
Information for Managers

An organization needs to assess its risks in terms of the threats it faces and the vulnerabilities of its assets to these threats. It needs to adopt an approach to risk assessment that is suitable to its business environment and to invest in the management of risk.


  1. Why is it important to have an Information Security Policy
  2. Planning your Information Security Policy in 10 steps
  3. Implementing your Security Policy
  4. Ongoing review
  5. Security Risk Assessment
  6. Intrusion Detection Systems
  7. Wireless security
  8. Security threats from within
  9. Frequently Asked Questions on Internet firewalls

Why is it important to have an Information Security Policy
A comprehensive information security policy is vital for organisations and companies
that want to ensure an adequate level of protection for their electronic systems.
This policy is important in providing the framework for managing information effectively. Information is essential to a business, and it is important that we maintain its integrity and ensure its availability.

Planning your Information Security Policy in 10 steps

  1. Analyse your employees' behaviour around their job roles so as to have the appropriate procedures and training at hand.
  2. Do a risk assessment of what you are trying to protect. Identify what you are trying to accomplish. Identify the vulnerabilities within your systems and processes.
  3. Examine existing procedures and identify processes that could be causing a security risk, such as data management.
  4. Keep a clear log of each employee's and department's responsibilities. Find out who is accountable for what.
  5. Base your security policy around your company's risks and not around the technology available, so that you do not have to rewrite the policy every time the technology changes.
  6. Create a plan of action to alleviate the flaws that you have identified.
  7. Decide how you deal with sensitive information: how it is stored and who handles it.
  8. Protect sensitive customer information with encryption and network security.
  9. Ensure cooperation among departments so that each finds its role in goal setting, and merge that into your policy.
  10. Identify the budget available and allocate it to the training needed for the newly adopted standards that are going to be implemented.

There is a variety of tools that help implement a security policy, taking into account various parameters, and they can be adjusted to any organisation or small business individually.

Implementing your Security Policy
A few problems arise when getting to the next step of implementing the security policy that you have already planned. Sometimes you do not anticipate the amount of training and re-adjusting that might be needed.
People need time to digest the policy and practise it themselves. Employees are also more motivated when their efforts to comply with the policy are actually recognised.


Ongoing review
A security policy, once implemented, requires constant monitoring. Changes in technology, the business environment and processes, as well as in the threats, need to be reviewed
and the policy adjusted and aligned with current technologies.

Security Risk Assessment
Our dependency on, use and application of information are all pervasive, but the risks to this information are a serious issue. Understanding what the risks are and assessing how these risks affect and impact the business are vital to being able to manage these risks effectively.
Managing the risks involves taking action and implementing controls to reduce or minimise these risks. It is important that an organization deals with information security at all levels to ensure business continuity, to reduce business risks and avoid any potential damage and impact to the business.
Creating a security risk assessment will help you determine the cost-justifiable controls that can be implemented into your organisation to mitigate the risks.
You need to:

  1. Understand the organisation and identify the people and assets at risk
    Assets include core business processes, information, networks, systems, telecommunications and people.
  2. Specify loss risk events/vulnerabilities
    The risks or threats likely to occur at a site. A loss risk event can be determined
    through a vulnerability analysis.
  3. Assess current security measures
    Analyse the security measures currently in place.
  4. Establish the probability of loss risk and frequency of events
    The frequency of events is the regularity with which the loss event occurs.
  5. Determine the impact of the events
    The financial and psychological costs related to the loss of an asset.
  6. Determine the level of risk
    The level of risk is determined by analysing the values assigned to the likelihood
    of a threat occurrence and the resulting impact of that threat.
  7. Develop options to mitigate risks
    Develop related security processes to mitigate the risks.
  8. Study the feasibility of implementing the options
  9. Perform a cost/benefit analysis
  10. Identify security measures and finalise documentation
    Here you begin to identify security measures that can be used to reduce risk
    to a reasonable and appropriate level.
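Steps 4 to 9 can be carried through numerically. The following is an added worked example, not part of the original page: it uses the common annualised-loss method (expected frequency multiplied by impact per occurrence) to derive a level of risk, and then checks each candidate control's cost against the loss it avoids. Every asset, frequency, impact, cost and threshold below is constructed for illustration; an organisation substitutes its own figures.

```python
"""Worked example of steps 4 to 9: likelihood and impact turned into a level of risk,
then a cost/benefit check of candidate controls. Added example, not part of the original
page. All figures are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str                  # step 1: the asset at risk
    event: str                  # step 2: the loss risk event
    annual_frequency: float     # step 4: expected occurrences per year
    impact: float               # step 5: cost of a single occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # what the measure costs to run per year
    frequency_reduction: float  # fraction of events it is expected to prevent (0..1)


def annual_loss_expectancy(risk):
    """Step 6: level of risk expressed as expected loss per year."""
    return risk.annual_frequency * risk.impact


def risk_level(risk, low=2_500, high=10_000):
    """The same value as a qualitative bucket for a management summary.
    Thresholds are constructed; an organisation sets its own."""
    ale = annual_loss_expectancy(risk)
    if ale >= high:
        return "high"
    if ale >= low:
        return "medium"
    return "low"


def assess(risks):
    """Risk register as (asset, event, yearly loss, level), highest risk first."""
    rows = [(r.asset, r.event, annual_loss_expectancy(r), risk_level(r)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def net_benefit(risk, control):
    """Step 9: yearly loss avoided by the control minus its yearly cost."""
    before = annual_loss_expectancy(risk)
    after = before * (1 - control.frequency_reduction)
    return round(before - after - control.annual_cost, 2)


def rank_controls(risk, controls):
    """Steps 7 to 9: controls that pay for themselves, best first.
    A control whose cost exceeds the risk it removes is dropped."""
    scored = [(c.name, net_benefit(risk, c)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed register and candidate measures (not real data).
RISKS = [
    Risk("customer database", "ransomware on the file server", 0.5, 40_000),
    Risk("public web server", "website defacement", 2.0, 1_500),
    Risk("office laptops", "laptop theft", 3.0, 800),
]
RANSOMWARE_CONTROLS = [
    Control("offline backups", 3_000, 0.7),
    Control("email attachment filtering", 1_200, 0.4),
    Control("24x7 managed monitoring service", 30_000, 0.9),
]

if __name__ == "__main__":
    for asset, event, ale, level in assess(RISKS):
        print(f"{level:6} {ale:>10,.0f}  {asset}: {event}")
    print(rank_controls(RISKS[0], RANSOMWARE_CONTROLS))
```

With these constructed numbers the ransomware scenario is the only "high" risk, and the ranking shows why step 9 matters: the most effective control (the monitoring service) is rejected because it costs more per year than the loss it would prevent, while the cheaper backups and filtering both pay for themselves.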

Intrusion Detection Systems
Intrusion Detection Systems (IDS) are used to monitor networks and computers
for unusual activity. There are different types of IDS, but they share some baseline functions that are found in all of them. They give early warning of security problems,
so that when an incident happens it can be dealt with more quickly than usual.
If an IDS is not configured properly, it can generate many unnecessary alerts while missing important ones.

Network-based IDS detect attempts to breach a network.
They examine network packets and compare them against rules that are designed
to distinguish unusual activity. Those rules need to be updated regularly, exactly
as we do for anti-virus systems. One such example is Snort. It can detect a variety
of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts.
Host-based IDS are useful on critical servers, as they take a snapshot of the files
on a computer and generate alerts when there are any unexpected changes
to the permissions, ownership or content of critical files. One such example is Tripwire.
Another type of IDS collects information about network flows. All that information is stored in a database and can be queried or used to generate alerts for suspicious flows. One such example is NetFlow Sensor (NfSen).
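The host-based approach described above is simple enough to show end to end. The following is an added example, not code from this page or from Tripwire: it records the permission bits, ownership and a SHA-256 digest of every regular file under a directory as a baseline, and later reports any file that was added, removed, or changed in one of those attributes. It assumes a POSIX filesystem (mode bits and uid/gid), and the directory tree it checks is constructed in a temporary folder so that it runs offline.

```python
"""File-integrity monitoring in the spirit of a host-based IDS. Added example, not code
from the page or from Tripwire. Snapshots permission bits, ownership and a SHA-256 of
every regular file under a directory and reports what differs from that snapshot.
Assumes a POSIX filesystem."""
import hashlib
import json
import os
import stat
import tempfile

TRACKED = ("mode", "uid", "gid", "sha256")


def _record(path):
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "uid": st.st_uid,
        "gid": st.st_gid,
        "sha256": digest,
    }


def take_snapshot(root):
    """Baseline of every regular file below root, keyed by path relative to root."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):  # skip symlinks, sockets, etc.
                snapshot[os.path.relpath(full, root)] = _record(full)
    return snapshot


def save_snapshot(snapshot, path):
    # In practice the baseline lives off-host or on read-only media, so whoever
    # alters a file cannot also alter the record of what it should look like.
    with open(path, "w") as fh:
        json.dump(snapshot, fh, indent=2, sort_keys=True)


def load_snapshot(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Alerts as (relative path, what happened), sorted by path."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append((rel, "removed"))
        elif rel not in baseline:
            alerts.append((rel, "added"))
        else:
            changed = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
            if changed:
                alerts.append((rel, "changed:" + ",".join(changed)))
    return alerts


def demo():
    """Constructed scenario: baseline a small tree, then alter it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        passwd = os.path.join(etc, "passwd")
        sshd = os.path.join(etc, "sshd_config")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        with open(sshd, "w") as fh:
            fh.write("PermitRootLogin no\n")
        os.chmod(sshd, 0o600)

        baseline_file = os.path.join(root, "baseline.json")
        save_snapshot(take_snapshot(etc), baseline_file)

        # Changes the IDS should flag: an edited config, loosened permissions, a new file.
        with open(sshd, "a") as fh:
            fh.write("PermitRootLogin yes\n")
        os.chmod(passwd, 0o666)
        with open(os.path.join(etc, "rc.local"), "w") as fh:
            fh.write("# newly dropped file\n")

        return compare(load_snapshot(baseline_file), take_snapshot(etc))


if __name__ == "__main__":
    for path, what in demo():
        print(f"ALERT {path}: {what}")
```

A real deployment would run `take_snapshot` from a scheduled job against a baseline stored where the monitored host cannot rewrite it, and would treat the set of monitored paths (configuration, binaries, startup scripts) as part of the policy, since a baseline that covers too much produces exactly the flood of unimportant alerts the text warns about.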

Wireless security
A wireless network is not a continuation of a wired Local Area Network. On a wireless network, everyone can sniff on everyone else from the inside, so there are problems of privacy and accountability on these services. Those networks use radio broadcasts that enable anyone with a wireless receiver to hear the communications on that network. Virtual Private Networks (VPNs) and Secure Sockets Layer (SSL) are popular choices for protecting information over a wireless network.
All wireless LANs need some level of authentication (depending on the risks involved) to ensure that only known, registered users are accessing the network.


Security threats from within
Internal threats are a problem that many businesses seem to dismiss. They usually focus on how to safeguard their company from intrusions coming from the outside.
Internal threats usually come from people who know the weaknesses, whether these are software vulnerabilities or limited physical security of the premises. They could also come from people who cause problems without realising it, for example by simply opening email attachments that contain viruses. Most of the time it is the company's own fault, for allowing easy access to restricted areas and not password-protecting areas where confidential information is involved.

Frequently Asked Questions on Internet Firewalls
What does an Internet firewall do?

A firewall implements an access control policy between networks: it either blocks or permits traffic. When configuring a firewall, you can set it up to block traffic by default and permit only what is needed, or the reverse, depending
on your requirements. It can be the embodiment of your corporate policy.

What can/cannot it protect you from?
A firewall can protect your network against incoming attacks. It is configured
to protect you against unauthenticated logins from the outside world. It also keeps a log file of all attempts against your network, which is very useful for auditing purposes. When suitably configured, it can provide the network administrator with summaries of the amount and type of traffic that passed through it.
A firewall cannot protect you from attacks that do not go through it. That includes proprietary data carried out on magnetic tapes, discs, flash drives and so on.
It cannot protect you from inside attacks, meaning people within your network.
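The two answers above come down to a rule list, a default policy and a log. The following is an added example, not code from this page or from any firewall product: a toy stateless packet filter in which the first matching rule wins and the default policy decides everything else, so the same rules can be run "block by default" and "allow by default" side by side. Blocked attempts are logged and summarised by protocol and port, as the auditing point above describes. The policy and the traffic sample are constructed, using RFC 5737 documentation addresses.

```python
"""Toy stateless packet filter: first-match rules, a default policy, and an audit log of
blocked attempts. Added example, not code from the page or from any firewall product.
Addresses and traffic are constructed (RFC 5737 documentation ranges)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


class Firewall:
    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default    # policy applied when no rule matches
        self.log = []             # audit trail of blocked attempts

    def filter(self, pkt):
        """Verdict for one packet: first matching rule wins, else the default policy."""
        verdict = self.default
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                break
        if verdict == "deny":
            self.log.append(dict(pkt))
        return verdict

    def blocked_summary(self):
        """Amount and type of blocked traffic, by protocol and destination port."""
        return Counter((p["proto"], p.get("dport")) for p in self.log)


# Constructed policy: only the public web and mail services are reachable.
RULES = [
    Rule("allow", "tcp", dst="203.0.113.10/32", dport=443),
    Rule("allow", "tcp", dst="203.0.113.20/32", dport=25),
]

# Constructed traffic sample.
TRAFFIC = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22},
    {"proto": "tcp", "src": "198.51.100.9", "dst": "203.0.113.20", "dport": 25},
    {"proto": "udp", "src": "198.51.100.9", "dst": "203.0.113.10", "dport": 53},
    {"proto": "tcp", "src": "198.51.100.12", "dst": "203.0.113.10", "dport": 22},
]


def run(default):
    """Apply the same rules under the given default policy; return verdicts and log summary."""
    fw = Firewall(RULES, default=default)
    verdicts = [fw.filter(pkt) for pkt in TRAFFIC]
    return verdicts, fw.blocked_summary()


if __name__ == "__main__":
    for policy in ("deny", "allow"):
        verdicts, summary = run(policy)
        print(f"default {policy}: {verdicts}")
        print(f"  blocked: {dict(summary)}")
```

Run with a default of "deny", only the web and mail connections pass and the log records two attempts on port 22 and one on UDP 53; with a default of "allow", the identical rule list lets everything through and the log stays empty. That contrast is the practical meaning of choosing where to put the emphasis: with a default-deny policy, anything the administrator forgot to write a rule for is blocked and shows up in the audit log, rather than passing silently.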

Types of firewalls
There are three types of firewalls, each of which we explain briefly below.
However, they are not very different from one another, nor is one better or worse than another.
As with everything, it depends on what you want to protect and on your needs.
Network layer firewall: the type whose operation we have just described.
Application layer firewall: provides more detailed audit reports than network layer firewalls. It can be used as a Network Address Translator. Generally it is a host using various forms of proxy servers to proxy traffic instead of routing it. As it works at the application layer, it may inspect the contents of the traffic, blocking what the firewall administrator views as inappropriate content, such as certain websites, viruses, attempts to exploit known logical flaws in client software, and so forth. It does not permit any traffic directly between networks.
Hybrid firewall: combines what a network layer and an application layer firewall do. Most firewalls nowadays do network filtering as well as some application inspection. The amount varies depending on the vendor or the version, but the basics
are the same.
