IT Security Framework

Appendix ii: Information Security Framework

Inventory Control (Hardware)

  Maintain an Asset Register: Create an asset register recording details such as serial number, MAC address, delegated owner and date of use.

  Asset Management Tool: Employ a tool that will automatically recognise devices connected to the network and flag new, unidentified ones.

  Network Access Control: Ensure a level of control over which devices can connect to the network by setting up and configuring port-level access control.

Inventory Control (Software)

  Maintain a Software Register: Create a software register recording details of all approved applications installed on the network and their intended use.

  Software Management Tool: Employ a tool that will record the name, version and author of all verified applications installed on the network.

Administrative Privileges

  Maintain Accounts Register: Employ a tool that will record all accounts with administrative privileges and ensure they are for authorised personnel only.

  Password Security: Employ a password management tool that will create robust passwords for users from a predefined alphanumeric character set.

  Two-Factor Authentication: Where possible, enable two-factor authentication for all administrative accounts.

End Devices

  Configuration: Keep an up-to-date set of security standards for all software approved on the network and how it should be configured.

  Management Tool: Implement a management tool that will periodically scan the network and update configuration settings on devices where necessary.

Monitoring & Audit

  Audit Control: Enable automated logging on interconnected network devices to ensure a clear audit trail.

  Log Management: Implement a system that records and stores logs of unexpected changes and makes them available for ongoing review and monitoring.

Email & Web

  Domain Name System: Deploy a DNS service that will blacklist specific domains known to host malicious content.

  URL Log: Maintain a log of all websites visited by users on all devices to monitor and identify activity that may pose a security risk.

  Scripting Languages: Disable scripting languages such as JavaScript from running automatically within web browsers and email clients by default.

  File Types: Certain file types known to be a risk should automatically be blocked or flagged when entering the network through the email server.

Malware

  Anti-Malware Software: Ensure the company's anti-malware software receives uninterrupted updates to its signature database.

  Removable Devices: Automatically scan removable media when connected to a network workstation.

  Disable Auto-Run: Manage devices to prevent them from automatically running content such as removable media.

Network Services

  Scanning: Ensure vulnerable open ports on the network are automatically identified and flagged using a scanning tool designed to detect them.

  Ports & Services: Ensure the system is configured to run only the necessary protocols, ports and services, disabling those that introduce a vulnerability.

  Firewall: Configure default and custom rules governing what traffic is permitted and what is not across the various ports.

Data Recovery

  Data Backup: Ensure all system data is backed up at regular intervals using automated software.

  System Backup: Ensure key systems are backed up fully to allow the recovery of an entire system.

  Offline Backup: Ensure at least one offline backup location that is neither connected to nor dependent on the network.

Network Devices

  Configuration of Network Devices: Maintain a set of configuration standards for authorised network devices.

  Configuration Rules for Traffic: All configuration rules allowing traffic to access the network should be documented in a configuration manual.

  Two-Factor Authentication: Manage all portable and personal network devices to ensure the use of two-factor authentication and data encryption.

Intrusion Detection

  IP Addresses: A database of trusted and untrusted IP addresses should be used to blacklist those not authorised to establish communication.

  Unauthorised Ports: Incoming traffic targeting vulnerable ports on the network should be detected and blocked at source.

  Remote Login: Two-factor authentication should be required for all staff connecting to the network from a remote location.

Data Protection

  Cloud Storage: Ensure authorised cloud storage providers are verified and trusted before storing data on a third-party platform.

  Portable Devices: A register of portable devices should be in place to permit or deny the use of storage devices on the network.

Access Control

  Encryption: Ensure all private data being shared on the network is encrypted using a strong algorithm.

  Access Control Register: Ensure access control lists are in place to limit unauthorised use of sensitive resources, including applications, file repositories and system files.

Wireless Access Control

  Wireless Access Register: Maintain an inventory of authorised wireless access points connected to the wired network.

  Encryption: Ensure all private data being shared on the network is encrypted using a strong algorithm such as AES.

  Separate Wireless Networks: Implement a dedicated wireless network for guest and personal use that clients can connect to while on site.

Account Monitoring

  Workstation Sessions: Configure devices to lock automatically after an idle period and require the user to log in again to continue the session.

  Two-Factor Authentication: Enable two-factor authentication for all users accessing web-based accounts.

  Inactive Accounts: Deactivate or terminate the accounts of users no longer employed by the company.

Staff Training Programme

  Sensitive Data: Train staff on how to handle sensitive data and ensure they are aware of the risks of failing to do so.

  Social Engineering: Prepare staff to recognise and defend against the various forms of phishing scam, whether by phone, email, online or in person.

  Security Awareness: Implement a risk awareness programme for all staff to undertake, with content specific to their role in the organisation. To be completed and updated annually to ensure staff have the relevant knowledge and understanding of ongoing threats.

Application Security

  Firewall: Invest in a reputable web application firewall to help protect the network from various forms of attack on the web server.

  Software: Ensure all applications deployed on the network are up to date and receiving ongoing security fixes from the software developer.

  Encryption: Use only industry-standard, trusted encryption algorithms such as AES that offer the strongest level of security in protecting data.

Incident Management

  Planning: A system should be in place to identify roles and responsibilities and set out procedures for how incidents are to be reported and handled.

Penetration Testing

  Testing Programme: A programme should be introduced that demonstrates the threat of various kinds of network attack and any relevant evasive action.

  Testing Tools: Software tools should be used to assess vulnerabilities on the network and help focus efforts on the findings.

