Question

In: Computer Science

Imagine you are the Newly hired Security Personnel responsible for creating a security and privacy plan...

Imagine you are the Newly hired Security Personnel responsible for creating a security and privacy plan for your organization. The purpose of your plan is to describe standards that help ensure the privacy and integrity of the many different facets of a network.

  • What policies will you include in your plan that protects the hardware and physical aspects of the network and;
  • Identify hardware areas that need to be secured.

Solutions

Expert Solution

Every organization has something that someone else wants. Someone might want that something for himself, or he might want the satisfaction of denying something to its rightful owner. Your assets are what need the protection of a security policy.

A security policy comprises a set of objectives for the company, rules of behavior for users and administrators, and requirements for system and management that collectively ensure the security of network and computer systems in an organization. A security policy is a “living document,” meaning that the document is never finished and is continuously updated as technology and employee requirements change.

The security policy translates, clarifies, and communicates the management position on security as defined in high-level security principles. The security policy acts as a bridge between these management objectives and specific security requirements. It informs users, staff, and managers of their obligatory requirements for protecting technology and information assets. It should specify the mechanisms that you need to meet these requirements. It also provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the security policy. Therefore, an attempt to use a set of security tools in the absence of at least an implied security policy is meaningless.

One of the most common security policy components is an acceptable use policy (AUP). This component defines what users are allowed and not allowed to do on the various components of the system, including the type of traffic that is allowed on the networks. The AUP should be as explicit as possible to avoid ambiguity or misunderstanding. For example, an AUP might list the prohibited website categories.

NOTE:

Some sites refer to an acceptable use policy as an appropriate use policy.

A properly defined security policy does the following:

  • Protects people and information
  • Sets the rules for expected behavior
  • Authorizes staff to monitor, probe, and investigate
  • Defines the consequences of violations

Most corporations should use a suite of policy documents to meet their wide and varied needs:

  • Governing policy: This policy is a high-level treatment of security concepts that are important to the company. Managers and technical custodians are the intended audience. The governing policy controls all security-related interaction among business units and supporting departments in the company. In terms of detail, the governing policy answers the “what” security policy questions.
  • End-user policies: This document covers all security topics important to end users. In terms of detail level, end-user policies answer the “what,” “who,” “when,” and “where” security policy questions at an appropriate level of detail for an end user.
  • Technical policies: Security staff members use technical policies as they carry out their security responsibilities for the system. These policies are more detailed than the governing policy and are system or issue specific (for example, access control or physical security issues). In terms of detail, technical policies answer the “what,” “who,” “when,” and “where” security policy questions. The “why” is left to the owner of the information.

Governing Policy:

The governing policy outlines the security concepts that are important to the company for managers and technical custodians:

  • It controls all security-related interactions among business units and supporting departments in the company.
  • It aligns closely with not only existing company policies, especially human resource policies, but also any other policy that mentions security-related issues, such as issues concerning email, computer use, or related IT subjects.
  • It is placed at the same level as all companywide policies.
  • It supports the technical and end-user policies.
  • It includes the following key components:
    • A statement of the issue that the policy addresses
    • A statement about your position as IT manager on the policy
    • How the policy applies in the environment
    • The roles and responsibilities of those affected by the policy
    • What level of compliance to the policy is necessary
    • Which actions, activities, and processes are allowed and which are not
    • What the consequences of noncompliance are

End-User Policies:

End-user policies are compiled into a single policy document that covers all the topics pertaining to information security that end users should know about, comply with, and implement. This policy may overlap with the technical policies and is at the same level as a technical policy. Grouping all the end-user policies together means that users have to go to only one place and read one document to learn everything that they need to do to ensure compliance with the company security policy.

Technical Policies

Security staff members use the technical policies in the conduct of their daily security responsibilities. These policies are more detailed than the governing policy and are system or issue specific (for example, router security issues or physical security issues). These policies are essentially security handbooks that describe what the security staff does, but not how the security staff performs its functions.

The following are typical policy categories for technical policies:

  • General policies:
    • Acceptable use policy (AUP): Defines the acceptable use of equipment and computing services, and the appropriate security measures that employees should take to protect the corporate resources and proprietary information.
    • Account access request policy: Formalizes the account and access request process within the organization. Users and system administrators who bypass the standard processes for account and access requests may cause legal action against the organization.
    • Acquisition assessment policy: Defines the responsibilities regarding corporate acquisitions and defines the minimum requirements that the information security group must complete for an acquisition assessment.
    • Audit policy: Used to conduct audits and risk assessments to ensure integrity of information and resources, investigate incidents, ensure conformance to security policies, or monitor user and system activity where appropriate.
    • Information sensitivity policy: Defines the requirements for classifying and securing information in a manner appropriate to its sensitivity level.
    • Password policy: Defines the standards for creating, protecting, and changing strong passwords.
    • Risk-assessment policy: Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the information infrastructure that is associated with conducting business.
    • Global web server policy: Defines the standards that are required by all web hosts.
  • Email policies:
    • Automatically forwarded email policy: Documents the policy restricting automatic email forwarding to an external destination without prior approval from the appropriate manager or director.
    • Email policy: Defines the standards to prevent tarnishing the public image of the organization.
    • Spam policy: The AUP covers spam.
  • Remote-access policies:
    • Dial-in access policy: Defines the appropriate dial-in access and its use by authorized personnel.
    • Remote-access policy: Defines the standards for connecting to the organization network from any host or network external to the organization.
    • VPN security policy: Defines the requirements for remote-access IP Security (IPsec) or Layer 2 Tunneling Protocol (L2TP) VPN connections to the organization network.
  • Application policies (for example):
    • Acceptable encryption policy: Defines the requirements for encryption algorithms that are used within the organization.
    • Application service provider (ASP) policy: Defines the minimum security criteria that an ASP must execute before the organization uses the ASP’s services on a project.
    • Database credentials coding policy: Defines the requirements for securely storing and retrieving database usernames and passwords.
    • Interprocess communications policy: Defines the security requirements that any two or more processes must meet when they communicate with each other using a network socket or operating system socket.
    • Project security policy: Defines requirements for project managers to review all projects for possible security requirements.
    • Source code protection policy: Establishes minimum information security requirements for managing product source code.
  • Network policies:
    • Extranet policy: Defines the requirement that third-party organizations that need access to the organization networks must sign a third-party connection agreement.
    • Minimum requirements for network access policy: Defines the standards and requirements for any device that requires connectivity to the internal network.
    • Network access standards: Defines the standards for secure physical port access for all wired and wireless network data ports.
    • Router and switch security policy: Defines the minimal security configuration standards for routers and switches inside a company production network or used in a production capacity.
    • Server security policy: Defines the minimal security configuration standards for servers inside a company production network or used in a production capacity.

Cybersecurity and physical security are proportionally connected to your organization’s improved financial picture over the long term. Our digital lives are getting smaller as technology simplifies our communications, but cyber attacks are also prevalent. While the Internet radically changes the way organizations operate globally, from handling sensitive data to offshore outsourcing of IT architecture, the payoffs of security are significant and can’t be overlooked.

Organizations are becoming smarter as they leverage the available resources such as physical security systems, software, and advanced IT infrastructures to protect their property, digital assets, and of course the employees. Unfortunately, vulnerabilities, threats, and risks are everywhere. However, you can mitigate them as long as you dutifully enforce proper planning and implementation of standards, policies, and procedures through a physical security policy.

Physical security and its importance

Organizations are connected internally and externally—the data stored in the hardware, software, and applications are your assets, and so are your gates, doors, and buildings that are being used throughout the daily operations. When you have an established physical security policy, you provide a sense of protection and safety in the working environment.

Physical security is defined as “the most fundamental aspect of protection. It is the use of physical controls to protect the premises, site, facility, building or other physical assets.” The process includes layers of physical protection measures to prevent unauthorized personnel from accessing your property.

Physical security systems can be any of the following:

  • Video (cameras, CCTVs, monitors, and encoders)
  • Access controls (gates, sensors, doors and locks, panels, alarms, and biometrics)
  • Communications (WAN/LAN and phone lines)
  • Padlocks and keys
  • Roofs, rooms, and other safety areas
  • Security guards

We have to: protect with passwords, conduct screening and background checks, avoid unknown email attachments, use a virus scanner and keep all software up to date, and keep sensitive data out of the cloud.
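The answer above lists a “router and switch security policy” and an “audit policy” among the technical policies but does not show how a written policy becomes something the security staff can actually check. The following is an added example, not part of the expert solution: a small “policy as code” audit that reads a device configuration and reports which baseline rules pass or fail. The seven rules, the IOS-like configuration syntax, and both sample configurations (one weak, one hardened, with a labelled placeholder in place of a real secret hash) are constructed for illustration and are not any vendor’s or organization’s actual standard.

```python
"""Audit a router/switch configuration against an assumed baseline.

Added example: the rules below are illustrative minimum-standard items of the
kind a 'router and switch security policy' would state; they are assumptions,
not a published benchmark. Config syntax is IOS-like and constructed here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: str      # regex applied to each (stripped) configuration line
    required: bool    # True: a matching line must exist; False: none may exist


# Assumed baseline (illustrative, constructed for this example).
BASELINE = (
    Rule("R1", "stored passwords are encrypted", r"^service password-encryption$", True),
    Rule("R2", "remote management accepts SSH only", r"^transport input ssh$", True),
    Rule("R3", "telnet (or 'all') is not accepted on management lines",
         r"^transport input (telnet|all)\b", False),
    Rule("R4", "events are sent to a central log host", r"^logging host \S+", True),
    Rule("R5", "plain HTTP management interface is disabled", r"^ip http server$", False),
    Rule("R6", "no read-write SNMP community is configured",
         r"^snmp-server community \S+ rw$", False),
    Rule("R7", "a login banner is configured", r"^banner (login|motd) ", True),
)


def _lines(config_text):
    """Split the config into non-empty, whitespace-stripped lines."""
    return [ln.strip() for ln in config_text.splitlines() if ln.strip()]


def audit(config_text, rules=BASELINE):
    """Return a list of (rule_id, description, passed) for every rule."""
    lines = _lines(config_text)
    results = []
    for rule in rules:
        rx = re.compile(rule.pattern, re.IGNORECASE)
        matched = any(rx.search(ln) for ln in lines)
        # A 'required' rule passes when some line matches; a prohibition
        # passes only when no line matches.
        passed = matched if rule.required else not matched
        results.append((rule.rule_id, rule.description, passed))
    return results


def failed_rules(config_text, rules=BASELINE):
    """IDs of the rules the configuration does not satisfy."""
    return [rid for rid, _, ok in audit(config_text, rules) if not ok]


def is_compliant(config_text, rules=BASELINE):
    return not failed_rules(config_text, rules)


# Constructed sample: a device that breaks every rule in the baseline.
WEAK_CONFIG = """\
hostname edge-rtr-01
enable password letmein
ip http server
snmp-server community public RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same device brought up to the baseline.
# $PLACEHOLDER_HASH$ stands in for a real secret hash.
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable secret 5 $PLACEHOLDER_HASH$
no ip http server
snmp-server community mon-ro RO
logging host 10.0.0.5
banner login ^Authorised use only^
line vty 0 4
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: compliant={is_compliant(cfg)}")
        for rid, desc, ok in audit(cfg):
            print(f"  [{'PASS' if ok else 'FAIL'}] {rid} {desc}")
```

Each rule is either a requirement (a matching line must be present) or a prohibition (no line may match), which is enough to express most items in a minimum-configuration standard; the audit output is the evidence the audit policy asks for, and the failed-rule list is what a remediation ticket would carry.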

