Chapter 5 - 03 - Learn to Design and Develop Security Policies - 04_ocred.pdf
Certified Cybersecurity Technician
Network Security Controls — Administrative Controls
Exam 212-82

User Account Policy

The user account policy defines the creation process of user accounts and includes user rights and responsibilities.

Design Considerations
- Who has the authority to approve account requests?
- Who (employees, spouses, children, or company visitors) is permitted to use the computing resources?
- Can users have multiple accounts on a single system?
- Can users share accounts?
- What are the rights and responsibilities of the user?
- When should an account be disabled and archived?

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The user account policy defines the creation process of user accounts and includes user rights and responsibilities. It is a document specifying the requirements for requesting and maintaining an account on an organization's network. It describes the processes for creation, deletion, and operation of user accounts by defining the types of accounts created on a specific network. The user account policy defines the process of account authorization, user responsibilities, and Internet services for both internal and external users. It also defines how usernames and passwords are created, the encryption standards that apply, the types of verification used when a user forgets a password, and the devices that may be used to access or link to the account.

Example Wording: "Employees shall only request/receive accounts on systems they have a true business need to access. Employees may only have one official account per system and the account ID and login name must follow the established standards. Employees must read and sign the AUP prior to requesting an account."

Security professionals also have responsibilities when implementing a user account policy. These include:

1. Types of Accounts: As per the organization's policy, administrators create two types of accounts on the network: administrator and standard. Administrator accounts are for network administrators only. Standard accounts are for employees irrespective of the department in which they work.

2. Account Permissions: Administrators set the level of permissions for every employee in the organization. A team leader may not have administrator privileges, but the team leader's permissions will differ from those of the members reporting to them. Administrators should assign permissions according to the employee's designation. Permissions can also be set for a group; all human resource group members have a standard set of permissions, for example.

3. Account Auto-Lock: An administrator sets a length of time after which an account automatically locks. This feature is present on mobile phones as well and prevents others from accessing the device without the login code.

A user account policy should also specify the account's important characteristics, operations, and maintenance requirements.
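The design considerations and the three administrator responsibilities above can be turned into an audit that runs over a directory export. The following is an added example written for this page, not EC-Council material: the account inventory, the approver list, the admin-role list and the 90-day and 365-day thresholds are all constructed assumptions, and a real run would replace INVENTORY with an export from the identity provider or directory.

```python
"""Audit a user-account inventory against the user account policy:
one official account per person per system, no shared accounts,
requests approved by an authorised approver, AUP signed before
creation, administrator accounts only for administrators, idle
accounts disabled, and long-disabled accounts archived.

Added example, not course material. Policy values and inventory
are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumed policy parameters (not taken from the course text).
INACTIVITY_DAYS = 90                 # disable (auto-lock) after this many idle days
ARCHIVE_DAYS = 365                   # archive a disabled account after this long
APPROVERS = {"it.manager", "ciso"}   # who has authority to approve account requests
ADMIN_ROLES = {"network administrator"}
TODAY = date(2024, 6, 1)             # fixed "now" so the sample run is reproducible


@dataclass(frozen=True)
class Account:
    system: str
    account_id: str
    owner: str            # "shared" marks an account with no single owner
    role: str
    account_type: str     # "administrator" or "standard"
    approved_by: str
    aup_signed: bool
    last_login: date
    enabled: bool


# Constructed sample inventory (hypothetical systems and people).
INVENTORY = [
    Account("fileserver", "asmith",   "asmith", "accountant",            "standard",      "it.manager", True,  date(2024, 5, 20), True),
    Account("fileserver", "asmith2",  "asmith", "accountant",            "standard",      "it.manager", True,  date(2024, 5, 21), True),   # 2nd account, same system
    Account("fileserver", "helpdesk", "shared", "support",               "standard",      "it.manager", False, date(2024, 5, 22), True),   # shared account
    Account("core-sw",    "bjones",   "bjones", "network administrator", "administrator", "ciso",       True,  date(2024, 5, 22), True),   # compliant
    Account("core-sw",    "cdoe",     "cdoe",   "sales",                 "administrator", "cdoe",       True,  date(2024, 1, 10), True),   # self-approved, idle admin
    Account("hr-db",      "eford",    "eford",  "hr",                    "standard",      "it.manager", True,  date(2023, 3, 1),  False),  # disabled for over a year
]


def audit(accounts, today):
    """Return a sorted list of (account_id, rule) policy violations."""
    findings = []
    # Count official accounts per (owner, system) to detect duplicates.
    per_owner_system = Counter((a.owner, a.system) for a in accounts if a.owner != "shared")
    for a in accounts:
        if a.owner == "shared":
            findings.append((a.account_id, "shared-account"))
        elif per_owner_system[(a.owner, a.system)] > 1:
            findings.append((a.account_id, "multiple-accounts-on-system"))
        if a.approved_by not in APPROVERS:
            findings.append((a.account_id, "unapproved-request"))
        if not a.aup_signed:
            findings.append((a.account_id, "aup-not-signed"))
        if a.account_type == "administrator" and a.role not in ADMIN_ROLES:
            findings.append((a.account_id, "admin-account-for-non-admin"))
        idle_days = (today - a.last_login).days
        if a.enabled and idle_days > INACTIVITY_DAYS:
            findings.append((a.account_id, "inactive-should-be-disabled"))
        if not a.enabled and idle_days > ARCHIVE_DAYS:
            findings.append((a.account_id, "disabled-should-be-archived"))
    return sorted(findings)


def audit_sample():
    """Run the audit over the constructed inventory at the fixed date."""
    return audit(INVENTORY, TODAY)


if __name__ == "__main__":
    for account_id, rule in audit_sample():
        print(f"{account_id:10s} {rule}")
```

The check for duplicates keys on (owner, system), so a person with one account on each of two systems is not flagged; only a second account on the same system is. The two inactivity rules are separate on purpose: an enabled account that goes quiet is disabled first, and only a disabled account that stays quiet past the archive threshold is flagged for archiving, matching the policy question "when should an account be disabled and archived?".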
Remote Access Policy

The remote access policy defines who can have remote access, the access mediums, and the remote access security controls.

Design Considerations
- Who is allowed remote access?
- What specific methods (such as cable modem/DSL or dial-up) does the company support?
- Are dial-out modems allowed on the internal network?
- Are there any extra requirements, such as mandatory anti-virus and security software on the remote system?
- Can other family members of an employee use the company network?
- Do any restrictions exist on the data that can be accessed remotely?

The remote access policy document defines the acceptable guidelines for remote access to the network and its resources. A remote employee should follow the policy when connecting to the internal network. The remote access policy is helpful to organizations with a geographically dispersed network. Implementing the remote access policy helps minimize the potential damage that can result from unauthorized external network traffic. Remote access technologies include dial-in modems, frame relay, Integrated Services Digital Network (ISDN), Digital Subscriber Line (DSL), virtual private networks (VPN), Secure Shell (SSH), and Wi-Fi.

Points to consider in the policy:

- User Authentication: Organizations should have a strict user authentication policy for remote users. An organization has the right to deny access to users with weak passwords or credentials. The policy should also state the action taken against employees who share their remote credentials with others.
- Information Encryption: Remote users should encrypt their data while working over shared infrastructure. This maintains the confidentiality and integrity of the data. An organization must educate remote users on the encryption policy to be followed.
- Usage of Network and Network Devices: The policy should prohibit employees from reconfiguring their network devices. Employees should not perform any unauthorized activities on the organization's network and should not connect to any third-party network.
- Antivirus and Patches: The systems used by remote users should meet the organization's requirements. Users should have up-to-date antivirus software installed on their systems. They should proactively install updates for the antivirus software and patches for the OS.
- Data Access: Administrators should assign privileges to remote users according to the users' roles and responsibilities in the organization.

The security professional's responsibilities in enforcing remote access include:
1. Ensure the remote system has an approved version of antivirus, firewall, and anti-malware software;
2. Enforce an authentication method for the remote virtual private network;
3. Enforce access control on the remote system when connected through remote access; and
4. List the set of devices that can be used for remote access.
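The four enforcement responsibilities above are what a VPN gateway's admission check actually evaluates when a connection request arrives. The following is an added example written for this page, not EC-Council material: the approved-device list, the allowed authentication methods, the minimum antivirus version, the signature and patch age limits, the role-to-scope table and the three sample requests are all constructed assumptions.

```python
"""Admission check for a remote access request, implementing the
enforcement points of the remote access policy: approved security
software on the remote system, an enforced VPN authentication
method, access control by role, and an approved device list.

Added example, not course material. Policy values and the sample
requests are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy values (not taken from the course text).
APPROVED_DEVICES = {"LAPTOP-0142", "LAPTOP-0177"}      # corporate-managed endpoints only
ALLOWED_AUTH = {"certificate+otp", "password+otp"}     # VPN logon must include a second factor
MIN_AV_VERSION = (4, 10, 0)                            # approved antivirus version
MAX_SIGNATURE_AGE_DAYS = 7                             # antivirus signatures must be recent
MAX_PATCH_AGE_DAYS = 30                                # OS patches must be recent
ROLE_SCOPES = {                                        # data reachable remotely, per role
    "accountant": {"finance-share"},
    "network administrator": {"finance-share", "mgmt-vlan", "jump-host"},
    "contractor": set(),                               # no remote data access at all
}
TODAY = date(2024, 6, 1)                               # fixed "now" for a reproducible run


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    auth_method: str
    av_version: str
    av_signatures: date   # date of the installed signature set
    firewall_on: bool
    last_patched: date


def parse_version(text):
    """'4.12.1' -> (4, 12, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def evaluate(req, today):
    """Return (allowed, denial_reasons, permitted_scopes) for one request."""
    reasons = []
    if req.device_id not in APPROVED_DEVICES:
        reasons.append("device not on approved list")
    if req.auth_method not in ALLOWED_AUTH:
        reasons.append("authentication method not enforced")
    if parse_version(req.av_version) < MIN_AV_VERSION:
        reasons.append("antivirus below approved version")
    if (today - req.av_signatures).days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("antivirus signatures stale")
    if not req.firewall_on:
        reasons.append("host firewall disabled")
    if (today - req.last_patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append("OS patches overdue")
    scopes = ROLE_SCOPES.get(req.role, set())
    if not scopes:
        reasons.append("role has no remote data access")
    allowed = not reasons
    # Deny-by-default: no scopes are granted unless every check passes.
    return allowed, reasons, (set(scopes) if allowed else set())


# Constructed sample requests (hypothetical users and devices).
SAMPLES = {
    "compliant":  AccessRequest("asmith", "accountant", "LAPTOP-0142", "certificate+otp", "4.12.1", date(2024, 5, 30), True,  date(2024, 5, 15)),
    "home-pc":    AccessRequest("ghome",  "accountant", "HOME-PC",     "password",        "4.9.9",  date(2024, 5, 1),  False, date(2024, 3, 1)),
    "contractor": AccessRequest("tvend",  "contractor", "LAPTOP-0177", "password+otp",    "4.12.1", date(2024, 5, 31), True,  date(2024, 5, 20)),
}


def evaluate_samples():
    """Evaluate every sample request at the fixed date."""
    return {name: evaluate(req, TODAY) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reasons, scopes) in evaluate_samples().items():
        verdict = "ALLOW " + ",".join(sorted(scopes)) if allowed else "DENY  " + "; ".join(reasons)
        print(f"{name:10s} {verdict}")
```

Two details matter for the practitioner. Version strings are compared as integer tuples so that "4.9.9" correctly sorts below "4.10.0" (a plain string comparison would pass it). And the result is deny-by-default: every failed check is collected so the user can be told exactly what to fix, but no data scope is granted until the request is fully clean, which is what "enforce access control on the remote system" means in practice.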
Information Protection Policy

The information protection policy defines guidelines for processing, storing, and transmitting sensitive information.

Design Considerations
- What are the information sensitivity levels?
- Who can access the sensitive information?
- How is the sensitive information stored and transmitted?
- What level of sensitive information can be printed on public printers?
- What is the process for removing sensitive information from storage media (paper shredding, scrubbing HDDs, or degaussing disks)?

The information protection policy defines guidelines for processing, storing, and transmitting sensitive information. The information security policy is a document that guides employees in defending their data and physical devices against unauthorized access. The main aim of the policy is to ensure that information is not disclosed to or modified by unauthorized external parties. An organization should define its levels of sensitive information. Organizations should make it a practice to ask new employees to sign the information security policy. Lack of an information security policy can lead to vulnerabilities in the network and systems: with no policy in place, employees can knowingly or unknowingly share data with external sources.

The information security policy should be drafted based on the following points:
- Create a list of authorized users who may access sensitive information.
- Outline the process and method for saving sensitive information, including whether data is archived or encrypted.
- State the location where sensitive information is stored, and require authorized users to save the information only in this location. Saving the data in any other location can lead to data theft or exposure of the information to other parties.

Implementing information security assures that data is protected throughout the functioning of an organization.