Definition of an intranet: An infrastructure based on Internet standards and technologies that supports information sharing within a well-defined and limited group.
Problem: Although an intranet is a private network whose groups are well defined and limited, it is not exempt from attacks that could endanger the information it handles, since most of these attacks are caused by its own users.
Background: Most security statistics indicate that about 80% of computer-related fraud comes from internal users, which is why intranets are the most vulnerable to such attacks.
According to the CSI (Computer Security Institute) in San Francisco, 90% of the companies surveyed detected attacks on their computers, and 70% reported that the most common were viruses, laptop theft and abuse of the network by their employees.
Model Solution:
1. Security Policy
2. Access Control
3. Secure Transactions
4. Virus
5. Implement Security Number
Presentation of the solution.
1. Security Policy
What are security policies?
Security policies are documents that describe, mainly, the correct way to use the resources of a computer system and the responsibilities and rights of both users and administrators. They describe what is to be protected and what it is being protected from. These documents are the first step in building effective firewalls. Policies are an essential part of any effective security plan.
How to establish security policies for an intranet.
2. Methodology Development
Drawing up a set of security policies must follow certain steps to ensure that it works and remains in place in the institution. Our proposal is to follow the steps below:
Preparation - This is the collection of all material related to security issues in the organization:
What do I want to protect? Resources: staff, information, hardware, software, documentation, consumables, etc.
Ask questions related to external use, for example:
Does the intranet need protection from external access?
Is remote access granted to authorized users?
How is the unauthorized access to occur soon?
Are there restrictions on access to important information? Etc.
Ask questions related to internal use, for example:
What groups, departments or users are restricted in their access to inside information?
What constitutes a breach of internal security?
Does the security system hinder productivity?
What determines when access happened?
Ask questions concerning administration, for example:
Are there plans to implement different levels of access?
Who is authorized to make decisions about security?
Is there a reliable tracking system installed?
Is encryption used? Is it appropriate? Etc.
From whom do I need to protect it? From anyone who poses a threat, whether internal or external, in any of these forms:
Unauthorized access: Using computer resources without authorization
Damage to information: Modification or deletion of information in the system
Theft of information: Access to certain information without prior authorization
Dissemination of information: Publishing details of the system, such as passwords, trade secrets, research, etc.
Denial of service: Forcing the system to deny resources to legitimate users
How many resources am I willing to invest?
How can / should I protect it?
In general, one must ensure that security policies comply with all security services:
Authentication
Confidentiality
Integrity
Non-repudiation
Resources are available to authorized persons
Access Control
Writing - Write the policies in a clear, concise and structured way. This requires the work of a team that includes lawyers, managers, users and administrators.
Editing - Reproduce the policies so that they can be submitted for formal review and approval.
Adoption - Probably the most difficult part of the process, as it is common for the people affected by the policies to be reluctant to accept them. At this stage it is essential to have the support of managers.
Dissemination - Publicize the policies to all employees of the organization through video projections, web pages, email, commitment letters, memos, banners, etc.
Review - Policies are subject to review by a committee, to discuss the comments made by those involved.
Implementation - It is worse to have policies and not implement them than to have none at all. A policy that cannot be implemented or enforced has no utility. One must lead by example.
Update - At the required time, policies should be revised and updated to respond to changing circumstances. The ideal time is just after the occurrence of a security incident.
While policies indicate the "what", procedures indicate the "how". Procedures are what allow us to carry out the policies. Examples that require the creation of a procedure are:
Grant an account
Register a user
Connect a computer to the network
Locate a computer
Update the operating system
Install software locally or via the network
Update critical software
Export a file system
Back up and restore information
Manage a security incident