1 / 60

Maximizing Security: Essential Policies for Company Protection

Discover why companies need robust security policies to safeguard against threats like hacking, viruses, and data loss. Learn about physical and software methods to enhance security measures, plus the importance of disaster recovery planning.

adamb
Download Presentation

Maximizing Security: Essential Policies for Company Protection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Policies

  2. All companies adopt ICT Security Policies to protect themselves against:- • Bad publicity • Security threats • Loss of data – accidental or deliberate

  3. Consequences. • LOSS of income • LOSS of reputation from customers • Possible LEGAL action against the company [DPA] • Loss of computer time • Wasting staff time sorting out problems

  4. Most companies will have Security Policies in place so that they will comply with the Data Protection Act 1998

  5. What are the Threats? • Terrorism • Natural disasters • Sabotage • Fire • Theft • Viruses • Faulty software • Faulty hardware • Power supply

  6. Natural Disasters • Flood • Earthquake • Storms • Tidal Waves

  7. Threats can be INTERNAL or EXTERNAL EXTERNAL THREATS Natural disasters Hacking Viruses Power Loss INTERNAL THREATS Theft from staff Hardware & software problems

  8. A company can adopt many procedures to reduce risks and threats to its IT systems. Why companies need to have Security policies

  9. The purpose of a disaster recovery plan is to ensure the availability of essential resources (staff, buildings, power, computer equipment) should a disaster occur. The plan will usually cover the possibility of the following happening: Why companies need to have Security Policies

  10. - the total or partial loss of computing equipment • computers or networks failing • - the loss of essential services • such as electricity, heating or air conditioning the loss of certain key employees (e.g., losing all the qualified network staff in one go due to them choosing to form their own facilities organisation) • the loss of maintenance or support services • - the loss of data or software • accidental or intentional loss of data • - the complete or partial loss of the premises housing the IT equipment. • Fire, earthquake or floods • set up a budget for it • How much money can the company allocate to address the issues Why companies need to have Security Policies

  11. likelihood of disaster occurring • Some addresses and locations will be more susceptible to problems such as flooding or earthquakes. Some organisations will have a higher risk threat to terrorism • - produce the plan of what to do if the worst happens • This will be the Security Policy Plan • - produce procedures for minimising the risks • What are the steps taken to reduce the risk of the problem arising • test the plan on a regular basis to make sure it still sufficient • Evaluate and monitor the situation and the procedures in place to implement the policy Why companies need to have Security Policies

  12. Rules on Passwords and user id’s • Access rights • Firewalls • Virus checkers • Encryption • Physical security measures • Backup and restoration strategies • Staff code of conduct • Disciplinary procedures • User Accounts & Logs Factors that should be taken into account when designing security policies

  13. PHYSICAL SECURITY This involves methods used to protect the hardware and software from threats. Usually can be as straight forward as locking the IT rooms and preventing people access to computers and data storage facilities. Factors that should be taken into account when designing security policies

  14. Prevention of misuse • There are TWO main methods available to companies:- • PHYSICAL METHODS • SOFTWARE METHODS Factors that should be taken into account when designing security policies

  15. 1. PHYSICAL METHODS • Controlling access to building or IT rooms - security guards • Serial numbers – Keep a record of all serial numbers of software and hardware • Alarms – Protect computer room with burglar alarms. • Using Locks on computers • Security cameras in IT rooms Factors that should be taken into account when designing security policies

  16. 1. PHYSICAL METHODS • Fire Protection – Use fire doors and smoke alarms • Controlling access to IT rooms, keys, codes or Biometric systems. • Fireproof safes to keep data protected • Prevent use of data storage devices in case of unauthorised copying of data Factors that should be taken into account when designing security policies

  17. 2. SOFTWARE METHODS • All authorised users should be given user names and passwords. This will limit unauthorised access to the network. • Passwords should be un-guessable and should never be told to anyone or written down. Factors that should be taken into account when designing security policies

  18. 2. SOFTWARE METHODS • Users should change their passwords frequently. • Unauthorised access can be reduced by assigning different users different access rights. For example, network managers can be given complete access to the network whilst other users may be limited to certain types of applications software such as word processors. Factors that should be taken into account when designing security policies

  19. OTHER FACTORS • Audit trails for detection • Continuous investigation of irregularities • System Access - establishing procedures for accessing data such as log on procedures, firewalls • Personnel administration • Operational procedures including disaster recovery planning and dealing with threats from viruses • Staff code of conduct and responsibilities • Disciplinary procedures. Factors that should be taken into account when designing security policies

