Computer Security: Corporate Security Documentation Suitable for a Large Corporation
Item
(I) in-Depth Defense Measures
(II) Firewall Design
(III) Intrusion Detection System
(IV) Operating System Security
(V) Database Security
(VI) Corporate Contingency of Operation
(VII) Corporate Disaster Recovery Plan
(VIII) Team Members and Roles of Each
(IX) Timeline with Goal Description
(X) Data Schema
(XI) Graphical Interface Design
(XII) Testing Plan
(XIII) Support Plan
(XIV) Schematics
Computer Security: Corporate Security Documentation Suitable for a Large Corporation
(I) In-Depth Defense Measures
Information Technology (IT) Acceptable Use Policy
The intentions of IT for the publication of an Acceptable Use Policy are to ensure that non-restrictions are imposed that are not contrary to the organizations' culture of openness, integrity and trust. IT has a firm commitment to the protection of the company's employees, partners and the company from any individuals that are illegal or that would otherwise cause damage with or without knowledge or intent to the following:
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of the company and these systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations.
Required in the effective security initiative is a team effort with full participation and support of each company employee. Each individual in the company that uses a computer has a responsibility to be aware of the guidelines and to follow these guidelines.
The purpose of this publication is to outline the appropriate use of computers in the organization. These rules are for the purpose of protecting the employee and the company against virus attacks and network systems services and to avoid legal situations. This policy is applicable to employees, contractors, consultants, temporaries and any other workers with this organization. Furthermore, included are personnel affiliated with other or third parties.
General Use and Ownership
Good judgment is required to be exercised by all employees and individual departments are responsible for development of guidelines on the personal use of the Internet/Intranet/Extranet systems. Any sensitive information or information considered vulnerable should be encrypted. The network may be monitored by authorized persons including equipment, systems and network traffic at any time for security purposes.
Security and Proprietary Information
The user interface for information included on the related systems will be classified as confidential or alternatively as non-confidential. Confidential information includes but is not limited to the following:
(1) company private information;
(2) corporate strategies;
(3) competitor sensitive information;
(4) trade secrets;
(5) specifications;
(6) customer lists; and (7) research data.
All PCs, laptops and workstations of the company will be security with a password-protected screensaver with automatic activation feature set for ten minutes or less or through logging off when the host is to be unattended. All host computers used by employees in conducting business for the company shall be equipped with an anti-virus program. Activities that are prohibited in general include any activity deemed illegal by local, state, federal or international law. Activities that are strictly prohibited include:
(1) violations of the right of any individual or company protected under copyright, trade secret, patent or other type of intellectual property including any similar laws or regulations.
(2) unauthorized copying of copyrighted material -- this includes photographs from magazines, books or other sources under copyright protection as well as music and any copyright software.
(3) exporting software, technical information, encryption software or technology in violation of international or regional laws controlling exports.
(4) introducing programs that are malicious into the network or server that contain any types of virus, worm, Trojan horse, email bomb or any other type of threat;
(5) revealing their password to others or allowing use of their account by others.
(6) Using the company computer or system to engage in the procurement or transmission of material that violate sexual harassment or hostile workplace laws in the jurisdiction of the company or the user.
(7) Making fraudulent offers relating to products, services, or items that originate from any company account.
(8) making statements concerning express or implied warranties unless that is part of the individual normal and regular tasks with the company.
(9) Committing breaches of security or network communication disruptions.
(10) Scanning ports or security scanning is prohibited unless IT is first informed.
(11) Execution of any type of monitoring on the network that will intercept data not intended for the host of the employee is prohibited.
(II) Firewall Design
The Network Support Organization maintained firewall devices are required...
The firewall device is required to be the only access point between the host computers and the company's networks and the Internet. Any type of cross-connection bypassing the company's firewall device is prohibited.
Changes to the original firewall configurations are required to be reviewed and approved by company IT and this includes both general configurations as well as rule sets. If additional security measures are needed these may be instituted by IT for the company. All routers and switches that are not testing or training utilized are under a requirement to conform to the company router and switch standardization documents. All operating systems of host computers internal to the company must be configured to the secure host installation and configuration standards.
Current applicable security patches and hot-fixes for applications that are Internet services must be applied and administrative owners groups must have procedures in place to stay current on the patches and hotfixes that are appropriate. All applicable security patches and hot-fixes that the vendor recommends are required to be installed. Services and applications that are not serving requirements of the company should be disabled.
Company information that is confidential is prohibited to be kept on host computers where company personnel have physical access as required by the information sensitivity classification policy for the company. Remote administration has a requirement of being performed over channels that are secure through use of encrypted network connections.
(III) Intrusion Detection System
The company network will be inclusive of an intrusion detection system (IDS) for the purpose of monitoring network traffic and monitoring for suspicious activity. Should the system detect such incidences the network administrator will be notified. The intrusion detection system utilized by the company will be a network based (NIDS) intrusion detection system. In addition, the company's host computers will have host intrusion detection systems (HIDS) installed for the purpose of monitoring the inbound and outbound packets from the device and which will alert the network administrator should any incidences occur.
Included in the intrusion detection system for the company is a signature-based IDS and an anomaly-based IDS. The signature-based IDS monitors network packets and conducts a comparison of these against a database of signatures from known malicious threats while the anomaly-based IDS will monitor the network traffic and conduct comparison of it against an established baseline that identifies 'normal ' network activity.
(IV) Operating System Security
The work of Heidari (2011) states that operating system security "revolves around the appropriate protection of four elements:
(1) confidentiality;
(2) integrity;
(3) availability; and (4) authenticity.
Confidentiality and integrity "deal with the three important roles of:
(1) protection models;
(2) capability; and (3) assurance. (Heidari, 2011)
Multiprogramming includes resource sharing among users including memory sharing, sharing of I/O devices as well as sharing of programs and data. The Operating System for the company should offer protection that is based on shared access through access limitation involving the operating system (OS) checking the permission levels of each access according to the specific users and the specific object thereby acting as a guard between users and objects and ensuring that the only accesses to occur are those properly authorized. The access control that will be utilized will be 'user-oriented access control' or 'authentication. This is the most commonly used technique for user access control and required an ID and Password.
File sharing will involve several access rights:
(1) reading;
(2) appending; and (3) updating.
These access rights will be granted to different classes of users. When access is granted to more than one individual users to make changes or updates to a file the operating system will enforce discipline with the approach allowing the user to lock the file when it is updated.
The work of Heidari states that there are five common security problems in regards to the operating system including:
(1) improper input validation;
(2) weak cryptographic algorithms;
(3) weak authentication protocols;
(4) insecure bootstrapping; and (5) mistakes in configurations
The first four are such that have a "technical or system-related basis, while the latter is related to organizational problems or management." (Heidari, nd) Therefore, these common security problems must be guarded against by the network administrator and IT department.
(V) Database Security
The largest concern for the system administrator at the server level is that of security because this is where all the action takes place. Microsoft SQL Server 2005 makes provision of effective support for diverse types of data encryption through utilization of symmetric and asymmetric keys along with digital certification. Moreover, management of encryption keys are performed by the system. As management of encryption keys is by far the hardest aspect of key management this is a bonus.
The key encryption hierarchy is shown in the following figure labeled Figure 1 in this document. The database administrator will manage the service…
