Question

List and briefly discuss two (2) “policies and procedures” for system security that companies should have in place.

Answer #1

Maintaining a secure site is crucial. One must put the proper security policies, procedures and technologies in place to protect your organization from inadvertent or intentional damage or loss of data. Perhaps the organization is not attractive to hackers and other intruders and thus does not require much in the way of security. This may or may not be true but a recent survey of over 560 companies by the Computer Security Institute (CSI) and the Federal Bureau of Investigation's International Computer Crime Squad in San Francisco revealed the following information:

  • Of the respondents, 75% reported that they had financial losses due to security breaches ranging from financial fraud, theft of proprietary information, sabotage on the computer, viruses and laptop theft on the low end.
  • The total estimated losses were a staggering $100119555.

This indicates that the probability of mischief is so high that no one can afford not to invest in proper Web site security. Firstly, it must be decided what should be protected, in other words, what needs to be secured. For example, a firewall consists of a number of components and systems between two networks and it is generally implemented to limit access to information from users inside and outside the enterprise. Before a firewall necessarily means anything practical to the planners, it is important to define information:

  • Which information should be limited to internal users?
  • Is there any information outside the organization that should not be accessed by users inside? Is there information that is used by one group but not required by others?
  • Should all information be limited, based on need to know?

Physical security
Physical security means the steps taken to protect the actual machines used to store and process sensitive and/or valuable data. Protecting against accidental or deliberate access (including changes to the way the computer is set up) should not prevent users from doing their work nor should it erect unrealistic or inconvenient barriers to user resources.

Standard security
For standard security, the computer system must be protected, as any valuable equipment would be. Generally, this involves housing the computer in a building that is locked and out-of-bounds to unauthorized users.

Backups
Regular backups protect data from all sorts of hazards such as hardware failures, honest mistakes, viruses, and malicious mischief. Because files must be read to be backed up, and written to be restored, backup privileges should be limited to administrators and backup operators, in other words, the people who can be trusted with read and write access to all files.

Auditing
Often one does not know about a breach of security until one stumbles across it, usually by auditing the network. Effective auditing can also uncover actions that pose a security risk and identify the user accounts from which the actions were taken. Establishing an audit policy requires that one balances the auditing cost (in disk space and central processing unit cycles) against its advantages. System setup and capacity may dictate how many functions one can audit realistically. At the very least one should make a point of auditing failed logon attempts, attempts to access sensitive data and changes to security settings.

High-level security
Depending on the level of security required, an organization can implement additional security measures to create a high-security environment. Firstly, it should be identified which computers, if any, contain sensitive data at high risk for theft or intentional violation and disruption. Security for these machines, or their subnet, can be augmented with more stringent security features than those used for the rest of the network. One could begin by examining the network's physical links.

Network level security
When a computer is put on a network, a new access route is added to the computer that should be secured against some level of intrusion, for example from casual to intentional intrusion. User validation and protections on files and other objects are sufficient for standard-level security, but high-level security demands that the physical network is secured. The main risk is unauthorized network taps. If the network is set up completely within a secure building (a rarity), the risk of unauthorized taps is minimized or eliminated. If the network is not completely within direct physical control, the level of realistic protection must be decided and instituted, beginning with physical security. If, for instance, cabling passes through unsecured areas, optical fiber links should be considered rather than twisted pair, as it is much harder to tap a fiber and siphon off data.

A second, and more common, risk these days is Internet access. The security issue here cuts both ways because this type of connection provides access to and from the Internet community. In essence, this means that just about everyone in the world with access to a computer can access the organization's system. To get in, however, the person has to come through the outside network. This indicates how important all-round security is, and with Internet access the security of the entire network must be ensured.

Another threat is the damage that can be caused as a result of a security breach. This generally leads to the following problems:

  • Loss of service
  • Loss of information
  • Loss of control
