Sample Critical Infrastructure Protection Policy

Introduction

Protecting the network, physical and information systems infrastructure is critical to preserving the confidentiality, integrity, and availability of communication and services across the XYZ organization. Network infrastructure consists of interconnected devices designed to transport the communications essential for data, applications, services, and multimedia. Physical infrastructure covers how all devices, servers and physical files are protected.

Scope

This policy applies to all employees of XYZ organization as well as any other users of the network infrastructure, including independent contractors or others who may be given temporary access to the organization's systems. Information transferred to or stored on XYZ organization's resources is the property of the organization unless it is specifically identified as the property of other parties.

Policy

  • The organization reserves the right to remove any unauthorized cables, connections, and hardware.
  • Decide whether new payment products and emerging technologies pose increased risk due to the lack of maturity of their respective control environments.
  • The organization should use third parties to verify that the physical security procedures have been implemented and are working properly.
  • All network infrastructure equipment within the organization's network shall be owned and maintained by the organization.
  • Unencrypted remote administration protocols used to manage network infrastructure should be disabled.
  • Control the entrance and exit of employees from areas such as office buildings, data centers or rooms containing local area network servers.
  • Unnecessary services such as discovery protocols, source routing, HTTP, SNMP and BOOTP should be disabled.
  • Console, auxiliary, and VTY line access should be secured.
  • IT equipment and the servers and workstations that give staff access to applications must be secured and protected from unexpected damage or loss. Physical controls such as locked rooms with restricted access should be applied.
  • Private VLANs should be used to isolate a user from the rest of the broadcast domain.
  • Virtual Routing and Forwarding (VRF) technology must be used to segment network traffic over multiple routing tables concurrently on a single router.
  • WLAN equipment should only be accessible to authorized persons.
  • Physical security controls, such as fingerprint scanners and access control systems, should themselves be protected.
  • Strong password policies should be enforced on all network devices.
  • The organization must develop or adopt a disaster recovery and emergency response plan covering its critical network infrastructure.
  • No unauthorized staff are allowed to access any Company systems in any location.
  • All current and new clients are instructed in their security duties.
  • Access to communications infrastructure must be limited to appropriate and approved personnel. Where reasonable, communications equipment should be kept in dedicated enclosures.
  • XYZ Organization must establish and maintain a program to control its Internet Protocol (IP) network address space, including both dynamic and static addressing.
  • Robust disaster recovery and business continuity procedures are in place.
  • Employees agree never to disclose their passwords to anyone, particularly to family members if business work is conducted from home.
  • To properly address risks such as equipment failure and natural threats, hardware must be installed in an environment approved by the organization.
  • Electronic filing systems and documentation are well maintained for all critical job functions to ensure continuity.
  • Physical access to information assets, and the roles users hold, should be limited.
  • Remote users who use non-Company network infrastructure to access Company resources must employ, for their devices and related infrastructure, a Company-approved personal firewall, VPN, and any other security measure deemed necessary by the IT Department.
  • Named individuals are given authority to administer specific computer systems according to their job function and role, following the principle of least privilege.
  • It is the responsibility of any employee who connects to the organizational network to ensure that all components of their connection remain as secure as their network access inside the workplace.
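Several of the bullets above (disabling unencrypted remote administration, disabling discovery protocols, source routing, HTTP, SNMP and BOOTP, and securing console, auxiliary and VTY lines) are concrete enough to be checked automatically. The script below is an added example, not part of the original policy post: a small compliance checker that parses a Cisco IOS-style running configuration and reports each policy deviation. It assumes IOS defaults (CDP, IP source routing and the BOOTP server are enabled unless an explicit "no ..." line is present, and VTY lines accept telnet unless "transport input ssh" is set); both configurations it ships with are constructed samples, not real device output.

```python
"""Policy compliance checker for IOS-style device configurations.

Added example for the hardening bullets of the policy above; it is not the
organization's own tooling. Assumes Cisco IOS defaults: CDP, IP source routing
and the BOOTP server are on unless an explicit 'no ...' line appears, and VTY
lines accept telnet unless 'transport input ssh' is configured.
"""
import re

# Constructed sample: a config that violates several policy bullets.
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
snmp-server community public RO
!
line con 0
 login
!
line aux 0
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed sample: the same device after applying the policy.
HARDENED_CONFIG = """\
hostname edge-rtr
no cdp run
no ip source-route
no ip http server
no ip http secure-server
no ip bootp server
service password-encryption
!
line con 0
 exec-timeout 5 0
 login local
!
line aux 0
 no exec
 transport input none
!
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""

# Global-mode lines that must be present (absence means the IOS default applies).
REQUIRED_GLOBALS = {
    "no cdp run": "discovery protocol (CDP) left enabled (IOS default)",
    "no ip source-route": "IP source routing left enabled (IOS default)",
    "no ip bootp server": "BOOTP server left enabled (IOS default)",
}
# Global-mode lines that must not be present.
FORBIDDEN_GLOBALS = {
    r"^ip http server$": "cleartext HTTP management server enabled",
    r"^snmp-server community ": "SNMP community string configured",
}


def parse_config(text):
    """Split a config into global lines and per-'line' sections.

    Returns (global_lines, sections); sections maps a header such as
    'line vty 0 4' to the list of its indented sub-commands.
    """
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None           # '!' or a blank line ends a section
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if line.startswith("line "):
            current = line
            sections[current] = []
        else:
            global_lines.append(line)
    return global_lines, sections


def check_policy(text):
    """Return a list of findings; an empty list means the config is compliant."""
    global_lines, sections = parse_config(text)
    findings = []
    for required, why in REQUIRED_GLOBALS.items():
        if required not in global_lines:
            findings.append(f"global: {why}; add '{required}'")
    for pattern, why in FORBIDDEN_GLOBALS.items():
        for line in global_lines:
            if re.match(pattern, line):
                findings.append(f"global: {why} ('{line}')")
    for name, cmds in sections.items():
        if name.startswith("line aux"):
            if "no exec" not in cmds:
                findings.append(f"{name}: auxiliary port accepts logins; add 'no exec'")
            continue
        if not any(c == "login local" or c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: no per-user authentication; use 'login local' or AAA")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: no exec-timeout; idle sessions never expire")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport != "transport input ssh":
                shown = transport or "transport input (default: telnet)"
                findings.append(f"{name}: unencrypted remote admin permitted ('{shown}')")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(check_policy(cfg))} finding(s)")
        for f in check_policy(cfg):
            print("  -", f)
```

The checker reports the weak sample's cleartext HTTP server, SNMP community string, telnet-capable VTY lines, unsecured auxiliary port and the three "enabled by default" services, and returns no findings for the hardened sample. Because IOS omits default settings from the running configuration, the check for CDP, source routing and BOOTP is written as "the disabling line must be present" rather than "the enabling line must be absent"; a real audit would also confirm the platform's defaults before trusting that assumption.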
