Network management policies include resource accountability, reporting of errors and malfunctions, and preventive maintenance. Some policy elements are repeated here, but it is recommended that this section be reviewed. Network protection policies address the continuing need for risk analysis, security awareness and training, security administration, and facilities security. The following measures address network management policies:
Initiate and maintain a formal inventory of network components such as hardware, applications, and attendant components, including serial numbers, physical location, version numbers, and dates of acquisition, implementation, or installation.
All company network users must be formally authorized to use the network. All users must request access in writing, accompanied by the approval of their supervisor or manager. All access requests, approvals, and denials are retained and archived.
Regularly review the network configuration to ensure that all attached components are authorized and configured correctly. Any attempt by employees to alter network configurations by installing unauthorized software or hardware must be reported immediately. Verify network interface equipment and configurations after a unit has been serviced or an audit has been performed. Verify the identity of the network interface card's user at the time of unit maintenance. Deny access to anyone who does not have an authorized network interface card, and report violations.
Depending on the type of work, maintain logs of all network transactions, including but not limited to the identity of the user, log-in time, files accessed, transactions performed, and log-off time.
Where feasible, logs are recorded on WORM (write-once, read-many) media so that they cannot be altered after the fact.
Through manual or automated means, all logs are reviewed and filed daily as permanent records.
All security and risk-related events are to be reported immediately and receive immediate senior management attention.
All corrective actions are documented and reported in a timely fashion.
Develop and maintain a schedule of preventive maintenance activities for applications and equipment. Any hardware or software not conforming to policy, procedures, or standards will be addressed appropriately, with reports made to senior managers. Ensure there is documentation of the time and type of maintenance performed on all network components.
Remove any and all data from storage media, e.g., floppy disks, hard drives, tapes, and CDs, before equipment is delivered to maintenance or disposal personnel.
Periodic risk assessments and audits are the responsibility of the network owner and the audit unit. Documentary evidence of these processes is to be made and maintained.
Risk analyses will be performed during the network's SDLC design stage and at any time changes are made to the network design or components. Among other things, these analyses should measure the network's vulnerability to:
Improper disclosure of information
Fraud, theft, and abuse
Inadvertent harmful errors
Financial losses to the organization
Harm to individuals' privacy rights
Loss of intellectual property
Loss of continuing profitable operations
Employees responsible for the company's network security and administration must have the necessary experience and must receive sufficient formal training to perform their duties.
All network users are required to attend training sessions and sign an agreement regarding their security responsibilities, privacy, proper use of network facilities, and the safeguarding of data.
Employees have the responsibility to challenge strangers and other individuals who do not display appropriate identification badges. At no time is an employee to allow someone into any area by holding open a door equipped with an access control device.
All user activities and their accounts are subject to unannounced audits.