Intranet Security Policy
Introduction
Security means having means that will reduce as much as possible, the vulnerability of information and resources; Although 100% security cannot be reached, the trend must be to reach that extreme value. The information constitutes one of the main resources of an organization, therefore a set of activities must be protected, through security controls and policies that must be implemented in a human resources, hardware and software base.
Developing
Information security depends on the appropriate management and procedures, on the employees of the organization, suppliers, clients, shareholders and the level of security of the technical media.
The assets of an organization
The assets associated with the information systems of an organization can be classified according to the following:
Information resources: Databases, user manuals, operational or support procedures, continuity plans, archived information, emergency provisions for information recovery are considered.
- Software: Application software, operating systems, development tools and utilities.
- Equipment: servers, computers, routers, switches, hubs, pabx, energy equipment, air conditioning, communications equipment, etc.
- Services: Communications, computer processing, electricity, lighting, air conditioning services.
Security should allow protecting the following information characteristics:
Confidentiality, that is, that information is known only by authorized persons.
Integrity, that is, its content is not altered unless it is modified by authorized availability personnel, that is, the ability to always be available to be processed by authorized persons. Control, since only authorized people can decide when and how to access information.
- Authenticity: the information is valid and usable and also that the source of information is valid.
- Replay protection: the transaction is only done once, unless the opposite is specified.
- I did not repudiate: to prevent an entity that received or sent information to alleged that he did not do it.
Intranet or internal networks must be protected, since there are various threats. An asset assessment and determine their importance as well as the risk to which they are subjected should be carried out. This assessment must answer the following questions:
Information security threats
- Natural catastrophes: This type of threats generally cause the interruption of services, mainly affecting the availability of information, examples of this type of threats are those caused by nature: floods, earthquakes, tornadoes, etc.
- Physical threats: Relating to physical access to resources, they can result in robberies, physical damage to equipment, sabotages. Unauthorized access, but is achieved through social engineering, exploiting the trust of an organization’s employees.
- Computer fraud: represented by the deception to customers in the sale of products and services through promotions and agencies that do not exist.
- Intrusions: that is, unauthorized access to communications systems, to the servers of an organization, in order to damage the image or obtain undue economic benefits.
- Human errors: As the name implies, they result from human action, such as easily vulnerable passwords, Backup of poorly made systems, interruption of services, incomplete settings of the devices.
- Illegal software: The consequences of copying illegal software lead to vulnerabilities of computer systems, since there are no updates that developers provide, within the illegal software there are also other threats such as malicious codes.
- Malicious code: it is all program or part of the program (software) that causes problems in computer systems, such as viruses, trly, worms, rear doors, when activated in the final systems. This type of threat has evolved by the growing connectivity of the Internet and the deception resources of which the attackers are worth.
We have indicated above lines that need to estimate the risks to which the network, servers, network devices are subject. Although, it is difficult to perform an exact evaluation of the information, it could be tried to evaluate it assuming its loss or alteration.
SECURITY POLITICS.
The implementation of a security system must be complemented with security policies. The security policy requires not only to know the threats to which the information and resources of an organization are exposed, but also establish their origin, which can be internal or external to the organization. You would not be worth protecting the company from outside users if there are also internal threats. For example, if a user uses a floppour that contains a virus could expand it to the entire intranet.
A security policy is the declaration of the rules that must be respected to access information and resources. The documents of a security policy must be dynamic, that is, to adjust and improve continuously according to the changes that arise in the environments where they were created.
conclusion
Security policies are developed in order to preserve the information and systems of a company, and guaranteeing the integrity, confidentiality and availability of information. Documents related to security policies must contemplate the procedures to enforce the rules, responsibilities at all levels. All of them must have the management support of the organization.
Information is a resource of the utmost importance for the company or organization and must be protected through the implementation of security measures based on hardware, software and human resources, but also complemented with adequate security policies that are known by the organization staff at all levels. The organization’s staff must be fully identified with the safety and protection objectives that the company seeks. Information security is everyone’s task: from the company’s staff, of the partners, of the shareholders, of the clients.
Leave feedback