Network Security Policies and Procedures (eBook)
XII, 244 pages
Springer US (publisher)
978-0-387-47955-2 (ISBN)
Company network administrators are compelled today to aggressively pursue a robust network security regime. Network Security Policies and Procedures gives the reader a strong, multi-disciplinary understanding of how to pursue this goal. This professional volume introduces the technical issues surrounding security as well as how security policies are formulated at the executive level and communicated throughout the organization. Readers will gain a better understanding of how their colleagues on "the other side of the fence" view an organization's security and will thus be better equipped to act in a way that forwards an organization's goals. Network Security Policies and Procedures is intended for both technical and management professionals interested in learning how security manifests itself throughout all levels of an organization. This book is also suitable for advanced-level students in computer science and electrical engineering.
Table of Contents 6
List of Figures 7
Preface 8
Acknowledgments and Dedication 9
Chapter 1 Information Technology and Its Role in the Modern Organization 10
Chapter Objectives 10
1.1 Information Technology's Role in an Organization's Processes 10
1.1.1 Cats and Dogs (Technical Workers and Management) 11
1.2 The Role Policies Play in an Organization 12
1.3 Incidents That Have Made Security and Accountability Major Issues 13
1.4 The Book's Organization 16
Chapter 2 The Extent of an Organization's Connectivity 20
Chapter Objectives 20
2.1 Access in the Age of the Extended Enterprise 20
2.2 The Players 23
2.2.1 Customer-Facing Employees 23
2.2.2 Internal Functional Employees 25
2.2.3 Internal Support Employees 27
2.2.4 Management 28
2.2.5 External Players 29
2.3 Locations from Which Access is Required 30
2.3.1 Fixed Locations 31
2.3.2 Mobile Locations 31
2.4 Conclusion 32
2.5 Discussion Questions 33
Chapter 3 Network Physical Components 36
Chapter 3 Objective 36
3.1 Introduction 36
3.2 Computers 36
3.3 Connectors 38
3.4 Firewalls 40
3.5 Conclusion 41
3.7 Discussion Questions 42
Chapter 4 Legitimate Network Access 44
Chapter 4 Objective 44
4.1 Introduction 44
4.2 The Three Somethings 44
4.2.1 Something You Are 44
4.2.2 Something You Know 45
4.2.3 Something You Have 46
4.4 Conclusion 46
4.5 Discussion Questions 46
Chapter 5 Illegitimate Network Access 48
Chapter 5 Objective 48
5.1 Introduction 48
5.2 The Profiles 48
5.2.1 Criminals 48
5.3 The Paths to Intrusion 50
5.4 Malware 50
5.5 Conclusion 51
5.6 Questions for Discussion 51
Chapter 6 Encryption 54
Chapter 6 Objective 54
6.1 Introduction 54
6.2 The Information Sent Over Networks 54
6.3 Encryption 55
6.4 Authentication 56
6.5 Conclusion 56
6.6 Discussion Questions 57
Chapter 7 Balanced Scorecard 58
Chapter Objectives 58
7.1 Introduction to the Balanced Scorecard 58
7.1.1 The Balanced Scorecard's Views 58
7.1.3 Dysfunctional Processes 62
7.2 How a Balanced Scorecard Succeeds 62
7.3 Conclusion 64
7.4 Discussion Questions 64
Chapter 8 Sarbanes-Oxley 66
Chapter Objectives 66
8.1 Scandal Leads to Regulation 66
8.2 SOX Described 66
8.2.1 The Consequences of Violating SOX 68
8.2.3 Due Diligence with Offsite Partners 71
8.2.5 Compliance is Costly 73
8.2.6 Mid-Course Corrections? 73
8.3 Applying the Balanced Scorecard to SOX 74
8.4 Conclusion 75
8.5 Discussion Questions 75
Chapter 9 Physical Security 78
Chapter Objectives 78
9.1 Physical Security - Easily Overlooked 78
9.2 Where to Locate Computer Equipment 79
9.3 Employee Identification Procedures 81
9.4 Employees Transitioning Out of the Organization 85
9.5 Visitor Policy 87
9.6 Applying the Balanced Scorecard to Physical Security 91
9.7 Conclusion 95
9.8 Discussion Questions 95
Chapter 10 Disaster Recovery 98
Chapter Objectives 98
10.1 Disaster is Always Just around the Corner 98
10.2 Factors to Be Considered in Formulating a Disaster Recovery Plan 99
10.3 An Organization's Processes 100
10.4 Data as a Critical Element of Business Continuity 104
10.5 Restoring the Original Site 105
10.5 Applying the Balanced Scorecard to Disaster Recovery 106
10.6 Conclusion 109
10.7 Discussion Questions 109
Chapter 11 Initial Employee Communication 112
Chapter Objectives 112
11.1 The Overall Purpose of Initial Employee Communication 112
11.2 Some Examples of "Confidential Information" 113
11.3 Non-Disclosure Agreements 115
11.4 Non-Compete Agreements 117
11.5 Policies Relative to Employee IT Use 118
11.6 The Consequences of Violating the Employee Agreement 120
11.7 Applying the Balanced Scorecard to Initial Employee Communication 122
11.8 Conclusion 124
11.9 Discussion Questions 124
Chapter 12 The Human Element 126
Chapter Objectives 126
12.1 Humans - The Weakest Link in the Chain 126
12.2 Social Engineering 131
12.2.1 The Mentality of a Successful Social Engineer 131
12.2.2 How a Social Engineer Uses What Your Parents Taught You to Their Advantage 132
12.3 Countering the Social Engineer 134
12.4 Relevant Policies 135
12.5 Applying the Balanced Scorecard to the Human Element 137
12.6 Summary 138
12.7 Discussion Questions 139
Chapter 13 Email, Instant Messaging and Phishing 140
