a network security policy group project unit 4 (1) july 2015
TRANSCRIPT
Running Head: NETWORK SECURITY POLICY 1
Network Security Policy
Group Project Unit 4
AIU Online
Jeffery Brown
Patricia Rodericks
Anthony Wigglesworth
Ralvin Wilson
April Withers
NETWORK SECURITY POLICY 2
Abstract
Every line in life has some rule or regulation to keep the peace. The companies have rules and
permissions to access its information. Networks need this same type of permission in any
business or even personal area to keep it secure. Security is a big priority today with the
outsourcing of information so readily available. Securing the network takes skill, diligence,
perseverance and confidences to keep up with each new attack. Society is under constant change
and new ways to attack a network is just one of the many things that are happening. Can security
network administrator keep the network secure? Is it even possible to have a secure network?
Security is in everyone’s hand all must be aware and awake to every possible threat.
NETWORK SECURITY POLICY 3
Introduction
A network security policy is a policy to uphold regulations and procedure in an
organization so that the basic of any threat can be handled quickly and thoroughly. Policies
handle use of, access of, permissions, regulations, procedures, prevention, and security of all of
these policies. These include Social Engineering Safeguards, Files and Folders, Network
Firewall Protection, External Drives, Training Plans and End User Behavior.
Social Engineering Safeguards and Security Hardware
In this Introduction to the Social Engineering Safeguards and Security Hardware, these
are very important to a completed Information Security Network Implementation Design a
Policy. The Social Engineering Safeguards are here to keep the Users and Clients/Employees the
advantages to have access to all the Data through a Secured Network. As for the Security
Hardware this is the place where the Network Equipment needs to be properly Maintenance and
Upgraded as needed. When you notice that the Data is being access by Non-Authorized
Users/Clients on all the Platforms Levels.
These are the Parts I will be Focusing on within this Section;
Social Engineering Safeguard
Security Hardware
SOCIAL ENGINEERING SAFEGUARDS
The Importance of Having Social Engineering Safeguards.
A Brief overview of the importance of Social Engineering Safeguards, within an
Information Technology Security Network, when dealing with different Policies and Process that
goes into each Daily IT Routine. Making sure that the User Community on the Internet Networks
NETWORK SECURITY POLICY 4
on the Outside in Public Locations that can gain access is getting the needed Data from all
Platforms within that Information Security Network System. This why Social Engineering
Safeguards are a major Player in the Information Security Networks; they keep their Users Data
Information secured from all unsecured Accesses from gaining their Users Personal Information.
There are some Techniques that Hackers are using to manipulate the Organization and Business
Users, to gain entry into the Information Security Networks. These are countless issues dealing
with Unsuspected Employees in giving information to Un-Authorize Individuals outside the
Organization and Business Security Networks. In order to keep all Employees and
Clients/Subscribers from giving Personal Data to Un-Authorize Users, it is best to screen all the
Users Social behavior while on the Information Security Network System on all Platform Levels.
Make sure to suspend the User/Employees and not to leave out the Clients or Visitors from some
features on the Security Networks. This makes the Information Security Network a more secure
enough that just the areas of the Networks are available for the needed purposes toward the
Users/Visitors. We need to look closely at these Hackers that use some Social Engineering
Attacks to gain the Organization and Business information of their Employees/Users. Mostly
importantly making sure we put into place a Secure E-Mail Verification in tracking all Foot
printing that Hackers uses for incoming and outgoing E-Mail Message on a Daily Basis.
Another Social Engineering Attacks that being use are when the Hackers are revealing
themselves as imposters as the Organization and Business IT Department Engineers and
Information Technology Security Officers. However, making every Contact with any Employees,
Users, and Clients giving them a since of not being suspicious to who are they Communicating
with. To put into place a Secured System to re-route all the Contacts to a Security Information
Center where each IT Screening Center will be able catch these types of false unidentified Users.
NETWORK SECURITY POLICY 5
One last Social Engineering attacks when hackers Represents Himself or Herself as Delivery
Person, IT Service Technician, or just have a reason legally and Legitimate for being on the
Organization and Business Grounds. Lastly for this Secured area to have a 21st Century Chip on
the Employees and Clients Authorize Building and Grounds to be Scan at the New Improved
Security Entrance System at the Main Entrance the Organizations and Businesses.
