CHAPTER 2:
SECURITY POLICIES AND PROCEDURES
2.1.1 Security Policy
A security policy is a written document that states how an organization plans to protect the company’s information technology assets.
A security policy is a collection of rules, guidelines, and checklists.
A security policy includes the following elements:
◦ An acceptable computer usage statement for the organization.
◦ The people permitted to use the computer equipment.
◦ Devices that are permitted to be installed on a network, as well as the conditions of the installation.
◦ Requirements necessary for data to remain confidential on a network.
◦ Process for employees to acquire access to equipment and data.
2.1.2 Security Policy Requirements
When developing a security policy for the first time, one useful approach is to focus on the why, who, where, and what during the policy development process.
The scope of the policy and the consequences of noncompliance must be clearly described.
Security policies should be reviewed regularly and updated as necessary.
The policy should protect highly sensitive data from public access.
Public information can be seen by anyone and has no security requirements.
Top secret information needs the most security, because the data exposure can be extremely detrimental to a government, a company, or an individual.
Key areas to address:
Process for handling network security incidents.
Process to audit existing network security.
General security framework for implementing network security.
Behaviors that are allowed.
Behaviors that are prohibited.
What to log and how to store the logs: Event Viewer, system log files, or security log files.
Network access to resources through account permissions.
Authentication technologies to access data: usernames, passwords, biometrics, and smart cards.
Provide detailed information about the following issues in case of an emergency:
Steps to take after a breach in security.
Who to contact in an emergency.
Information to share with customers, vendors, and the media.
Secondary locations to use in an evacuation.
Steps to take after an emergency is over, including the priority of services to be restored.
2.1.3 Usernames and Passwords
A username and password are two pieces of information that a user needs to log on to a computer.
It is important to change the default username for accounts.
Some home-networking equipment has a default username that cannot be changed.
The system administrator usually defines a naming convention for usernames when creating network logins.
A common example of a username is the first letter of the person’s first name and then the entire last name.
Passwords help prevent theft of data and malicious acts.
Passwords also help to ensure that logging of events is correct.
Network logins provide a means of logging activity on the network and either preventing or allowing access to resources.
2.1.4 Password Requirements
When assigning passwords, the level of password control should match the level of protection required.
Passwords should be required to have a minimum length.
Screensaver-required password
It is important to make sure that computers are secure when users are away from the computer.
A security policy should contain a rule requiring a computer to lock when the screensaver starts. For example, after a short time away from the computer, the screen saver will start.
Guidelines to creating strong passwords:
Length - Use at least eight characters.
Complexity - Include letters, numbers, symbols, and punctuation.
Variation - Change passwords often.
Variety - Use a different password for each site or computer that you use.
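The four guidelines above can be enforced at the point where a password is set. The following is an added example, not code from the original notes: a small policy checker that applies the chapter's length and complexity rules and, as an assumption standing in for the "Variation" and "Variety" rules, rejects a password that appears in a caller-supplied list of previously used passwords. The minimum length is the chapter's value of eight; the password history list is constructed for the example.

```python
import string

# Minimum length taken from the chapter's guideline ("at least eight characters").
MIN_LENGTH = 8


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isalpha():
            classes.add("letter")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
        elif ch.isspace():
            classes.add("space")
        else:
            classes.add("other")
    return classes


def check_password(password: str, previous=None) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    `previous` is an optional list of earlier passwords for the same account
    (an assumption used here to model the 'change often' and 'do not reuse'
    guidelines; a real system would compare against stored hashes, not plaintext).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    for required in ("letter", "digit", "symbol"):
        if required not in classes:
            problems.append(f"missing a {required}")
    if previous and password in previous:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    history = ["Summer2020!", "Winter2021!"]
    for candidate in ["password", "Ab1!", "Summer2020!", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, history) or "OK")
```

The checker returns every violation rather than stopping at the first, so the user (or the provisioning script) sees the whole reason a password was rejected.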
2.1.5 File and Folder Permission
Permission levels are configured to limit individual or group user access to specific data.
FAT32 and NTFS allow folder sharing and folder-level permissions for users with network access.
The additional security of file level permissions is provided only with NTFS.
All file systems keep track of resources, but only file systems with journals.
The FAT32 file system lacks journaling and encryption capabilities. As a result, situations that require good security are usually deployed using NTFS.
Converting a volume from FAT32 to NTFS is not reversible.
It is important to clearly define your goals before making the transition.
Four file sharing options in Windows 7
Homegroup (Read): The folder is shared only with members of the Homegroup. Homegroup members can only read the contents of the folder.
Specific People: The folder is shared only with the specific people you select.
Nobody: The folder is not shared.
Homegroup (Read/Write): The folder is shared only with members of the Homegroup. Homegroup members can read the contents of the folder and create files and folders in it.
Principle of Least Privilege
Users should be limited to only the resources they need in a computer system or on a network.
They should not be able to access all files on a server.
Limiting access to resources also prevents malicious programs from accessing those resources if the user’s computer becomes infected.
Restricting User Permissions
File and network share permissions can be granted to individuals or through membership within a group.
If an individual or a group is denied permissions to a network share, this denial overrides any other permissions given. For example, if you deny someone permission to a network share, the user cannot access that share.
When the permissions of a folder are changed, you are given the option to apply the same permissions to all sub-folders.
Permission Propagation
Permission propagation is an easy way to apply permissions to many files and folders quickly.
After parent folder permissions have been set, folders and files that are created inside the parent folder inherit the permissions of the parent folder.
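The three rules in the last two sections (permissions granted to users or groups, a deny overriding any allow, and children inheriting the parent folder's permissions) can be shown working together. The following is an added example, not code from the original notes and not the NTFS implementation: a constructed model of a shared folder tree with access control entries, plus a resolver that walks from a folder up to the share root collecting inherited entries, then applies "deny wins". The folder names, users and groups are made up for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Ace:
    """One access control entry: who it applies to, which rights, allow or deny."""
    principal: str        # a user name or a group name
    rights: Set[str]      # for example {"read", "write"}
    allow: bool = True    # False makes this a deny entry


@dataclass
class Folder:
    name: str
    aces: List[Ace] = field(default_factory=list)
    inherit_from_parent: bool = True          # False blocks propagation from above
    children: Dict[str, "Folder"] = field(default_factory=dict)


def add_child(parent: Folder, name: str, aces=None, inherit=True) -> Folder:
    """Create a sub-folder; with inherit=True it receives the parent's entries."""
    child = Folder(name, list(aces or []), inherit)
    parent.children[name] = child
    return child


def effective_aces(root: Folder, path: str) -> List[Ace]:
    """Collect the entries that apply at `path`: its own plus inherited ones."""
    chain = [root]
    for part in path.strip("/").split("/"):
        if part:
            chain.append(chain[-1].children[part])
    applicable = []
    # Walk from the target folder upward; stop once a folder blocks inheritance.
    for folder in reversed(chain):
        applicable.extend(folder.aces)
        if not folder.inherit_from_parent:
            break
    return applicable


def effective_rights(root: Folder, path: str, user: str, groups: Set[str]) -> Set[str]:
    """Rights for a user = union of matching allows minus any matching denies."""
    principals = {user} | groups
    allowed, denied = set(), set()
    for ace in effective_aces(root, path):
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied          # a deny overrides every allow


def build_example() -> Folder:
    """Constructed share: Staff may read/write, with two exceptions below it."""
    share = Folder("Projects", [Ace("Staff", {"read", "write"})])
    # Finance inherits Staff read/write but denies alice write access.
    add_child(share, "Finance", [Ace("alice", {"write"}, allow=False)])
    # Reports has no entries of its own, so it gets exactly the parent's rights.
    add_child(share, "Reports")
    # Archive blocks inheritance and grants only Managers read access.
    add_child(share, "Archive", [Ace("Managers", {"read"})], inherit=False)
    return share


if __name__ == "__main__":
    root = build_example()
    for path in ["/", "/Finance", "/Reports", "/Archive"]:
        print(path, "alice:", sorted(effective_rights(root, path, "alice", {"Staff"})))
```

The resolver implements the rule as the notes state it (any deny wins). One practitioner caveat when applying this to real NTFS permissions: Windows evaluates explicit entries on an object before inherited ones, so an explicit Allow set directly on a folder takes precedence over a Deny inherited from its parent; the unconditional "deny wins" holds only among entries at the same level. Least privilege is visible in the `Archive` branch, where breaking inheritance means a Staff member gets nothing unless an entry grants it.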
JOYCELYN ANG QIU YI (05DDT20F1029)