Lecture 1 Secure Organization

Uploaded by Kedir Mohammed

Network Security and Management

Department of IT
I M. Sc IT
Arba Minch Institute of Technology

Course Handler : Dr. M. Azath Hussain


Chapter 1: Building a Secure Organization
Contents
Introduction – Network Security
Trust, Weaknesses, Risk and Vulnerabilities
Threats
Mechanisms
Enterprise Security
Real threats that impact cyber security
A cyber security policy
Introduction

A security policy defines what people can and can't do with network components and resources. In
Information Technology, Security is the protection of information assets through the use of technology,
processes, and training.
Security provides access into your network in the way you want to provide it, allowing people to work
together.
Network security is a system comprising the provisions and policies adopted by a network administrator
or an organization to prevent and monitor unauthorized access, misuse, modification, or denial of a
computer network and its resources.
Computer networks that are involved in regular transactions and communication within government,
between individuals, or in business require security.
Network Security Overview

With the rapid growth of interest in the Internet, network security has become
more important. Currently, network administrators often spend more effort
protecting their networks than they spend on the actual setup.
They have to make the following determinations:
• Who will have access to data?
• What resources will users have access to?
• When will users access resources?

Some of these decisions depend on the particular organization you are serving
because some resources can be trusted more than others.
Trust, Weaknesses, Risk and Vulnerabilities

Trust
It is the likelihood that people will act the way you expect them to act.
Often based on past experiences.
It can exist only between two individuals who know each other.
You can never trust a total stranger, but you can start to trust one over a certain
period of time.
Networking context - you might be willing to trust a stranger if you know that
someone you trust trusts him.
The basis for Secure Sockets Layer (SSL) and certificate exchange.
Trust..
Most trusted - internal servers, domain controllers, and storage devices attached to
the network. Only a limited number of well-known people should have access to
these devices.
Less trusted (not most trusted) - internal users and remote, authenticated users. An
organization has to trust its users, otherwise these users cannot perform their jobs.
Least trusted (un-trusted) - Internet servers and remote, unauthenticated users.
You can’t trust an Internet server because you are not sure what is behind it. The
reason for using digital certificates.

Trust..

Consider external and internal weaknesses and vulnerabilities.


External weaknesses include malware, spyware, hackers, crackers, and script kiddies.
Malware is a group of destructive programs, such as:
1. Virus - a piece of code that can take any action, from displaying a message to erasing data.
2. Worm - replicates like a virus, but uses email and network facilities to spread.
3. Spyware - gathers user information and sends it to a central site.
4. Hoax - contains no code; instead it relies on the gullibility of users to spread, often using emotional subjects.
Trust..
Hackers vs Crackers
Hacker - a person who is proficient in using and creating computer software to gain illegal access to
information. The term hacker is used to describe an individual who attempts unauthorized and malicious
activity.
A cracker uses various tools and techniques to gain illegal access to various computer platforms and
networks with the intention of harming the system.
Script kiddies are a subclass of crackers. They use scripts made by others to exploit a security flaw in
a certain system.
Trust..
A common security mistake is to assume that attacks always come from outside your
organization. Some of the potential threats from inside your organization:
1. Authenticated Users
2. Unauthorized Programs
3. Un-patched Software
Attackers strategically and deliberately choose their targets based on vulnerabilities they have
observed.
Attackers continue to benefit from certain tactical advantages: the time, location, place, and method
of attack.
Trust..

With the increasing popularity of the Internet, terrorist groups might seek to cause
damage by means of a cyber-attack.
They can exploit the Internet to:
1. Collect information and to recruit, command, and control their accomplices.
2. Raise funds for their activities.
3. Expand their technical capabilities.
They may also target commercial and governmental computer-driven applications in order to disrupt
financial networks.
2. THREATS
A threat, in the context of computer security, refers to anything that has the potential
to cause serious harm to a computer system.
A threat is something that may or may not happen, but has the potential to cause
serious damage. Threats can lead to attacks on computer systems, networks and more.
1. Eavesdropping
2. Tampering
3. Impersonation
4. Repudiation
5. Denial of service
6. Illegal Access

EAVESDROPPING
Eavesdropping is the unauthorized real-time interception of a private communication, such as a phone
call, instant message, videoconference or fax transmission.
The term eavesdrop derives from the practice of actually standing under the eaves of a house, listening
to conversations inside.
TAMPERING
Tampering is the unauthorized modification of data, for example as it flows over a network between two
computers.
An attacker modifies the data in a message in order to attack the client or the service.
IMPERSONATION

Impersonation is used to access resources on the same machine where the service code is
running.

REPUDIATION

A repudiation attack happens when an application or system does not adopt controls to
properly track and log users' actions, thus permitting malicious manipulation or forging
the identification of new actions.

DENIAL of SERVICE (DoS)

In computing, a denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to
make a machine or network resource unavailable to its intended users, such as to temporarily or
indefinitely interrupt or suspend services of a host connected to the Internet.
ILLEGAL ACCESS

A person commits the criminal offense of illegal access to a computer system when he or she accesses
the whole or any part of a computer system without right.
3. MECHANISMS

A security mechanism is designed to detect, prevent, or recover from a security attack.
A security service makes use of one or more security mechanisms.
1. Confidentiality
2. Integrity
3. Auditing
4. Authentication
5. Access control
CONFIDENTIALITY
Confidentiality is a set of rules that limits access to information.
Measures undertaken to ensure confidentiality are designed to prevent sensitive information from
reaching the wrong people, while making sure that the right people can in fact get it.
Training can help familiarize authorized people with risk factors and how to guard against them.
Further aspects of training can include strong passwords and password-related best practices and
information about social engineering methods.
INTEGRITY

Integrity is the assurance that the information is trustworthy and accurate.
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire
life cycle.
Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by
unauthorized people (for example, in a breach of confidentiality).
This goal covers how we keep our data from being altered; a man-in-the-middle (MiTM) attack is the
example threat for this goal.
AUDITING

A network security audit is a means by which the ongoing level of performance of an organization's
network security can be monitored.
Various kinds of network security audit features exist in all modern computing platforms, such as
security event logs and journals of database activity.
AUTHENTICATION

Authentication is the process of determining whether someone or something is, in fact, who or what it
is declared to be.
Authentication precedes authorization (although they may often seem to be combined).
It is the process of identifying an individual, usually based on a username and password.
ACCESS CONTROL

Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint
security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user
or system authentication and network security enforcement.
Access control is a security technique that can be used to regulate who or what can view or use
resources in a computing environment.
There are two main types of access control: physical and logical.
• Physical access control limits access to campuses, buildings, rooms and physical IT assets.
• Logical access control limits connections to computer networks, system files and data.
Enterprise Security
Enterprise security is about building systems to remain dependable in the face of malice, error, or
mischance.
As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test
complete systems, and to adapt existing systems as their environment evolves.
Enterprise security requires cross-disciplinary expertise, ranging from cryptography and computer
security through hardware tamper-resistance and formal methods to a knowledge of economics, applied
psychology, organizations and the law.
Many security systems have critical assurance requirements.
Their failure may endanger human life and the environment (as with nuclear safety and control
systems), do serious damage to major economic infrastructure (cash machines and other bank systems),
endanger personal privacy (medical record systems), and facilitate crime (burglar and car alarms).
Enterprise Security Analysis Framework

Good enterprise security requires four things to come together.
There’s policy: what you’re supposed to achieve.
There’s mechanism: the ciphers, access controls, hardware tamper-resistance and other machinery
that you assemble in order to implement the policy.
There’s assurance: the amount of reliance you can place on each particular mechanism.
Finally, there’s incentive: the motive that the people guarding and maintaining the system have to
do their job properly, and also the motive that the attackers have to try to defeat your policy.
Eg: 9/11 Attack
Enterprise System - Examples
1. A Bank
Banks operate a surprisingly large range of security-critical computer systems.
• The core of a bank’s operations is usually a branch bookkeeping system. The main threat to this system is the
bank’s own staff; about one percent of bankers are fired each year, mostly for petty dishonesty (the average
theft is only a few thousand dollars).
• One public face of the bank is its automatic teller machines. Authenticating transactions based on a customer’s
card and personal identification number, in such a way as to defend against both outside and inside attack,
is harder than it looks!
• Another public face is the bank’s website. Bank websites have come under heavy attack recently from phishing:
from bogus websites into which customers are invited to enter their passwords.
• Behind the scenes are a number of high-value messaging systems.
• The bank’s branches will often appear to be large, solid and prosperous, giving customers the psychological
message that their money is safe.
Enterprise System - Examples
2. Military
Military systems have also been an important technology driver.
• Some of the most sophisticated installations are the electronic warfare systems whose goals include trying to
jam enemy radars while preventing the enemy from jamming yours.
• Military communication systems have some interesting requirements. It is often not sufficient to just encipher
messages: the enemy, on seeing traffic encrypted with somebody else’s keys, may simply locate the transmitter
and attack it.
• Military organizations have some of the biggest systems for logistics and inventory management, which differ
from commercial systems in having a number of special assurance requirements.
• The particular problems of protecting nuclear weapons have given rise over the last two generations to a lot of
interesting security technology, ranging from electronic authentication systems that prevent weapons being used
without the permission of the national command authority, through seals and alarm systems, to methods of
identifying people with a high degree of certainty using biometrics such as iris patterns.
Enterprise System - Examples
3. A Hospital
Hospitals have a number of interesting protection requirements, mostly to do with patient safety and
privacy.
• Patient record systems should not let all the staff see every patient’s record, or privacy violations
can be expected.
• Patient records are often anonymized for use in research, but this is hard to do well.
• Web-based technologies present interesting new assurance problems in healthcare.
• New technology can introduce risks that are just not understood. Hospital administrators understand
the need for backup procedures to deal with outages of power, telephone service and so on; but medical
practice is rapidly coming to depend on the net in ways that are often not documented.
Canada’s Student Snooping
Building a Secure Organization
It seems logical that any business, whether a commercial enterprise or a not-for-profit business,
would understand that building a secure organization is important to long term success.
When a business implements and maintains a strong security posture, it can take advantage of
numerous benefits.
A secure organization can use its security program as a marketing tool, demonstrating to clients
that it values their business so much that it takes a very aggressive stance on protecting their
information.
Security breaches can cost an organization significantly through a tarnished reputation, lost
business, and legal fees.
Despite the benefits of maintaining a secure organization and the potentially devastating
consequences of not doing so, many organizations have poor security mechanisms, implementations,
policies, and culture.
OBSTACLES TO SECURITY
In attempting to build a secure organization, we should take a close look at the obstacles that make it
challenging to build a totally secure organization.
1. Security Is Inconvenient
Security, by its very nature, is inconvenient, and the more robust the security mechanisms, the more
inconvenient the process becomes.
• Employees in an organization have a job to do; they want to get to work right away.
• To gain a full appreciation of the frustration caused by security measures, we have only to watch the
Transportation Security Administration (TSA) security lines at any airport. Simply watch the frustration
build as a particular item is run through the scanner for a third time while a passenger is running late
to board his flight.
• When we implement any security mechanism, it should be placed on the scale where the level of security
and ease of use match the acceptable level of risk for the organization.
OBSTACLES TO SECURITY
2. Computers Are Powerful and Complex
Home computers have become storehouses of personal materials. Our computers now
contain wedding videos, scanned family photos, music libraries, movie collections, and
financial and medical records.
Because computers contain such familiar objects, we have forgotten that computers are very
powerful and complex devices.
Most people are unfamiliar with the way computers truly function and what goes on “behind the
scenes.” Things such as the Windows Registry, ports, and services are completely unknown to most
users and poorly understood by many computer industry professionals.
For example, many individuals still believe that a Windows login password protects data on
a computer.
OBSTACLES TO SECURITY
3. Computer Users Are Unsophisticated
Many computer users believe that because they are skilled at generating spreadsheets, word
processing documents, and presentations, they “know everything about computers.”
The “bad guys” (people who want to steal information from or wreak havoc on computer systems)
have also identified that the average user is a weak link in the security chain.
As companies began investing more money in perimeter defenses, attackers looked to the path of
least resistance. They send malware as attachments to email, asking recipients to open the
attachment.
Despite being told not to open attachments from unknown senders or simply not to open
attachments at all, employees consistently violate this policy, wreaking havoc on their networks.
The “I Love You” virus spread very rapidly in this manner. More recently, phishing scams have
been very effective in convincing individuals to provide their personal online banking and credit-
card information.
OBSTACLES TO SECURITY
4. Current Trend Is to Share, Not Protect
Even now, despite the stories of compromised data, people still want to share
their data with everyone.
And Web-based applications are making this easier to do than simply attaching
a file to an email. Social networking sites such as SixApart provide the ability to
share material: “Send messages, files, links, and events to your friends.
Create a network of friends and share stuff.”
These sites can allow proprietary data to leave an organization by bypassing
security mechanisms.
OBSTACLES TO SECURITY
5. Data Accessible from Anywhere
To be productive, employees now request access to data and contact information on
their laptops, desktops, home computers, and mobile devices. Therefore, IT
departments must now provide the ability to sync data with numerous devices.
Previously mentioned online storage sites can be accessed from both the home and
office or anywhere there is an Internet connection.
For many, Google’s free email service Gmail is a great tool that provides a very robust
service for free. What few people realize is that Gmail provides more than 7 GB of
storage that can also be used to store files, not just email.
OBSTACLES TO SECURITY
6. The Bad Guys Are Very Sophisticated
At one time the computer hacker was portrayed as a lone teenager with poor social skills who would
break into systems, often for nothing more than bragging rights. As ecommerce has evolved, however,
so has the profile of the hacker.
Now that there are vast collections of credit-card numbers and intellectual property that can be
harvested, organized hacker groups have been formed to operate as businesses.
A document released in 2008 spells it out clearly: “Cybercrime companies that work much like real-
world companies are starting to appear and are steadily growing, thanks to the profits they turn.
Forget individual hackers or groups of hackers with common goals. Hierarchical cybercrime
organizations where each cybercriminal has his or her own role and reward system is what you and
your company should be worried about.” Now that organizations are being attacked by highly
motivated and skilled groups of hackers, creating a secure infrastructure is mandatory.
OBSTACLES TO SECURITY
7. Management Sees Security as a Drain on the Bottom Line
Organizations don’t want to spend the money on it, but the risks of not making the purchase
outweigh the costs. Because of this attitude, it is extremely challenging to create a secure organization.
The attitude is reinforced because requests for security tools are often supported by documents
giving the average cost of a security incident instead of showing more concrete benefits of a strong
security posture. The problem is exacerbated by the fact that IT professionals speak a different
language than management. IT professionals are generally focused on technology, period.
Management is focused on revenue.
Learning these business concepts is beneficial to the organization, because the technical infrastructure
can then be implemented in a cost-effective manner, and it is beneficial from a career development
perspective for IT professionals. A search for “business skills for IT professionals” will identify numerous
educational programs that might prove helpful. For those who do not have the time or the inclination
to attend a class, some very useful materials can be found online.
What is “cyber security?”
According to the U.S. Dept of Commerce:
The protection of information against unauthorized disclosure, transfer, modification, or destruction,
whether accidental or intentional.
According to H.R. 4246 “Cyber Security Information Act”:
Cyber Security: “The vulnerability of any computing system, software program, or critical
infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation
through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications
systems or other similar conduct that violates Federal, State, or international law, that harms
interstate commerce of the United States, or that threatens public health or safety.”
What is “cyber security?”
One way to think about it:
Cyber security = security of cyberspace
What is cyberspace?
• Information systems and networks.
One way to think about it:
Cyber security = security of information systems and networks.
Cyber security = security of information systems and networks with the goal of protecting operations
and assets.
Cyber security = security of information systems and networks in the face of attacks, accidents and
failures with the goal of protecting operations and assets.
What is “cyber security?”
Cyber Security = availability, integrity and secrecy of information systems and networks in the face of attacks,
accidents and failures with the goal of protecting operations and assets
Corporate cyber security = availability, integrity and secrecy of information systems and networks in the face of
attacks, accidents and failures with the goal of protecting a corporation’s operations and assets.
National cyber security = availability, integrity and secrecy of the information systems and networks in the face
of attacks, accidents and failures with the goal of protecting a nation’s operations and assets.
Cyber security as a Discipline
How to achieve cyber security “success”?
How to overcome the cyber security problem?
Must understand four factors that play into the cyber security equation:
Technology
Economics (of stakeholders and incentives)
Social Influences (e.g. Big Brother fears)
Public Policy
What is “cyber security?”
According to “Cyber security Research and Education Act of 2002”:
Cyber security: “information assurance, including scientific, technical, management, or any other relevant
disciplines required to ensure computer and network security, including, but not limited to, a discipline related
to the following functions:
(A) Secure System and network administration and operations.
(B) Systems security engineering.
(C) Information assurance systems and product acquisition.
(D) Cryptography.
(E) Threat and vulnerability assessment, including risk management.
(F) Web security.
(G) Operations of computer emergency response teams.
(H) Cybersecurity training, education, and management.
(I) Computer forensics.
(J) Defensive information operations.
Impacts of cyber security
Case 1: Internet Under Siege
February 7 - 9, 2000
• Yahoo!, Amazon, Buy.com, CNN.com, eBay, E*Trade, ZDNet websites hit with massive DoS.
• Attacks received the attention of President Clinton and Attorney General Janet Reno.
• “A 15-year-old kid could launch these attacks, it doesn’t take a great deal of sophistication to do” – Ron Dick,
Director NIPC, February 9.
• U.S. Federal Bureau of Investigation (FBI) officials have estimated the attacks caused $1.7 billion in damage.
Case 2: Slammer Worm
January 2003: infects 90% of vulnerable computers within 10 minutes.
Effects of the worm: interference with elections; cancelled airline flights; 911 emergency systems affected in
Seattle; 13,000 Bank of America ATMs failed.
Estimated ~$1 billion in productivity loss.
Impacts of cyber security
Case 3: WorldCom
July 2002
• WorldCom declares bankruptcy.
• Problem: WorldCom carries 13% - 50% of global Internet traffic. About 40% of Internet traffic uses
WorldCom’s network at some point.
October 2002
• Outage affecting only 20% of WorldCom users snarls traffic around the globe.
Congressional Hearings
• Congress considers, but rejects, extension of FCC regulatory powers to prevent WorldCom shutdown.
Case 4: September 11
• Wireless tower on top of the Trade Center destroyed.
• Rescue efforts hampered.
Impacts of cyber security
Case 5: It’s a Jungle Out There
The Internet is highly, globally connected.
• Viruses/worms are legion on the Internet and continue to scan for vulnerable hosts.
• Hackers scan looking for easy targets to attack.
Case 6: On 15/03/2017
Almost 500 million Yahoo accounts were affected!!! US charges Russian spies.
Real threats that impact cyber security
Wild threats (standard Internet viruses, spam botnets etc.)
Competitors (for espionage, damage etc.)
Insiders (current or former employees, contractors, vendors)
Organized criminals (for blackmail, revenge etc.)
Terrorists and activist groups (environmental groups etc.)
Foreign states (as acts of war, espionage etc.)
Real threats that impact cyber security

Common cyber threats include:
• Phishing
• Malicious code
• Weak and default passwords
• Unpatched or outdated software vulnerabilities
• Removable media
1. Phishing
The Threat
Phishing is a high-tech scam that uses e-mail to deceive you into disclosing personal information. It puts your personal
information and your organization’s information at risk.
Indicators
The following are suspicious indicators related to phishing:
• Uses e-mail
• May include bad grammar, misspellings, and/or generic greetings
• May include maliciously-crafted attachments with varying file extensions or links to a malicious website
• May appear to be from a position of authority or legitimate company:
  - Your employer
  - Bank or credit card company
  - Online payment provider
  - Government organization
• Asks you to update or validate information or click on a link
• Threatens dire consequence or promises reward
• Appears to direct you to a web site that looks real
1. Phishing
Countermeasures
The following countermeasures can be taken to guard against phishing:
• Delete suspicious e-mails
• Contact your system security point of contact with any questions
• Report any potential incidents
• Look for digital signatures
• Configure Intrusion Detection Systems (IDS) to block malicious domains / IP addresses
• Ensure anti-virus software and definitions are up to date

Do not:
• Open suspicious e-mails
• Click on suspicious links or attachments in e-mails
• Call telephone numbers provided in suspicious e-mails
• Disclose any information

If you suspect you may have been a target of phishing, report it to your Facility Security Officer (FSO) or security point of
contact.
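The indicator list above can be turned into a first-pass triage check for a mail gateway or help desk. The following is an added example, not part of the lecture: it scores a message against those indicators (claimed authority versus real sender domain, generic greeting, a request to update/validate/click, pressure wording, link text that does not match its destination, risky attachment types). The two messages, the table of legitimate sender domains and the flagging threshold are all constructed assumptions.

```python
"""Added example, not part of the lecture: scores an incoming e-mail against the
phishing indicators listed above. The two messages and the table of legitimate
sender domains are constructed for the demonstration."""
import re
from urllib.parse import urlparse

# Constructed table: mail domains each claimed authority really sends from.
KNOWN_SENDER_DOMAINS = {"bank": {"examplebank.com"}, "employer": {"corp.example"}}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
ACTION_WORDS = ("update", "validate", "verify", "click")
PRESSURE_WORDS = ("suspended", "immediately", "within 24 hours", "won", "prize")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip")


def _has_word(text, words):
    """True if any of the words occurs as a whole word in text (case-insensitive)."""
    pattern = r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b"
    return re.search(pattern, text, re.IGNORECASE) is not None


def phishing_indicators(msg):
    """Return the names of the indicators triggered by one message dict."""
    hits = []
    body = msg.get("body", "")
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    claimed = msg.get("claims_to_be")
    # Appears to be from a position of authority (bank, employer, ...) but the
    # sending domain is not one that authority actually uses.
    if claimed and sender_domain not in KNOWN_SENDER_DOMAINS.get(claimed, set()):
        hits.append("sender domain does not match claimed authority")
    if body.lower().startswith(GENERIC_GREETINGS):
        hits.append("generic greeting")
    if _has_word(body, ACTION_WORDS):
        hits.append("asks to update/validate or click")
    if _has_word(body, PRESSURE_WORDS):
        hits.append("threatens consequence or promises reward")
    # The link text shows one site, but the URL leads to a different host
    # ("appears to direct you to a web site that looks real").
    for shown_text, url in msg.get("links", []):
        shown_host = shown_text.lower().split("/")[0]
        real_host = (urlparse(url).hostname or "").lower()
        same_site = real_host == shown_host or real_host.endswith("." + shown_host)
        if "." in shown_host and not same_site:
            hits.append("link text does not match destination")
            break
    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in msg.get("attachments", [])):
        hits.append("risky attachment type")
    return hits


def is_suspicious(msg, threshold=3):
    """Flag a message once it triggers at least `threshold` indicators (assumed cutoff)."""
    return len(phishing_indicators(msg)) >= threshold


# Constructed sample messages: one phishing attempt, one legitimate statement notice.
PHISH = {
    "from": "alerts@examplebank-security.test",
    "claims_to_be": "bank",
    "body": "Dear Customer, your account will be suspended within 24 hours. "
            "Open the link to verify your details.",
    "links": [("www.examplebank.com", "http://examplebank.com.evil.test/login")],
    "attachments": ["Invoice.zip"],
}
LEGIT = {
    "from": "statements@examplebank.com",
    "claims_to_be": "bank",
    "body": "Hello Abebe, your March statement is ready on the site below.",
    "links": [("examplebank.com/statements", "https://www.examplebank.com/statements")],
    "attachments": ["statement.pdf"],
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, is_suspicious(msg), phishing_indicators(msg))
```

A score like this only orders messages for a human to look at; it does not replace reporting the message to the security point of contact.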
2. Malicious Code
The Threat
Malicious code is software that does damage and/or creates unwanted behaviors.
Malicious code includes:
Viruses
Trojan horses
Worms
Keyloggers
Spyware
Rootkits
Backdoors
Indicators
The following are suspicious indicators related to malicious code; malicious code may be distributed via:
• E-mail attachments
• Downloaded files
• Visiting an infected website
• Removable media
Effects include, but are not limited to:
• Corrupt files and destroyed or modified information
• Compromise and loss of information
• Hacker access and sabotaged systems
2. Malicious Code
Countermeasures
The following countermeasures can be taken to guard against malicious code.
• To guard against malicious code in e-mail:
  - View e-mail messages in plain text
  - Do not view e-mail using the preview pane
  - Use caution when opening e-mail
  - Scan all attachments
  - Delete e-mail from senders you do not know
  - Turn off automatic downloading
• To guard against malicious code in websites:
  - Block malicious links / IP addresses
  - Block all unnecessary ports at the firewall and host
  - Disable unused protocols and services
  - Stay current with all operating system service packs and software patches
3. Weak and Default Passwords
The Threat
The use of weak and default passwords creates easily exploitable system vulnerabilities.
Indicators
The following are indicators of weak passwords; weak passwords include those that use:
• Words found in the dictionary
• Readily available information significant to you (names, dates, cities, etc.)
• Lack of character diversity (e.g., all lower case letters)
Effects include, but are not limited to, hackers:
• Exploiting users’ habit of repeating passwords across sites and systems
• Cracking passwords to less secure sites
• Accessing your and your organization’s information
Countermeasures
The following countermeasures can be taken to guard against password compromise, when creating a password:
• Combine letters, numbers, special characters
• Do not use personal information
• Do not use common phrases or words
• Do not write down your password, memorize it
• Change password according to your organization’s policy
• Enforce account lockout for end-user accounts after a set number of retry attempts
• Do not save your passwords or login credentials in your browser
• NEVER share your password
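The three weak-password indicators and the account-lockout countermeasure above map directly onto checks an organization can enforce at password-change and login time. The following is an added example, not part of the lecture: `weakness_indicators` reports which indicators a candidate password triggers, and `AccountLockout` models the lockout rule. The word list, the personal details and the attempt threshold are constructed assumptions.

```python
"""Added example, not part of the lecture: checks a candidate password against the
weak-password indicators listed above and models the account-lockout
countermeasure. The word list and the personal details are constructed samples."""
import string

# Constructed stand-in for a dictionary word list (a real check loads a full list).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}


def weakness_indicators(password, personal_info=(), dictionary=DICTIONARY):
    """Return the names of the lecture's weak-password indicators that apply."""
    found = []
    lowered = password.lower()
    # Indicator: words found in the dictionary, including the common
    # "word followed by digits/symbols" pattern such as summer2024.
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in dictionary or core in dictionary:
        found.append("dictionary word")
    # Indicator: readily available information significant to the user
    # (names, dates, cities) appearing inside the password.
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        found.append("personal information")
    # Indicator: lack of character diversity. Count the character classes
    # present; fewer than three (e.g. all lower case letters) is flagged.
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        found.append("lack of character diversity")
    return found


class AccountLockout:
    """Lock an end-user account after a set number of failed login attempts
    (the countermeasure listed above); the default threshold is an assumed value."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password_correct):
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        if user in self.locked:
            # A locked account rejects even the right password until it is
            # unlocked by an administrator or by the policy's timeout.
            return "locked"
        if password_correct:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(weakness_indicators("summer2024", ("Addis", "1990")))
    lock = AccountLockout(max_attempts=3)
    print([lock.attempt("alice", False) for _ in range(3)], lock.attempt("alice", True))
```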
4. Unpatched or Outdated Software Vulnerabilities
The Threat
Unpatched or outdated software provides vulnerabilities and opportunities for adversaries to access information systems.
Indicators
The following is a list of suspicious indicators related to unpatched and outdated software:
• Unauthorized system access attempts
• Unauthorized system access to or disclosure of information
• Unauthorized data storage or transmission
• Unauthorized hardware and software modifications
Effects include, but are not limited to:
• Corrupt files and destroyed or modified information
• Hard drive erasure and loss of information
• Hacker access and sabotaged systems
Countermeasures
The following countermeasures can be taken to guard against software vulnerabilities:
• Comply with the measures in your organization’s policies, including the Technology Control Plan (TCP)
• Stay current with patches and updates
• Conduct frequent computer audits (ideally daily; at minimum weekly)
• Do not rely on firewalls to protect against all attacks
• Report intrusion attempts
• Disconnect the computer system temporarily in the event of a severe attack
5.Removable Media
The Threat
Removable media is any type of storage device that can be added to and removed from a computer while the system
is running. Adversaries may use removable media to gain access to your system. Examples of removable media
include:
 Thumb drives
 Flash drives
 CDs
 DVDs
 External hard drives
Indicators
The following is a list of suspicious indicators related to removable media. Adversaries and hackers may:
 Leave removable media, such as thumb drives, at locations for personnel to pick up
 Send removable media to personnel under the guise of a prize or free product trial
Countermeasures
The following countermeasures can be taken to guard against removable media vulnerabilities.
DoD personnel:
 Do not use flash media unless operationally necessary and government-owned
 Do not use any personally owned/non-Government removable flash media on DoD systems
 Do not use Government removable flash media on non-DoD/personal systems
 Encrypt all data stored on removable media
 Encrypt in accordance with the data's classification or sensitivity level
 Use only removable media approved by your organization
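The removable-media countermeasures above can be expressed as checks run over device-connect events collected from endpoints. The following is an added example, not part of the lecture; the event fields, the allowlist of approved media serials and the sample events are all constructed.

```python
"""Removable-media policy checks over constructed device-connect events.

Rules encoded from the countermeasures above:
  - only media approved by the organization may be used
  - no personally owned media on DoD systems
  - no Government media on non-DoD / personal systems
  - data stored on removable media must be encrypted
"""
from dataclasses import dataclass


@dataclass
class MediaEvent:
    host: str
    host_is_dod: bool       # True when the host is a DoD-managed system
    serial: str             # device serial as reported by the OS (constructed values)
    government_owned: bool  # True for Government-issued media
    encrypted: bool         # True when the volume is encrypted


# Hypothetical allowlist of organization-approved media serials (constructed).
APPROVED_SERIALS = {"GOV-0001", "GOV-0002"}


def check_event(ev: MediaEvent, approved=APPROVED_SERIALS) -> list[str]:
    """Return the policy violations for one event; an empty list means compliant."""
    findings = []
    if ev.serial not in approved:
        findings.append("media not on organization approved list")
    if ev.host_is_dod and not ev.government_owned:
        findings.append("personally owned media on DoD system")
    if not ev.host_is_dod and ev.government_owned:
        findings.append("Government media on non-DoD system")
    if not ev.encrypted:
        findings.append("removable media not encrypted")
    return findings


def audit(events, approved=APPROVED_SERIALS) -> dict[str, list[str]]:
    """Map each non-compliant event ("host:serial") to its list of violations."""
    report = {}
    for ev in events:
        findings = check_event(ev, approved)
        if findings:
            report[f"{ev.host}:{ev.serial}"] = findings
    return report


# Constructed sample events: one compliant, one "found" personal drive on a DoD host,
# one Government drive plugged into a personal laptop.
SAMPLE_EVENTS = [
    MediaEvent("ws-01", True, "GOV-0001", True, True),
    MediaEvent("ws-02", True, "PERS-77", False, False),
    MediaEvent("laptop-home", False, "GOV-0002", True, True),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(findings))
```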
A Cyber Security Policy
The cyber security policy is a developing mission that caters to the entire field of Information and
Communication Technology (ICT) users and providers. It includes:
 Home users
 Small, medium, and large enterprises
 Government and non-government entities
It serves as an authority framework that defines and guides the activities associated with the security of
cyberspace. It enables all sectors and organizations to design suitable cybersecurity policies to meet their
requirements. The policy provides an outline to effectively protect information, information systems and
networks.
It gives insight into the Government’s approach and strategy for the security of cyberspace in the
country. It also sketches some pointers to allow collaborative working across the public and private sectors
to safeguard information and information systems. Therefore, the aim of this policy is to create a
cybersecurity framework, which leads to detailed actions and programs to increase the security posture of
Organization Policy
A well-thought-out cyber security policy outlines which systems should be in place to guard critical data against attacks.
These systems, or the infrastructure, tell IT and other administrative staff how they will protect the company’s data (which controls
will be used) and who will be responsible for protecting it.
Your cyber security policy should include information on controls such as:
 Which security programs will be implemented (Example: In a layered security environment, endpoints will be protected with
antivirus, firewall, anti-malware, and anti-exploit software.)
 How updates and patches will be applied in order to limit the attack surface and plug up application vulnerabilities (Example:
Set frequency for browser, OS, and other Internet-facing application updates.)
 How data will be backed up (Example: Automated backup to an encrypted cloud server with multi-factor authentication.)
In addition, your policy should clearly identify roles and responsibilities. That includes:
 Who issued the policy and who is responsible for its maintenance
 Who is responsible for enforcing the policy
 Who will train users on security awareness
 Who responds to and resolves security incidents and how
 Which users have which admin rights and controls
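Once a policy fixes update frequencies and backup requirements, those controls can be checked mechanically against an asset inventory. The following is an added example, not part of the lecture; the policy limits (7-day browser and Internet-facing app updates, 30-day OS updates, encrypted backups with MFA), the inventory and the dates are all assumed, constructed values.

```python
"""Evaluate a constructed host inventory against assumed policy controls:
maximum age of the last update per software class, and backup requirements."""
from datetime import date

# Assumed policy values (constructed for this example, not from any real policy).
POLICY = {
    "max_patch_age_days": {"browser": 7, "os": 30, "internet_facing_app": 7},
    "backup": {"encrypted": True, "mfa": True},
}


def patch_findings(host: dict, today: date, policy=POLICY) -> list[str]:
    """One finding per software class that has no patch record or is older than allowed."""
    findings = []
    for sw_class, max_age in policy["max_patch_age_days"].items():
        last = host["last_patched"].get(sw_class)
        if last is None:
            findings.append(f"{sw_class}: no patch record")
        elif (today - last).days > max_age:
            age = (today - last).days
            findings.append(f"{sw_class}: last patched {age}d ago (limit {max_age}d)")
    return findings


def backup_findings(host: dict, policy=POLICY) -> list[str]:
    """One finding per backup property the policy requires but the host lacks."""
    return [f"backup: {req} required"
            for req, needed in policy["backup"].items()
            if needed and not host["backup"].get(req, False)]


def evaluate(inventory: list[dict], today: date, policy=POLICY) -> dict[str, list[str]]:
    """Map each non-compliant host name to its findings; compliant hosts are omitted."""
    report = {}
    for host in inventory:
        findings = patch_findings(host, today, policy) + backup_findings(host, policy)
        if findings:
            report[host["name"]] = findings
    return report


# Constructed inventory: web-01 is within every limit; app-02 is behind on updates,
# has no record for its Internet-facing app, and backs up without MFA.
TODAY = date(2024, 3, 1)
INVENTORY = [
    {"name": "web-01", "backup": {"encrypted": True, "mfa": True},
     "last_patched": {"browser": date(2024, 2, 27), "os": date(2024, 2, 10),
                      "internet_facing_app": date(2024, 2, 26)}},
    {"name": "app-02", "backup": {"encrypted": True, "mfa": False},
     "last_patched": {"browser": date(2024, 2, 10), "os": date(2024, 1, 1)}},
]

if __name__ == "__main__":
    for name, findings in evaluate(INVENTORY, TODAY).items():
        print(name, "->", "; ".join(findings))
```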
Employees Policy
The most critical step in establishing a successful cyber security policy is documenting and distributing the
acceptable use conditions for employees.
Why? No matter how strong defenses are, users can introduce threats to your company’s networks by falling for
phishing scams, posting secure information on social media, or giving away credentials.
According to the 2014 IBM Cyber Security Intelligence Index, over 95% of all threat incidents investigated involved
human error.
Your cyber security policy should clearly communicate best practices for users in order to limit the potential for
attacks and reduce the damage they cause.
It should also allow employees the appropriate degree of freedom they need to be productive.
Banning all Internet and social media usage, for example, would certainly help keep your company safe from online
attacks but would (obviously) be counterproductive.
Acceptable use guidelines might include:
 How to detect social engineering tactics and other scams
 What is acceptable Internet usage
 How remote workers should access the network
 How social media use will be regulated
 What password management systems might be utilized
 How to report security incidents
In addition, the employee policy should cover what happens when users fail to comply with the guidelines. For
example, an employee found to be responsible for a breach might be required to repeat training if it was due to
negligence, or be terminated if the breach was an inside job.
Thank You!!!