Security Policies
 

IT security policies (including network security policies) are the foundation, the bottom line, of information security within an organization. Blue Bookstore intends to provide a comprehensive and complete set of policies that cover all of our areas of business function. The basic framework of the policies that will be implemented, based on our security program and plan, is as follows:

 

Internet Access and Security
 

The Internet revolution has opened the door to millions of end users, exposing Web sites, valuable corporate information, mission-critical business applications, and consumers' private information to more risk than ever before. In the near future Blue Book will expand its e-commerce activity and intensify its use of the Internet to make business processes more efficient, so it will become increasingly vulnerable to malicious attacks.

To protect the company's network against data loss or theft and against network downtime, we need to install a range of network security products. Besides a firewall, the store will need an intrusion detection tool, content filtering of e-mail, Web and FTP traffic, and security scanning and reporting of the network.

 

Virus Protection

The principal concern of this computer virus protection policy is the effective and efficient prevention of network virus outbreaks and network security attacks involving computers associated with the Blue Bookstore.

 

Policy

Centrally provided virus protection software will be run on all bookstore computers and on all computers connected to the Blue Bookstore network.

 

IT Responsibilities

  • Acquire the licenses for anti-virus software.

  • Procure software and updates from the vendor as they are made available.

  • Provide documentation for users.

 

 

Firewall Security

A firewall compromise would be potentially disastrous to the bookstore's security. For this reason, users must, as far as is practical, adhere to the stipulations listed below when configuring and using firewalls:

  • Limit firewall accounts to only those absolutely necessary, such as the administrator. If practical, disable network logins.

  • Remove compilers, editors, and other program development tools from the firewall system(s), since they could enable a cracker to install Trojan horse software or backdoors.

  • Consider disabling the e-mail gateway commands EXPN and VRFY, which can be used by crackers to probe for valid user addresses.

  • Disable any feature of the firewall that is not needed, including other network access, user shells, applications, and so forth.

  • Turn on full logging at the firewall and read the logs weekly at a minimum.

 

 

Router Security

Every router must meet the following configuration standards:

  • No local user accounts are configured on the router. Routers must use TACACS+ for all user authentication.

  • The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router's support organization.

  • Disallow the following:

    • IP directed broadcasts

    • TCP small services

    • UDP small services

    • All source routing

  • Use corporate standardized SNMP community strings.

  • Each router must have the following statement posted in clear view: "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED".
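As an added example (not part of the original policy page), a small audit function that checks a router's running configuration against the standards listed above. The page does not name the router platform; the Cisco IOS-style command names and both sample configurations (the weak one and its corrected form) are assumptions constructed for this example.

```python
# Constructed sample running-config (not from any real device) that breaks the
# standards above: local user, plaintext enable password, small servers on, etc.
WEAK_CONFIG = """\
username admin password 0 letmein
enable password letmein
service tcp-small-servers
service udp-small-servers
snmp-server community public RO
interface FastEthernet0/0
 ip directed-broadcast
"""
# The same device corrected to meet every standard in the list.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
enable secret 5 $1$PLACEHOLDER$hash
no service tcp-small-servers
no service udp-small-servers
no ip source-route
snmp-server community BlueBookRO RO
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED
^C
interface FastEthernet0/0
 no ip directed-broadcast
"""
BANNER = "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED"
def audit_router_config(config: str) -> list[str]:
    """Return the policy violations found in an IOS-style config text. Assumes IOS 12.0+
    defaults: small servers and directed broadcasts are off unless explicitly enabled."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if any(ln.startswith("username ") for ln in lines):
        findings.append("local user account configured; use TACACS+ only")
    if not any(ln.startswith("aaa authentication login") and "tacacs+" in ln for ln in lines):
        findings.append("TACACS+ login authentication not configured")
    if any(ln.startswith("enable password") for ln in lines) or not any(ln.startswith("enable secret") for ln in lines):
        findings.append("enable password not stored as an encrypted enable secret")
    for ln in lines:  # explicit 'service tcp-small-servers' / 'service udp-small-servers'
        if ln.startswith("service ") and ln.endswith("-small-servers"):
            findings.append(f"{ln.split()[1]} enabled")
    if "no ip source-route" not in lines:  # source routing is on by default
        findings.append("source routing not disabled")
    if "ip directed-broadcast" in lines:
        findings.append("ip directed-broadcast enabled on an interface")
    if any(ln.startswith(("snmp-server community public", "snmp-server community private")) for ln in lines):
        findings.append("default SNMP community string in use")
    if not (any(ln.startswith("banner motd") for ln in lines) and BANNER in config):
        findings.append("required login banner missing")
    return findings
```

Running the audit against a saved `show running-config` output before sign-off gives the support organization a repeatable check for each item in the list rather than a manual review.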

Password Security

Blue Book's infrastructure provides access to its computer systems and networked resources to individuals who accept responsibility for the use of these systems. By using Blue Book store computer systems, users acknowledge their responsibility to follow all organizational practices.

Users are authenticated by password. The password is confidential, and it is the responsibility of the user to guard it in the same way they would guard a personal bank account PIN.

Passwords are the primary method of authenticating users of the information technology system, and hence of securing and protecting the store's information technology resources. Blue Book store policy is intended to ensure that:

  • Users are aware of their responsibilities regarding password security.

  • Users have relevant information to implement and maintain secure passwords.

  • The System Administrator follows the processes and practices needed to maintain password integrity.

 

Operating System Security

Blue Book store should maintain the level of security represented by the following security policies. The store will have a Systems Administrator (SA) who will be responsible for implementing these policies.

 

Backups

Physically secure, reliable, and up-to-date system backups are the single most important security task. With a good system backup, the store can recover from any system problem with minimal loss. The SA will document the backup policy, including information on:

  • How often backups will be made

  • What types of backups (system, data, or incremental) will be made

  • How backup tapes will be verified

  • How backup tapes will be stored

 

Identification and Authentication

Identification and authentication establish the identity of every user. The user is required to log in to the system by supplying a user name and a password, if the account has one (in a secure system, every account should either have a password or be invalidated). If the password is correct, the user is logged in to that account and acquires its access rights and privileges.

Because the password is the only protection for an account, it is important that every user selects and guards the password carefully. The operating system provides significant password protection by storing user passwords separately from other user information. The encrypted passwords and other security-relevant data for users are stored in the /etc/security/password file. This file should be accessible only by the root user. Because access to the encrypted passwords is restricted in this way, an attacker cannot copy them and decipher a password offline with a program that simply cycles through all possible or likely passwords.

 

Remote User Advanced Authentication Policy

Remote users are those who originate connections to site systems from elsewhere on the Internet. These connections could come from any location on the Internet, from dial-in lines, or from authorized users on travel or working from home. Regardless, all such connections must use the advanced authentication service of the firewall to access systems at the site. The policy must state that remote users may not access systems through unauthorized modems placed behind the firewall. There must be no exceptions to this policy, as it may take only one captured password or one uncontrolled modem line to open a backdoor around the firewall.

 

 

© 2004 IST552 Spring Semester - all rights reserved