8.5.5(2)

Internet Security Controls

To establish effective Internet security controls, an organization must DEVELOP CONTROLS WITHIN AN INFORMATION SYSTEM SECURITY FRAMEWORK.

The framework entails defining, through CORPORATE POLICIES AND PROCEDURES, the rules the organization will follow to control Internet usage.

From an evaluation of these issues, an organization will be able to develop GUIDELINES specific to its situation for defining the level of security controls related to the confidentiality, integrity and availability of information resources (i.e., business applications) on the Internet.

RULES define, e.g.: #

what information resources should be available for outside users,

trusted and untrusted networks within and outside the organization

classification of the sensitivity or criticality of corporate information resources.

what information will be AVAILABLE FOR USE on the Internet and the level of security to be used for corporate resources of a sensitive or critical nature on the Internet

OS SECURITY HARDENING GUIDELINES can be developed that define how the OS should be configured

detail which INTERNET SERVICES should be blocked from use or exploitation by EXTERNAL UNTRUSTED USERS

define how the system will be protected by FIREWALLS.

Supporting processes over these controls should be defined, including: #


Risk assessments performed periodically over the development and redesign of Internet-based web applications

Security awareness and training for employees, tailored to their levels of responsibility

Firewall standards and security to develop and implement firewall architectures

Intrusion detection standards and security to develop and implement IDS architectures

Remote access for coordinating and centrally controlling dial-up access on the Internet via corporate resources

Incident handling and response for detection, response, containment and recovery

Configuration management for controlling the security baseline when changes do occur

Encryption techniques applied to protect information assets passing over the Internet

A common desktop environment to control, in an automated fashion, what is displayed on a user's desktop

Monitoring of Internet activities for unauthorized usage, and notification of end users about security incidents via computer emergency response team (CERT) bulletins or alerts

Firewall Security Systems

Because of the Internet's openness, every corporate network connected to it is vulnerable to attack.

Hackers on the Internet could theoretically break into the corporate network and do harm.

There are also sensitive or critical systems that need to be protected from untrusted users inside the corporate network (internal hackers).

Firewalls are defined as devices installed at the point where network connections enter a site; they apply rules to control the type of networking traffic flowing in and out.

Firewall General Features

Firewalls separate networks from each other and screen the traffic between them.

Thus, along with other types of security, they control the most vulnerable point between a corporate network and the Internet, and they can be as simple or complex as the corporate information security policy demands.

• Block access to particular sites on the Internet: PARENTAL CONTROL

• Limit traffic on an organization’s public services segment to relevant addresses and ports

• Prevent certain users from accessing certain servers or services: COMPETITOR'S SITE

• Monitor communications and record communications

• Encrypt packets that are sent between different physical locations within an organization by creating a VPN over the Internet (i.e., IPSec, VPN tunnels) #

between an internal and an external network

between an internal network and the outside world

to investigate network penetrations or detect internal subversion

Firewalls can also provide protection against viruses and against attacks that try to exploit known OS vulnerabilities.
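As an added illustration (not from the review manual), a small first-match rule set in Python that models the firewall features listed above: blocking a particular external site, limiting the public services segment to the relevant addresses and ports, a default deny for everything else, and a recorded decision for monitoring. All addresses and rule names are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port; None matches any port
    note: str                   # why the rule exists (logged with each decision)

# Constructed sample address plan (documentation ranges, not real sites).
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # trusted corporate network
PUBLIC_SEGMENT = ipaddress.ip_network("192.0.2.0/24")  # public services segment
BLOCKED_SITE = ipaddress.ip_network("203.0.113.0/24")  # a site users must not reach

# Rules are evaluated top to bottom and the first match wins, so the specific
# deny must sit above the broad "internal may go anywhere" allow. Traffic that
# matches no rule falls through to the default deny at the end of evaluate().
RULES = [
    Rule("deny", INTERNAL, BLOCKED_SITE, None, "block access to a particular site"),
    Rule("allow", ANY, PUBLIC_SEGMENT, 443, "public web service, HTTPS only"),
    Rule("allow", ANY, PUBLIC_SEGMENT, 80, "public web service, HTTP only"),
    Rule("allow", INTERNAL, ANY, None, "internal users may initiate outbound"),
]

def evaluate(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) for one connection attempt."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action, rule.note
    return "deny", "default deny: no rule permits this traffic"

def audit_line(src: str, dst: str, dport: int) -> str:
    """Record the decision so the monitoring function has evidence to review."""
    action, note = evaluate(src, dst, dport)
    return f"{action.upper()} {src} -> {dst}:{dport} ({note})"

if __name__ == "__main__":
    for flow in [("198.51.100.7", "192.0.2.10", 443),  # Internet -> public web: allow
                 ("198.51.100.7", "192.0.2.10", 22),   # Internet -> public SSH: deny
                 ("198.51.100.7", "10.1.2.3", 445),    # Internet -> internal: deny
                 ("10.1.2.3", "203.0.113.5", 443),     # internal -> blocked site: deny
                 ("10.1.2.3", "198.51.100.7", 443)]:   # internal -> Internet: allow
        print(audit_line(*flow))
```

Reordering the first deny below the last allow silently reopens the blocked site, which is why firewall standards and configuration management over the rule baseline appear in the supporting processes above.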

Cm, Ra, CERT, T,I,F,E,R,I