Posted by arlene

To have security practices that make sense, you must first define—for yourself and the users of the network resources—a security policy that spells out exactly what can and cannot be done on the network. Intruders who might penetrate the network and compromise data or programs do so in many ways. One of those is to exploit “friendly users” who are on the network. Referred to as social engineering, this is perhaps one of the most overlooked but most often used method for getting access to a network. Most employees who simply use a desktop computer for word processing and other office activities are especially prone to this kind of security breach.

A good security policy that is enforced—in some cases through means of technological enforcement— can go a long way toward keeping naive users from disclosing information to those who might do harm to your network. If you don’t think your users are vulnerable, just ask someone to call up and say they’re calling from the help desk and need to know the user’s password. You’d be surprised how many times this tactic will succeed.

At the same time, you also should establish procedures to follow for routine tasks that are performed on a periodic basis, such as backups, restores, creating user accounts, and the like. When a task is described by a procedure that must be followed, there is less of a chance that something out of the ordinary will be done that can compromise security.

Depending on your site, there are several documents you can use to make users aware of the policies in place for computer and network security. Typically, the human resources department is responsible for having new employees review documents and having them sign the documents to show that they have read and understood them. Documents you might find useful for your site include the following:

• Network connection policy
• Acceptable use statement
• Usage guidelines
• Escalation procedures

Network Connection Policy

This type of document should define the type of system that can be connected to the network. It should set forth the security requirements, such as operating-system features to be used, and a person responsible for approving the attachment of new devices to the network. When configuring a new computer, a switch, or even a router, you should have explicit guidelines as to what is permissible and what is not. For firewalls, you should have a separate network connection policy that dictates what type of network traffic is allowed through the firewall, in both directions. If allowing users to connect using a Virtual Private Network (VPN), you should also have specific documents detailing how the laptop or other computers they use are configured. Allowing someone to work from home using their own computer is about the worst decision you can make. If the computer is used for personal as well as business work, you open yourself up to all sorts of programs that can infiltrate the computer and attempt to compromise your network, whether or not you use a VPN link.

If the business unit of your company (and not the IT department) decides that certain remote work is confidential, a policy should be put in place that requires a separate computer (such as a laptop, to include mobile users) to be used. By using a company-configured laptop, and not allowing users to make use of the laptop for personal access to the Internet, and disallowing a configuration change, you can make your network more secure. Just keep in mind that if the user is entering your network with his own computer, you will probably have little say over what is downloaded. By giving the user a company computer, and preventing (through a company policy) the use of the computer for personal usage, you can further protect your network.

The use of security programs, such as virus monitoring software, should always be required in today’s Internet-centric environment. Any procedures that must be used to obtain a computer account, along with the types of rights and privileges that can be granted to an account, also should be documented here, as well as what network addresses can be used and how they are controlled. Finally, you should explicitly set forth in this document that no connections are to be made to the network without following the procedures in this document, and without notifications made to the proper persons.

It cannot be emphasized enough that you have strict guidelines on how your computers are configured and that users must obtain permission through a written request for any deviances from the established policy. If a program is not supported by your central help desk, it should not be allowed unless a business requirement makes it a necessity. When that becomes the case, you should add the program to your allowable network connection policy documents and educate the help-desk staff on its use. In no situation should you allow users to download software from the Internet and install it on their work computers, on computers that are used in a mobile environment, or on home computers that are used to connect to your corporate environment.

Possibly related posts: (automatically generated)
Basic Network Security Measures Part 1

• Proxy Agents
• Wireless Security Issues
• Privacy, Security, and Email Marketing Data
• What Are Bluetooth Profiles? part 1
• How CMDS Works
• Basic Network Security Measures Part 3
• Basic Computer Security
• Basic Network Security Measures Part 2
• E-NEWSLETTERS - DEFINING AND REFINING Part 2
• Improving Security