CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [17]
2. Are there wireless access points on the network? Can a mobile user with a laptop configure their settings to join the network? What is the range of your access points? Are signals stopped at the perimeter, or can someone sitting in the parking lot access the network?
3. Are dial-in connections allowed? Can users call in from home? Can they call in from hotel rooms? Do you verify the number they are calling from or merely allow anyone in with a correct username/password combination?
4. Do you use Terminal Services? Are thin clients employed/allowed? Are entire sessions on the server run remotely? Is remote administration enabled?
5. Do your users have shares on their laptops that would potentially compromise the laptop’s data security?
6. What ports are open on your routers and firewalls (or on a user’s personal firewall solution)?
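As an added example (not from the study guide), a read-only PowerShell audit that answers items 4, 5 and 6 of the checklist for the local Windows host; it relies only on the built-in SmbShare and NetSecurity modules and the standard Terminal Server registry key, and assumes Windows 8/Server 2012 or newer.

```powershell
# Added example (not from the study guide): answer checklist items 4, 5 and 6
# for the local Windows host. Read-only; run from an elevated PowerShell session.
# Assumes Windows 8/Server 2012 or later (SmbShare and NetSecurity modules present).

function Get-RemoteAccessExposure {
    # Item 4: is Remote Desktop (Terminal Services) accepting connections?
    # fDenyTSConnections = 0 means RDP is enabled.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # Item 5: shares other than the hidden administrative defaults (C$, ADMIN$, IPC$).
    $userShares = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } |
                  Select-Object Name, Path

    # Item 6: enabled inbound firewall rules that allow traffic, with their ports.
    $openRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $pf.Protocol
                LocalPort = ($pf.LocalPort -join ',')
            }
        }

    [pscustomobject]@{
        RdpEnabled     = $rdpEnabled
        UserShares     = $userShares
        InboundAllowed = $openRules
    }
}

$report = Get-RemoteAccessExposure
"Remote Desktop enabled : $($report.RdpEnabled)"
"Non-default shares     : $(@($report.UserShares).Count)"
$report.UserShares | Format-Table -AutoSize
"Inbound allow rules    : $(@($report.InboundAllowed).Count)"
# Rules open on any port, or active on the Public profile (hotel and parking-lot
# networks), are the ones to review against the remote-access policy.
$report.InboundAllowed |
    Where-Object { $_.LocalPort -eq 'Any' -or $_.Profile -match 'Public' } |
    Format-Table -AutoSize
```

Items 2 and 3 (access-point range, dial-in verification) are not visible from a single host and have to be checked on the access points and the remote-access server instead.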
The issues that must be decided at the management and policy level affect the entire company and can greatly impact productivity, morale, and corporate culture. Policies also establish expectations about security-related issues. Security policies should be treated no differently than an organization’s vacation, sick leave, or termination policies. Most people can tell you exactly how many days of vacation they get per year; however, many can’t tell you what the company’s information usage or security policies are. This can be solved by posting such information on an intranet or including it in a manual issued to all employees (with a note in each employee’s personnel file indicating that they’ve received the manual).
A number of key policies are needed to secure a network. The following list identifies some broad areas that require thought and planning:
■ Administrative policies
■ Disaster recovery plans
■ Information policies
■ Security policies
■ Software design requirements
■ Usage policies
■ User management policies
Administrative Policies
Administrative policies lay out guidelines and expectations for upgrades, monitoring, backups, and audits. System administrators and maintenance staff use these policies to conduct business. The policies should clearly outline how often and when upgrades appear, when and how monitoring occurs, and how logs are reviewed. They should also identify—not by name, but by title—who is responsible for making decisions on these matters and how often decisions should be reviewed. Ideally, the policies should also include information about who wrote them, who signed off on them, and at what date they were mandated.
The policies must be specific enough to help the administrative staff keep focused on the business of running the systems and networks. At the same time, they must be flexible enough to allow for emergencies and unforeseen circumstances. This trade-off is common to most policies, and you always want to be careful to avoid leaving a gap too wide, making the policy virtually ineffective or unenforceable.
Disaster Recovery Plans
Disaster recovery plans (DRPs) are one of the biggest headaches that IT professionals face. The DRP is expensive to develop and to test, and it must be kept current.
Many large companies invest huge amounts of money in DRPs, including backup or hot sites. A hot site is a facility designed to provide immediate availability in the event of a system or network failure. These sites are expensive to maintain and sometimes hard to justify. The likelihood that an organization will need a hot site is relatively small, and the site may seem unimportant—right up to the point when you don’t have one and you need it.
A good DRP takes into consideration virtually every type of occurrence or failure possible. It may be as simple as a single system failing or as complicated as a large multinational company needing to recover