2. Administrative Network Security

Full Transcript


Administrative Network Security

Regulatory Frameworks Compliance

It is often required for organizations to comply with security regulations.
Complying with regulatory frameworks is a collaborative effort between governments and private bodies to improve cybersecurity.
IT security regulatory frameworks contain a set of guidelines and best practices.

Why do Organizations Need Compliance?
- Improves Security
- Minimize Losses
- Increased Control
- Maintain Trust

Identifying Which Regulatory Framework to Comply With

An organization needs to assess which regulatory framework applies to it best.
Based on the regulatory requirements, an organization needs to establish proper policies, procedures, and security controls to organize its information security.

Various Regulatory Frameworks, Laws, and Acts

Payment Card Industry Data Security Standard (PCI–DSS)

A proprietary information security standard for organizations that handle cardholder information.
This applies to all entities involved in payment card processing, including merchants, processors, issuers, and service providers.

PCI Data Security Standard: High-Level Overview
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks

General Data Protection Regulation (GDPR)

The GDPR is a regulation in European Union law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside these areas.

The GDPR is designed to:
- Harmonize data privacy laws across Europe
- Protect and empower all European Union citizens' data privacy
- Reshape the way organizations across the region approach data privacy

Design and Develop Security Policies

A security policy defines a set of plans, processes, procedures, and standards required to establish an ideal information security status for an organization.

Need for a Security Policy
- Ensure information security standards compliance
- Limit the organization's exposure to external information threats
- Outline senior management's commitment to maintaining a secure environment
- Quickly respond to security incidents and reduce their impacts

Characteristics of a Good Security Policy
- Concise and Clear
- Consistent
- Usable
- Procedurally Tolerable
- Realistic
- Legal Compliance

Steps to Create and Implement Security Policies
- Perform risk assessment to identify risks to an organization's assets
- Learn from standard guidelines and other organizations
- Include senior management and other staff in policy development
- Set clear penalties and enforce them
- Publish the final version to everyone in an organization
- Ensure every member of your staff reads, signs, and understands the policy
- Deploy tools to enforce policies
- Train employees and educate them about the policy
- Regularly review and update

Types of Information Security Policies

Enterprise Information Security Policy (EISP)
EISP drives an organization's scope and provides direction to its security policies.
Examples: Network security policy, backup and restore policy, and policies for servers.

Issue Specific Security Policy (ISSP)
ISSP directs the audience on the usage of technology-based systems with the help of guidelines.
Examples: Remote access and wireless policies, incident response plans, password policies.

System Specific Security Policy (SSSP)
SSSP directs users while configuring or maintaining a system.
Examples: DMZ policy, encryption policy, policies for intrusion detection, and access control policy.

Internet Access Policies

User Account Policy

The user account policy defines the creation process of user accounts and includes user rights and responsibilities.

Design Considerations
- Who has the authority to approve account requests?
- Who (employees, spouses, children, or company visitors) can use the computing resources?
- Can users have multiple accounts on a single system?
- Can users share accounts?
- What are the rights and responsibilities of the user?
- When should an account be disabled and archived?

Firewall Management Policy

Firewall management policy defines access, management, and monitoring of firewalls in the organization.

Design Considerations
- Who has access to the firewall systems?
- Who can receive requests to make changes to the firewall configuration?
- Who can approve requests to change the firewall configuration?
- Who can see the firewall configuration rules and access lists?
- How often should the firewall configuration be reviewed?

Bring Your Own Devices (BYOD) Policy

A BYOD policy provides a set of guidelines to maximize business benefits.
The policy minimizes risks while using an employee's personal device on an organization's network.

Design Considerations
- What personal devices are allowed for use under BYOD?
- Which resources can be accessed through BYOD devices?
- What features need to be disabled in BYOD devices?
- What are the data storage considerations for BYOD devices?
- What security measures are required for data and BYOD devices?

Other Policies
- An acceptable use policy defines the proper use of an organization's information, user accounts, and network resources.
- The remote access policy defines who can have remote access, access mediums, and remote access security controls.
- Information protection policy defines guidelines for processing, storing, and transmitting sensitive information.
- Network connection policy defines the standards for connecting computers, servers, or other devices to the network.
- An email security policy defines the proper usage of corporate email.
- Password policy provides guidelines for using strong passwords for an organization's resources.

Conduct Security Awareness Training

An organization needs to provide formal security awareness training for its employees when they join and periodically thereafter, so that they:
- Know how to defend themselves and the organization against threats
- Follow security policies and procedures for working with IT
- Know whom to contact if they discover a security threat

Different methods to train employees
- Classroom style training
- Online training
- Round table discussions
- Security awareness website
- Making short films

Staff Hiring and Leaving Process
- Consider and implement personnel security measures, starting from the selection and hiring of staff or contractors to relieving them of their duties.
- Provide orientation about their roles and responsibilities, and security policies.
- Insert clauses in the contract to enforce personnel security for contractors and audit their compliance.
- Remove access rights and collect all company assets from employees and contractors when they leave the organization.
- Hire employees after a thorough identity verification and background check.

Employee Monitoring
- The organization should conduct indiscriminate monitoring of employees' activities to detect any act related to a policy violation.
- Use employee monitoring tools such as Spytech SpyAgent to monitor employee behavior.

Thank You!
