"Security is a process, not a product."
"Security is a journey, not a destination."
SECURING THE ENVIRONMENT
How do we go about securing things?
To secure our information assets, we need to think, and act, at multiple
levels.
PERIMETER SECURITY:
Secure the building, introduce a network DMZ
SECURITY POLICY:
A common basis for information management security.
A security policy must be a living document - not a "Set & Forget" proposition.
ASSET CLASSIFICATION:
what is to be secured?
What level of security? (Classified, Top-secrect, Public.)
How should information be treated within the various classifications?
PHYSICAL SECURITY:
Secure the environment, secure the computer, secure the components.
SOLUTIONS TO REDUCE RISK:
OK so our information assets are always going to be at risk,
how can we minimise the risk that they are exposed to?
FIREWALL:
Install and use firewalls in strategic places in the network.
Note: an out of date firewall is a larger risk than no firewall at all.
- eg. WatchGuard Firebox (Firewall)
ANTI-VIRUS:
Anti-Virus/Trojan/Malicious software detection for Workstations and Servers.
See the AntiVirus pages.
VPN (Virtual Private Networks):
A VPN uses encryption and authentication services to
provide a secure connection through an otherwise insecure network such as the Internet.
VPNs are usually cheaper than private networks using private leased lines.
STRONG USER AUTHENTICATION:
Strong User Authentication
ENCRYPTED NETWORK PROTOCOL:
Using protocols with an encrypted network protocol/layer eg. SCP
(encrypted pass) rather than FTP (clear text pass),
SLL (to secure the data as well as the login).
DATA ENCRYPTION:
Data Encryption and signing eg. PGP
PHYSICAL SECURITY:
Physical Security (I) : keyed access, authorized access areas, alarms.
Physical Security (II) : securing the computer and components.
see Physical Security
SOLUTIONS TO MINIMIZE DAMAGE:
If someone does puncture the defences, how can we make sure
that minimal damage occurs?
- Firewall Reconfig
- Intrusion Detection: ongoing monitoring of systems access
- Clear Incident Reporting: including formal review of all
security incidents.
- Adequate Backups (with tested restore from Backups!)
- Planned Disaster Recovery procedures and priority.
- Redundant/Mirror Facilities
- Security Policy: Regular compliance checks
- Tiger Team checks: using common tools from the internet.
INSURANCE:
Departmental Excess on Insurance Claims Involving Computers
Personal Property Warning
Equipment being taken “Off Campus” - advice form [PDF]
Risk Management Office - Insurance Information
|
