In a company it is very important to have security policies that ensure the good work and work of the workers. In addition, only certain persons should be allowed access. In this article we will see how to design and implement security policies that allow us to ensure the privacy of the information that exists in our company.
First steps in the security of a company
First of all, let’s talk about an initial step that every company should carry out. They would be as follows:
This ensures that the person who is viewing a company resource has permissions to do so. It’s not a good idea that there are many people with permits that they shouldn’t have. Ideally, each department should have a shared folder on the network that can only be viewed by members of that department.
The more complex a system is, the more difficult it is to protect it. You should design the system in a simple way and get adequate results without overloading the system with redundant programs.
Network host-based security
Computer equipment on a network has services that they can use and that can allow attacks to spread if a computer has been compromised. Ideally, you should block ports and prevent certain services from starting. For the blocking of ports we must use a firewall.
This type of security is based on the use of physical firewalls. Access to (host) computers from the network is controlled and any unauthorized access is prevented.
It is a checkpoint. A computer or host through which the entire flow of information passes and checks for system anomalies.
Defense in depth
It is about employing all available technical and human means to ensure that our systems are ready and smooth.
Scope of security policy
To define the security policy of a company we must answer these 3 questions:
- What is there to protect?
- What should they be protected from?
- How far can we protect?
Once we have the three initial questions, we can proceed to the design of the security measures to be implemented.
Elements to be protected
They are divided into four categories:
- Hardware, are the physical elements of a computer system, what we see with our eyes.
- Software, logic applications deployed in the hardware.
- Data,information, the most important thing a company has. In this case we must protect against malware all hosts on the network. In addition we will have to make backups of those and finally, we will have to implement cryptographic mechanisms so that the data is confidential.
- Communications, information is not stored in isolation. It travels through the entire corporate network and therefore, it is vital to develop a communications protection plan.
Degree of protection
How much we must invest in protecting an element of the system will depend on its function. If it is a key computer, the network passes through it, we must invest a lot of time and money in having it ready and prepared for any evetualidad. If it is a mid/low position team, active protective measures may not be necessary.
The first steps in security analysis are based on identifying what threats the elements of the system are exposed to, analyzing what consequences you would have of breaching their security, and measuring the likelihood of these incidents occurring. Therefore, we want a security policy that allows us to minimize the impact of possible threats.
There are three types of tools that will act as security mechanisms:
- Preventive. They increase the security of a system while working on it. An example is the use of passwords and users.
- Detectors. They are those that are employed against security breach or attempts at it. In this case we would talk about antivirus, antimalware, anti-spyware, etc..
- Recovery. A compromised system is recovered again after loading a backup that we have made previously.
Security policies objectives
The objectives of security policies are four:
Confidentiality is based on the fact that only people who have permissions or authorized machines have access to certain information. It is based on three mechanisms:
- Authentication. Verifies the identity of a user or computer, usually by user and password in the first case and registration on the network in the second case.
- Authorization. Users will have different permissions on network information. These permissions are read (a user can read a document), modify (a user can read and modify a document), and execute (a user has all permissions on an item).
- Encryption. The information travels encrypted, so that if someone intercepts a communication they will not see the original information but an unintelligible text.
Users on a network can access documents normally if they have permissions to do so.
The data is stored as expected by the user and has not been altered without their consent.
A user cannot deny the validity of a document if it has been sent by himself. There may be identity thefts, but if someone sends an email from an email account associated with a person, the person cannot deny that the email was sent by him.