Because public IP addresses are reachable by anyone on the Internet, attackers have easier access to servers or computers within corporations’ networks. Network address translation (NAT) places private IP addresses behind a public IP address to help protect a company’s network infrastructure. This address translation allows many servers and workstations to hide behind proxy servers or firewalls. The only drawback is that some servers may need a public IP address in order to be reachable from the outside.
Working hand in hand with firewalls, such public IP addresses can stand behind the DMZ (demilitarized zone) section of the firewalls.
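The following is an added example, not code from the original article, that models the NAT behaviour described above: many private hosts share one public address through port translation, return traffic is mapped back to the originating host, and any inbound packet with no existing mapping is dropped. A static mapping stands in for the DMZ case where one server must be reachable from outside. All addresses are constructed documentation values (203.0.113.0/24 and 198.51.100.0/24), and the class and method names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 1918 private ranges: addresses that are never routed on the public Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortNat:
    """Source NAT with port translation: many private hosts hide behind one public IP (hypothetical model)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port           # next free public port for dynamic mappings
        self.outbound = {}                    # (private_ip, private_port) -> public_port
        self.inbound = {}                     # public_port -> (private_ip, private_port)

    def add_static_mapping(self, public_port: int, private_ip: str, private_port: int) -> None:
        """DMZ-style static mapping: a server that must be reachable from the outside."""
        self.inbound[public_port] = (private_ip, private_port)
        self.outbound[(private_ip, private_port)] = public_port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private network so it carries the public IP and a translated port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            while self.next_port in self.inbound:   # never reuse a port held by a static mapping
                self.next_port += 1
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an inbound packet to the private host it belongs to; None means it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None                       # unsolicited inbound traffic: no mapping, so it is dropped
        private_ip, private_port = key
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo() -> dict:
    """Constructed walk-through: one workstation browses out, a reply comes back, a probe is dropped."""
    nat = PortNat("203.0.113.5")
    out = nat.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    reply = nat.translate_inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port))
    probe = nat.translate_inbound(Packet("198.51.100.99", 44444, "203.0.113.5", 40001))
    return {"outbound_src": (out.src_ip, out.src_port),
            "reply_dst": (reply.dst_ip, reply.dst_port),
            "probe_dropped": probe is None}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The protective property the article relies on is the last line of the demo: a packet aimed at the public address with no matching mapping has nowhere to go. The static mapping shows the trade-off the article notes, since a DMZ server is reachable precisely because its mapping exists before any outbound traffic.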
As stated in the previous article, training of personnel helps corporations protect their valuable assets and their clients’ assets. Training of personnel should take place at a minimum of twice annually.
Companies spread across a metropolitan network or a wide area network often unintentionally neglect branch offices or outlying offices. CIOs and IT managers need to focus on the entire corporation as a whole. Neglect of branch offices can result in infiltration of a vulnerable section, which can then spread throughout the entire network.
Policy and procedures should cover these issues so that these areas are not overlooked. A copy of the policy and procedures should be kept at each location with scenarios for disaster recovery.
The overall strategy for the initial phase of protection involves the publishing of Policy and Procedures. The publication of Policy and Procedures includes the hierarchical structure of the information technology department and all tasks associated with it. The following approach is used to monitor the updating of the Policy and Procedures:
• Document changes to existing Policy and Procedures
• Identify weaknesses
• Test the disaster recovery portion of the Policy and Procedures
• Test auditing procedures
• Rewrite when a significant amount of change takes place
• Ongoing training
This strategy is being used by all of the companies in this research article. Each of the companies uses primarily the same software but has a different database back end that holds its mission-critical and protected demographic data. Each of the companies uses different virus protection but has the same update policies in place against this malicious activity.
These companies use their policy and procedures to define backup strategies for their data. This form of security is one of the most important aspects of Computer and Network Security. Companies use backup DLT tapes and rotation schedules for the tapes to ensure tapes are carried offsite daily. Many companies are looking for, and some are using, offsite backup strategies through third-party companies. This action alone can be a risk if a thorough background check of the third party is not performed and if that company does not follow internal security policies.
Training is in place from the lowest level of the help desk to the Information Technology manager and CIO. Training updates are given to all employees outside of the IT department so that security can be maintained throughout the company. These companies use the following training methods:
o Memos to all staff on new viruses
o Memos to IT personnel on new viruses
o Memos to IT personnel on opportunities to train at seminars
o Seminars (mandatory)
o Seminars (voluntary)
o Webcasts/Podcasts
o In-house training by security personnel
o In-house training by outside resources
o College reimbursement
o New product training
o Policy and procedure review
o Proper use of the Internet
o Proper use of email and best practices
Memos provide a written form of communication for IT professionals. Whether in email format or in written document format, memos provide a backbone for communication in information technology security.
Email memos can be sent through collaboration software such as Microsoft Outlook and used in conjunction with its calendar feature. This feature allows reminders to be set, and the shared calendar allows all team members to see the reminders.
Seminars are an excellent resource for learning security and new product features and updates. With Microsoft TechNet briefings held quarterly in many major cities in the United States, the IT professional can network with Microsoft’s professionals. This networking allows for audience reaction and discussion on issues found in industry today.
Setting seminars as voluntary gives team members the freedom to attend these events as they choose, while mandatory seminars ensure the members gather information that can be used in the organization. The selection should be both voluntary and mandatory to ensure the IT professional achieves a diverse knowledge of the areas needed for the true protection of networks.
Webcasts/Podcasts provide training to organizations on site and are offered by large organizations and software vendors. Webcasts can be prerecorded or live. These forms of training allow the IT manager or CIO to be present to answer questions for junior IT professionals or help desk personnel.
In-house training allows for security directors or outside industry leading experts to come on site and educate personnel on topics involving security. This form of training ensures personnel are present and communication gets through to all in-house personnel.
Outside experts coming into facilities allow for a variety of topics and a third-party view of what security practices are being used by other industries.
College reimbursement provides motivation for employees to educate themselves. This allows employees to gain higher education at no or little cost. This becomes a valuable tool for not just the employee but for the company or corporation. The payoff of reimbursement becomes the knowledge of the employee.
Because the technology field in the world of computers changes at the drop of a hat, new products are introduced at a record-breaking pace. This introduction is not only of totally new products to the industry but can also be updates or version changes to software. It is very important for CIOs to make training on new products available to all levels of information technology.
Policy and procedures are one of the largest keys to protecting a network, yet all aspects of network management change daily. Once these items are put in place, it cannot be stressed enough to review and update these assets of your company as often as possible. Communication of these updates falls back on the written and email memos to peers mentioned in this article.
With IT personnel trained in security, it becomes very important that other members of the organization are aware of Internet and email use policies, so that problems are cut off before they occur.
These articles presented the methodology and detailed plan of the Allen, Neill, and Taylor companies and a higher education facility. From these discussions, it is evident that each of these companies has distinct policy and procedures in place with an overall approach of the following key points:
- Employ certified and experienced personnel
- All are focused on standards set by CERT.ORG and other security industry leaders
- Strong Policy and Procedures in place
- Communications among internal company and internal information systems
- Committees and sub-committees in place for compliance issues