The document discusses security policies and procedures, including defining security policies, establishing requirements for policies such as addressing network security incidents and allowed/prohibited behaviors, setting username/password guidelines with multiple levels of protection, applying file/folder permissions according to the principle of least privilege, and regularly reviewing and updating policies.
The document discusses security policies and procedures, including defining security policies, establishing requirements for policies such as addressing network security incidents and allowed/prohibited behaviors, setting username/password guidelines with multiple levels of protection, applying file/folder permissions according to the principle of least privilege, and regularly reviewing and updating policies.
The document discusses security policies and procedures, including defining security policies, establishing requirements for policies such as addressing network security incidents and allowed/prohibited behaviors, setting username/password guidelines with multiple levels of protection, applying file/folder permissions according to the principle of least privilege, and regularly reviewing and updating policies.
LEARNING OUTCOMES At the end of this topic, student should be able to: 2.1.1 Explain Security Policy 2.1.2 Identify Security Policy Requirement 2.1.3 Apply usernames and password 2.1.4 Discover password requirements 2.1.5 Apply file and folder permission 2.1.1 Security Policy A security policy is a written document that states how an organization plans to protect the company’s information technology assets. Mark Ciampa - CompTIA Security Guide to Network Security Fundamentals.
The policy outlines the protections that should be enacted
to ensure that the organization’s assets face minimal risks. A security policy, along with the accompanying procedures, standards, and guidelines, is key to implementing information security in an organization. Having a written security policy empowers an organization to take appropriate action to safeguard its data. 2.1.2 Security Policy Requirements When developing a security policy for the first time, one useful approach is to focus on the why, who, where, and what during the policy development process. An organization should strive to achieve the best and most affordable security protection against data loss or damage to software and equipment. 2.1.2 Security Policy Requirements cont.. When creating a security policy, ask the following questions to determine the security factors: 2.1.2 Security Policy Requirements cont.. When creating a security policy, these are some key areas to address: 1. Process for handling network security incidents 2. Process to audit existing network security 3. General security framework for implementing network security 4. Behaviors that are allowed 5. Behaviors that are prohibited 6. What to log and how to store the logs: Event Viewer, system log files, or security log files 7. Network access to resources through account permissions 8. Authentication technologies to access data: usernames, passwords, biometrics, and smart cards 2.1.2 Security Policy Requirements cont.. The security policy should also provide detailed information about the following issues in case of an emergency: 1. Steps to take after a breach in security 2. Who to contact in an emergency 3. Information to share with customers, vendors, and the media 4. Secondary locations to use in an evacuation 5. Steps to take after an emergency is over, including the priority of services to be restored 2.1.2 Security Policy Requirements cont.. Security policies should be reviewed regularly and updated as necessary. Keep a revision history to track all policy changes. Security is the responsibility of every person within the company. All employees, including non-computer users, must be trained to understand the security policy and notified of any security policy updates. 2.1.2 Security Policy Requirements cont.. You should also define employee access to data in a security policy. The policy should protect highly sensitive data from public access, while ensuring that employees can still perform their job tasks. Data can be classified from public to top secret, with several different levels between them. Public information can be seen by anyone and has no security requirements. Top secret information needs the most security, because the data exposure can be extremely detrimental to a government, a company, or an individual. 2.1.3 Usernames and Passwords A username and password are two pieces of information that a user needs to log on to a computer. When an attacker knows one of these entries, the attacker needs only to crack or discover the other entry to gain access to the computer system. It is important to change the default username for accounts such as administrator or guest, because these default usernames are widely known. 2.1.3 Usernames and Passwords Some home-networking equipment has a default username that cannot be changed. Whenever possible, change the default usernames of all users on computers and network equipment. 2.1.3 Usernames and Passwords cont.. Password guidelines are an important component of a security policy. Any user that must log on to a computer or connect to a network resource should be required to have a password. Passwords help prevent theft of data. 2.1.3 Usernames and Passwords cont.. Using secure, encrypted login information for computers with network access should be a minimum requirement in any organization. Malicious software could monitor the network and record plaintext passwords. If passwords are encrypted, attackers must decode the encryption to learn the passwords. Attackers can gain access to unprotected computer data. Password protection can prevent unauthorized access to content. All computers should be password protected. 2.1.3 Usernames and Passwords cont.. Three levels of password protection are recommended: BIOS - Prevents the operating system from booting and the BIOS settings from being changed without the appropriate password.