SECURITY HARDWARE
Keeping the Security Hardware Up to Date.
Within this Overview of the Security Hardware, it is very most important to keep your
Security Network Equipment up to Date. In this 21st Century you can see how easy it is to access
Information Security Networks at all Levels. A few that come to mind are The U.S.
Governmental Departments/Offices, Retails Stores, Financial Institutions, Medical Facilities, and
Etc. There are some Industries where the Information Security Networks are being Hack by other
Governmental and Non-Governmental Individuals. Improvising on all Platforms Levels
throughout the whole Corporation and Organizations, keeping the Information Security
Networks up to date, is very important to have in place and the Budget to cover the cost. Making
sure that there isn’t any Security Hardware; not operating at Full Potential on every Level within
the Platforms. In which that all Data being Process at a Speed that each Authorized
Employee/Clients/Users can get their information at a Greater Speed at a Lesser Time; from the
Information Security Network System.
Files and Folders
It is important to have a policy for the files because they contain or possibly
contain information of confidentiality. Folders contain the files for everyone in the company or
organization there should be a folder for each employee as well as the administration of the
NETWORK SECURITY POLICY 6
company or organization. Files and Folders will be access by the user who’s folder or file it
belongs to. Users who need access to other than their own will have a read only permission and
need to receive approval from the administrator and or the manager of the department all folders
are assets to the company. Access of files is on company time only, will be coded as users name
and the department users are in. All users will need to have a security clearance for access to
files or folders that contain information that is confidential to the company assets or personal.
Secure admin files by locking down IP addresses that access it. Remember to use strong
passwords, changing them on a regular basis. The most important is to be diligent in the security
of the networks and whom and when file or folders are access and the reason they are accessed.
(Wlosinski, 2015) An attitude of knowing what is out there as far as threats; types of hacks, types
of viruses will help to ensure that the files, folders and the network are secure. All user of the
network involving files or folders need to be up to date on all security measures within the
organization or company. The executives and administrators should also be aware of all security
measures with the files and folders. When everyone is secure in the knowledge of the steps
needed the company or organization has a better chance of being safe.
Network Firewall Protection
A vital piece of network security policy is protecting your network from attacks from an
outside party, safeguarding data within your network, safeguarding information, and maintaining
a fully functional network. Having a network firewall is an essential piece to any network
because provides security by keeping threats from penetrating the network.
The purpose of a firewall is to protect the network from an unauthorized intrusion. The
firewall acts like a filter allowing only authorized traffic or information pass through and
NETWORK SECURITY POLICY 7
blocking everything else. The type of traffic or information allowed is configured in the firewall
policy; anything that is not identified in the policy is not allowed to go through.
Firewalls typically fall into two categories hardware and software. A hardware firewall is
piece of equipment that is dedicated to be a protective shield between your network and those
outside your network. They can be quite expensive and difficult to configure. Software firewalls
are commonly used by individuals or those with small networks. Most networks incorporate both
types; hardware products such as routers may have firewall protection pre-installed. Regardless
of which type the user should be knowledgeable in network security to ensure has been properly
configured.
There are several types of firewalls, Packet filters, Stateful inspection, and Proxy. A
Packet filter firewall allows or disallows traffic to pass through by examining the source and
destination addresses, ports, or protocols of each unit of data (packet). Stateful inspection or
dynamic packet filtering monitors the state of each active connection and determines which
packet to allow or disallow. It offers better security than packet filtering because it more
thoroughly examines each packet. Proxy firewalls combine Stateful inspection with the ability to
perform deep application analysis. It acts as a middle man of sorts by establishing a proxy
connection to the server. This is the most recent type of firewall.
As the technology has advanced firewalls can now perform functions that were
characteristically handled by hardware equipment. They now have the capability to filter traffic
based on the IP address, TCP, UDP, port numbers, etc. They can discriminate what type of access
is to be granted based on the user. However, firewalls do have limitations. For instance they
cannot protect against viruses especially programs or files. They cannot ensure data integrity nor
its’ confidentiality.