Chapter Objectives 140
13.1 Email and Instant Messaging are Crucial but Vulnerable 140
13.2 Email 141
13.3 Instant Messaging 145
13.4 Phishing 149
13.5 Fighting the Phishers 155
13.6 List of Potential Vendors 157
13.7 Applying the Balanced Scorecard to Email, Instant Messaging and Phishing 158
13.8 Conclusion 160
13.9 Questions for Discussion 161
Chapter 14 Network Administration 162
Chapter Objectives 162
14.1 The Network Administrator's Role 162
14.2 The Key Business Process Issue Influencing a Network Administrator 164
14.3 Network Administrators are Key Players in an Organization's Business Processes 164
14.4 Applying the Balanced Scorecard to the Management Aspects of Network Administration 165
14.5 Conclusion 166
14.6 Questions for Discussion 166
Chapter 15 Network Monitoring 168
Chapter Objectives 168
15.1 Monitoring the Network 168
15.2 IDS' Relevance to the Enterprise 169
15.3 Applying the Balanced Scorecard to the Management Aspects of Network Administration 170
15.4 Conclusion 170
15.5 Questions for Discussion 170
Chapter 16 Executive Communication 172
Chapter Objectives 172
16.1 Executive Communication is Crucial in Shaping Employee Behavior 172
16.2 Ronald Coase's Transaction Cost Economics 174
16.3 Leibenstein's Theory of X-Inefficiency 176
16.3.1 The Individual is the Proper Unit of Analysis 177
16.3.3 Inert Areas 179
16.3.5 Activity, Pace, Quality and Time 181
16.4 Mari Sako's Analysis of Trust 182
16.4.1 Arms-Length and Obligational Contractual Relationships 182
16.4.3 Trust's Role in Transaction Cost Economics 184
16.5 Applying the Balanced Scorecard to Executive Communication 185
16.6 Conclusion 186
16.7 Questions for Discussion 186
Chapter 17 Information Security Awareness 188
Chapter 18 Synthesis and Conclusion 204
Chapter Objectives 204
18.1 The Current State of an Organization's Operational Environment 204
18.3 Enterprise Architecture 211
18.4 Enterprise Architecture Rationale 213
18.5 Conclusion 215
Chapter 19 Draft Policies 218
Chapter Objectives 218
19.1 Draft Policies 218
19.1.1 The Policy Policy 219
19.1.2 Business Process Documentation Policy 221
19.1.3 Awareness Training 223
19.1.4 Regulatory Compliance 225
19.1.5 Physical Security 226
19.1.7 Initial Employee Communication 229
19.1.8 Email and Instant Messaging 230
19.1.9 Network Access 231
Bibliography 234
Index 246
Chapter 3 Network Physical Components (p. 27-28)
Chapter 3 Objective
This chapter will discuss the various physical components of an organization's network.
3.1 Introduction
In a modern organization there will be a significant IT posture, relative to the size of the operation. While modern connectivity has improved an organization's ability to operate in an extended enterprise spanning all corners of the world, as discussed in Chapter 2, it has also put it at risk for theft, fraud, data loss and hacking, as the examples from Chapter 1 established. To provide the background for the communication, policy and enterprise architecture discussions to follow in later chapters, the next few chapters will discuss the various physical and software-based elements of an organization's IT environment. Chapters 14 and 15 cover network administration and monitoring. As the emphasis of this book is on the policies facilitating a well-structured enterprise, the directly technical aspects of the issues are covered in sufficient depth to provide the reader with an overview of the subject matter.
3.2 Computers
3.2.1 Desktops and Laptops
Virtually everyone with an office job uses a computer for at least parts of their job, even if it is only as a typewriter substitute. The desktop computer (Figure 3.1) is the most common piece of hardware used to perform work and to access the Internet, while the laptop (Figure 3.2) is the choice of consultants, especially those who travel and must work on airplanes, in hotel rooms and on cafe tables, often with one or more colleagues sharing the space. Desktops are the more powerful of the two systems, but laptops now have capabilities sufficient to perform all routine work and at the high end have the ability to perform complex and resource-intensive functions such as economic analysis.
Publication date (per publisher) | 6 April 2007 |
---|---|
Series | Advances in Information Security |
Additional information | XII, 244 p. 50 illus. |
Place of publication | New York |
Language | English |
Subject areas | Mathematics / Computer Science ► Computer Science ► Graphics / Design |
| Computer Science ► Networks ► Security / Firewall |
| Computer Science ► Theory / Studies ► Algorithms |
| Computer Science ► Theory / Studies ► Cryptology |
| Computer Science ► Other Topics ► Hardware |
| Natural Sciences |
Keywords | Communication • Data Security • Frye • Information • Monitor • Network • Network Security • organization • Policies • Procedures • security |
ISBN-10 | 0-387-47955-4 / 0387479554 |
ISBN-13 | 978-0-387-47955-2 / 9780387479552 |
Size: 9.9 MB
DRM: digital watermark
This eBook contains a digital watermark and is therefore personalized to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.
File format: PDF (Portable Document Format)