8.6. Detection and Security Policies
Intrusion Detection Systems
Intrusion Detection Systems (IDS) can be placed on the network for security purposes. An IDS does not add any additional security. Instead, it provides the capability to identify if the network is being attacked. An IDS can be configured to watch for specific types of activities and then alert security personnel if that activity occurs. An IDS also can log various types of traffic on the network for analysis later. It is an essential part of any good security system.
An organization can implement the best authentication scheme in the world, develop superior access control, and install firewalls and intrusion detection, but its security cannot be complete without implementation of physical security. Physical security is the protection of the actual hardware and networking components that store and transmit information resources. To implement physical security, an organization must identify all of the vulnerable resources and take measures to ensure that these resources cannot be physically tampered with or stolen. These measures include the following.
- Locked doors. It may seem obvious, but all the security in the world is useless if an intruder can simply walk in and physically remove a computing device. High value information assets should be secured in a location with limited access.
- Physical intrusion detection. High value information assets should be monitored through the use of security cameras and other means to detect unauthorized access to the physical locations where they exist.
- Secured equipment. Devices should be locked down to prevent them from being stolen. One employee’s hard drive could contain all of your customer information, so it is essential that it be secured.
- Environmental monitoring. An organization’s servers and other high value equipment should always be kept in a room that is monitored for temperature, humidity, and airflow. The risk of a server failure rises when these factors exceed acceptable ranges.
- Employee training. One of the most common ways thieves steal corporate information is the theft of employee laptops while employees are traveling. Employees should be trained to secure their equipment whenever they are away from the office.
Besides the technical controls listed above, organizations also need to implement security policies as a form of administrative control. In fact, these policies should really be a starting point in developing an overall security plan. A good information security policy lays out the guidelines for employee use of the information resources of the company and provides the company recourse in the event that an employee violates a policy. A security policy should also address any governmental or industry regulations that apply to the organization. The Canadian Centre for Cyber Security has outlined Baseline Cyber Security Controls for Small and Medium Organizations.
Acceptable Use Policy
Many organizations that provide technology services to a group of constituents or the public require agreement to an Acceptable Use Policy (AUP) before those services can be accessed. This policy outlines what is allowed and what is not allowed while someone is using the organization’s services. An everyday example of this is the terms of service that must be agreed to before using the public Wi-Fi at Starbucks, McDonald’s, or even a university. Here is an example of an acceptable use policy from Niagara College . Acceptable use policies vary from institution to institution and can include acceptable use guidelines for social media, email, and ethical computer use.
Just as with a code of ethics, these acceptable use policies specify what is allowed and what is not allowed. Again, while some of the items listed are obvious to most, others are not so obvious:
- “Borrowing” someone else’s login ID and password is prohibited.
- Using the provided access for commercial purposes, such as hosting your own business website, is not allowed.
- Sending out unsolicited email to a large group of people is prohibited.
As with codes of ethics, violations of these policies have various consequences. In most cases, such as with Wi-Fi, violating the acceptable use policy will mean that you will lose your access to the resource. While losing access to Wi-Fi at Starbucks may not have a lasting impact, a university student getting banned from the university’s Wi-Fi (or possibly all network resources) could have a large impact.
When looking to secure information resources, organizations must balance the need for security with users’ need to effectively access and use these resources. If a system’s security measures make it difficult to use, then users will find ways around the security, which may make the system more vulnerable than it would have been without the security measures. Consider password policies. If the organization requires an extremely long password with several special characters, an employee may resort to writing it down and putting it in a drawer since it will be impossible to memorize.