Handbook of Local Area Networks, 1998 Edition: LAN Security
LEGAL ISSUES
The security of computer systems and networks must address two separate concerns:
The need to protect personal information about employees that is stored in computer systems.
The need to ensure that employees are complying with company and security policies.
Because information processing is often decentralized, monitoring of all information-processing activities is difficult, if not impossible. The policy must therefore address both the role of users in ensuring the proper business use of all computing resources and the unauthorized use of computing resources. A policy that requires explicit access controls and encryption of sensitive data addresses the first issue. A policy that clearly prohibits unauthorized use of company computing resources sets the proper tone for addressing the company's stand on privacy.
Privacy in the workplace, especially that concerning employee E-mail, is a hotly contested issue. A strong policy statement should inform the user community of the level of privacy that can be expected in the workplace. These statements may take one of two directions: Neither the company nor its representatives may monitor or read any E-mail sent by or between employees; or all information in company systems, including E-mail, is company property and subject to monitoring at any time. Regardless of the stance, the legal community and security experts agree that the policy should be published and address all employees.
Log-On Banners. Log-on banners, also referred to as warning banners, were originally intended to alert hackers that a system is private and that unauthorized use can be grounds for prosecution. If operationally feasible, it is recommended that the warning appear prior to network connection. The message should declare that the system is private and to be used only by authorized personnel. As shown in this sample log-on banner, the message might also address the issue of monitoring:
This computer system is the property of COMPANY NAME. Unauthorized access and improper use are prohibited. Any activity on the system is subject to monitoring by the company at any time. Anyone who uses the system consents to such monitoring and agrees that the company may use the results of such monitoring without limitation.
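To make the banner appear before authentication, as the handbook recommends, and to give the audit staff something concrete to check against, the following added example (not from the handbook) writes the sample banner to a file and audits an OpenSSH server configuration for a pre-login Banner directive. The company name, paths and the constructed configs are placeholders; on a real host the banner usually lives in /etc/issue.net and the config in /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: render the handbook's sample warning banner and audit an
# sshd_config for a pre-login Banner directive. All paths are hypothetical.

COMPANY="${COMPANY:-ACME Corp}"   # placeholder company name

# Write the sample banner text, substituting the company name.
write_banner() {           # $1 = output file
    cat > "$1" <<EOF
This computer system is the property of ${COMPANY}.
Unauthorized access and improper use are prohibited.
Any activity on the system is subject to monitoring by the company
at any time. Anyone who uses the system consents to such monitoring
and agrees that the company may use the results of such monitoring
without limitation.
EOF
}

# Return 0 if the sshd config sets Banner to a readable file that mentions
# monitoring (shown before authentication); return 1 with a FAIL line otherwise.
check_banner_config() {    # $1 = sshd_config path
    banner=$(awk 'tolower($1)=="banner" {print $2}' "$1" | tail -n 1)
    case "$banner" in
        ""|none) echo "FAIL: no pre-login Banner configured in $1"; return 1 ;;
    esac
    if [ ! -r "$banner" ]; then
        echo "FAIL: Banner file $banner missing or unreadable"; return 1
    fi
    grep -q "subject to monitoring" "$banner" || {
        echo "FAIL: $banner does not mention monitoring"; return 1; }
    echo "OK: $1 shows $banner before login"
}

# Demo on constructed configs in a temp directory (no root needed).
demo_dir=$(mktemp -d)
write_banner "$demo_dir/issue.net"
printf 'Port 22\nBanner %s\n' "$demo_dir/issue.net" > "$demo_dir/sshd_config.good"
printf 'Port 22\nBanner none\n' > "$demo_dir/sshd_config.bad"
check_banner_config "$demo_dir/sshd_config.good"
check_banner_config "$demo_dir/sshd_config.bad" || true
```

The same check can be run across all hosts as one item of the baseline checklist described under enforcing the policy.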
COMPUTER EMERGENCY RESPONSE TEAM
With the increasing connectivity to the outside world and the Internet, organizations must be diligent about identifying and responding to any unauthorized network activity. Network managers and security practitioners must be able to respond in a timely and effective manner to assess the risk and minimize the threat of disasters. The communications policy should specify the establishment of a corporate computer emergency response team (CERT). A CERT is a multifunctional team, typically drawing its membership from security, communications, and other affected groups, whose purpose is to respond in a timely, efficient, and effective manner to a network disaster. The CERT's objectives should include:
Coordinating incident reporting.
Analyzing incident response by type (e.g., network intrusion or virus).
Providing direct technical assistance as needed.
Performing training and security awareness.
Serving as a repository for relevant computer security information.
Broadcasting relevant information to appropriate functions.
Developing and distributing security tools.
Consulting with vendors to respond to system-related problems (e.g., weak operating system security options).
ENFORCING AND MAINTAINING THE POLICY
To ensure that computing operations are run efficiently and in compliance with appropriate regulations, most companies employ both an internal auditing function and an external auditing organization. Network audits can be as complex as the network itself. In many instances, the internal audit staff relies heavily on policy and procedures outlined by the security organization. Without a communications policy, the organization would lack consistent and uniform controls among business units and the audit staff would have nothing substantial to audit against. In many instances, baseline controls in the form of checklists can be used by both the computing organization and the audit staff to ensure appropriate controls and policy compliance.
To ensure that the policy is acted on by employees, users must be made aware of their security responsibilities while within the network. The security policy should therefore promote an aggressive security awareness campaign.
FUTURE ISSUES
With the growing number of notebooks and laptops in the hands of nomadic professionals, information that was not allowed out of the data center just a few years ago is now out on the open road and subject to many more potential breaches of security. An increased dependence on such technologies as shared carriers, switched multimegabit data service (SMDS), and frame relay will reduce an individual company's control over its own information as organizations' data is transported alongside that of other organizations.
Currently, there are no established business practices or legal precedents for protecting data transmitted in these modes. In instances in which control is not totally in the hands of the company, the communications policy should be extended to clearly define the relationship between the network supplier and its customers. These agreements should reflect the legal and contractual network supplier/customer relationship. For example, the network supplier must provide an adequate level of security to prevent unauthorized access to or disclosure of the company's data.
SUMMARY
Network integration enables new ways of working across organizations with new organizational models for teamwork. Global business operations are creating more of a demand for people to share information. The migration to distributed processing depends on the effective and secure use of communications resources for sharing information.
Worldwide network access across multiple platforms, with multiple protocols, means new challenges to reliability, assurance, accuracy, and confidentiality. Organizations must adopt strong and specific measures to ensure the security of their information. These measures include strong authentication and access controls, host administration baselines, network filtering guidelines, data encryption when warranted, and a communications security policy that ties it all together.
Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved.