2. Administrative Network Security_aa444591632f8167fa63fe5ba7433c06.pdf

Full Transcript

Administrative Network Security
 Regulatory Frameworks Compliance
It is often required for organizations to comply with security regulations.

Complying with regulatory frameworks is a collaborative effort between
governments and private bodies to improve cybersecurity

IT security regulatory frameworks contain a set of guidelines and best practices.

Why do Organizations Need Compliance?
Improves Security
Minimize Losses
Increased Control
Maintain Trust
 Identifying Which Regulatory Framework to
Comply?
An organization needs to assess which regulatory framework applies to it best.
Based on the regulatory requirements, an organization needs to establish proper
policies, procedures, and security controls to organize its information security.
 Various Regulatory Frameworks, Laws, and Acts
Payment Card Industry Data Security Standard (PCI–DSS)
A proprietary information security standard for organizations that handle cardholder
information.
This applies to all entities involved in payment card processing, including merchants,
processors, issuers, and service providers.
PCI Data Security Standard: High-Level Overview
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
 General Data Protection Regulation (GDPR)
The GDPR is a regulation in European Union law on data protection and privacy
for all individuals within the European Union and the European Economic Area;

It also addresses the export of personal data outside these areas.

The GDPR is designed to:
Harmonize data privacy laws across Europe
Protect and empower all European Union citizen’s data privacy
Reshape the way organizations across the region approach data privacy.
 Design and Develop Security Policies
A security policy defines a set of plans, processes, procedures, and standards
required to establish an ideal information security status for an organization.
Need for a Security Policy
Ensure information security standards compliance
Limit the organization’s exposure to external information threats
Outline senior management’s commitment to maintaining a secure environment
Quickly respond to security incidents and reduce their impacts
Characteristics of a Good Security Policy
Concise and Clear Consistent
Usable Procedurally Tolerable
Realistic Legal Compliance
 Steps to Create and Implement Security Policies
Perform risk assessment to identify risks to an organization’s assets
Learn from standard guidelines and other organizations
Include senior management and other staff in policy development
Set clear penalties and enforce them
Publish the final version to everyone in an organization
Ensure every member of your staff reads, signs, and understands the policy
Deploy tools to enforce policies
Train employees and educate them about the policy
Regularly review and update
 Types of Information Security Policies
Enterprise Information Security Policy (EISP)
EISP drives an organization’s scope and provides direction to its security policies
Examples: Network security policy, backup and restore policy, and policies for servers.
Issue Specific Security Policy (ISSP)
ISSP directs the audience on the usage of technology-based systems with the help of
guidelines
Examples: Remote access and wireless policies, incident response plans, password policies.
System Specific Security Policy (SSSP)
SSSP directs users while configuring or maintaining a system
Examples: DMZ policy, Encryption policy, Policies for Intrusion detection and access control
policy
Internet Access Policies
 User Account Policy
The user account policy defines the creation process of user accounts and includes
user rights and responsibilities.

Design Considerations
Who has the authority to approve account requests?
Who (employees, spouses, children, or company visitors) can use the computing resources?
Can users have multiple accounts on a single system?
Can users share accounts?
What are the rights and responsibilities of the user?
When should an account be disabled and archived?
 Firewall Management Policy
Firewall management policy defines access, management, and monitoring of
firewalls in the organization

Design Considerations
Who has access to the firewall systems?
Who can receive requests to make changes to the firewall configuration?
Who can approve requests to change the firewall configuration?
Who can see the firewall configuration rules and access lists?
How often should the firewall configuration be reviewed?
 Bring Your Own Devices (BYOD) Policy
A BYOD policy provides a set of guidelines to maximize business benefits.
Policy minimizes risks while using an employee’s personal device on an
organization’s network.
Design Considerations:
What personal devices are allowed for use under BYOD?
Which resources can be accessed through BYOD devices?
What features need to be disabled in BYOD devices?
What are the data storage considerations for BYOD devices?
What security measures are required for data and BYOD devices?
 Other Policies
An acceptable use policy defines properly using an organization’s information,
user accounts, and network resources.
The remote access policy defines who can have remote access, access mediums,
and remote access security controls.
Information protection policy defines guidelines for processing, storing, and
transmitting sensitive information.
Network connection policy defines the standards for connecting computers,
servers, or other devices to the network.
An email security policy defines the proper usage of corporate email.
Password policy provides guidelines for using strong passwords for an
organization’s resources.
 Conduct security awareness training
An organization needs to provide formal security awareness training for its
employees when they join and periodically thereafter.
Know how to defend themselves and the organization against threats
Follow security policies and procedures for working with IT
Know whom to contact if they discover a security threat
Different methods to train employees
Classroom style training
Online training
Round table discussions
Security awareness website
Making short films
 Staff Hiring and Leaving Process
Consider and implement personnel security measures, starting from the selection
and hiring of staff or contractors to relieve them of their duties.
Provide orientation about their roles and responsibilities, and security policies.
Insert clauses in the contract to enforce personnel security for contractors and
audit their compliance.
Remove access rights and collect all company assets from employees and
contractors when they leave the organization.
Hire employees after a thorough identity verification and background check.
 Employee Monitoring
The organization should conduct indiscriminate monitoring of employees'
activities to detect any act related to the policy violation
Use employee monitoring tools such as Spytech SpyAgent to monitor employee
behavior.
Thank You!