
Introduction

Just as there are myriad threats to system and network security, there are many security solutions. They run the gamut from improved user education, through technology, to writing bug-free software. Most security professionals subscribe to the theory of defense in depth, which states that more layers of defense are better than fewer. This theory applies to any kind of security.

Policies vary widely, but generally include a statement of what is being secured. For example, a policy might state that all externally accessible applications must have a code review before being deployed, that users must not share their passwords, or that all connection points between the company and the outside must have port scans run every six months. Without a policy in place, it is impossible for users and administrators to know what is permissible, what is required, and what is not allowed. The policy is a road map to security: if a site is trying to become more secure, it needs a map to know how to get there.

As computer networks become more complex and corporate resources become more distributed, the need to improve information security is increasing. While most organizations begin by deploying a number of individual security technologies to counteract specific threats, the adoption of the Internet as the foundation for e-business has turned security into an enabling technology that is required for business success. At some point there is a clear need to tie together the techniques and technologies that both protect and enable the business through a security policy: a thoughtful and consistent management approach to security practices across the organization.

Today, many multinational companies (MNCs) have an Information Security Office in each region, which performs several functions to develop their security-related policy:

1) Development of information security policy to prevent attacks from outside or inside.
2) Administration of system access.
3) Conducting awareness, training and education.
4) Monitoring of intrusion detection, investigation and response.

Need for the security policy

The essence of a security policy is to establish standards and guidelines for accessing corporate information and application programs. Typically, organizations start with informal and undocumented security policies and procedures; but as the enterprise grows and the workforce becomes more mobile and more diverse, it becomes especially important, even necessary, for security policies to be documented in writing. Doing so helps avoid misunderstandings and ensures that employees and contractors know how to behave. Furthermore, a security policy facilitates internal discussion about security and helps everyone become more aware of potential security threats and the associated business risks. A written policy generally tends to enhance the performance of the security systems and the e-business applications they support. A deciding consideration is that having a written security policy may be required by law. Every company should have the physical aspects of security well taken care of, but if staff are not educated on the Information Security Policies, their lack of education, awareness and training can result in confidential information simply walking out the front door. It is therefore very important that Information Security Policies be implemented and that all staff be educated and trained in them.

Security policy

Access control

Users need a valid user ID and password to access the GDI network. CSM can choose to restrict access to stand-alone, non-networked computers in a similar manner. Passwords must be strong: for example, six to ten characters, mixing upper and lower case, including numbers, not containing any personal name or surname, and not a simple word.
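The password rules just listed can be turned into an enforceable check. The following is an added example, not code from the page or from GDI; the 6-10 character range and the other rules are taken from the text above, while the account list, the user names and the `check_password` and `audit_accounts` helpers are constructed for illustration.

```python
import re

# Rules as stated in the GDI access-control policy; the 6-10 character
# range is the page's own figure, not a recommendation added here.
MIN_LEN, MAX_LEN = 6, 10

def check_password(password, personal_names=()):
    """Return the list of policy rules the password violates; [] means compliant."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("must contain an upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("must contain a lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("must contain a digit")
    lowered = password.lower()
    for name in personal_names:
        # Names shorter than three characters would match almost anything.
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"must not contain the personal name '{name}'")
    return problems

def audit_accounts(accounts):
    """accounts: {user_id: (password, (first_name, surname))}.
    Returns {user_id: [violations]} for the non-compliant accounts only."""
    return {uid: v for uid, (pw, names) in accounts.items()
            if (v := check_password(pw, names))}

# Constructed sample accounts (hypothetical users, not from the page).
SAMPLE_ACCOUNTS = {
    "mrossi":   ("Rossi2024", ("Mario", "Rossi")),   # contains the surname
    "jdoe":     ("Qt7hW3kz", ("Jane", "Doe")),       # compliant
    "abianchi": ("password", ("Anna", "Bianchi")),   # no upper case, no digit
    "lverdi":   ("Lv9", ("Luca", "Verdi")),          # too short
}

if __name__ == "__main__":
    for uid, violations in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(uid, "->", "; ".join(violations))
```

Running the block reports `mrossi`, `abianchi` and `lverdi` with the rule each breaks; `jdoe` is silent because the password satisfies every rule. The name check is case-insensitive because the policy forbids the name in any form, not only as typed.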

Only authorized GDI security staff, administrators or IT staff should assign and maintain login accounts, e-mail addresses, authentication devices and digital certificates across the various computer systems and networks. If customers will be allowed to access the company's computer systems and network, CSM will need to define the conditions for their access.

Remote access and telecommuting

GDI should define who will be permitted to access the company network remotely. The security manager is usually responsible for authorizing remote access for telecommuting workers, sales people and others with a valid business need. When users walk away from their desks, their logged-on computers present a network security risk. Many users have their own personal computers; CSM should define the circumstances under which users are permitted to bring personal computers into the office. It is generally not a good idea to allow non-network communications between personal computers on the company network, and especially not with computers outside the company.

Electronic mail

The Company Security Manager recommends specific e-mail encryption tools and techniques, together with guidelines for managing public and private encryption keys. CSM should point out to employees that their e-mail messages are corporate information and may be scrutinized by corporate management. Received e-mail messages tend to accumulate and take up valuable storage space; CSM may define rules for when un-needed messages should be purged and what users' responsibilities are in this area. Old messages should be deleted automatically. It is also appropriate to define the corporate backup policy with respect to users' messages.

Laptops, notebooks and Handhelds

All portable computers used by mobile professionals require both physical and electronic security precautions. We might want to suggest techniques such as using a locking cable, an alarm, and never leaving portable computers unattended, to prevent theft. If portable devices are shared by multiple people, we should define who will maintain the inventory records for these devices.

Software security

CSM needs to know about the accessibility of application software and its data, licensing issues, antivirus software and software updates. Where application software is accessible to anyone on the network, CSM needs to ensure that employees understand and follow the terms of the license agreements. Employees are not permitted to create copies of company-purchased software for their personal or professional use.

Internet security

Widespread desktop Internet connectivity through e-mail, the Web and other services creates new business opportunities but carries associated security risks. Files downloaded or received as e-mail attachments need to be checked for computer viruses before use. CSM may want stricter control of downloaded application programs, perhaps requiring them first to be tested on isolated, non-networked computers to be sure they do not delete files or otherwise damage the machine involved. Users may also attach sensitive information to e-mail messages, enter it into web page forms or upload it to remote servers via FTP.

Network security

All connections from the Internet to the company intranet should be protected by firewall systems or by a router that denies services not explicitly permitted. In addition, CSM may decide to configure the firewall to pass only the services that can be offered securely. For example, the security manager may want to permit DNS, TCP, mail and news feeds from specific news servers, but to block all ping queries and non-authenticated Telnet log-ins. The network security policy should define who has responsibility for maintaining and configuring the network's routers and firewalls, emphasizing the need for strict access control for these systems. When connecting separate company LANs or WANs, you may also want to require the use of firewalls to isolate them and make their information available only to certain employees on a need-to-know basis. Any virtual private network (VPN) connections over the insecure Internet should use encryption to ensure the privacy and integrity of the information.

Physical security

The security manager may want to consider methods such as cables, locks and bolts used to attach equipment to desktops, preventing users from removing computer workstations and their peripherals. Web servers and workgroup servers should be isolated and made accessible only to system administrators and appropriate IT staff. Depending on the nature of the information stored on the servers, it may be appropriate to locate them in a locked room.

Auditing and monitoring

GDI should maintain an audit trail of user activity at firewalls and on Web application servers. Audit trail log files should be examined on a regular basis by security staff to determine whether unauthorized activity has taken place; these log files should typically be archived for a year or so. Network monitoring tools can be used to sound alarms alerting security staff when suspicious activity occurs. Copies of backup media should be stored off-site, far enough away to minimize the risk of damage from the same natural or man-made disaster. Off-site storage facilities should follow appropriate industry practice and provide adequate environmental controls.

Wireless security

This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to any DoIT network. Only wireless systems that meet the criteria of this policy, or have been granted an exclusive waiver by the Director of EIS, are approved for connectivity to DoIT's networks. The policy covers all wireless data communication devices connected to any of DoIT's internal networks, including any form of wireless communication device capable of transmitting packet data. Wireless devices and networks that do not connect to DoIT's networks do not fall under the purview of this policy. All wireless Access Points / Base Stations connected to the network must be registered and approved by DoIT, and all approved Access Points / Base Stations are subject to periodic penetration tests and audits.
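The Network security section above asks for a firewall that denies services not explicitly permitted, with DNS, mail and news feeds from specific news servers allowed and ping and Telnet blocked. The following added example (not code from the page or from any firewall product) models that policy as an ordered rule list evaluated over a constructed set of packets, and contrasts the page's default-deny stance with a block-list that permits by default. The `Packet` and `Rule` classes, the news server address 203.0.113.10 and the sample packets are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # 0 for icmp
    icmp_type: str = ""   # e.g. "echo-request" (ping)

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    src: Optional[str] = None        # CIDR; None matches any source
    icmp_type: Optional[str] = None

    def matches(self, pkt):
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True

def evaluate(pkt, rules, default):
    """First matching rule wins; the default applies when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

NEWS_SERVER = "203.0.113.10/32"   # constructed address of the approved news feed

# The page's policy expressed as permits; everything else is denied by default.
PERMITTED = [
    Rule("permit", "udp", 53),                    # DNS
    Rule("permit", "tcp", 53),                    # DNS over TCP
    Rule("permit", "tcp", 25),                    # mail
    Rule("permit", "tcp", 119, src=NEWS_SERVER),  # news feed, specific server only
]

# The same intent written as a block-list with permit-by-default (the weaker form).
BLOCKED = [
    Rule("deny", "icmp", icmp_type="echo-request"),   # ping
    Rule("deny", "tcp", 23),                          # Telnet
]

# Constructed sample traffic; addresses are documentation ranges.
SAMPLE = {
    "dns":        Packet("198.51.100.7", "udp", 53),
    "mail":       Packet("198.51.100.7", "tcp", 25),
    "news-ok":    Packet("203.0.113.10", "tcp", 119),
    "news-other": Packet("198.51.100.7", "tcp", 119),
    "ping":       Packet("198.51.100.7", "icmp", icmp_type="echo-request"),
    "telnet":     Packet("198.51.100.7", "tcp", 23),
    "smb":        Packet("198.51.100.7", "tcp", 445),  # never mentioned in the policy
}

def default_deny_verdicts():
    return {name: evaluate(p, PERMITTED, "deny") for name, p in SAMPLE.items()}

def blocklist_verdicts():
    return {name: evaluate(p, BLOCKED, "permit") for name, p in SAMPLE.items()}

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:11} default-deny={default_deny_verdicts()[name]:7} "
              f"block-list={blocklist_verdicts()[name]}")
```

Under the default-deny list, ping and Telnet are denied without a rule naming them, a news feed from an unapproved source is denied, and a service the policy never considered (SMB on port 445) is denied too. The block-list only stops what it was told about and lets the unconsidered SMB packet and the foreign news feed through, which is why the page's "deny services not explicitly permitted" wording matters.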

Real-time Threat Management


The objective of real-time risk management (RTRM) is to proactively harden IT assets to protect them from all types of attacks, including APTs. For instance, APTs may persuade organizations to turn on advanced features in endpoint security software or to monitor more closely the storing and copying of sensitive data. This is no longer enough. Risk management and incident prevention should remain top priorities, but CIOs, CISOs and executive managers should work under the assumption that their organizations will be compromised. This means RTRM must be complemented with the right processes and tools for emergency response. Remember that the primary objective of any emergency response effort is fairly simple: minimize the impact of a security attack. To reach this goal, large organizations need to be able to detect sophisticated, targeted attacks as quickly as possible. This raises an obvious question: how can the security team detect these attacks when APTs are designed as undetectable low-and-slow attacks? ESG believes that defending against APT-like attacks is difficult, but not impossible. To accomplish this, RTRM must be aligned with a new complementary service: Real-time Threat Management (RTTM). RTTM goes beyond basic situational awareness about vulnerabilities and traditional malware threats.

Improved network monitoring. RTTM is designed with APTs in mind and carries specific filtering rules and correlation engines. Network traffic is analyzed in a multitude of ways, looking for specific behavior that may be indicative of a sophisticated threat.

(a) Visibility across extended networks: CSM cannot protect what it cannot see, and new, extended networks exacerbate the problem. Sourcefire's FireSIGHT technology gives total visibility into everything on the network: physical and virtual hosts, operating systems, users, content, applications, network behavior, services, protocols, as well as network attacks and malware. With total visibility, GDI gains the contextual awareness to correlate extensive amounts of data about the IT environment and make more informed security decisions, for instance before an attack.

(b) Keep pace despite resource constraints: CSM needs to work smarter, not harder. Sourcefire's intelligent automation not only enhances security but also lowers GDI's total cost of ownership. Awareness fuels intelligent security automation, so CSM can optimize defenses and resolve security and compliance events more quickly and easily with automated protection policy updates.

(c) Dynamic protection for changing environments: Sourcefire provides a vast library of rules to speed deployment and protection. Rules can be automatically recommended for GDI's unique environment, but CSM also has the power to create new rules and signatures, modify existing rules and leverage third-party rules. The collective security intelligence of a vast community of users, significant research and development, and a large pool of security experts gives broad, up-to-the-minute protection to stay ahead of the latest threats.

(d) Reduce risk with application control: Today's dynamic cloud and web-based applications circumvent traditional defenses and evade existing protections. Application control is a critical component of threat prevention before an attack. Sourcefire's solutions improve visibility and control, enforce mobile security policies, neutralize social media threats and reclaim bandwidth so you can balance access with protection.

Structure of security policy

The GDI security policy is signed by the CEO and defines the lines of authority and the division of work. These are the two principal characteristics that determine the responsibilities of each individual member of GDI. An organization is a composite structure made up of units that can themselves be divided into even smaller units.

(1) Roles based on supervision
(a) Seniority
(2) Roles based on function
(a) Qualification
(b) Function
(c) Work-process
(3) Roles based on the market
(a) Market/Customer/Client
(b) Product/Service
(c) Location
(d) Time

GDI will log all security-relevant events and exceptions. IT will be responsible for maintaining event logs, which will be retained for at least one year with at least three months of on-line retention. CSM will monitor event logs at periodic intervals not exceeding one week; automated log analysis and alerting will suffice for this provision.

Event logs will contain:
(a) User IDs used in log-on
(b) Dates and times of log-on and log-off for each user
(c) Terminal identity (system name and network address)
(d) Successful and rejected access attempts
(e) Any access to Member data (account numbers)

Monitoring system use means using information processing facilities to detect unauthorized activities and to ensure that users are only performing the functions and gaining access to the information for which they are authorized. Areas eligible for monitoring include:
(a) Authorized access: (1) User IDs (2) Date and time of key events (3) Types of events (4) Files accessed
(b) Privileged operations: (1) Use of supervisor accounts (2) Use of other privileged accounts (e.g. Administrator) (3) System start-up and shutdown (4) Device attachment and removal
(c) Unauthorized attempts: (1) Failed access attempts (2) Access policy violations and notifications for network gateways and firewalls
(d) System alerts or failures: (1) Console alerts or messages (2) System log exceptions (3) Network management alarms

Event and security logs must be protected to assure their accuracy and to protect them against tampering or misuse by third parties. All original logs must be kept unaltered; extracted log events shall be kept separately from the original logs.

Clock synchronization

GDI will use a common method to ensure that all system clocks are synchronized. This ensures the accuracy of the audit logs and protects the integrity and credibility of any logs that might need to be used as evidence in future.

E-mail and Internet access monitoring

E-mail and Internet access systems are to be used primarily for company business. GDI reserves the right to access e-mail systems at any time, with or without advance notice or the consent of the employee. Employees of GDI should not have an expectation of privacy in their e-mail messages, or in computers or computer storage devices. All Internet data composed, transmitted or received by GDI computer communications systems is considered part of the GDI official record and, as such, may be subject to disclosure to third parties.
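The event-log contents and monitoring areas listed above (user IDs, log-on times, terminal identity, failed attempts, privileged-account use, Member data access) and the requirement that original logs be kept unaltered can be exercised together. The following added example is not the page's or GDI's code: it parses a constructed log in a hypothetical format, applies the automated review the policy permits (repeated failed log-ons, use of a privileged account, access to Member data), and shows one way to make an archived log tamper-evident, a SHA-256 hash chain, which the page asks for in effect ("protected against tampering") but does not name. The log format, the thresholds, the user names and the `review`, `chain_digests` and `first_tampered` helpers are assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format:
# <ISO time> <user id> <terminal name> <terminal address> <event> [detail]
SAMPLE_LOG = """\
2024-03-04T08:01:10 jdoe WS-17 10.0.5.17 LOGON_OK
2024-03-04T08:02:30 jdoe WS-17 10.0.5.17 MEMBER_DATA_ACCESS acct=000123
2024-03-04T08:40:02 mrossi WS-22 10.0.5.22 LOGON_FAIL
2024-03-04T08:40:15 mrossi WS-22 10.0.5.22 LOGON_FAIL
2024-03-04T08:40:31 mrossi WS-22 10.0.5.22 LOGON_FAIL
2024-03-04T08:41:00 mrossi WS-22 10.0.5.22 LOGON_OK
2024-03-04T09:15:44 Administrator SRV-DB 10.0.1.5 PRIV_USE cmd=service-stop
2024-03-04T17:02:11 jdoe WS-17 10.0.5.17 LOGOFF
"""

FAIL_THRESHOLD = 3                  # assumed: failed log-ons per user ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window raise an alert
PRIVILEGED = {"Administrator", "root"}

def parse(text):
    """Split each line into the fields the policy requires a log entry to carry."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, addr, event, *rest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "terminal": terminal, "addr": addr, "event": event,
                       "detail": " ".join(rest)})
    return events

def review(events):
    """Automated review: returns (alert, user, where) tuples for the weekly check."""
    alerts = []
    recent_fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            window = recent_fails[e["user"]]
            window.append(e["ts"])
            # Keep only failures inside the sliding window.
            window[:] = [t for t in window if e["ts"] - t <= FAIL_WINDOW]
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("repeated-failed-logon", e["user"], e["terminal"]))
                window.clear()
        if e["event"] == "PRIV_USE" or e["user"] in PRIVILEGED:
            alerts.append(("privileged-account-use", e["user"], e["terminal"]))
        if e["event"] == "MEMBER_DATA_ACCESS":
            alerts.append(("member-data-access", e["user"], e["detail"]))
    return alerts

def chain_digests(lines, seed="constructed-seed"):
    """Hash-chain the lines: each digest covers the line and the previous digest,
    so editing, inserting or deleting any line changes every later digest."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    digests = []
    for line in lines:
        prev = hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest()
        digests.append(prev)
    return digests

def first_tampered(lines, digests, seed="constructed-seed"):
    """Index of the first line whose stored digest no longer matches, or None."""
    recomputed = chain_digests(lines, seed)
    for i, (fresh, stored) in enumerate(zip(recomputed, digests)):
        if fresh != stored:
            return i
    if len(recomputed) != len(digests):   # truncated or extended log
        return min(len(recomputed), len(digests))
    return None

if __name__ == "__main__":
    for alert in review(parse(SAMPLE_LOG)):
        print(alert)
    lines = SAMPLE_LOG.splitlines()
    stored = chain_digests(lines)
    lines[6] = lines[6].replace("Administrator", "jdoe")   # simulate an edit
    print("first tampered line:", first_tampered(lines, stored))
```

The digest list would be stored separately from the original log (the page requires extracted material to be kept apart from the originals), so that an edit to the archived file is detectable at the exact line where it starts. Clock synchronization, required in the next section, is what makes the five-minute window meaningful across terminals with different clocks.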

IMPLEMENT THE SECURITY POLICY

Communicate the policy: once CSM has written the security policy, it needs to be put in place within the organization. It will be necessary to ensure that all contractors, employees and other personnel who can access the company network not only understand the policy but also follow it. As with any good marketing program, the benefits of the product need to be articulated; in this case the product is security. Keep in mind that the security policy will evolve and change, so it pays to devise standard ways of communicating policy changes to the organization, such as regular security meetings, company newsletter articles or written security policy updates. Communicating the policy also makes it easier to identify individual responsibilities, which in turn usually makes the policy easier to enforce. An underlying objective of all this recurring communication is to make sure that everyone is thinking about system and computer security, including VPN use, and understands their role in keeping the business successful.

Enforce the policy: administering the security policy may require allocating additional human resources. The IT or security staff will likely have new responsibilities for access control and authentication. They will need to manage user accounts, passwords, digital certificates and two-factor authentication devices. They will need to install and use network security tools to watch for suspicious activity. Such tools will also help them proactively test and verify servers, firewalls and routers to identify security holes.

