What is a document that outlines specific requirements or rules that must be met?

The best way to handle an incident is to prevent it from happening. To do that, you will need to establish effective security policies that will monitor and analyze the network traffic. The use of proactive techniques is the first line of defense against security threats. Well-defined enforceable security policies will make it more difficult for intruders to access your system. These policies must be established, understood, practiced, and frequently updated throughout your organization to prevent potentially catastrophic security breaches.

An effective security policy is the foundation of a secure network.

Policies, Standards, and Guidelines Defined

A policy is a document that outlines specific requirements or rules that must be met. In the network security realm, policies usually cover a single area. For example, a “password policy” would fully cover all the rules and regulations for the appropriate use, complexity, and lifetime of passwords.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone in an organization. For example, you might have a standard that describes how to harden an Internet-facing Windows server. This standard must be followed exactly before the server is placed on an Internet-facing network segment.

A guideline is typically a collection of system-specific or procedural-specific “suggestions” or best practices. They are not requirements that must be met, but it is strongly recommended that they are.

Our Phased Approach:

• Define security goals based on your business needs.
• Assess the safety level of your assets.
• Identify, refine, and establish new policies.
• Work with your security and IT teams to develop a plan that activates these new policies.

What's in a name? People frequently use the names "policy," "standard," and "guideline" to refer to documents that fall within the policy infrastructure. Although they all have different definitions, most people use these names synonymously, which is why the sections that follow define each term separately.

A policy is typically a document that outlines specific requirements or rules that must be met. In the information and network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities. Top management usually sets policies.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment. Middle management usually sets standards.

A guideline is typically a collection of system-specific or procedure-specific suggestions for best practices. Guidelines are not requirements to be met but are procedures that are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization. The IT staff usually sets guidelines.

The following examples further clarify the difference between the three words:

• A password policy should state that passwords must be sufficient to properly secure a resource.

• A password standard specifies that a password generator should be used.

• A password guideline lists all the company-approved, licensed password generators.

Sample Policies

On the SANS website, you can find some sample security policy templates. They can be used as a start for developing your own security policy. The documents on the SANS website continue to be works in progress, and the policy templates are living documents. The available policies on the SANS website are as follows:

• Acceptable Use Policy Defines acceptable use of equipment and computing services and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.

• Acquisition Assessment Policy Defines responsibilities regarding corporate acquisitions and defines the minimum requirements of an acquisition assessment to be completed by the information security group.

• Analog/ISDN Line Policy Defines standards for use of analog/ISDN lines for sending and receiving a fax and for connection to computers.

• Anti-Virus Process Defines guidelines for effectively reducing the threat of computer viruses on the organization's network.

• Application Service Provider (ASP) Policy Defines minimum security criteria that an ASP must execute in order to be considered for use on a project by the organization.

• Application Service Provider (ASP) Standards Outlines the minimum security standards for the ASP. This policy is referenced in the ASP Policy (see previous item).

• Audit Vulnerability Scanning Policy Defines the requirements and provides the authority for the information security team to conduct audits and risk assessments. The team conducts assessments to ensure integrity of information and resources, to investigate incidents, to ensure conformance to security policies, or to monitor user and system activity when appropriate.

• Automatically Forwarded E-Mail Policy Documents the requirement that no e-mail is automatically forwarded to an external destination without prior approval from the appropriate manager or director.

• Database Credentials Coding Policy Defines requirements for securely storing and retrieving database usernames and passwords.

• Dial-in Access Policy Defines appropriate dial-in access and its use by authorized personnel.

• DMZ Lab Security Policy Defines standards for all networks and equipment deployed in labs located in the demilitarized zone or external network segments.

• E-Mail Retention Helps employees determine what information that is sent or received by e-mail should be retained and for how long.

• Ethics Policy Defines the means to establish a culture of openness, trust, and integrity in business practices.

• Extranet Policy Defines the requirement that third-party organizations requiring access to the organization's networks must sign a third-party connection agreement.

• Information Sensitivity Policy Defines the requirements for classifying and securing the organization's information in a manner appropriate to its sensitivity level.

• Internal Lab Security Policy Defines requirements for internal labs to ensure that confidential information and technologies are not compromised and that production services and interests of the organization are protected from lab activities.

• Internet DMZ Equipment Policy Defines the standards to be met by all equipment owned and operated by the organization that is located outside the organization's Internet firewalls (the demilitarized zone, or DMZ).

• Lab Anti-Virus Policy Defines requirements that must be met by all computers connected to the organization's lab networks to ensure effective virus detection and prevention.

• Password Protection Policy Defines standards for creating, protecting, and changing strong passwords.

• Remote Access Policy Defines standards for connecting to the organization's network from any host or network external to the organization.

• Risk Assessment Policy Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization's information infrastructure associated with conducting business.

• Router Security Policy Defines standards for minimal security configuration for routers and switches inside a production network or used in a production capacity.

• Server Security Policy Defines standards for minimal security configuration for servers inside the organization's production network or used in a production capacity.

• The Third Party Network Connection Agreement Defines the standards and requirements, including legal requirements, needed in order to interconnect a third-party organization's network to the production network. This agreement must be signed by both parties.

• VPN Security Policy Defines the requirements for Remote Access IPSec or Layer 2 Tunneling Protocol (L2TP) virtual private network (VPN) connections to the organization's network.

• Wireless Communication Policy Defines standards for wireless systems used to connect to the organization's networks.



What kind of policy outlines how an organization uses the personal information it collects?

A Privacy Policy is a legal document outlining how your organization collects, uses, and discloses personal information.

What is a written document that states how an organization plans to protect the company?

A security policy is a document that states in writing how a company plans to protect its physical and information technology (IT) assets.

What type of security policy defines what actions the users of a system may perform while using the computing and networking equipment?

A due process policy is a policy that defines the actions users may perform while accessing systems and networking equipment.

What type of control is designed to provide an alternative to normal controls that for some reason cannot be used?

A compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.