sweetom

Creating Network security procedure

I need to create a network security procedure for my company.  Can anyone tell me what needs to be in one or can I get an example?
ASKER CERTIFIED SOLUTION
Rich Rumble
This solution is only available to members.
Typo: "right"... I meant "write back"... I'm getting too old.
-rich
mellowmarquis

I agree with Rich.
That SANS link is the best place to go.
There are pay-sites that have sample policies, but SANS has all you need.

Also useful (and from SANS again) would be the SANS Reading Room for all things related to infosec:
http://www.sans.org/rr

For things specifically related to developing and implementing policy:
http://www.sans.org/rr/whitepapers/policyissues/

And remember - developing policy is one thing. Ensuring it's followed and reviewing its relevance/practicality is another thing altogether and crucial. It's no use enforcing 15 character complex passwords if people are going to write them on a post-it note and stick it on the monitor! :)

-Mark
I had to put these types of policies in place for my company. Here is a list of suggestions on top of what has already been said.

Once you get your policies in place, make sure your Human Resources, or other Executive Management personnel, agree with the policies and will support them. The policies are no good if they are not supported by upper management. Keep in mind that you will most likely have to enforce these policies at one time or another. We had our users sign a form stating that they read, understood, and agreed to follow all the policies. We also had all of the policies posted on the Company intranet.

Get a good password policy. I am a consultant now and I have walked into many customers' sites and been able to get on their network too easily. Blank passwords, passwords on sticky notes, etc. are a very bad thing to have in your organization and are very hard to prevent.

A good firewall is also very important to your network. Remember to log the firewall and to block unwanted traffic from coming in and going out. Most people overlook the outbound policies. Also make sure you have some intrusion detection; this is often overlooked as well.

Keep all your machines up to date with service packs and patches.

Have up to date anti virus software on all workstations and servers.

If you can, remove all modems from servers and workstations; this may not be cost effective or feasible for you to do. Cisco had analog line cards that can be added to some of their routers. That way all modem traffic can be passed through a firewall.

If you have Windows 2000 or Windows XP workstations, prevent users from installing software. There is usually never a good reason why a user would need to install software on their machine.

Use a proxy server to monitor Internet use. Providing reports of users' activities to management is a great deterrent to inappropriate use.

Have a good backup and disaster recovery procedure. I would typically ghost my servers after new software or service packs, etc. were installed. All the actual data was backed up daily and archived once a week. The previous week's tapes were kept off site. Monitor your backup logs to make sure the backups are actually running okay.

Document your network, and I mean everything that you have in it. If you have to rebuild anything, it's much easier if it's been documented. Your documentation should be kept in a secure place, since if it's done right you would not want it to fall into the wrong hands.

There are a lot of other things that can/should be done to build a good network security procedure. I hope this list helped.

A couple of things that I think are going to be very important as you move forward with this.

1.  Make sure that you raise awareness, and show the need for improving security.
2.  Make sure that you have senior management buy-in.  They can say that they want to be more secure, but they will need to back you.

Craig.
<advertizing removed by CetusMOD per http:help.jsp#hi106>