This paper is intended to address the importance of having a written and enforceable Computer Network Security Policy for The Financial Group, an accounting corporation. The company's accounting systems comprise three major elements: a Web-based front-end server, a back-end database, and business-logic applications. OS-level console access is used for system administration. Accountants access the system with Web browsers using HTTP only and are authenticated via the HTTP basic authentication mechanism.
Network Security Policy Components
Network security is the most critical element of The Financial Group's IT security program. This security policy identifies the rules and procedures that all persons accessing computer resources must adhere to in order to ensure the confidentiality, integrity, and availability of data and resources.
Security Definition: This security policy is intended to ensure the confidentiality, integrity, and availability of data and resources through the use of effective and established IT security processes and procedures.
Enforcement: The Chief Information Officer (CIO) and the Information Systems Security Officer (ISSO) will have the primary responsibility for implementing the policy and ensuring compliance. However, members of senior management will be represented as well.
All exceptions to the policy should be reviewed and approved, or denied, by the Security Officer. Senior management, however, should not be given the flexibility to overrule decisions. Otherwise, the security program will be full of exceptions that will lend themselves toward failure.
User Access to Computer Resources: The roles and responsibilities of users accessing resources on the company's computer network should be strictly implemented. This includes: procedures for obtaining network access and resource level permission; policies prohibiting personal use of organizational computer systems; procedures for using portable media devices; procedures for identifying applicable e-mail standards of conduct; specifications for both acceptable and prohibited Internet usage; guidelines for using software applications; restrictions on installing applications and hardware; procedures for Remote Access; guidelines for use of personal machines to access resources (remote access); procedures for account termination; procedures for routine auditing; procedures for threat notification; and Security awareness training.
In addition, external companies with which The Financial Group conducts business (via LAN, WAN, VPN) will be required to meet the terms and conditions identified in the organization's security policy before they are granted access. This is done for the simple reason that the security policy is only as good as the weakest link. (Frye 349-382)
Security Profiles: Security profiles will be applied uniformly across common devices used by the company (e.g., servers, workstations, routers, switches, firewalls, proxy servers, etc.).
Applicable standards and procedures will be followed for locking down devices. In addition, an assessment needs to be completed to determine what services are necessary on which devices to meet the company's organizational needs and requirements. All other services should be turned off and/or removed and documented in the corresponding standard operating procedure.
Passwords: Passwords are a critical element in protecting the company infrastructure. Remember, the security policy is only as good as the weakest link. If users have weak passwords then the company is at a higher risk for compromise not only by external threats, but also from insiders. If a password is compromised through social engineering or password cracking techniques, an intruder now has access to the company's resources. The result is the loss of confidentiality and possibly the integrity of the company's data as well.
Users will be required to use a minimum of eight characters for passwords, use a combination of symbols, alpha charters, and numerals, and a mixture of uppercase and lowercase. Users will be required to change their password at least quarterly. Previous passwords should not be authorized. Lastly, an account lockout policy will be implemented after a predetermined number of unsuccessful logon attempts.
E-mail: A strict e-mail usage policy is a must. Several viruses, Trojans, and malware use e-mail as the vehicle to propagate themselves throughout the Internet. A few of the more recent worms were Code Red, Nimda, and Gonner. (Ogletree. 48) These types of exploits prey on the unsuspecting user to double click on the attachment thereby infecting the machine and launching propagation throughout the entire network. This could cause several hours and/or days of downtime while remedial efforts are taken.
To address this, content filtering of e-mail messages will be required by the company. Attachments with extensions such as *.exe, *.scr, *.bat, *.com, and *.inf will be filtered.…