CHAPTER 2:

SECURITY POLICIES AND PROCEDURES

2.1 Describe Security Policies

LEARNING OUTCOMES
 At the end of this topic, student should be able to:
 2.1.1 Explain Security Policy
 2.1.2 Identify Security Policy Requirement
 2.1.3 Apply usernames and password
 2.1.4 Discover password requirements
 2.1.5 Apply file and folder permission
2.1.1 Security Policy
 A security policy is a written document that states how an
organization plans to protect the company’s information
technology assets. Mark Ciampa - CompTIA Security Guide to Network Security Fundamentals.

 The policy outlines the protections that should be enacted

to ensure that the organization’s assets face minimal risks.
 A security policy, along with the accompanying
procedures, standards, and guidelines, is key to
implementing information security in an organization.
 Having a written security policy empowers an
organization to take appropriate action to safeguard its
data.
2.1.2 Security Policy Requirements
 When developing a security policy for the first time, one
useful approach is to focus on the why, who, where, and
what during the policy development process.
 An organization should strive to achieve the best and most
affordable security protection against data loss or damage
to software and equipment.
2.1.2 Security Policy Requirements cont..
 When creating a security policy, ask the following
questions to determine the security factors:
2.1.2 Security Policy Requirements cont..
 When creating a security policy, these are some key areas
to address:
1. Process for handling network security incidents
2. Process to audit existing network security
3. General security framework for implementing network security
4. Behaviors that are allowed
5. Behaviors that are prohibited
6. What to log and how to store the logs: Event Viewer, system
log files, or security log files
7. Network access to resources through account permissions
8. Authentication technologies to access data: usernames,
passwords, biometrics, and smart cards
2.1.2 Security Policy Requirements cont..
 The security policy should also provide detailed
information about the following issues in case of an
emergency:
1. Steps to take after a breach in security
2. Who to contact in an emergency
3. Information to share with customers, vendors, and the media
4. Secondary locations to use in an evacuation
5. Steps to take after an emergency is over, including the priority
of services to be restored
2.1.2 Security Policy Requirements cont..
 Security policies should be reviewed regularly and
updated as necessary.
 Keep a revision history to track all policy changes.
Security is the responsibility of every person within the
company.
 All employees, including non-computer users, must be
trained to understand the security policy and notified of
any security policy updates.
2.1.2 Security Policy Requirements cont..
 You should also define employee access to data in a security
policy.
 The policy should protect highly sensitive data from public
access, while ensuring that employees can still perform their
job tasks.
 Data can be classified from public to top secret, with several
different levels between them.
 Public information can be seen by anyone and has no security
requirements.
 Top secret information needs the most security, because the
data exposure can be extremely detrimental to a government,
a company, or an individual.
2.1.3 Usernames and Passwords
 A username and password are two pieces of information
that a user needs to log on to a computer.
 When an attacker knows one of these entries, the attacker
needs only to crack or discover the other entry to gain
access to the computer system.
 It is important to change the default username for accounts
such as administrator or guest, because these default usernames
are widely known.
2.1.3 Usernames and Passwords
 Some home-networking equipment has a default
username that cannot be changed.
 Whenever possible, change the default usernames of
all users on computers and network equipment.
2.1.3 Usernames and Passwords cont..
 Password guidelines are an important component of a
security policy.
 Any user that must log on to a computer or connect to a
network resource should be required to have a password.
Passwords help prevent theft of data.
2.1.3 Usernames and Passwords cont..
 Using secure, encrypted login information for computers
with network access should be a minimum requirement in
any organization.
 Malicious software could monitor the network and record
plaintext passwords. If passwords are encrypted, attackers
must decode the encryption to learn the passwords.
 Attackers can gain access to unprotected computer data.
 Password protection can prevent unauthorized access to
content. All computers should be password protected.
2.1.3 Usernames and Passwords cont..
 Three levels of password protection are
recommended:
 BIOS - Prevents the operating system from
booting and the BIOS settings from being
changed without the appropriate password.

 Login - Prevents unauthorized access to the

local computer.

 Network - Prevents access to network

resources by unauthorized personnel.
2.1.4 Password Requirements
 Passwords should be required to have a minimum length
and include uppercase and lowercase letters combined
with numbers and symbols.
 This is known as a strong password. It is common for a
security policy to require users to change their passwords
on a regular basis and monitor the number of password
attempts before an account is temporarily locked out.
2.1.4 Password Requirements
 These are some guidelines to creating strong passwords:
1. Length - Use at least eight characters.
2. Complexity - Include letters, numbers, symbols, and
punctuation. Use a variety of keys on the keyboard, not just
common letters and characters.
3. Variation - Change passwords often. Set a reminder to
change the passwords you have for email, banking, and credit
card websites on the average of every three to four months.
4. Variety - Use a different password for each site or computer
that you use.
2.1.4 Password Requirements
 To create, remove, or modify a password in Windows 7 or
Windows Vista, use the following path.
Start > Control Panel > User Accounts
2.1.4 Password Requirements
Screensaver required password
 It is important to make sure that computers are secure when
users are away from the computer.
 A security policy should contain a rule about requiring a
computer to lock when the screensaver starts.
 This will ensure that after a short time away from the
computer, the screen saver will start and then the computer
cannot be used until the user logs in.
2.1.4 Password Requirements
Screensaver required
password
 To set the screen saver lock
in Windows 7 and Windows
Vista, use the following path:
 Start > Control Panel >
Personalization > Screen
Saver.
 Choose a screen saver and a
wait time, and then select the
On resume, display logon
screen option
2.1.5 File and Folder Permissions
 Permission levels are
configured to limit
individual or group
user access to
specific data.
 Both FAT32 and
NTFS allow folder
sharing and folder-
level permissions for
users with network
access.
2.1.5 File and Folder Permissions
 The additional
security of file-level
permissions is
provided only with
NTFS.
2.1.5 File and Folder Permissions
 All file systems keep track of resources, but only file systems
with journals, which are special areas where file changes are
recorded before changes are made, can log access by user, date,
and time.
 The FAT32 file system lacks journaling and encryption
capabilities. As a result, situations that require good security
are usually deployed using NTFS.
 If increased security is needed, it is possible to run certain
utilities, such as CONVERT, to upgrade a FAT32 file system
to NTFS. 
2.1.5 File and Folder Permissions

FAT32 and NTFS comparison

2.1.5 File and Folder Permissions
Principle of Least Privilege
 Users should be limited to only the resources they need in a
computer system or on a network.
 They should not be able to access all files on a server, for
example, if they need to access only a single folder.
 It may be easier to provide users access to the entire drive, but
it is more secure to limit access to only the folder that is
needed to perform their job.
 This is known as the principle of least privilege. Limiting
access to resources also prevents malicious programs from
accessing those resources if the user’s computer becomes
infected.
2.1.5 File and Folder Permissions
Restricting User Permissions
 File and network share permissions can be granted to
individuals or through membership within a group.
 If an individual or a group is denied permissions to a
network share, this denial overrides any other permissions
given.
 For example, if you deny someone permission to a network
share, the user cannot access that share, even if the user is
the administrator or part of the administrator group. The
local security policy must outline which resources and the
type of access allowed for each user and group.
2.1.5 File and Folder Permissions
Restricting User Permissions
 When the permissions of a folder are changed, you are
given the option to apply the same permissions to all sub-
folders.
 This is known as permission propagation. Permission
propagation is an easy way to apply permissions to many
files and folders quickly.
 After parent folder permissions have been set, folders and
files that are created inside the parent folder inherit the
permissions of the parent folder.