XYZ Company is a small non-profit organization in need of a network security. This blog post will explain what security measures need to be set-up for XYZ Company.
Good security will protect against physical threats, application threats, environmental threats, legal threats and authentication threats. Any data or information that can potentially be destroyed, modified, or misused to cause damage needs to be secured. To ensure security of data, you need to secure all sources from where data can be retrieved.
Physical security needs to be addressed as well as network data security.
Overview of XYZ Company Network
XYZ Company's' network spans two floors and consists of: 6 workstations, 3 printers, 1 copier, 1 server, 1 SonicWall router/firewall appliance, 1 Belkin wireless access point, and1 Cisco switch. The server, SonicWall appliance, switch and copier are housed in the mechanical room on the 2nd floor. XYZ Company connects to the internet via DSL. XYZ Company owns the building and also leases out space to several other businesses within said building.
The first thing I recommend for securing XYZ's network is implementing a Security Policy.
A security policy is a set of rules and regulations that an organization defines to handle various situations, such as the unauthorized access of data, disclosure of confidential information, and virus/malware attacks.
Components of the Security Policy for XYZ Company:
· Acceptable use policy
· Password policy
· Remote access policy
· Virus protection and prevention policy
· Visitor and Contractor Premise Access Policy
· Server policy
Acceptable Use Policy
An acceptable use policy should include rules and regulations for Internet usage.
Wired/Wireless Internet Usage:
· Acceptable Use of Internet Services
· Unacceptable Use of Internet Services
· Responsibilities the employees must adhere to while using the organizations Internet services
· Compliance
E-mail Usage:
· Acceptable Use of E-mail Services
· Unacceptable Use of E-mail Services
· Responsibilities the employees must adhere to while using the organizations E-mail services
· Compliance
Computer and Network Resource Usage:
· Guidelines for handling organizational resources, such as computer and network hardware
· Compliance
Password Policy
A password policy states certain rules and regulations that each employee should follow while setting passwords corresponding to their user name. This password policy also needs to cover the server and router/s.
Remote Access Policy
A remote access policy should clearly define the following:
· Who can access an organization's network from a remote location
· What methods can be used to access an organization's network
· Which organizational resources and information can a person access remotely
· What extra permissions and privileges should be assigned to authorized people accessing an organization's network remotely
· Compliance
Virus Protection and Prevention Policy
A virus protection and prevention policy should clearly state precautions to take while communicating through e-mail, downloading material from the internet, and transferring data by CD/DVD or flash drive. this policy should also state guidelines the employee should follow if they detect a virus on their computer or network. This policy also requires compliance.
Visitor and Contractor Premise Access Policy
The visitor and contractor premise access policy should state guidelines that visitors and contractors must adhere to for their own safety as well as the organization's. This policy also requires compliance.
Server Policy
The server policy should contain the following:
· Configuration guidelines
· Monitoring guidelines
· Ownership and responsibility guidelines
· Compliance
Visibility is an important aspect of a security policy. A good security policy is of no use to an organization if most of the employees are unaware of it and/or the policy is not enforced. Management should ensure the visibility of security policies through periodic presentations, trainings, question answer sessions, etc.
Once implemented, a security policy must be constantly reviewed and monitored for changes and improvement.
Physical and data security
To secure the physical and data aspects of the network in the mechanical room I recommend that the Cisco switch and patch panel be encased in a locked enclosure , the server and the SonicWall appliance be password protected with limited access and to also limit access to the mechanical room itself. I recommend that the mechanical room be locked but that probably isn't feasible since the copier/scanner/fax is housed in that room.
The SonicWall appliance is a firewall/wireless router and as such needs secure encryption and the default login and password changed.
File shares on the server need the proper rights assigned to the authorized users.
The Belkin wireless access point also requires secure encryption such as WPA/WPA2 , the SSID broadcast disabled, the default SSID name changed and the default login and password changed.
Secure passwords for all users is also recommended.
In conclusion it is recommended that a good Security Policy be implemented and enforced with strict compliance.
No comments:
Post a Comment