Login - Prevents unauthorized access to the
local computer.
Network - Prevents access to network
resources by unauthorized personnel. 2.1.4 Password Requirements Passwords should be required to have a minimum length and include uppercase and lowercase letters combined with numbers and symbols. This is known as a strong password. It is common for a security policy to require users to change their passwords on a regular basis and monitor the number of password attempts before an account is temporarily locked out. 2.1.4 Password Requirements These are some guidelines to creating strong passwords: 1. Length - Use at least eight characters. 2. Complexity - Include letters, numbers, symbols, and punctuation. Use a variety of keys on the keyboard, not just common letters and characters. 3. Variation - Change passwords often. Set a reminder to change the passwords you have for email, banking, and credit card websites on the average of every three to four months. 4. Variety - Use a different password for each site or computer that you use. 2.1.4 Password Requirements To create, remove, or modify a password in Windows 7 or Windows Vista, use the following path. Start > Control Panel > User Accounts 2.1.4 Password Requirements Screensaver required password It is important to make sure that computers are secure when users are away from the computer. A security policy should contain a rule about requiring a computer to lock when the screensaver starts. This will ensure that after a short time away from the computer, the screen saver will start and then the computer cannot be used until the user logs in. 2.1.4 Password Requirements Screensaver required password To set the screen saver lock in Windows 7 and Windows Vista, use the following path: Start > Control Panel > Personalization > Screen Saver. Choose a screen saver and a wait time, and then select the On resume, display logon screen option 2.1.5 File and Folder Permissions Permission levels are configured to limit individual or group user access to specific data. Both FAT32 and NTFS allow folder sharing and folder- level permissions for users with network access. 2.1.5 File and Folder Permissions The additional security of file-level permissions is provided only with NTFS. 2.1.5 File and Folder Permissions All file systems keep track of resources, but only file systems with journals, which are special areas where file changes are recorded before changes are made, can log access by user, date, and time. The FAT32 file system lacks journaling and encryption capabilities. As a result, situations that require good security are usually deployed using NTFS. If increased security is needed, it is possible to run certain utilities, such as CONVERT, to upgrade a FAT32 file system to NTFS. 2.1.5 File and Folder Permissions
FAT32 and NTFS comparison
2.1.5 File and Folder Permissions Principle of Least Privilege Users should be limited to only the resources they need in a computer system or on a network. They should not be able to access all files on a server, for example, if they need to access only a single folder. It may be easier to provide users access to the entire drive, but it is more secure to limit access to only the folder that is needed to perform their job. This is known as the principle of least privilege. Limiting access to resources also prevents malicious programs from accessing those resources if the user’s computer becomes infected. 2.1.5 File and Folder Permissions Restricting User Permissions File and network share permissions can be granted to individuals or through membership within a group. If an individual or a group is denied permissions to a network share, this denial overrides any other permissions given. For example, if you deny someone permission to a network share, the user cannot access that share, even if the user is the administrator or part of the administrator group. The local security policy must outline which resources and the type of access allowed for each user and group. 2.1.5 File and Folder Permissions Restricting User Permissions When the permissions of a folder are changed, you are given the option to apply the same permissions to all sub- folders. This is known as permission propagation. Permission propagation is an easy way to apply permissions to many files and folders quickly. After parent folder permissions have been set, folders and files that are created inside the parent folder inherit the permissions of the parent folder.