Distinguishing a remote access policy from a portable computing protection policy

BROWSE BY TAG Expert Archive: Security Management,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Expert Archive: Security Management What is the GISP certification and how does it compare to the CISSP certification? Using a QSA to write up a PCI DSS report on compliance (ROC) How can gap analysis be applied to the security SDLC? Comparing cheap security products and appliances to costly appliances What are some tips on protecting my security budget in a poor economy? What value do research firms provide to their subscribing enterprises? What certificate offers the best ROI for an IT project manager? Is insider activity or outsider activity a bigger enterprise threat? How does information security prevent fraud in the enterprise? Differences between an SAS 70 data center and a Tier III data center Information Security Policies, Procedures and Guidelines Health Net breach failure of security policy, technology How to protect distributed information flows Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says Expert: Information security spending often restricts innovation

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

These two policies have very distinct focuses.

A remote access policy should address the following items and concepts:

• Standardize remote connectivity for:
  • Any system type, whether it is company owned or personally owned computers, PDAs, smart phones, laptops, Blackberries, etc.
  • User type (employee, vendor, contractors, partners, etc.)
  • Connectivity type, as in dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.
• Remote access should only be allowed to carry out company-related functions
• Reduce potential unauthorized use of company resources
• Connectivity and encryption requirements:
  • VPN, SSL, SSH and encryption needs for sensitive data
• Employee is responsible for ensuring:
  • Family members do not violate any company policies
  • Antivirus signatures, hot fixes and patches are up to date
  • Personal firewall is installed and properly configured
  • Authentication credentials are not shared
  • System is not connected to another network that is not owned by the company or employee
  • No use of non-company e-mail accounts are used
  • Non-approved hardware configurations are not used
• Authentication type that is allowed
  • Passwords, passphrases, one-time passwords, private key, etc.
• Enforcement
  • Disciplinary actions, termination, prosecution

While a portable computing protection policy should address the following items and concepts:

• Standardize connectivity and configurations for:
  • Notebook computers, Tablet PCs, Palm Pilots, Microsoft Pocket PCs using Windows CE, text pagers, smart phones, FireWire devices, USB drives, etc.
  • User type (employee, vendor, contractors, partners, etc.)
  • Connectivity type, as in remote, LAN, WAN, wireless, etc.
• Allowable usage
  • Smart phones with cameras may be banned in sensitive areas for example
• Classified data needs to be encrypted during transfer or synchronization steps
• Roles that are allowed to use certain portable devices:
  • Only executives may be able to use and connect Blackberry devices to the network
• Specific types of security software may be required for specific types of devices
  • Additional security software may need to be installed and properly configured
• Asset management
  • Company owned portable devices must be properly tagged and documented
  • User must register device with company before attempting to connect it to the network
• Portable devices should not be left unattended in public areas
• Public network may be setup to allow only Internet accessibility for portable devices
• Prior to transfer of ownership or disposal of portable device, all sensitive data must be properly destroyed
• Access should only be allowed to carry out company related functions
• Reduce potential unauthorized use of company resources
• Connectivity and encryption requirements:
  • VPN, SSL, SSH and encryption needs for sensitive data
• Employee is responsible for ensuring:
  • Antivirus signatures, hot fixes and patches are up to date if applicable
  • Personal firewall is installed and properly configured if applicable
  • Authentication credentials are not shared
  • System is not connected to another network that is not owned by the company or employee
  • No use of non-company e-mail accounts are used
  • Non-approved hardware configurations are not used
• Authentication type that is allowed:
  • Passwords, passphrases, one-time passwords, private key, etc.
• Enforcement
  • Disciplinary actions, termination, prosecution