ghostpc
Posts: 85 | Member importance: 0 | Join date: 18/11/2008
Subject: Security Policies, Sunday, November 30, 2008, 1:57 pm
Security Policies

This page provides a list of computer security policies that may help organizations define their enterprise security controls. Once set, security policies must be communicated, enforced, and audited to be effective. Security policies may include:
1. Password policy - Defines the minimum and maximum length of passwords, password complexity, and how often they must be changed.
2. Network login policy - May be defined by the password policy. Defines how many bad login attempts within what specific period of time will cause an account to be locked. This may be included in the password policy.
3. Remote access policy - Specifies how remote users can connect to the main organizational network and the requirements for each of their systems before they are allowed to connect. This will specify the anti-virus program remote users must use, how often it must be updated, what personal firewalls they are required to run, and other protection against spyware or other malware. Also defines how users can connect remotely, such as by dial-up or VPN. It will specify how the dial-up will work, such as whether the system will call the remote user back, and the authentication method. If using a VPN, the VPN protocols used will be defined. Methods to deal with attacks should be considered in the design of the VPN system.
4. Internet connection policy - Specifies how users are allowed to connect to the internet and provides for IT department approval of all connections to the internet or other private networks. Requires that all connections, such as connections by modem or wireless media, to a private network or the internet be approved by the IT department, and states what is typically required for approval, such as the operation of a firewall to protect the connection. Also defines how the network will be protected to prevent users from going to malicious web sites. Defines whether user activity on the network will be logged and to what extent. Specifies what system will be used to prevent unauthorized viewing of sites and what system will log internet usage activity. Defines whether a proxy server will be used for user internet access.
5. Approved application policy - Defines applications which are approved to operate on computer systems inside or connected to the organizational network.
6. Asset control policy : Defines how assets such as computers are tracked. This policy will allow the locations and users of all assets to be tracked. This policy will define a property move procedure. This policy will define what must be done when a piece of property is moved from one building to another or one location to another. It will define who signs off on the movement of the property. This will allow the database to be updated so the location of all computer equipment is known. This policy will help network administrators protect the network since they will know what user and computer is at what station in the case of a worm infecting the network. This policy must also cover the fact that data on the computer being moved between secure facilities may be sensitive and must be encrypted during the move.
7. Equipment and media disposal policy - May be incorporated into the asset control policy. Ensures that electronic equipment or media to be disposed of does not contain any kind of harmful data that may be accessible by third parties.
8. Media use and re-use policy - May be incorporated into the asset control policy. Defines the types of data that may be stored on removable media and whether that media may be removed from a physically secure facility, and under what conditions it would be permitted.
9. Mobile computer policy * - Defines the network security requirements for all mobile computers which will be used on the network, who is allowed to own them, what firewall they must run, what programs may be run on them, how the system will be protected against malware, how often the system must be updated, and more. Also defines what data may be stored on them and whether the data must be encrypted in case of theft.
10. Computer training policy - This policy defines the minimum training for users on the network to make them aware of basic computer threats, to protect both themselves and the network. This policy especially applies to employees with access to sensitive or regulated data.
11. IT Resource acceptable use policy - Defines how users may use IT computer resources. Available at:
http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf http://www.sans.org/resources/policies/Acceptable_Use_Policy.doc
12. Wireless Use Policy * - Defines whether wireless will be used on the network, what protocols can be used, and how it will be kept secure from unauthorized access including allowing only specific computers to connect.
13. Information security policy - Available at:
http://www.sans.org/resources/policies/Information_Sensitivity_Policy.pdf http://www.sans.org/resources/policies/Information_Sensitivity_Policy.doc http://www.sans.org/resources/policies/
14. Anti-virus and malware policy * (data protection plan) - Defines the anti-virus policy on every computer, including how often a virus scan is done and how often updates are done. Defines what programs will be used to detect, prevent, and remove malware programs. It may define what types of file attachments are blocked at the mail server and what anti-virus program will be run on the mail server. It may specify whether an anti-spam firewall will be used to provide additional protection to the mail server. It may also specify how files can enter the trusted network and how these files will be checked for hostile or unwanted content. For example, it may specify that files sent to the enterprise from outside the trusted network be scanned for viruses by a specific program.
15. System update policy * - How often systems and applications are checked for security updates and whose responsibility it is to do them. How the updates for client computers and servers will be done. Will an update service be used?
16. User privilege policy * - Defines what privileges various users are allowed to have, specifically defining what groups of users have privileges to install computer programs on their or other systems. Defines the users who have access to and control of sensitive or regulated data. Also may define internet access to specific sites for some users or other ways they may or may not use their computer systems.
17. Application implementation policy - Defines how major computer-to-computer applications will be implemented on the network to protect both the data used in the application and the rest of the computer network. Defines who will be involved, and who will sign off on the project plan.
18. System lockdown policy (baseline host/device security) - Defines what kind of lockdown process will be used on what types of systems.
May include:
1. Services not to be installed or run due to excessive vulnerability, such as Windows Messenger or Windows File and Print Sharing.
2. Recommendation to limit the number of services run on a server.
3. Recommendation to operate host intrusion detection on all servers or specific high risk or high impact servers.
4. Policy to make it difficult for an attacker to access password files on any system.
19. Server monitoring policy - Provides for monitoring servers for file space and performance issues to prevent system failure or loss of service.
20. IT equipment purchase and failure prevention policy - Defines technologies to be used in specific areas of functionality to reduce the chance of any serious disruption of service.
21. Incident response plan * - Defines the response to a security incident such as a virus, network intrusion, abuse of a computer system or other situations.
22. Intrusion detection policy - Defines what devices will be used on the network to detect any suspicious activity or intrusion. Defines what should be logged and the details of the logs.
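Items 1 and 2 of the list above (password policy and network login lockout) are the two entries that reduce to numeric rules: length bounds, a count of character classes, a maximum password age, and "N failed logins within T seconds locks the account". The following is an added example, not part of the original post, showing how those two rules can be evaluated in Python against constructed data. The specific thresholds (12 to 64 characters, 3 of 4 character classes, 90-day age, 5 failures within 300 seconds), the `PasswordPolicy`/`LockoutPolicy` names and the one-line-per-event log format are all assumptions chosen for illustration, not values the post states.

```python
"""Added example: enforcing a password policy and a login-lockout rule.
The thresholds, class names and the AUTH_LOG format are illustrative assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import re

# The four character classes counted toward "complexity".
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


@dataclass
class PasswordPolicy:
    """Item 1: length bounds, complexity (character classes) and maximum age."""
    min_length: int = 12
    max_length: int = 64
    required_classes: int = 3
    max_age_days: int = 90

    def check(self, password: str, age_days: int = 0) -> list[str]:
        """Return the list of violations; an empty list means the password complies."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
        if classes < self.required_classes:
            problems.append(f"uses {classes} of the {self.required_classes} required character classes")
        if age_days > self.max_age_days:
            problems.append(f"older than {self.max_age_days} days")
        return problems


@dataclass
class LockoutPolicy:
    """Item 2: lock an account after `threshold` failures within `window_seconds`."""
    threshold: int = 5
    window_seconds: int = 300
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked: set = field(default_factory=set)

    def record(self, user: str, ts: int, success: bool) -> str:
        """Apply one login event; returns 'ok', 'fail' or 'locked'."""
        if user in self.locked:
            return "locked"            # stays locked until an administrator resets it
        recent = self.failures[user]
        if success:
            recent.clear()             # a good login resets the failure counter
            return "ok"
        recent.append(ts)
        while recent and ts - recent[0] > self.window_seconds:
            recent.popleft()           # drop failures that fell out of the window
        if len(recent) >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "fail"


# Constructed auth log (not real data): "<unix_ts> <user> <OK|FAIL>" per line.
AUTH_LOG = """\
1000 alice FAIL
1030 alice FAIL
1060 alice OK
1100 bob FAIL
1150 bob FAIL
1200 bob FAIL
1250 bob FAIL
1280 bob FAIL
1300 bob OK
2000 carol FAIL
2400 carol FAIL
2800 carol FAIL
3200 carol FAIL
3600 carol FAIL
"""


def replay(log_text: str, policy: LockoutPolicy) -> dict[str, list[str]]:
    """Feed each log line to the lockout policy; returns per-user outcome sequences."""
    outcomes: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, result = line.split()
        outcomes[user].append(policy.record(user, int(ts), result == "OK"))
    return dict(outcomes)


if __name__ == "__main__":
    pw = PasswordPolicy()
    print("hunter2:", pw.check("hunter2"))
    print("Correct-Horse-Battery-42:", pw.check("Correct-Horse-Battery-42"))
    for user, seq in replay(AUTH_LOG, LockoutPolicy()).items():
        print(f"{user}: {' '.join(seq)}")
```

In the constructed log, `bob` trips the lock on his fifth failure inside the window and his later correct password is refused, while `carol` fails just as often but spaced 400 seconds apart, so each attempt falls outside the 300-second window and she is never locked. That is the caveat a practitioner should take from item 2: a fixed threshold-within-window rule stops fast guessing but not low-and-slow guessing, so the lockout parameters need to be paired with logging and monitoring of failures over longer periods (items 21 and 22 in the list).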
A.Tamimi (Admin)
Posts: 1593 | Member importance: 16 | Join date: 13/11/2008 | Age: 39 | Location: Jordan
Subject: Re: Security Policies, Friday, December 05, 2008, 2:51 pm
M.ALS3OD
Posts: 854 | Member importance: 0 | Join date: 13/09/2009 | Age: 30 | Location: AMMAN
Subject: Re: Security Policies, Saturday, September 19, 2009, 7:22 pm

Thanks, well done.