Practical – 4
Aim: Protect your personal computer system by creating a secure User Accounts policy for safety
and security.
Security policies are a formal set of rules which is issued by an organization to ensure that the user
who are authorized to access company technology and information assets comply with rules and
guidelines related to the security of information. It is a written document in the organization which is
responsible for how to protect the organizations from threats and how to handles them when they
will occur. A security policy also considered to be a "living document" which means that the
document is never finished, but it is continuously updated as requirements of the technology and
employee changes
In a way they are the regulatory of the behaviors of your employees towards the use of technology
in the workplace, that can minimize the risk of being hacked, information leak, internet bad usage
and it also ensures safeguarding of company resources.
In real life you will notice the employees of your organization will always tend to click on bad or virus
infected URL’s or email attachments with viruses.
Role of the Security Policy in Setting up Protocols
Following are some pointers which help in setting u protocols for the security policy of an
organization.
Who should have access to the system?
How it should be configured?
How to communicate with third parties or systems?
Policies are divided in two categories −
User policies
IT policies.
User policies generally define the limit of the users towards the computer resources in a workplace.
For example, what are they allowed to install in their computer, if they can use removable storages.
Whereas, IT policies are designed for IT department, to secure the procedures and functions of IT
fields.
General Policies − This is the policy which defines the rights of the staff and access level to
the systems. Generally, it is included even in the communication protocol as a preventive
measure in case there are any disasters.
Server Policies − This defines who should have access to the specific server and with what
rights. Which software’s should be installed, level of access to internet, how they should be
updated.
Firewall Access and Configuration Policies − It defines who should have access to the
firewall and what type of access, like monitoring, rules change. Which ports and services
should be allowed and if it should be inbound or outbound.
� Backup Policies − It defines who is the responsible person for backup, what should be the
backup, where it should be backed up, how long it should be kept and the frequency of the
backup.
VPN Policies − These policies generally go with the firewall policy, it defines those users who
should have a VPN access and with what rights. For site-to-site connections with partners, it
defines the access level of the partner to your network, type of encryption to be set.
Structure of a Security Policy
When you compile a security policy you should have in mind a basic structure in order to make
something practical. Some of the main points which have to be taken into consideration are −
Description of the Policy and what is the usage for?
Where this policy should be applied?
Functions and responsibilities of the employees that are affected by this policy.
Procedures that are involved in this policy.
Consequences if the policy is not compatible with company standards.
Types of Policies
In this section we will see the most important types of policies.
Permissive Policy − It is a medium restriction policy where we as an administrator block just
some well-known ports of malware regarding internet access and just some exploits are
taken in consideration.
Prudent Policy − This is a high restriction policy where everything is blocked regarding the
internet access, just a small list of websites are allowed, and now extra services are allowed
in computers to be installed and logs are maintained for every user.
Acceptance User Policy − This policy regulates the behavior of the users towards a system or
network or even a webpage, so it is explicitly said what a user can do and cannot in a
system. Like are they allowed to share access codes, can they share resources, etc.
User Account Policy − This policy defines what a user should do in order to have or maintain
another user in a specific system. For example, accessing an e-commerce webpage. To
create this policy, you should answer some questions such as −
o Should the password be complex or not?
o What age should the users have?
o Maximum allowed tries or fails to log in?
o When the user should be deleted, activated, blocked?
Information Protection Policy − This policy is to regulate access to information, hot to
process information, how to store and how it should be transferred.
Remote Access Policy − This policy is mainly for big companies where the user and their
branches are outside their headquarters. It tells what should the users access, when they
can work and on which software like SSH, VPN, RDP.
� Firewall Management Policy − This policy has explicitly to do with its management, which
ports should be blocked, what updates should be taken, how to make changes in the
firewall, how long should be the logs be kept.
Special Access Policy − This policy is intended to keep people under control and monitor the
special privileges in their systems and the purpose as to why they have it. These employees
can be team leaders, managers, senior managers, system administrators, and such high
designation based people.
Network Policy − This policy is to restrict the access of anyone towards the network
resource and make clear who all will access the network. It will also ensure whether that
person should be authenticated or not. This policy also includes other aspects like, who will
authorize the new devices that will be connected with network? The documentation of
network changes. Web filters and the levels of access. Who should have wireless connection
and the type of authentication, validity of connection session?
Email Usage Policy − This is one of the most important policies that should be done because
many users use the work email for personal purposes as well. As a result information can
leak outside. Some of the key points of this policy are the employees should know the
importance of this system that they have the privilege to use. They should not open any
attachments that look suspicious. Private and confidential data should not be sent via any
encrypted email.
Software Security Policy − This policy has to do with the software’s installed in the user
computer and what they should have. Some of the key points of this policy are Software of
the company should not be given to third parties. Only the white list of software’s should be
allowed, no other software’s should be installed in the computer. Warez and pirated
software’s should not be allowed.
