8.5.5(2)
Internet Security Controls
To establish effective Internet security controls, an organization must DEVELOP CONTROLS WITHIN AN INFORMATION SYSTEM SECURITY FRAMEWORK. The framework entails defining, through CORPORATE POLICIES AND PROCEDURES, the rules the organization will follow to control Internet usage.
These RULES define, for example:
• what information resources should be available to outside users
• trusted and untrusted networks, within and outside the organization
• the classification of the sensitivity or criticality of corporate information resources
• what information will be AVAILABLE FOR USE on the Internet, and the level of security to be used for corporate resources of a sensitive or critical nature on the Internet
From an evaluation of these issues, an organization will be able to develop GUIDELINES specific to its situation for defining the level of security controls related to the confidentiality, integrity and availability of information resources (i.e., business applications) on the Internet. For example:
• OS SECURITY HARDENING GUIDELINES can be developed that define how the OS should be configured
• guidelines that detail which INTERNET SERVICES should be blocked from use or exploitation by EXTERNAL UNTRUSTED USERS
• guidelines that define how the system will be protected by FIREWALLS
Supporting processes over these controls should be defined, including:
• Risk assessments performed periodically over the development and redesign of Internet-based web applications
• Security awareness and training for employees, tailored to their levels of responsibility
• Firewall standards and security to develop and implement firewall architectures
• Intrusion detection standards and security to develop and implement IDS architectures
• Remote access for coordinating and centrally controlling dial-up access to the Internet via corporate resources
• Incident handling and response for detection, response, containment and recovery
• Configuration management for controlling the security baseline when changes do occur
• Encryption techniques applied to protect information assets passing over the Internet
• A common desktop environment to control, in an automated fashion, what is displayed on a user's desktop
• Monitoring Internet activities for unauthorized usage, and notification to end users of security incidents via computer emergency response team (CERT) bulletins or alerts
Firewall Security Systems
Because of the Internet's openness, every corporate network connected to it is vulnerable to attack: hackers on the Internet could theoretically break into the corporate network and do harm. Sensitive or critical systems also need to be protected from untrusted users inside the corporate network (internal hackers).
Firewalls are defined as a device installed at the point where network connections enter a site; they apply rules to control the type of networking traffic flowing in and out. They separate networks from each other and screen the traffic between them. Thus, along with other types of security, they control the most vulnerable point between a corporate network and the Internet, and they can be as simple or complex as the corporate information security policy demands.
Firewall General Features
• Block access to particular sites on the Internet (e.g., PARENTAL CONTROL)
• Limit traffic on an organization's public services segment to relevant addresses and ports
• Prevent certain users from accessing certain servers or services (e.g., a COMPETITOR'S SITE)
• Monitor and record communications between an internal and an external network, or between an internal network and the outside world, to investigate network penetrations or detect internal subversion
• Encrypt packets that are sent between different physical locations within an organization by creating a VPN over the Internet (i.e., IPSec, VPN tunnels)
Firewalls can also provide protection against viruses and attacks directed at exploiting known OS vulnerabilities.
Mnemonic: Cm, Ra, CERT, T, I, F, E, R, I
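To make the firewall features above concrete, the following is an added example (not part of the original notes or of any product) of how a packet filter applies an ordered rule set: it restricts the public services segment to relevant ports, blocks a listed set of sites for internal users, records denied or noteworthy connections for later investigation, and falls back to default-deny. The networks use RFC 5737 documentation ranges, and the rule set, packets and rule names are all constructed for illustration.

```python
"""Added example: a minimal ordered-rule packet filter with default-deny and logging.
All addresses, ports and rule names are hypothetical sample data, not from the page."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    src: str = "0.0.0.0/0"                    # CIDR the source must fall in
    dst: str = "0.0.0.0/0"                    # CIDR the destination must fall in
    dports: Optional[FrozenSet[int]] = None   # None means any destination port
    log: bool = False                         # record matches for investigation

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dports is None or pkt.dport in self.dports


class Firewall:
    """Evaluates rules top to bottom; the first match wins, otherwise deny and log."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[str] = []

    def filter(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append(f"{rule.action} {pkt.src}->{pkt.dst}:{pkt.dport} ({rule.name})")
                return rule.action
        # Nothing matched: default-deny, always recorded so the gap is visible to monitoring.
        self.log.append(f"deny {pkt.src}->{pkt.dst}:{pkt.dport} (default-deny)")
        return "deny"


# Constructed network layout (RFC 5737 documentation ranges, private range for internal users).
INTERNAL = "10.0.0.0/8"            # internal user segment
PUBLIC_SERVICES = "203.0.113.0/24"  # public services (DMZ) segment
BLOCKED_SITES = "198.51.100.0/24"   # external sites users must not reach

# Rule order matters: the site block precedes the general outbound-web allow.
POLICY = [
    Rule("blocked-sites", "deny", src=INTERNAL, dst=BLOCKED_SITES, log=True),
    Rule("public-services", "allow", dst=PUBLIC_SERVICES, dports=frozenset({80, 443})),
    Rule("outbound-web", "allow", src=INTERNAL, dports=frozenset({80, 443})),
]

# Constructed sample traffic to run through the policy.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", "203.0.113.5", 443),  # external client to public web server
    Packet("192.0.2.10", "203.0.113.5", 22),   # external client to SSH on the DMZ host
    Packet("10.1.2.3", "198.51.100.7", 443),   # internal user to a blocked site
    Packet("10.1.2.3", "192.0.2.50", 443),     # internal user browsing an allowed site
    Packet("192.0.2.10", "10.1.2.3", 445),     # external host reaching into the internal segment
]


def run_policy(packets: List[Packet] = SAMPLE_TRAFFIC) -> Tuple[List[Tuple[Packet, str]], List[str]]:
    """Apply POLICY to each packet; return (packet, decision) pairs and the firewall log."""
    fw = Firewall(POLICY)
    decisions = [(pkt, fw.filter(pkt)) for pkt in packets]
    return decisions, fw.log


if __name__ == "__main__":
    decisions, log = run_policy()
    for pkt, decision in decisions:
        print(f"{decision:5} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    print("--- log ---")
    print("\n".join(log))
```

Only the public services segment accepts inbound connections, and only on the ports the policy names; everything else, including an inbound connection toward the internal segment, hits default-deny and is logged, which is the monitoring feature the notes describe. Swapping the first two rules would let "outbound-web" shadow "blocked-sites", so rule order is itself a configuration item worth reviewing under change control.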