NETWORK SECURITY POLICY 8
The firewall should be seen as the first line of defense for a network. Much like the walls
protecting an ancient city, it is not meant to be the only form of defense. It should be combined
with other defensive tactics that cover its’ vulnerabilities. If done effectively the results will help
bolster a successful network security policy.
What Should Not Be Included In The security Policy
Virtual Private Network Policy, Users Password Policy, Company Audit Policy,
Acceptable Encryption Policy, Server Security Policy, Information Sensitivity Policy, Anti-Virus
Guidelines, Wireless Communication Policy, Risk Assessment Policy, EMS Network and
Computer Acceptable Use Policy, Analog Line Policy, Remote Access Policy, Automatically
Forwarded Email Policy, Acceptable Use Policy.
Company security polices Problem and solution
A reviewed was completed and the protection applied to the information assets, and the
security controls suggested above is proportion to the value and sensitivity of the information;
we have balance these attributes against (1) Cost of the Controls. (2) Reviewed the impact of the
controls over the effectiveness of data to day operations. (3) Analyzed Risk of disclosure,
damage and modification of the intellectual property contained within.
The security policy for this organization will cover all entities that interact with the
organization including employees, vendors, and contractors. Each party involved will be
provided the security policy and will be required to comply with company policies henceforth, a
signed agreements acknowledging understanding of personal responsibility which will be kept
on file. These security policies will adhere to all Laws, regulations, industry standards and
contractual commitments, associated with intellectual property information commitments.
NETWORK SECURITY POLICY 9
External Hardware - Connecting Devices to the Network
Security rules that apply to non-compliant devices connecting to the company’s network
should be provided to employees, and vendors alike.
Only company authorized devices may be connected to the network. Users should not
connect non company devices to the network this includes Local or remote users. Approved
devices include workstations owned by company and that complies with the company security
configuration guidelines in addition to management and monitoring network infrastructure
equipment used on the network. Unauthorized devices includes unauthorized storage devices,
e.g. thumb drives and writable CD’s, including personal Hubs, routers etc. Any device that
would alter the topology characteristics of the Network is considered and unauthorized device.
Purpose
The importance of end user behavior and responsibility to the security of the network will
be discussed and the importance of it will be shown. This section will also describe in detail the
training requirements for the company to follow for each employee at the beginning of their
employment and follow up training to keep the employees updated on the new possible security
attacks that are discovered.
End User Behavior
As IT professionals we know the dangers of network security breaches, however an end
user never thinks about such things and may be careless when accessing the network. This is
why it is important to educate them about the different security attacks and the tactics
cybercriminals will use. It is important to make sure the users have the information and
understand exactly what can happen if they do not follow the different safety precautions set up
NETWORK SECURITY POLICY 10
within this policy. The first thing that needs to be done is to educate end users on what
cybercrimes and malware are. Getting them to understand malware in terms of spyware, key
loggers, worms and helping them to understand how they relate to criminal activity is very
important and can make the security team’s job easier. Most end users do not understand that
even the tiniest bit of information can be used by these criminals to steal information or cause
harm to a company network or that anyone can become a victim or be used to obtain the
information the criminals want. (Balci, 2015)
The end user needs to be shown how clicking to open an email from someone they do not
know can actually give access to a hacker or other type of cyber-criminal. Explain to the end
user how some programs are rogue and what is meant by this is that they appear to be exactly
what they say they are but in all actuality they are hiding worms, or Trojans to obtain access into
the user’s computer so the individual that created it can steal information or even take over
control of the computer. The next topic that needs to be explained to the end-user is the tactic of
phishing. Criminals use phishing to obtain information that individuals do not really understand
are important or even if the individual understand the importance of the information they still
manage to give it up because the criminal utilizes trust to obtain from them. In order to avoid
attacks such as these the best way for end users to avoid them is to not open emails from
unknown senders, not to download applications other than the ones approved and supplied by
supervisors and security team members, and not to visit social network sites on company
computers. (Balci, 2015)
Training
The training of end users is very important as they will be the first to spot something that
may be an attack on the network. The end-user will come into contact with the attacks long
NETWORK SECURITY POLICY 11
before the security team will as they are the ones working on the computers within the company
daily. There needs to be several stages to the training of the employees and users of the network.
