Cyber Security Tutorial


Types of security policies

Policies act as a protective layer for businesses, organizations, and individual users, and protect their rights. Security policies are meant to secure the technology infrastructure for everyone. They are divided based on purpose, scope, and need. Primarily, they are classified into two categories:

User policies
Designed and written especially for users, these policies bind the user with respect to the computer resources in a workplace. They tell the user what software may be installed, which websites may be visited, and which removable devices may be used.

IT policies
These policies are specially designed to secure the procedures and functions of the IT department. Such policies are:

  • Backup policies
    These policies are designed to secure individual and organizational data. They record what should be backed up, who handles the data, where it should be stored, how often backups are taken, and how long data should be kept in storage.
  • Server policies
    Designed to protect the network servers and to define who may access the network and with which rights. They manage the level of internet access, which software should be installed, and how that software is regularly updated.
  • General policies
    General policies are made for staff or employees to protect their rights and access level to the system. In case of any disaster, these are standby policies and are even included in the communication protocol.
  • VPN policies
    These policies are designed to work with firewall policies and cover users who have VPN access with certain rights. They define a partner's level of access to the network for site-to-site connections and the type of encryption that is set.
  • Configuration policies and firewall access
    These policies define how a user's access to the firewall is handled and what that access includes, such as rule changes and monitoring. They also cover which software suits the configuration and which ports and services are allowed (inbound or outbound).

Security policies are divided into three types based on the purpose and scope.

  • System-specific policy
    This type of security policy focuses on the information security of a particular system or network. It covers payroll systems, data archive systems, and customer-facing applications; system-specific security policies articulate the operational security rules and the objectives that support them.
  • Organizational policy
    Organizational security policy is a commitment to information security that covers the whole organization's security objectives. The organizational security policy often informs the organization's compliance goals. Other security policies are derived from this primary document, as it is the master blueprint of the entire organization's security program.
  • Issue-specific policy
    This type of policy consists of guidelines for a particular threat or category of threats, such as general email security or phishing attacks. It targets certain aspects of the larger organizational policy.
  • Prudent policy
    This policy restricts internet access by blocking everything and allowing only a small list of valid websites. It logs network and system activities, and the administrator permits safe and necessary services. In this policy, extra services are allowed to be installed on computers.
  • Promiscuous policy
    This policy places no restriction on internet access or the use of system resources. Users can access any website without condition, access a laptop or a network from a remote location, and transfer any application. It is helpful for companies and employees because work can be done from home, from branch offices, while traveling, and outside the office. Because network access is unrestricted, users can pick up viruses, several kinds of malware, and Trojan threats. When selecting this kind of policy, network administrators must keep themselves aware of threats.
  • Permissive policy
    This policy provides wide-open network access but blocks well-known dangerous attacks, services, and behaviors. Known attacks and exploits are blocked while the bulk of internet traffic is accepted. This policy is updated regularly so that administrators can keep up with new attacks and exploits.
  • Paranoid policy
    This policy forbids everything and restricts all use of company computers, whether or not they work on the network. There is either no internet connection or severely restricted internet usage, and users notice the restrictions and look for ways around them.
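
The difference between the four internet-access stances above (promiscuous, permissive, prudent, paranoid) is easiest to see when the same requests are run through each of them. The following Python sketch is an added example, not part of the original tutorial; the `AccessPolicy` class, the service names and both lists are hypothetical, and the paranoid policy is modelled as deny-all.

```python
from dataclasses import dataclass, field
from enum import Enum


class Stance(Enum):
    PROMISCUOUS = "promiscuous"  # no restriction at all
    PERMISSIVE = "permissive"    # allow by default, block known-bad
    PRUDENT = "prudent"          # block by default, allow a short list, log
    PARANOID = "paranoid"        # forbid everything (modelled as deny-all)


@dataclass
class AccessPolicy:
    stance: Stance
    allowlist: frozenset = frozenset()   # consulted only by PRUDENT
    blocklist: frozenset = frozenset()   # consulted only by PERMISSIVE
    log: list = field(default_factory=list)

    def decide(self, service: str) -> bool:
        if self.stance is Stance.PROMISCUOUS:
            allowed = True
        elif self.stance is Stance.PERMISSIVE:
            allowed = service not in self.blocklist
        elif self.stance is Stance.PRUDENT:
            allowed = service in self.allowlist
            # The prudent stance logs every decision, allowed or not.
            self.log.append((service, "allow" if allowed else "deny"))
        else:
            allowed = False
        return allowed


# Constructed sample data: these service labels are hypothetical.
KNOWN_BAD = frozenset({"telnet", "smb-inbound"})
APPROVED = frozenset({"https-intranet", "smtp-relay"})
REQUESTS = ["https-intranet", "telnet", "new-unreviewed-service"]


def compare(requests=REQUESTS):
    """Return {stance name: {service: allowed}} for every stance."""
    policies = [
        AccessPolicy(Stance.PROMISCUOUS),
        AccessPolicy(Stance.PERMISSIVE, blocklist=KNOWN_BAD),
        AccessPolicy(Stance.PRUDENT, allowlist=APPROVED),
        AccessPolicy(Stance.PARANOID),
    ]
    return {p.stance.value: {s: p.decide(s) for s in requests} for p in policies}


if __name__ == "__main__":
    for stance, decisions in compare().items():
        print(f"{stance:12}", decisions)
```

The unreviewed service is the case to watch: the permissive stance lets it through until someone adds it to the blocklist, while the prudent stance denies and logs it.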

A security policy is a written plan prepared by a company to protect its data assets from known and unknown threats. These policies are designed to maintain the CIA triad (confidentiality, integrity, and availability) of data. Some other policies used by organizations worldwide to secure their vital resources and assets are as follows:

  • Access management policy
    Access management policy protects the company's system resources and permits an organization to track its assets. It defines the rules that manage access.
  • Firewall management policy
    It is a protection policy that covers which ports are blocked, how changes are made to the firewall, how long logs should be kept, and what updates should be applied.
    It sets a standard for handling application traffic (email or web) and for managing, protecting, monitoring, and updating firewalls within the organization. It defines vulnerabilities related to applications and creates an application-traffic matrix showing protection strategies and network applications.
  • Remote access policy
    A remote access policy is designed to handle an organization's remote access functionality, i.e., who will have remote access, the security controls, and the access medium.
    These rules define authorized connections when networks are geographically dispersed and employees work from home.
    It is best suited to big companies whose work is remote-based. It defines how a user uses the access, what can be accessed, when the user can work, and which software is used, such as RDP, SSH, or VPN. This policy was highly recommended during the Covid-19 situation, when organizations were bound to do remote work. An organization implements this policy to define and outline procedures for remotely accessing its internal work and to protect systems operating from dispersed or unsecured network locations such as coffee shops and home networks.
  • Network connection policy
    Every organization uses a network connection policy defining rules that protect against unprotected and unauthorized connections, which allow attackers to breach security, enter the organization's network, and affect system and data integrity.
    This policy covers private networks, configuration standards for extending any part of the network, and detailed information about the devices attached to the network.
    Here only authorized devices and persons are allowed to connect to the network, approve the installation of new devices, document network changes, and define who can install new resources on the internet. Communication takes place through the network only, so network connectivity must be secured.
  • Software security policy
    This policy deals with software installation on any device, such as official and personal systems, mobile phones, laptops, tablets, etc. Installation permission should be given to allowlisted software rather than warez and pirated software. Unknown and unwanted software must not be downloaded without permission, and company software must not be given to a third party.
  • Email usage policy
    Email is the most important communication medium for personal and professional work; therefore, protection is mandatory.
    An email usage policy is implemented to prevent information from leaking outside.
    This policy makes all employees aware that they should not open unwanted and suspicious attachments and that they should understand the importance of the system. By using encrypted mail, private and confidential data should not be sent.
  • Information protection policy
    This policy consists of rules and regulations regarding the handling of information in the organization, such as:
    • Regulation of access to information
    • How to store the information
    • How to process the information
    • How the information should be transferred
  • Password creation policy
    Everyone has to use a password when working on the internet at home or accessing secure information, and hacked passwords are the most common cause of data breaches because people set weak passwords like '12345' and 'Password'.
    Organizations should mitigate this threat by creating a password policy consisting of an outline for password creation and guidelines for a strong password. Some instructions for creating a strong password are:
    • Using special characters such as !, @, #, $, %, &, *, etc.
    • Using an uppercase letter.
    • Using numeric values with the alphabet.
    • Password should be a combination of 8 letters.
    • Employees must use mnemonics, including numbers, punctuation, first letter, etc. For example, T&E3467.
  • Virus and spyware protection policy
    This policy defines the protection method of devices from viruses and spyware. It helps in the following:
    • Detecting the side effects of a virus, and removing and repairing them.
    • Finding security risks by using signatures.
    • Detecting threats in files.
    • Detecting suspicious file behavior by using SONAR heuristics and reputation data.
    • Preventing users from downloading threats by checking the files they try to download against reputation data from Download Insight.
  • User account policy
    This policy defines the rules regarding using another account by the user in the same system. It tells what a user should do to have or maintain another account in the specific system.
    For example, some questions should be answered: the user's age, whether the password should be complex, how many times a user can log in or fail to log in, and whether the user should be activated, blocked, or deactivated.
  • Live update policy
    This policy is divided into two parts: the LiveUpdate content policy and the LiveUpdate setting policy. It decides when and how the client computer downloads content updates from LiveUpdate.
    It also defines when and how clients contact the computer to check for updates and schedule them.
  • Exception policy
    This policy scans the system to detect viruses and spyware and can exclude the processes and applications containing the virus.
  • Host integrity policy
    Host integrity policy protects the network from the client system by defining, restoring, and enforcing the security of the client computer system in order to keep enterprise data and the network secure.
    A client computer that accesses the company network must be protected and compliant with the company's security policies, which require antivirus on the client system.
  • Password management policy
    A password remains a password only as long as it is not shared with someone, written on paper, saved with 'remember password' on a public computer, or allowed to fall into the wrong hands.
    A strong password remains strong and secure only as long as its integrity remains intact. Suppose a user uses the same password for different accounts.
    This increases the chances of hacking, because once a database is hacked, criminals find the credentials of personal email accounts along with other accounts. Organizations must include a password management policy that instructs employees not to share passwords, not to use the same password for multiple accounts, and never to write them anywhere.
  • Portable media policy
    Portable media is one of the means by which cybercriminals can easily infect an organization's system: malware is planted on a removable device, and the device is then plugged into company computers.
    Many companies face this kind of problem and counteract it by banning removable devices and relying on the cloud or email to transfer information.
    Some companies give their own devices to employees for work and keep track of the websites and portable devices used for work to prevent the leaking of confidential information.
  • Acceptable use policy (AUP)
    This policy is specially designed for employees and specifies the restrictions and practices for using the organization's IT assets.
    Employees must obtain permission to access the corporate network or system. Before being granted a network ID, an employee must read and sign the AUP, as it is a standard onboarding policy for employees.
  • Data breach response policy
    The data breach response policy defines the roles and responsibilities of staff in handling a data breach incident, incident reporting, standards and metrics, remediation efforts, and feedback mechanisms.
    It manages the incident by describing the process of handling it and remediating its impact on customers and business operations.
  • Disaster recovery plan
    This is an organization's disaster recovery plan, part of a larger business continuity plan, designed to manage an incident through the data breach response policy.
    The data recovery plan includes recommendations from both the cyber security and IT teams.
  • Business continuity plan
    A business continuity plan (BCP) is designed to handle emergency operations and coordination efforts.
    It also works with a disaster recovery plan to restore hardware, data, and applications considered important for business continuity.

Conclusion

Many more policies can be designed in cyber security to protect and maintain the confidentiality, integrity, and availability of data, for individuals or for an organization. Designing and documenting policies can take time and a lot of effort. However, they are still the best way to deal with cyber security issues in the IT industry and with ISO-certified policies.