Chapter 5 - 03 - Learn to Design and Develop Security Policies - 06_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
EG-Council
Tags
Full Transcript
Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Password Policy a Password policy provides guidelines for using strong passwords for an organization’s resources @ Common password practice @ Design Q Considerations @ @ Password reuse and history Pass...
Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Password Policy a Password policy provides guidelines for using strong passwords for an organization’s resources @ Common password practice @ Design Q Considerations @ @ Password reuse and history Password duration Password blacklists Complexity of password Password length and formation A Copyright © by il All Rights Reserved. Reproduction Is Strictly Prohibited Password Policy A password policy is a set of rules to increase system security by encouraging users to employ strong passwords to access an organization’s resources and to keep them secure. The purpose of the policy is to protect an organization’s resources by creating robust protected passwords. The policy statement should include a standard practice for creating a robust password. For example, the password should = Have a length between 8 and 14 characters; * Include both uppercase and lowercase letters, numerical digits, and special characters; = Special characters (@, %, S, &, or;); = Be case sensitive, whereas username or login ID may not be; and = Be unique when changing the old password. Thus, passwords cannot be reused. o Maximum password age: 60 days o Minimum password age: No limit regarding password history, old Some of the components of a password policy include: = Password Length and Formation This policy includes the length of the password. The password length varies according to an organization. The formation of a password includes: o One or more numerical digits; o Special characters such as @, #, and $; Module 05 Page 580 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls = Exam 212-82 o Use uppercase and lowercase letters; o Avoid using personal information; and o Use of company name in the password is prohibited. Password Blacklists The password blacklist contains a list of words that are prohibited from use as passwords because of their familiarity. These blacklists help in preventing the usage of common passwords. = Password Duration This policy suggests users change their passwords regularly—usually every 90 or 180 days. Changing a memorized password is hard for the user, but it is necessary to avoid password stealing. = Password Reuse and Password History This policy prevents users from creating passwords that were password history shows how many older passwords are blocked. = Common Password used previously. The Practices The password policy statement should include guidance or best practices on creating, storing, and managing passwords. For example, it should include guidelines such as o Do not share your computer user account details. o Do not keep a common password for all accounts. o Do not share passwords. o Never write the password anywhere, instead remember it. o Employees should not communicate their password through email, phone, or instant messages even to the administrator. o Do not leave the machine unattended. Always log off or lock the system when leaving the desk. o Keep different passwords for the OS and frequently used applications. The password policy should include a disclaimer that informs all users of the consequences of not following the guidelines stated in the password policy. The disclaimer should involve all employees, including top management. Disclaimers can include verbal or written warnings or termination. Module 05 Page 581 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Physical Security Policy ) e ceany policy defines guidelines to ensure that measures are in place Design Considerations » s the building protection deficiency reviewed regularly? ¥ Is there a process to identify outsiders such as visitors, contractors, and vendors before giving them access to. the premises? » Are there adequate lighting systems in place? » Are each of the entry points properly blocked? » Are the badges, locks, keys, and authentication controls audited regularly? » Is video surveillance footage monitored regularly? » s a proper inventory of an organization’s assets maintained regularly? Copyright © by E L All Rights Reserved. Reproduction is Strictly Prohibited Physical Security Policy Physical security policy defines guidelines to ensure that adequate physical security measures are in place. It is the security provided in terms of physical assets, which can be damaged physically. In IT organizations, where large amounts of physical assets are handled, the assets are prone to damage during installations or a transfer of assets from offshore to local locations. Care must be taken in terms of how frequently the risks are being monitored and analyzed, and the training provided to the people handling or working with the physical assets must be monitored. Designing a physical security policy helps an organization maintain certain norms, which can be followed by employees, thus reducing the probability of loss. Design Considerations = |s the building protection deficiency reviewed regularly? = |s there a process to identify outsiders such as visitors, contractors, and vendors before giving them access to the premises? = Are there adequate lighting systems in place? = Are each of the entry points properly blocked? = Are the badges, locks, keys, and authentication controls audited regularly? = |s video surveillance footage monitored regularly? = |s a proper inventory of an organization’s assets maintained regularly? Module 05 Page 582 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Information System Security Policy O Information system security policy defines guidelines to safeguard an organization’s information systems from malicious use Design Considerations 23 B\~ \7 NA4 o v’v' Are the information systems protected with anti-malware? v' Is the anti-malware updated regularly? v'v" Is the OS updated and patched regularly? v’ Are they secured using strong password policies? v’ Are they secured with strong physical security policies? Copyright © by Reserved. Reproduction Reproductionis Strictly Prohibited L AlAll Rights Reserved. Information System Security Policy Information system security policy defines guidelines to safeguard an organization’s information systems from malicious use. The information security policy helps maintain the integrity and confidentiality of the information system. Design Considerations = Are the information systems protected with anti-malware? = |s the anti-malware updated regularly? = |sthe |s the OS updated and patched regularly? = Are they secured using strong password policies? = Are they secured with strong physical security policies? Module 05 Page 583 EG-Council Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Bring Your Exam 212-82 L3 Own ~ Device Q A BYOD policy provides a set of guidelines to maximize business benefits and minimize risks while using an employee’s personal device on an organization’s network (BYOD) Policy Design Considerations “» What personal devices are allowed for use under BYOD ? “* Which resources can be accessed through BYOD devices? ** What features need to be disabled in BYOD devices? “* What are the data storage considerations for BYOD devices? What security measures are required for data and BYOD devices? Copyright © by EC iL All Rights Reserved. Reproductionis Strictly Prohibited Bring Your Own Device (BYOD) Policy The existence of a Bring Your Own Device (BYOD) policy is important. The policy provides a set of guidelines to maximize business benefits and minimize risks while using employee personal devices on an organization’s network. Aspects of a BYOD policy: 1. Permissible Devices: The policy should state the names of the devices an employee is allowed to use. The list of devices may differ based on the designation of each employee in an organization. 2. Permissible Resources: The policy should clearly state the resources an employee can use while using his or her own device. The policy should mention the actions taken if an employee does not adhere to these policies. 3. Disabled Services: Before an employee connects their device to the corporate network, administrators should verify the services and applications running on the device. If certain services or applications are a source of vulnerabilities, administrators should disable those services immediately. 4. Data Storage: It is necessary to document the location of data storage for BYOD. Administrators should provide a separate location for data on employee devices. Storing the data in existing drives can be a threat to the data. Administrators must provide a separate drive to employees. 5. Security Measures for Data and BYOD Device: Employees should be made aware of threats and vulnerabilities that may arise when they use their devices in the corporate Module 05 Page 584 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 network. It is the responsibility of the administrator to monitor these devices along with all corporate devices. While BYOD is emerging as a new trend in organizations, it is the responsibility of the administrator to enforce the BYOD policy. A few administrator responsibilities associated with a BYOD policy are: 1. 2. 3. 4. 5. List of Devices: Administrators can prepare a list of devices and software in the BYOD policy document—for example, o Smart phones (with model number) o Laptops (with model number) o OS (with version) o Any other process specific software or app Resources to be Accessed: Depending on the designation of the employee, administrators can allow the following resources on BYOD: o Email o Contact o Calendar o Process specific documents Disable Use of the Following on BYOD devices: o Storage or transmission of illicit materials o Using another company’s proprietary information o Harassing o Engaging in other business activities Store Data on BYOD Devices with Proper Security Measures using: o The device o Organization server o Cloud To Secure Data on BYOD Devices, Follow these Steps: o Password (BYOD device also) and encryption policies o Monitor data transferred Module 05 Page 585 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.