The first session of training should take place at the hiring of the employee. Depending on the
security risks involved within the position inside the company a contract can be signed between
the employee and the company stating the regulations and rules the employee will be required to
follow and maintain. Once the contract is signed the next step would be to give classes and
tutorials to the employees explaining what types of threats are out there and how to identify those
risks on a daily basis. (Blackmore, 2015)
The proper way to report them to the network security team members for each
department will also need to be discussed. The company then needs to schedule meetings with
the different department employees every six months or more frequently depending on the rate of
change in the company’s products, to go over any new attacks that may have come to light so the
users will know what to look for. It would be helpful for the company to utilize training videos
or even to schedule off campus training sessions for the employees to attend that will last three
or four days to give them time to learn and soak in the information about possible security risks
and how to effectively prevent them from occurring. (Blackmore, 2015)
Conclusion
You are probably asking why it is so important for the employees and end users to
understand all of the information within this policy. The best way to explain that to you is to ask
you one simple question. Would you willingly give your house keys to a total stranger to take
care of for a week while you are on vacation? Probably not because you would be afraid they
would rob you blind. This is why you will want to make sure all your employees understand and
know to follow this policy so that they can help you to keep the important and valuable
NETWORK SECURITY POLICY 12
information being held within your network safe from possible hackers or attacks. Like guard
dogs or a security alarm on your house your employees can actually help to deter possible thefts
or attacks if educated properly in ways to keep the network safe.
NETWORK SECURITY POLICY 13
References
Antivirus Software and Internet Security for Your PC or Mac | McAfee. (n.d.). Retrieved
from http://home.mcafee.com/advicecenter/?id=ad_ost_hvsf&ctst=1
Balci, T. (2015, April 24). Simple, Effective Security Tips for End Users. In Web Hosting
Geeks. Retrieved July 1, 2015, from Webhostinggeeks.com website:
https://webhostinggeeks.com/blog/simple-effective-security-tips-for-end-users/
Blackmore, C. (2015, July 3). Customer Success Training Best Practices: End-User Training
[Web log post]. Retrieved from http://www.bluenose.com/blog/customer-success-
training-best-practices/
Brown, J. F. (2015, June 30). Keeping the Security Hardware Up to Date. Midway, Florida,
United States of America: AIU Online Virtual Campus Student.
Fire Wall - Network Firewalls. (n.d.).retrieved from:
http://compnetworking.about.com/od/firewalls/g/bldef_firewall.htm
Firewalls. (n.d.). Retrieved from https://technet.microsoft.com/en-us/library/cc700820.aspx
How do proxy servers and proxy firewalls differ? (n.d.). Retrieved from
http://searchsecurity.techtarget.com/answer/How-do-proxy-servers-and-proxy-
firewalls-differPaquet, C. (2013, February 5). Implementing Cisco IOS Network Security Foundation Learning
Guide (2nd Edition). Retrieved July 1, 2015, from
www.ciscopress.com/articles/article.asp?p=1998559
https://technet.microsoft.com/en-us/library/cc787794(d=printer,v=ws.10).aspx
NETWORK SECURITY POLICY 14
Permissions for files and folders (Jan. 21, 2005) retrieved from: Brown, J. F. (2015, June
30). The Importance of Having Social Engineering Safeguards. Midway, Florida, United
States of America: AIU Online Virtual Campus Student.
Small Business Firewall Software vs. Hardware Firewalls - Cisco Systems. (n.d.). Retrieved
from http://www.cisco.com/cisco/web/solutions/small_business/resource_center/
articles/secure_my_business/small_business_firewall_software/index.html
Wlosinski, Larry G. (June 2, 2015) How to Secure WordPress in 10 Steps, NextGov, retrieved
from: http://www.nextgov.com/technology-news/tech-insider/2015/06/how-secure-
wordpress-10-steps/114226/