Security Policy


A security policy defines the roles and responsibilities related to information access, and the procedures governing how this access is monitored and maintained over time. It will be highly dependent on your existing business rules, but will be affected by the transition into the electronic space. Typically, an organization will evolve their security policy when mission-critical business components like client contacts, timesheets, and communication systems are integrated into their intranet. Decentralized offline access and administration processes become centralized and formalized when this happens.

Developing your intranet security policy can be a complex task, more so as the systems integrated within your intranet and user numbers increase. It may also be affected by your existing security infrastructure, IT policies, and actual deployment of your intranet in context with these. Some companies have security officers who handle all aspects of security. If your company doesn't have one, your IT team will be able to tell you more about this.

"Developing your intranet security policy can be a complex task, more so as the systems integrated within your intranet and user numbers increase."

The other things you need to consider are legal, social, and regulatory requirements that apply to your specific business, industry, and geographic location. Allowing private customer data to be obtained can constitute a breach of contract with customers, and can cause serious hassles for any organization. In more serious cases, some courts might view your company as being party to criminal activity. Compromised security can obviously have significant consequences in these instances.

Your security policy should be a written document that has been approved by senior management and the head of your IT department. It will typically be a document of much breadth and depth. Some of its major components should be:

  • A list of categorized user groups according to departments, groups, lines of business, and hierarchy (staff, management, senior management, executive, etc.). Note that this will make long-term maintenance much easier than defining access permissions for individual users.

  • Defined content types and functional areas. These should be cross-referenced with the user groups that will have access to them.

  • A maintenance procedure for adding, editing, and deleting user profiles when their roles change (applies to new employees, departing employees, promotions, changing responsibilities). In larger organizations, this should include a process for requisition, approval, implementation, and confirmation of changes.

  • A procedure for backing up the intranet. This should include technical details, as well as handling responsibility and storage policies. If the data is backed up to tape and that tape can be carried outside in someone's back pocket, then there is a problem with the security policy. Remember that the intranet's entire security is only as strong as its weakest point.

  • A procedure for recovering the intranet from a backed-up copy when necessary. This should include information about what backup to use, how to manage the change, what the roles and responsibilities of the involved personnel will be, and the communication channel for informing the right stakeholders about what's going on.

  • A monitoring procedure for real-time tracking of system usage, and for regular auditing of log files. This may involve purchasing an Intrusion Detection System. Some leading vendors in this area are:

    • http://www.iss.net

    • http://www.intellitactics.com

    • http://www.tamos.com

    • http://www.nokia-intrusion-detection.com

    • http://www.gfisoftware.com

    • http://www.enterasys.com

  • Emergency response procedure for if and when the system's integrity is compromised, detailing who should be contacted and what steps should be followed.

  • An improper use procedure for when a system administrator discovers the intranet is being abused by an employee.

  • Proper guidelines for using Instant Messenger applications (something that is not secure), and alternative solutions (internal deployments) for employees who do want to chat online in real time about sensitive matters.

  • Regulations for use of digital signatures using PKI (Public Key Infrastructure) and/or PGP (Pretty Good Privacy) and the storage of encrypted messages and keys.

  • Employee security policy education form. This should be a document that every employee signs upon implementation of the policy, or upon starting employment afterwards. It should clearly communicate what the security policy is, what acceptable use is, and where ownership of intellectual property resides.

  • Guidelines for choosing appropriate passwords to prevent social engineering compromises (someone successfully guessing a password that is a husband's mother's maiden name) and handling procedures (nobody should affix Post-it notes to their monitors with their password on it).

Security Framework

A security framework is your organization's identity directory and access management system. It will serve as the architectural basis of your security policy. The framework should allow for flexible, intelligent growth of your intranet over time by providing a centralized authentication system for future systems to integrate with. Instead of synchronizing directories across multiple systems, or making them redundant, a single system can be used to increase the effectiveness and efficiency of your security policy. This system, a directory service that includes profiles of each user and their access privileges (defined by individual and group permission levels), would then be accessed by various components of your intranet (perhaps on multiple systems).

The Benefits of Security You Need to Know

The theory is that the cost of implementing a security policy is less than the cost of dealing with a security breach. The truth of the matter is that you don't ever want to really be in a position to disprove that theory. If you're an advocate of insurance for your car, your house, or your health, then you're likely to be an advocate of intranet security too. Some of the benefits to securing your intranet are:

  • Preventing malicious hackers from illegally accessing, destroying, or corrupting data

  • Preventing hackers from illegally accessing and stealing sensitive personal and corporate data

  • Preventing corporate intelligence-gathering (a nice way of phrasing corporate espionage) by hackers employed by rival companies

  • Reducing the risk of denial of service (DoS) attacks

  • Reducing performance problems and down-time caused by hackers and their processes

  • Reducing the risk of improper use of IT systems by internal users

  • Reducing the risk of privacy violations in regard to your clients and staff. This may be in accordance with fiduciary and other legal responsibilities in some jurisdictions.

  • Allowing users to access the intranet from outside the organization through Virtual Private Networking (VPN)

  • Preventing inappropriate use of system resources which may be inconsistent with business needs as they apply to some users

  • Preventing virus attacks in many cases (though this will largely rely on enterprise security issues)


What Level of Security do We Need?

Some level of security should always be in place, but there are situations where a lesser degree of implementation is acceptable. If your intranet is being deployed on a network that is not connected to the Internet and no sensitive data is being placed on it, then there is no need for more than a basic level of security. If all users can access all the data, then the only consideration to take into account is in regard to adding, editing, and deleting the information.

Sometimes users will unknowingly or consciously manipulate data on an intranet. To prevent this, have the system administrator set basic file/directory permissions to allow all users "read privileges" but only administrators "write privileges." This will ensure that the integrity of the data remains constant.

If the intranet will be on a network that is connected to the Internet and no specialized security precautions are taken, your intranet will only be as secure as the weakest point in your network. If a firewall is in use and improperly configured (a very common occurrence), then that would be the likeliest source of any possible trouble.

In a situation where the intranet is wide open, be very hesitant about placing sensitive information on it. In the event of a security breach, data loss would then not be as damaging. One option to consider is segregating your more valuable data on a separate machine that can only be accessed by a highly-secure connection from a pre-defined location (the IP address of an internal network machine, for example).

If the budget and schedule allow for it, define a security policy when implementing your intranet. Even if you don't build it out into a framework and start using it, this will provide a basis for future growth and development. When the time is right, there will then be a number of technology options for developing the framework.

Intranet Security Options

In a perfect world, you will have a properly configured firewall on either side of your intranet (for both internal users and external users coming in from the Internet via VPN) with a DMZ (literally, a "demilitarized zone" - a neutral computer or network between a company's private network and the outside public network) set up for good measure, a well-managed directory service, and a finely tuned server for hosting your site. The server would authenticate all incoming users and create a session that keeps track of who they are as they proceed through the intranet's content and functionality areas.

This tracking mechanism - a "session" which defines and tracks the relationship between the user's machine and the intranet server with identifying data stored in "session variables" - could also then be used to customize the intranet experience for the group(s) the user belongs to, and allow them to personalize some content and layout preferences. In situations where functional components reside on other servers, the user session could persist across servers on a network (allowing for a single sign-on, if that is part of corporate policy). Thus, a user signing on to the intranet will be able to access their e-mail, calendar, contacts, timesheets, personalized content, and customized applications in a single action.


That being said, the world is not perfect and many organizations will choose other solutions. Speak with your IT department to get a clear understanding of what's in place now and what their intentions are in the future. Make them aware of your needs and bring them on board for the discussion (after all, they will be implementing whatever you decide on during this process). Keep in mind that there are numerous options to consider when selecting and developing your intranet security framework and implementing a technology solution. Some of these are:

  • None

  • Directory Permissions

  • Simple Authentication

  • Sophisticated Authentication

  • Single Sign-on

  • Application Service Providers

  • Public Key Identity Infrastructure Providers

The first option, none, is certainly not recommended. But what do each of the others offer?

Directory Permissions

The first option is to use directory permissions on a central system that restricts read/write/execute access to users with the correct (universal) password. This can be used to access the entire system or its various parts. This does not take into account who the user is or what group or groups they belong to. The most significant flaws in this scheme are that staff turnover will necessitate enterprise-wide password updates and that there is no way to effectively trace security violations.

Simple Authentication

Simple user authentication and management will provide individual users with unique login IDs and passwords that allow them to access the entire intranet or major portions of it. The unique information can be stored and managed in a variety of ways to be mentioned below, but will typically exist in some type of directory provisioning system, simple database, or user identity management product.

This solution will provide restrictions on intranet access to authorized users, but is only effective for small organizations. Without defining group privileges, an administrator will need to update all user profiles whenever the system or business rules change. As the number of users, content areas, and functional components (possibly across servers) change, this data will need to be manually updated in each required instance and possibly done redundantly (if the user database resides on multiple servers and is not synchronized automatically).

Sophisticated Authentication

Sophisticated authentication and user management systems allow administrators to assign individual users to larger groups of users with group access privileges, organization access privileges, or role-based access privileges. This depends on their position within the company, what line of business they belong to, and what their responsibilities are. In essence, this is a fully fledged and fully featured user management system.

Some users will have administrative access to a functional component, regular access to five of six content areas, and be restricted from accessing the sixth content area and all other functional components. These privileges will be due to either their individual or group settings, and can only be changed by an administrator of the directory service.

The directory service would typically be a proprietary application or one of the pre-eminent solutions available in today's market: Novell's eDirectory (http://www.novell.com/products/edirectory/); Microsoft's Active Directory (http://www.microsoft.com/windows2000/technologies/directory/); and Sun ONE Directory Server - formerly iPlanet (http://wwws.sun.com/software/products/directory_srvr/home_directory.html). In any case, the directory service should include compliance with one of the two leading standards: either the Lightweight Directory Access Protocol (LDAP) or the Directory Service Markup Language (DSML). Also very worth investigating, depending on your budget and development strategy, is OpenLDAP (http://www.openldap.org), an open source implementation of LDAP.

This type of system allows administrators to manage user access to a large intranet in a more efficient manner now and in the future. It would not necessarily extend across systems by default (if you have distinct areas of your intranet running on multiple servers), but it could be made to do so, allowing for single sign-on privileges for application users. The issue of single sign-on is significant.
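The difference between the simple and sophisticated schemes above is in how privileges are resolved. The following is an added example (not code from the book or from any of the directory products it names): it models an LDAP-style directory in which a user's effective privilege on a content area or functional component is the highest grant found across their own entry, their groups and their roles, with an explicit deny anywhere in that chain winning. All names, groups and areas are constructed sample data.

```python
"""Group- and role-based access resolution for an intranet directory (added example)."""
from dataclasses import dataclass, field

NONE, READ, WRITE, ADMIN = 0, 1, 2, 3   # ordered privilege levels
LEVEL_NAME = {NONE: "none", READ: "read", WRITE: "write", ADMIN: "admin"}


@dataclass
class Entry:
    """One directory entry (user, group or role), keyed by an LDAP-style DN."""
    dn: str
    member_of: list = field(default_factory=list)   # DNs of groups/roles this entry belongs to
    grants: dict = field(default_factory=dict)      # resource -> privilege level
    denies: set = field(default_factory=set)        # resources explicitly blocked


class Directory:
    def __init__(self, entries):
        self.entries = {e.dn: e for e in entries}

    def _closure(self, dn, seen=None):
        """The entry itself, its groups and roles, and their parents (cycle-safe)."""
        seen = seen if seen is not None else []
        if dn in seen or dn not in self.entries:
            return seen
        seen.append(dn)
        for parent in self.entries[dn].member_of:
            self._closure(parent, seen)
        return seen

    def effective_level(self, user_dn, resource):
        """Highest grant across the closure, unless any entry in it explicitly denies."""
        level = NONE
        for dn in self._closure(user_dn):
            entry = self.entries[dn]
            if resource in entry.denies:
                return NONE                      # an explicit deny anywhere in the chain wins
            level = max(level, entry.grants.get(resource, NONE))
        return level

    def can(self, user_dn, resource, needed):
        return self.effective_level(user_dn, resource) >= needed

    def report(self, user_dn, resources):
        return {r: LEVEL_NAME[self.effective_level(user_dn, r)] for r in resources}


# Constructed sample data: six content areas plus one functional component (timesheets).
AREAS = ["news", "hr", "sales", "engineering", "finance", "executive", "timesheets"]


def build_directory():
    return Directory([
        # Everyone in staff can read the news area and file their own timesheets.
        Entry("cn=staff,ou=groups", grants={"news": READ, "timesheets": WRITE}),
        # The sales group inherits from staff, reads four more areas, and is kept out of executive.
        Entry("cn=sales,ou=groups", member_of=["cn=staff,ou=groups"],
              grants={"sales": READ, "hr": READ, "engineering": READ, "finance": READ},
              denies={"executive"}),
        # A role that administers one functional component.
        Entry("cn=timesheet-admins,ou=roles", grants={"timesheets": ADMIN}),
        # Users carry no grants of their own; changing a group changes all of its members.
        Entry("uid=alice,ou=users", member_of=["cn=sales,ou=groups", "cn=timesheet-admins,ou=roles"]),
        Entry("uid=bob,ou=users", member_of=["cn=sales,ou=groups"]),
    ])


if __name__ == "__main__":
    d = build_directory()
    for uid in ("uid=alice,ou=users", "uid=bob,ou=users"):
        print(uid, d.report(uid, AREAS))
```

Alice ends up with administrative access to the timesheets component, read access to five of the six content areas and no access to the sixth, exactly the profile described above, and adding a grant to the sales group reaches both users without touching their profiles.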

Single Sign-On

Single Sign-On (SSO) is a popular system used by organizations considering allowing all enterprise users to access all their systems with a single username and password. This would allow a user to log in to disparate systems on a Local Area Network (LAN), Wide Area Network (WAN), and across the Internet with a single login. The advantages of this are obvious: a user only needs to remember a single set of credentials, and an administrator can edit all of a user's permissions in a single location. It also reduces the support time required for administrators to reset passwords and remind users of what they are when they are lost or forgotten (something that happens frequently in companies where there are two or more passwords needed for various systems that users must access). These three factors are normally enough to sell an organization on this approach - one that is currently very much in vogue.

The Gartner Group (http://www.gartner.com) published an analysis of help desk calls and found that users forgetting passwords not only experience costly downtime because they can't get to critical systems, but also overwhelm help desks with support calls. They reported that lost or forgotten passwords account for 50% of total calls, and that each such call costs $14-25. This is not only expensive, but also wastes valuable IT resources. Additionally, help desks experience high employee turnover, and when these former employees leave their jobs they take with them important access information that also jeopardizes an organization's security.

The problem with SSO is that it might not actually be all that great an idea. Should one single credential give anyone access to everything? Back to the analogy from earlier in the chapter, would you make a master key to every door and cabinet in your offices and give someone the theoretical opportunity to obtain it? While SSO reduces requirements for technical support, a bit of social engineering can compromise a password that might allow a malicious hacker to destroy the integrity of all the data in an enterprise. This single point of failure (compromising one system or one user's credentials) should be strongly considered before moving in this direction.

Application Service Providers

Integrating your systems with a dependable third-party Application Service Provider's (ASP) identity and access management product can be a good way to save development costs and obtain a high degree of intranet security. These products offer all the management capabilities that would be included in a sophisticated internal system and allow you to realize all the benefits of outsourcing the learning, maintenance, and 24-7 network vigilance that could otherwise be quite expensive.

The tradeoff for this, however, is that you won't be able to extensively customize (or perhaps even slightly customize) existing enterprise solutions if you attempt to integrate them with the new ASP solution. As many companies are considering outsourcing parts or their entire intranets, more ASP providers are starting to develop products to suit their needs. Some of the leading identity and access management products available today are:

  • http://www.rsasecurity.com/solutions/idmgt/

  • http://www.caldera.com/products/volutionmanager/

  • http://www.diasoft.net/securitymaster.asp

  • http://www.opennetwork.com/products/directorysmart/

Public Key Identity Infrastructure Providers

Public Key Identity (PKI) Infrastructure Providers are global directory services that allow electronic devices to authenticate the identity of people trying to use them. They function by prompting a user to enter their private key (like a password, pass phrase, or biometric input) into an interface and then comparing that input with a key that is part of their registration profile in the directory. If the keys match, then they will be authenticated as the person they profess to be. Once that happens, their access privileges on the electronic device can be retrieved from the PKI Infrastructure Provider (the less likely scenario) or defined by a separate directory service (local on the device or remote on another network). There are two primary points that need to be considered when even thinking about PKI Infrastructure Providers: technical ability and trust.

Technical ability is certainly a huge concern. With hundreds of millions of Internet users online today, what company or organization would have the resources to manage a directory service for even a small share of them? Surprisingly - to some - there are numerous answers to that question.

America Online and Microsoft, for example, authenticate tens of millions of people every day. When users attempt to access any of their systems (web mail, instant messenger, online dating, chat, etc.), the chosen system requests a password (a private key) and matches it with their respective central registries. This is very similar to what thousands of other web sites do every day, but on a far greater (in many cases exponentially greater) scale.

Note

Note that PKI is actually more complex than this, but the particulars aren't relevant for the purposes of this section.

The sheer size of these market giants' registries has led them to identify becoming PKI Infrastructure Providers as a new business opportunity. They have both surpassed critical mass in respect to market share and feel their base of registered users will be attractive to any large or medium-sized web site that wants to realize all the cost savings identified in the Single Sign-on section above. This is a new business in an emerging market that's changing rapidly, but it does look as though it will be here to stay. This rationale is based on eBay's recent decision to start using Microsoft's Passport system for user authorization.

There are several significant initiatives underway to develop a global directory service that other companies can access to authenticate and manage their own network users on a massive global scale. Some of them are: Microsoft (Passport); Sun Microsystems (Liberty Alliance); AOL (Magic Carpet); and a number of other major software manufacturers.

The most significant issue that remains is trust. Would you rely on any of these aforementioned companies to decide whether people logging onto your system are who they say they are? Do you trust their security processes and procedures enough to "take their word for it" and let people into your enterprise systems based on them? What if the PKI Infrastructure Provider were a government that ties their passport or national ID card system into their electronic system? What if it were a Non-Governmental Organization run by the UN?

The issues of trust and technology are being debated more loudly as the business opportunity becomes more apparent. Using a Public Key Identity Infrastructure Provider may not be practical at the time of this book's publication, but it will be shortly thereafter.

This type of service would allow a company to have a user authenticated by a remote system and have their local security policy applied by a local system. The local system would then pass an "approval token" to the user's browser, which would grant the user's web browser permission to access content areas and functional components on the intranet.

The authentication system would be widely distributed (global in nature), extremely flexible and highly secure (when used in conjunction with certificates sent over SSL) to the degree that documents could be digitally signed by authenticated users.

There would probably be an initial licensing fee and recurring subscription fee for this service; unless a public domain, distributed system wins the day (which is unlikely). Watch the market space to see how it evolves in the future.

Authentication Methods

Once an intranet security option has been chosen, a decision needs to be made in regard to the authentication method. To prove who you are to a computer, you need to state who you are (your username) and provide a key (typically your password) that is an exact match to whatever data is stored in your profile. This key can be:

  • A word

  • A phrase

  • A digital certificate

  • A number from a smart card or token

  • A scan of your iris

  • A thumbprint

  • Or a voice analysis

Whatever it is, as long as it matches the key in your profile, you will be approved.

Username & Password

A username and password is a normal, well-recognized, and quite acceptable method for determining the authenticity of a user. The problem with it is that most username and password combinations are sent by HTTP to an intranet web server for lookup in a directory. HTTP (the standard protocol for sending and receiving web documents) just transmits the text as it has been entered and, unfortunately, there are a vast number of network management tools that can sniff these passwords out from regular data traffic and intercept them. As such, regular HTTP user authentication represents a significant potential security issue.

The best way to resolve this is to create an encrypted communication channel between users' web browsers and the authentication server with a Secure Sockets Layer (SSL) connection. HTTPS (HTTP over SSL) is a variation of HTTP that adds the secure 's' to the prefix of a URL string. Use of "https://" before a URL instead of "http://" will indicate that SSL is in use on a web server. Using SSL of the correct level to encrypt passwords renders useless all known network-sniffing software.
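To make the cleartext problem concrete, here is an added audit script (not from the book) that parses constructed HTTP request captures, finds the credential-bearing ones (an Authorization: Basic header, or a password field in a form post) and reports which of them travelled without SSL. The host names, users and captures are made up; the script reports usernames but never the password itself.

```python
"""Flag credentials that intranet clients submitted over plain HTTP (added example)."""
import base64
from urllib.parse import parse_qs

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
USERNAME_FIELDS = {"username", "user", "login", "uid"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def credential_exposure(raw, tls):
    """Return one finding per credential carried by the request, tagged with the transport."""
    req = parse_request(raw)
    findings = []
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        # RFC 7617 Basic auth is base64, not encryption: anyone on the wire reverses it.
        decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
        findings.append(("basic-auth", decoded.split(":", 1)[0]))
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(req["body"])
        if any(f.lower() in PASSWORD_FIELDS for f in form):
            user = next((form[f][0] for f in form if f.lower() in USERNAME_FIELDS), "?")
            findings.append(("form-password", user))
    return [{"target": req["target"], "kind": kind, "username": user, "cleartext": not tls}
            for kind, user in findings]


def audit(captures):
    """captures: list of (raw_request, tls_flag). Returns only the cleartext findings."""
    return [f for raw, tls in captures for f in credential_exposure(raw, tls) if f["cleartext"]]


# Constructed sample captures (host, users and secrets are invented).
_basic = base64.b64encode(b"alice:s3cret-pass").decode()
SAMPLE_CAPTURES = [
    ("GET /intranet/timesheets HTTP/1.1\r\nHost: intranet.example\r\n"
     f"Authorization: Basic {_basic}\r\n\r\n", False),                     # plain HTTP
    ("POST /intranet/login HTTP/1.1\r\nHost: intranet.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=bob&password=hunter2", False),                              # plain HTTP
    ("POST /intranet/login HTTP/1.1\r\nHost: intranet.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=bob&password=hunter2", True),                               # same form over SSL
    ("GET /intranet/news HTTP/1.1\r\nHost: intranet.example\r\n\r\n", False),  # no credential
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURES):
        print(f"CLEARTEXT {finding['kind']:<13} {finding['target']} user={finding['username']}")
```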

Public Key Infrastructure (PKI)

PKI is essentially the use of a digital certificate-based solution to authenticate users and their communications. It involves planning, developing, and implementing the hardware, people, and processes necessary to provide publicly available encryption keys used for the secure, positive conveyance of confidential data to designated parties.

Using Public Key Infrastructure (PKI) to manage your intranet's security can be a very good idea. Essentially, it uses a digital certificate-based solution to verify that users and the computers they're using to access your network are who they represent themselves to be.

Every intranet user could obtain a certificate for their computer by using their web browser to access the corporate certificate authority (Verisign - http://www.verisign.com, RSA - http://www.rsa.com, a trusted certificate authority your company does business with - many banks now offer this service - or a network machine) and registering for one. The registration process would involve filling in a form and submitting it electronically to the web site via SSL. This registration submission would automatically do the following:

  • generate a private/public key set

  • store the private key in an encrypted format on the user's computer

  • and store the public key in an encrypted format with the certification authority

Users wishing to use their certificate would just need to enter the password or pass phrase they used when registering in order to log on to the system and "digitally sign" documents. Also, because of the higher degree of security used in the PKI method, digital signatures in some jurisdictions are legally binding. This would allow users to sign e-mail messages, documents, and form submissions (that are encrypted with SSL) to conduct electronic business within an organization. The cost savings in paper alone by allowing people to file expenses and various requisitions online could be significant.

Another option for companies that want to implement PKI but have limited budgets is to configure a Certificate Authority on your own network. The CA providers mentioned above will have software that can be installed on network machines.

Note

Note that a delegated PKI implies some mechanism for individuals to reach out of a corporate network or "intranet" to an external host, and return information from that host to a location within the corporate network. The presence of a path from the internal network to an external entity may be deemed a generic security risk. Accomplishing the necessary communications may require the opening of specific ports on firewalls, or the admission of certain external IP addresses into the network that would otherwise not be so permitted.

Smart Card

Smart Cards identify a user when they insert a credit card-shaped badge into a reader connected to their computer by a USB port. The corresponding software then prompts the user to enter their password on the screen. A user can then simply log off the network or lock their computer by removing their card.

The advantage of a smart card is that it integrates a physical item with a user password, making it twice as difficult to compromise a password.
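Combining the card (or a token, as listed under Authentication Methods) with a password is two-factor authentication. The following is an added example, not from the book or any vendor above: it stores the password salted and hashed, generates the token's one-time number with the HMAC-based algorithm of RFC 4226 (HOTP), and only accepts a login when both factors check out. The user record and token secret are constructed; a real deployment would keep the secret on the card or token.

```python
"""Password plus token code: a two-factor check (added example)."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2 so a copied directory does not hand out reusable passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TwoFactorStore:
    def __init__(self):
        self.users = {}

    def enroll(self, username: str, password: str, token_secret: bytes):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "token_secret": token_secret, "counter": 0}

    def verify(self, username: str, password: str, code: str, look_ahead: int = 3) -> bool:
        """True only when the password and a fresh token code both match.

        The result is a single yes/no so a caller cannot learn which factor failed.
        """
        rec = self.users.get(username)
        if rec is None:
            return False
        _, digest = hash_password(password, rec["salt"])
        pw_ok = hmac.compare_digest(digest, rec["digest"])
        # Accept a code a few counter steps ahead (the user may have pressed the token
        # without logging in), but never one at or behind the last accepted counter: replay.
        code_ok, next_counter = False, rec["counter"]
        for c in range(rec["counter"], rec["counter"] + look_ahead + 1):
            if hmac.compare_digest(hotp(rec["token_secret"], c).encode(), code.encode()):
                code_ok, next_counter = True, c + 1
                break
        if pw_ok and code_ok:
            rec["counter"] = next_counter   # burn the code only on a full success
            return True
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret stands in for a token's real secret.
    store = TwoFactorStore()
    store.enroll("carol", "correct horse battery", b"12345678901234567890")
    print("first login :", store.verify("carol", "correct horse battery", hotp(b"12345678901234567890", 0)))
    print("replayed    :", store.verify("carol", "correct horse battery", hotp(b"12345678901234567890", 0)))
```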

Some of the leading developers of smart cards today are:

  • http://www.cryptocard.com

  • http://www.datacard.com

  • http://www.rsasecurity.com/products/securid/

  • http://www.smartcards.net/infosec/

  • http://www.raaktechnologies.com

Biometrics

Biometric security refers to any type of authentication process that uses a unique genetic key to determine user authorization to access digital systems. The most-deployed biometric access devices in use today are fingerprint scanners - principally thumb scanners. These devices are manufactured by a wide variety of companies and are available for a few hundred dollars each. This low cost (considerably less than other biometric options) makes it an attractive solution for companies that worry about keys and passwords being compromised, but trust in the integrity of their users' biology.

Fingerprint scanners are now starting to be used in portable equipment like laptops (IBM is one of the first companies to provide this with their products).

The other biometric security devices available today are: speech recognition; face recognition; vein pattern recognition; iris scanning; keystroke verification; and lip movement recognition. Typically such systems are expensive.

Note

For more information on different biometric devices and current development, visit the US government's biometric consortium web site at: http://www.biometrics.org/html/examples.html.

Some of the leading biometric authentication device manufacturers today are:

  • http://www.ringdale.com

  • http://www.biopassword.com

  • http://www.imagistechnologies.com

  • http://www.biometricgroup.com

A Brief Note About Firewalls

A firewall protects a network from unauthorized traffic that attempts to get inside for a variety of reasons. Sometimes they are put in place simply to keep search engine spiders from crawling and indexing intranet content, and to keep curious people with FTP clients from accessing any internal documentation. Other times, they are implemented to explicitly keep malicious hackers, crackers, and script kiddies (these are all terms used to describe people trying to gain unauthorized access to your networks) from getting inside to cause damage.

The fact is that firewalls are the cornerstones of our ability to separate our network into private and public segments. Firewalls work by limiting the types of traffic that are allowed through a pipe. A firewall program (or programs), located at our network gateway, works to protect the resources of our private network from users from other networks by examining each network packet and determining, based on a set of pre-defined rules, whether to ignore or forward the network packet to a requested server. They also work by masking the identity of a computer (its IP address) when it is retrieving a web page from the Internet by acting as a proxy. This prevents people outside the network from learning anything about its internal structure and learning ways to potentially take advantage of it.


There are many obvious benefits to corporate security by having a firewall situated between an internal network and the Internet. In regard to the intranet specifically, it prevents unauthorized users from attempting to access it and stealing, destroying, or compromising information. But what if you have people inside your organization who have similar intentions? As mentioned earlier, your security is only as strong as its weakest point. Something worth considering is implementing a firewall between your internal users and your intranet, too.

If someone doesn't need - or perhaps even shouldn't have - access to parts of the internal network, then they should be explicitly restricted from accessing them. One concern that will probably occur as the scope and scale of your intranet grows is the emerging need for access to the intranet from outside the firewall. People in other offices or who are traveling will need access to vital content areas and functional components, and your firewall won't let them through (because it's meant to only let web and e-mail traffic in).

The easy solution would be to allow them to dial-up directly into the intranet server, but that would go against basic security principles - if someone obtained the dial-in information, the entire system would be compromised. Instead, implementing a Virtual Private Network (VPN) is a recommended course of action.
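The rule evaluation described above, and the "improperly configured firewall" mentioned earlier, can both be shown in a few lines. This is an added example, not from the book or any vendor below: a first-match packet filter with a default deny, one rule set for the Internet gateway (in a misordered and a corrected form) and one for an internal firewall between staff segments and the intranet server, plus a check that finds deny rules an earlier, broader allow has made unreachable. All addresses and subnets are constructed.

```python
"""First-match packet filter with default deny, and a shadowed-rule check (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    src: str          # CIDR, or "any"
    dst: str          # CIDR, or "any"
    proto: str        # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches every port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (_in(p.src, self.src) and _in(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def _in(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def decide(rules, packet):
    """The first matching rule decides; a packet matching nothing is dropped (default deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.note
    return "deny", "default deny"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet inner could match, outer matches too."""
    def cidr_covers(o, i):
        if o == "any":
            return True
        return i != "any" and ipaddress.ip_network(i, strict=False).subnet_of(
            ipaddress.ip_network(o, strict=False))
    return (cidr_covers(outer.src, inner.src) and cidr_covers(outer.dst, inner.dst)
            and outer.proto in ("any", inner.proto)
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule of the opposite action covers them."""
    return [r for j, r in enumerate(rules)
            if any(e.action != r.action and _covers(e, r) for e in rules[:j])]


# Constructed sample: the office network is 10.0.0.0/8, the public web server 10.0.1.10,
# the mail server 10.0.1.20 and the intranet server 10.0.2.5.
GATEWAY_BAD = [
    Rule("allow", "any", "10.0.0.0/8", "tcp", None, "temporary: let the contractor in"),
    Rule("allow", "any", "10.0.1.10/32", "tcp", 443, "public web over SSL"),
    Rule("deny", "any", "10.0.0.0/8", "tcp", 23, "no telnet from outside"),   # never reached
]
GATEWAY_GOOD = [
    Rule("allow", "any", "10.0.1.10/32", "tcp", 443, "public web over SSL"),
    Rule("allow", "any", "10.0.1.20/32", "tcp", 25, "inbound mail"),
    Rule("deny", "any", "any", "any", None, "drop everything else"),
]
INTERNAL_RULES = [   # sits between the staff segments and the intranet server
    Rule("allow", "10.0.10.0/24", "10.0.2.5/32", "tcp", 443, "staff LAN to intranet over SSL"),
    Rule("allow", "10.0.20.0/24", "10.0.2.5/32", "tcp", 443, "HR LAN to intranet over SSL"),
    Rule("allow", "10.0.30.5/32", "10.0.2.5/32", "tcp", 22, "admin workstation only"),
    Rule("deny", "any", "10.0.2.5/32", "any", None, "nobody else reaches the intranet server"),
]

if __name__ == "__main__":
    probe = Packet("203.0.113.7", "10.0.1.10", "tcp", 23)
    print("misordered gateway:", decide(GATEWAY_BAD, probe))
    print("corrected gateway :", decide(GATEWAY_GOOD, probe))
    print("shadowed          :", [r.note for r in shadowed_rules(GATEWAY_BAD)])
```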

Some leading firewall vendors are:

  • http://www.novell.com

  • http://www.evidian.com

  • http://www.cisco.com

  • http://www.cyberguard.com

  • http://www.intrusion.com

  • http://www.lucent.com

Virtual Private Networks

A VPN uses software or hardware to encrypt Internet traffic between two points. If the software is properly configured on both the users' computers and the intranet, then the secure connection can take place over the Internet and through the firewall. Speak to your IT team about whether they will implement it, as this may have an effect on broader corporate security issues. Also, encourage users who install VPN software on their laptops and home computers to practice safe security behavior and not post their passwords on sticky notes on the sides of their computers.

Some leading VPN vendors are:

  • http://www.secgo.com

  • http://www.cisco.com

  • http://www.netsentron.com

  • http://www.checkpoint.com

  • http://www.lucent.com

  • http://www.nortelnetworks.com

  • http://www.sonicwall.com

Security Audits

Many consulting companies are available to provide Security Audits or "Security Vulnerability Assessments" on your network. They conduct a thorough examination of your existing IT infrastructure and security policies to determine what flaws, if any, exist, and make recommendations on how your organization should move forward. If your intranet's functional components (as defined in Chapter 5) include numerous mission-critical applications, then you should consider investing in a professional audit.

A security audit will also:

  • Allow you to be proactive about preventing corporate litigation (in case private customer data is compromised)

  • Reduce performance problems that may arise during a hack attack

  • Allow you to be proactive about preventing Denial of Service (DoS) attacks

  • Test your Intrusion Detection System

  • Qualify for Information Protection Insurance

  • Gain confidence in your security systems

Even if you use firewalls (internal and external), an Intrusion Detection System, SSL, a VPN, and a rock-solid authentication system with biometric security, a security assessment can help determine whether your current configurations contain any unknown, and potentially unauthorized, network "goodies" left by previous developers or technicians. Creating backdoors is an infamous favorite of many nefarious computer villains who depart a company on unfavorable terms and want revenge.

In addition, note that one of the most important reasons for having a Security Vulnerability Assessment performed is to enable corrective action. How can you know what to secure if you don't know what is insecure?

Take care at this stage, if you're going to put forth an initiative like this, to get written permission before you start poking around for security holes. The case of Randal Schwartz (http://www.stonehenge.com/merlyn/) versus Intel (http://www.intel.com) should serve as sufficient warning in this regard.
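An assessment of the kind described above starts from what is actually configured rather than what the policy says. As an added example (not the book's code, nor any vendor's), the following Python audits a constructed firewall rule set, evaluated first-match, for four kinds of leftover a reviewer would flag: allow rules that expose a host outside the DMZ to the Internet, rules that permit every protocol and port, undocumented rules with no owner, and rules shadowed by an earlier one so they are never evaluated. The segment addresses, the "only the DMZ may be reached from the Internet" policy, and the sample rules (including the one nobody remembers adding) are all assumptions.

```python
"""Added example: audit a firewall rule set, evaluated first-match, for leftovers
a vulnerability assessment would flag. Rules and address plan are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any port
    owner: str = ""        # who added the rule and why; empty means nobody knows


INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("10.0.1.0/24")   # assumption: the only segment that may be reached from the Internet
INTRANET = ip_network("10.0.2.0/24")
STAFF = ip_network("10.0.10.0/24")
INTRANET_SERVER = ip_network("10.0.2.7/32")

# Constructed rule set as an auditor might export it, including a rule nobody remembers adding
SAMPLE_RULES: List[Rule] = [
    Rule("allow", INTERNET, DMZ, "tcp", 443, "web team: public site"),
    Rule("allow", INTERNET, DMZ, "tcp", 25, "mail team: inbound mail"),
    Rule("allow", STAFF, INTRANET, "any", None, "IT: staff to intranet"),
    Rule("deny", STAFF, INTRANET_SERVER, "tcp", 22, "IT: no SSH to intranet server from staff"),
    Rule("allow", INTERNET, INTRANET_SERVER, "tcp", 22),   # undocumented; exposes an intranet host
]


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` would already match `broad`."""
    return (broad.src.supernet_of(narrow.src)
            and broad.dst.supernet_of(narrow.dst)
            and broad.proto in ("any", narrow.proto)
            and broad.dport in (None, narrow.dport))


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule index, finding) pairs; an empty list means nothing to report."""
    findings: List[Tuple[int, str]] = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == INTERNET and not DMZ.supernet_of(rule.dst):
            findings.append((i, "Internet-reachable service outside the DMZ"))
        if rule.action == "allow" and rule.proto == "any" and rule.dport is None:
            findings.append((i, "allows every protocol and port"))
        if not rule.owner:
            findings.append((i, "undocumented rule: no owner or justification"))
        # Under first-match evaluation, an earlier rule that covers this one makes it dead
        for j in range(i):
            if covers(rules[j], rule):
                findings.append((i, f"shadowed by rule {j}; never evaluated"))
                break
    return findings


def sample_findings() -> List[Tuple[int, str]]:
    return audit(SAMPLE_RULES)


if __name__ == "__main__":
    for index, finding in sample_findings():
        print(f"rule {index}: {finding}")
```

Two of the findings illustrate why reviewing the live configuration matters: the broad "staff to intranet" rule silently makes the SSH deny below it dead, and the last rule, which nobody documented, lets the whole Internet reach an intranet host. The "owner" field is the cheapest control here; a rule with no recorded justification is exactly what a departed technician's leftover looks like.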

Information Protection Insurance

If you're really concerned about all the "what if" scenarios and the potential financial impact on your organization should one of them unfortunately come true, you may want to consider purchasing Information Protection Insurance. In the late 1990s, after the Lovebug virus and the first few rounds of Denial of Service attacks crippled the e-commerce sites of many large online retailers, the insurance industry responded with options for companies that wanted to be covered in case it happened to them.

The options, while expensive, were and still are fairly comprehensive. If you choose, you can be covered for:

  • Internal violations (criminal acts by employees)

  • Hackers

  • Viruses

  • Media liability (defamation, libel, and copyright violations)

  • Privacy violations

  • Inadequate crisis management

  • Cyber extortion

  • Crisis management

  • Global risks

To find out more about Information Protection Insurance, contact your corporate insurance broker.

Network Security Software

Generally speaking, your IT team will have your network security as tight as they can make it, and will be on top of all the latest news, software, and software updates. If you need to know what they're doing to proactively secure your intranet from possible security issues, the best thing to do is talk to them about it.

Just so you're aware, however, these are some of the steps that an organization can take to optimize their chances for a long-term hacker-free existence:

  • Make sure the Employee security policy education form has been read, understood, and signed by all employees. Walk around from time to time to watch what people do when they log on to the network. Are they looking somewhere for their password or do they know it? Take a walk around the office and see if you find any yellow sticky notes on the sides of monitors with passwords written on them...

  • If you can see someone enter their password as you walk by their desk, other people can, too. That includes other office workers, clients, and maintenance staff with dark streaks.

  • Each operating system has its own inherent vulnerabilities, many of which have to do with file sharing and administrative permissions. In addition, many individual software packages have identified security vulnerabilities. It's important that all your software subscriptions are up-to-date, and that current anti-virus updates, system software patches, and security updates are implemented on a regular basis, as they are released by the publishers.




Practical Intranet Development
ISBN: 190415123X
Year: 2006
Pages: 124