Network Security FAQ: Security Policies
Q1. What is the difference between a closed network and an open network?
Q2. Define a security policy.
Q3. Name three reasons why a company should have a security policy.
Answer: A company should have a security policy for the following reasons:
- To create a baseline of your current security posture
- To set the framework for security implementation
- To define allowed and not allowed behavior
- To help determine necessary tools and procedures
- To communicate consensus on behavior and define roles
Q4. Name at least four key components that a good security policy should contain.
Answer: A good security policy should contain the following key components:
- Statement of authority and scope: Identifies the sponsors of the security policy and the topics to be covered.
- Acceptable use policy: Spells out what the company allows and does not allow regarding its information infrastructure.
- Identification and authentication policy: Specifies what technologies and equipment are used to ensure that only authorized individuals have access to the organization’s data.
- Internet access policy: Defines the ethical and proper use of the organization’s Internet access capabilities.
- Campus access policy: Defines how on-campus users should use the data infrastructure.
- Remote access policy: Describes how remote users should access the company’s data infrastructure.
- Incident handling procedure: Specifies how the organization creates an incident response team and the procedures the team uses during and after an incident occurs. A security policy has no use if no appropriate actions take place after an incident has happened.
Q5. Name the two philosophies that can be adopted when defining a security plan.
Q6. Which individuals should be involved when creating a security policy?
Answer: The following individuals should be involved when creating a security policy:
- Site security administrator
- Information technology technical staff
- Administrators of large user groups
- Security incident response team
- Representatives of the user groups affected by the policy
- Responsible management
- Human resources
Q7. Give the four stages of the security wheel.
Q8. Which security solutions can be implemented to stop or prevent unauthorized access and to protect information?
Answer:
- Authentication: The recognition of each individual user’s identity, location, and the exact time logged on to the system, and the mapping of that identity to the policy.
- Encryption: A method for ensuring the confidentiality, integrity, and authenticity of data communications across a network.
- Firewalls: A set of related services, located at a network gateway, that protects the resources of a private network from users on other networks. Firewalls can also be standalone devices or can be configured on most routers.
- Vulnerability patching: The identification and patching of possible security holes that could compromise a network and the information available on that network.
Q9. Explain the monitoring phase of the security wheel.
Q10. Write a security policy (similar to the VPN policy) for password protection.
Answer:
Security Policy for Password Protection
Overview
Passwords are an important aspect of security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of XYZ’s entire corporate network.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, the protection of those passwords, and the frequency of change.
Scope
The scope of this policy includes all personnel who have or are responsible for an account on any system that belongs to XYZ.
Policy
- All system-level passwords (for example, root, enable, and Windows admin) must be changed at least quarterly.
- All production system-level passwords must be part of the InfoSec-administered global password management database.
- All user-level passwords should be changed at least every six months.
- Passwords must not be inserted into e-mail messages or other forms of unencrypted electronic communication.
- All user-level and system-level passwords must conform to the guidelines described in the section that follows.
Guidelines
Because few systems have support for one-time tokens (that is, dynamic passwords that are used only once), everyone should be aware of how to select strong passwords.
Weak passwords have the following characteristics:
- Contain fewer than eight characters
- Are words you can find in a dictionary
- Are words that are commonly used, such as:
– Names of family, pets, friends
– Computer terms
– Birthdays and other personal information
– Word or number patterns such as aaabbb, 123456, qwerty
Strong passwords have the following characteristics:
- Contain both uppercase and lowercase characters
- Have digits and special characters as well as letters
- Are at least eight alphanumeric characters long
- Are not a word in any language or dialect
- Are not based on personal information
- Are not written down or stored online unencrypted
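The weak and strong characteristics above can be enforced automatically at password-change time. The following Python checker is an added example, not part of the original FAQ; COMMON_WORDS, KEYBOARD_PATTERNS and the personal_info parameter are constructed stand-ins for a real dictionary and the user's profile data, and the pattern test generalises the listed aaabbb, 123456 and qwerty examples to any repeated-character run or six-character keyboard sequence.

```python
import re

# Constructed stand-ins for "words you can find in a dictionary" and the
# example patterns from the guidelines (aaabbb, 123456, qwerty). A real
# deployment would load a full word list and a breached-password list.
COMMON_WORDS = {"password", "welcome", "admin", "summer", "letmein"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")


def _is_pattern(pw):
    """Catch aaabbb-style runs and six-character sequences like 123456."""
    lower = pw.lower()
    if any(p in lower for p in KEYBOARD_PATTERNS):
        return True
    if re.search(r"(.)\1{2,}", lower):          # same char three or more times
        return True
    for i in range(len(lower) - 5):              # ascending/descending runs
        codes = [ord(c) for c in lower[i:i + 6]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(pw, personal_info=()):
    """Return the guideline violations for pw; an empty list means strong.
    personal_info is an optional list of strings (names, pets, birthdays)
    that the password must not contain."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("missing mixed case")
    if not any(c.isdigit() for c in pw):
        problems.append("missing digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("missing special character")
    lower = pw.lower()
    # Strip digits and symbols so "Password1!" is still recognised as a word.
    if re.sub(r"[^a-z]", "", lower) in COMMON_WORDS:
        problems.append("dictionary word")
    if _is_pattern(pw):
        problems.append("word or number pattern")
    if any(item and item.lower() in lower for item in personal_info):
        problems.append("based on personal information")
    return problems


def is_strong(pw, personal_info=()):
    return not check_password(pw, personal_info)
```

Run check_password on each candidate at enrolment and reject it whenever the returned list is non-empty, reporting the listed reasons to the user.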