Microcomputers are being increasingly used at XXXX as part of departmental and administrative networks and, as such, they have become important elements of highly interdependent and cooperative systems. Further, microcomputers are subject to a variety of security threats including those from system equipment failure, software viruses, and unauthorized access. The networking of microcomputers has made security threats to one networked microcomputer a significant risk to all others on the network. Microcomputer networks have become ubiquitous and essential support elements to XXXX's educational, research and service mission. It has become imperative to interconnect these networks and achieve economies of scale in their purchase and management.
It is important to have a well-conceived and effective network security policy that can safeguard the investment and information resources of XXXX. It is worthwhile to implement a NSP, if the resources and information on its networks are worth protecting. An effective network security policy can be defined as something that all network users and network administrators can agree upon and are willing to enforce.
The XXXX network(s) can be thought of as a system having multiple sites with each having its own networks. Therefore, the required site security policies should take into account the protection of the following resources: Individual workstations, file servers, Interconnection devices such as gateways, routers, bridges, repeaters, etc., terminal servers, networking and application software , network cables, and Information in files and databases. It is also crucial to have a site security policy that considers the security needs and requirements of all the interconnected networks.
Because technology changes rapidly, computer security procedures should be reassessed on a regular basis.
What follows are a set of suggested policy statements and operating guidelines which may make progress toward more security of the multiple LANs at the XXXXX.
Suggested Policy Statements
Data created and stored on microcomputer hard disks will be secured through routine back-ups. Back-up is the process of copying data to the network file server, diskette, magnetic tape or some other form of storage media. These copies may be used to restore electronic files to the microcomputer if the original files are destroyed or corrupted in any fashion. Back-ups will be performed, at a minimum, on a weekly basis. There is a procedure for testing the backup files and check whether they are able to restore those files. However, the frequency of back-up and restore process depends on the importance of the data. Following this process at least once in a month is a good practice.
Networks and File Servers
File Server Backup
All critical files must be backed up on a regular (daily backups are the most desirable) basis and full backups should be stored in a secure offsite location. Files in server must be copied at least in two locations and make sure that those copies are 2-3 miles away from the destroyed information. Using those backup files we must be able to construct the entire infrastructure. Thus we must regularly update these backups weekly or monthly depending upon the organization.
Departmental Network Routers
Standards for Network Naming and Numbering will be established centrally by the XXXX. Network numbering and naming must be managed by the departmental LAN administrators in conjunction with XXXXs Department of Information Technology. All Internet Protocol (IP) numbers must be registered in XXXX Domain Name Servers (DNS).
Encryption of Openly Transmitted Data
As XXXX is frequently transmitting sensitive data such as patient, student or personnel records, all openly transmitted data must be encrypted. Openly transmitted data consists of radio, laser, telephone, or Internet connections.
Secure Network Connectivity Points
All interconnection devices (hubs, bridges, routers, patch panels, etc.) and servers must be located in secure or restricted access rooms. Even though all the devices and servers are located in a restricted room there is a chance of bypassing into the connection illegally, a team must be working on to find out all these illegal activities. By blocking the ports and traffic do not provide security, we need applications that looks into the traffic and find out the suspicious activities those are trying to be hidden.
Internet and Intranet Servers
1. The Super User (SU) or other passwords used for managing servers must be changed regularly.
2. The Server Administrator must implement all known vendor supplied software security fixes.
3. The Server Administrator must implement access security rights in order to manage proper access by groups or individual users.
4. The Server Administrator must restrict root access to system console.
5. Deactivate other services which are not in use, only necessary protocols must be turned on. Security checks must be performed randomly, through review of log history must be done to find out illegal attempts which tries to trespass the security zone.
6. Categorizing of websites must be implemented. This prevents the user from visiting harmful sites which infects system.
7. A separate user database must be maintained which contains duration of each user activity, websites visited, and downloading history. All users must be aware that their activity is recorded and monitored so that they use only for work purpose.
Suggested Operating Guidelines
All microcomputers located on XXXX networks should limit system access through password security measures. Passwords should have a minimum length of 8 characters. A Password must be a combination of Upper case and Lower case alphabets and at least one numeric value and a special symbol. Such type of combination is very difficult to guess. But there is common tendency for users forgetting the password, one must be careful and cautious while setting password. These measures will require that all systems users use unique and secret passwords before utilizing microcomputer systems. Further, the password process should require that users change their password on a regularly scheduled basis. The password change cycle should be appropriate to the level of security exposure. Invalid login attempts should be limited to 3. The exception to this rule would be guest access to systems, however, the level of access afforded the guest should be limited and under the close direction of the appropriate network administrator. The number of times a user can log onto a LAN after their password expires should be limited to no more than 3 attempts.
ï‚· Protection from Viruses
Efforts should be taken to lessen the risk to microcomputers arising from software viruses. Microcomputers are particularly susceptible to damage from software viruses, a species of computer programs maliciously designed to corrupt essential software and data located on computer hard disks. It is necessary that the antivirus program will also detect and cure any known Trojan horses or worms during its scanning process. All microcomputer hard disks should be periodically scanned for software viruses and any viruses encountered will be removed as they are located. This routine scanning and correction process should occur frequently and virus protection software should be updated regularly. In addition to the regular scanning of hard disk E-mail scanning is also required as most of the malware enter through e-mail. This scans all the e-mails and all suspicious mails are deleted. Some of the attachments with dangerous extensions can also be blocked as a precautionary act.
ï‚· Physical & Software Security of Client Workstations
Microcomputers should be protected by surge protectors and secured, both physically and through software, to avoid their use by unauthorized personnel and visitors to XXXX. When feasible, microcomputers will be placed in office areas that may be locked during off hours and have adequate numbers of XXXX staff to supervise their use during business hours. Unattended microcomputers should have keyboard locking mechanisms. All networked microcomputers should utilize software to either terminate systems usage or require re-entry of user passwords after the device has sat unused for ten or more minutes. To avoid unattended workstations, in most cases users should only be allowed to log on to one workstation on a LAN at any given time. Although 24 hour access will be allowed to the network, some applications may be more secure if access is limited to normal working hours.
All users in XXXX should be knowledgeable in the basic operations of the computer and associated programs. A Policy tells someone to do something, every organization has their own policies for some and proper functioning. But if the user don't understand what the organization policy is and the importance of the policy he may not follow it. So in the training itself making sure that everyone are aware of the organization policy is essential. So that we can reduce the chance of misusing the confidential data and who tries to perform such unauthorized or illegal activity attempts can be easily prosecuted.
File Server and Network
ï‚· Virus Protection All networks should employ methods for routinely scanning electronic files coming into the network via diskette, Internet file transfer, remote access links, or other means as they arise. Every organization must have a team who constantly works on updating latest definitions for viruses and download latest patches from the service provider. Thus by keeping software up to date reduces the vulnerability and increases the security level.
ï‚· Uninterrupted Power Supply (UPS) Protection
All file servers should be protected by an UPS. The abrupt termination of a file server could easily result in file corruption.
ï‚· Disconnect Unused Data Jacks
In order to ensure that unused data jacks do not pose a threat for unauthorized access, all unused data jacks should be disabled or disconnected
ï‚· Server Password Protection
Supervisory access to network file servers should be restrictive and the password should be changed regularly.
ï‚· LAN Administrator Training
The person called in to perform LAN administration should have the necessary technical knowledge and experience in the field of operation. Training programs may be required and are encouraged to improve the computing skills and proper utilization of network services and resources.