  20. AUDIT TRAIL. • Keep records of all activities carried out by each user. • Records of:- • Number of documents printed. • Times and dates of logging on & off. • WebPages visited and downloaded. • Who has accessed data and who has changed any data

  21. Continuous investigation of irregularities This is a continuous procedure of looking at anything out of the ordinary that has happened. A lot of credit card companies employ this method, if they see any transaction that is extremely high or out of the ordinary, they will usually stop the payment and contact the owner of the card to confirm that the payment is genuine. Companies do this with all transactions carried out. This could flag up any fraudulent activity within the company.

  22. System Access - establishing procedures for accessing data such as log on procedures, firewalls ACCESS RIGHTS Logging on procedures User name & Passwords FILES Read only files - employees can only add data but cannot delete or change existing data. Cannot open files at all USE OF FIREWALL Prevent un-authorised access to the Network from the outside [Hacking]

  23. Personnel administration Making sure that staff respect policies and security issues within the company. Make sure that they are also aware of disciplinary procedure if they were to break any rules. Train Staff on how to use equipment and use data responsibly Staff have the necessary skills or qualifications to carry out the job in hand.

  24. Operational procedures- including disaster recovery planning and dealing with threats from viruses • Screening/checking potential employees. • Make sure that employees don’t download games or music. Not using removable media in work eg USB Memory Stick • Routines to update virus software. • Rotating staff - used to prevent company fraud, less likely that two employees would carry out fraudulent activity together. • Establish a disaster recovery plan.

  25. “It is estimated that most large companies spend between 2% and 4% of their IT budget on disaster recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to function due to loss of IT infrastructure and data. Of companies that had a major loss of business data, 43% never reopen, 51% close within two years, and only 6% will survive long-term.As a result, preparation for continuation or recovery of systems needs to be taken very seriously. This involves a significant investment of time and money with the aim of ensuring minimal losses in the event of a disruptive event”

  26. 18,000 small business affected or displaced by 9/11 Many did not recover due to lack of Planning

  27. The goal of the disaster recovery plan (DRP) is to plan responses to possible disasters, providing for partial or complete recovery of all data, application software, network components, and physical facilities. Disaster Recovery Plans (DRP)

  28. It doesn’t matter how careful companies can be there is always a chance that data could be lost by accident. • Remember hardware can be bought again, but it would be virtually impossible to regain lost data. • In nearly 50% of cases businesses have gone out of business when they experienced a major data loss due to a disaster, losing data such as:- • Customers databases • Product databases • Supplier databases • Transaction and invoice databases • Staff details BACKING UP

  29. BACKUP STORAGE DEVICES • Data can be backed up regularly on to suitable Media. • Floppy disks • Magnetic Tape • Optical Media [CDRW,DVDRW] • Flash drives • Magnetic Disk

  30. Types of procedures to do with backing up data • Use a different tape or disk each day and have a system for rotating them, so that there is always a copy to restore with minimum chance of data loss. [Grandfather, Father and Son method] • Make one person responsible for the taking of backups so that it doesn’t get forgotten or someone leaving it because they think someone else is responsible. • The type of backup to be taken such as full, incremental or differential depending on how many items of data change. • How often the backups should be taken such as continuously, every hour, every day, etc.

  31. Types of procedures to do with backing up data • The backup medium/devices used such as magnetic tape/disk, etc., depending on the speed with when they want to recover the data • Who should be responsible for the taking and storage of backups – so that they are treated as high priority. • Where the backup is to be held/stored – off-site, in fireproof safe, transferred using the internet, depending on cost and the likelihood of a fire, etc., occurring, etc.

  32. Procedures that can be used:- • Backup and recovery procedures. • Backups to storage media • RAID system - Redundant Array of Inexpensive Disc. • Grandfather, Father, Son systems • Backing up programme Prevention of accidental misuse.

