answer: The following individuals should be involved when creating a security policy:

  • Site security administrator
  • Information technology technical staff
  • Administrators of large user groups
  • Security incident response team
  • Representatives of the user groups affected by the policy
  • Responsible management
  • Human resources

Q7. Give the four stages of the security wheel.

Answer: The four stages of the security wheel are Secure, Monitor, Test, and Improve.

Q8. Which security solutions can be implemented to stop or prevent unauthorized access and to protect information?

Answer:

  • Authentication: The recognition and the mapping to the policy of each individual user’s identity, location, and the exact time logged on to the system.
  • Encryption: A method for ensuring the confidentiality, integrity, and authenticity of data communications across a network.
  • Firewalls: A set of related services, located at a network gateway, that protects the resources of a private network from users from other networks. Firewalls can also be standalone devices or can be configured on most routers.
  • Vulnerability patching: The identification and patching of possible security holes that could compromise a network and the information available on that network.

Q9. Explain the monitoring phase of the security wheel.

Answer: After a network is secure, it has to be monitored to ensure that it stays secure. Network vulnerability scanners can proactively identify areas of weakness, and IDSs can monitor and respond to security incidents as they occur. Using these security monitoring solutions, organizations can obtain unprecedented visibility into the network data stream and the security posture of the network.

Q10. Write a security policy (similar to the VPN policy) for password protection.

Answer:

Security Policy for Password Protection

Overview

Passwords are an important aspect of security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of XYZ’s entire corporate network.

Purpose

The purpose of this policy is to establish a standard for creating strong passwords, the protection of those passwords, and the frequency of change.

Scope

The scope of this policy includes all personnel who have or are responsible for an account on any system that belongs to XYZ.

Policy

  • All system-level passwords (for example, root, enable, and Windows admin) must be changed at least quarterly.
  • All production system-level passwords must be part of the InfoSec-administered global password management database.
  • All user-level passwords should be changed at least every six months.
  • Passwords must not be inserted into e-mail messages or other forms of unencrypted electronic communication.
  • All user-level and system-level passwords must conform to the guidelines described in the section that follows.

Guidelines

Because few systems have support for one-time tokens (that is, dynamic passwords that are used only once), everyone should be aware of how to select strong passwords.

Weak passwords have the following characteristics:

  • Contain fewer than eight characters
  • Are words you can find in a dictionary
  • Are words that are commonly used, such as:
    – Names of family, pets, friends
    – Computer terms
    – Birthdays and other personal information
    – Word or number patterns such as aaabbb, 123456, qwerty

Strong passwords have the following characteristics:

  • Contain both uppercase and lowercase characters
  • Have digits and special characters as well as letters
  • Are at least eight alphanumeric characters long
  • Are not a word in any language or dialect
  • Are not based on personal information
  • Are not written down or stored online unencrypted
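
The guidelines above can be enforced mechanically when a password is set. The following checker is an added example, not part of the original policy text; the sample wordlist, the substitution table, the violation names, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption): a deployment would load full
# dictionaries plus organisation-specific terms.
SAMPLE_WORDS = {"password", "computer", "network", "welcome", "router"}
RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz", "0123456789")
# Undo common character substitutions before the dictionary check.
LEET = str.maketrans("013457@$!", "oleastasi")


def has_pattern(pw, run_len=4):
    """Repeated characters (aaabbb) or keyboard/number runs (123456, qwerty)."""
    low = pw.lower()
    if re.search(r"(.)\1\1", low):
        return True
    for seq in RUNS:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run_len] in low for i in range(len(s) - run_len + 1)):
                return True
    return False


def check_password(pw, personal=(), words=SAMPLE_WORDS):
    """Return the list of guideline violations; an empty list means compliant."""
    low = pw.lower()
    letters = re.sub(r"[^a-z]", "", low.translate(LEET))
    problems = []
    if len(pw) < 8:
        problems.append("length")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("case")
    if not re.search(r"\d", pw):
        problems.append("digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("special")
    if has_pattern(pw):
        problems.append("pattern")
    if any(w in letters for w in words):
        problems.append("dictionary")
    if any(len(p) >= 3 and p.lower() in low for p in personal):
        problems.append("personal")
    return problems


if __name__ == "__main__":
    # Constructed test passwords, not real credentials.
    for pw in ("qwerty", "P@ssw0rd1", "aaabbb123456", "tR7#vLq9!mZ"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

Note that P@ssw0rd1 satisfies every length and character-class rule and is rejected only by the dictionary check, which is why the guidelines list both kinds of requirement.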

About the author

Scott