  33. RAID SYSTEM Data can be backed up or written simultaneously to several disks. Four copies of data could be backed up at the same time. Two might be kept in the same room as the computer system and another two at another location in case of fire or theft. If one disk fails there is a chance that the other disks are OK BACKING UP RAID system Redundant Array of Inexpensive Disks

  34. Four generations of file are kept, before the oldest is overwritten.  Two copies of the master file and each transaction file are kept.  One pair is in a fireproof safe, and the other pair is off-site. Backing up is tedious, but well worth it.  However in small organizations it can be tempting to take short-cuts.  Just putting the back-up media into a fireproof safe in the office is no good.  What would the company do if some thieves nicked not just the computer, but also the safe?  It has happened. Backing up Grandfather, Father, Son system

  35. Monday [Son] Tuesday [Son] New Tape used Tape 1 Tape 2 TAPE 1[Backup is ONE day old] becomes FATHER Grandfather, Father, Son system

  36. Wednesday [Son] New Tape used Tape 3 TAPE 1[Backup is TWO days old] becomes GRANDFATHER TAPE 2[Backup is ONE day old] becomes FATHER Grandfather, Father, Son system

  37. Thursday [Tape 1 is Son again] Tape 1 used again to start again to write over. Tape 1 TAPE 3[Backup is ONE day older] becomes FATHER TAPE 2[Backup is TWO days older] becomes GRANDFATHER Grandfather, Father, Son system

  38. Tape 2 used again to write over. Friday [Tape 2 is Son again] Tape 2 TAPE 1[Backup is TWO days older] becomes FATHER TAPE 3[Backup is ONE day older] becomes GRANDFATHER Grandfather, Father, Son system

  39. In some case there are people who will attempt to deliberately damage IT systems. These could be unhappy employees, hackers, virus writers. Companies have to plan for deliberate misuse or crimes against their IT systems. Prevention of deliberate misuse

  40. Methods used to reduce risk:- • Control access to rooms. • Encryption methods used when transferring Data • Establish Firewalls • Proxy servers • Physical security on hardware and software. • Security of documents and filing systems Prevention of deliberate misuse

  41. Control access to rooms. This involves methods used to protect the hardware and software from threats. Usually can be as straight forward as locking the IT rooms and preventing people access computers and data storage facilities. Prevention of deliberate misuse

  42. Encryption of data. When data is sent over the internet, there is a chance that it could be intercepted and be used for illegal purposes. In this case data is usually encrypted - scrambled, and when the receiver receives the information he would have software with a password that would decipher the data so that it can be understood, Prevention of deliberate misuse

  43. Proxy Servers Proxy servers can be used to control what the user can do on a network. The Proxy Server could block or allow access to certain web pages. Can also include filtering software so that employees keep to the IT policy of the company - games sites restricted. Prevention of deliberate misuse

  44. Access Rights Only people that have authority are able to access the computer system and specific data, This can be done by the use of Passwords. Biometric devices - facial scanning, retina scan, fingerprinting scan. Advantages of these methods are that they are much more secure. Passwords can be given to other people or guessed. Some users would only be allowed to access certain files, these could be ‘Read Only’. Depends on what job you do in the company. Prevention of deliberate misuse

  45. Physical protection Access to IT rooms controlled with locks etc Computer hardware locked and wired to desks so that you cannot remove them. Use of biometric devices to open data and computers. Locks on drives to prevent unauthorised use of USB storage devices and data being copied Firewalls to prevent hackers Prevention of deliberate misuse

  46. Secure Document Filing Important that printed documents are not left out for unauthorised people to view. Unwanted paper documents should be shredded Laptops can be stolen from cars and the data accessed. Prevention of deliberate misuse

  47. Why have a Risk Analysis? - Companies will have to work out what risks will be involved in their security, and how likely they are to happen. - Flooding area, Terrorism, - Consideration will be given to the consequences of these risks. Will the effects be LONG TERM or SHORT TERM? - They will also consider what can be done to reduce these risks and what can be done within reason and financial costs to minimise the problems. - Companies will assess how well equipped they are to cope with these risks Risk Analysis

  48. RISK ANALYSIS • In order to perform a Risk Analysis the company will consider the following factors:- • What could happen to Hardware & Software • What could happen to Staff and employees • What could happen to Data Risk Analysis

  49. Consequences to company! All of these could have serious effect on the company:- -Bad reputation from customers -Cash flow problems -Delivery problems -Stock problems - lack of stock, resulting in unhappy customers Risk Analysis

  50. Short Term Consequences -Staff would have to concentrate on trying to resolve the situation -Possible loss of money because orders weren't coming in, also company having to pay compensation if customers complained. -Bad reputation – customers not happy and spreading the word -Possible legal action if personal data of customers was disclosed to outside agencies. [Data Protection Act] Risk Analysis

More Related