


Without a security policy, the availability of your network can be compromised. The policy begins with assessing the risk to the network and building a team to respond. Continuation of the policy requires implementing a security change management practice and monitoring the network for security violations. Lastly, the review process modifies the existing policy and adapts to lessons learned. This document is divided into three areas: preparation, prevention, and response. Let's look at each of these steps in detail.

Prior to implementing a security policy, you must do the following: We recommend creating usage policy statements that outline users' roles and responsibilities with regard to security. You can start with a general policy that covers all network systems and data within your company. This document should provide the general user community with an understanding of the security policy, its purpose, guidelines for improving their security practices, and definitions of their security responsibilities. If your company has identified specific actions that could result in punitive or disciplinary actions against an employee, these actions and how to avoid them should be clearly articulated in this document.

The next step is to create a partner acceptable use statement to provide partners with an understanding of the information that is available to them, the expected disposition of that information, as well as the conduct of the employees of your company. You should clearly explain any specific acts that have been identified as security attacks and the punitive actions that will be taken should a security attack be detected. Lastly, create an administrator acceptable use statement to explain the procedures for user account administration, policy enforcement, and privilege review. If your company has specific policies concerning user passwords or subsequent handling of data, clearly present those policies as well. Check the policy against the partner acceptable use and the user acceptable use policy statements to ensure uniformity. Make sure that administrator requirements listed in the acceptable use policy are reflected in training plans and performance evaluations.

Conduct a Risk Analysis

A risk analysis should identify the risks to your network, network resources, and data. This doesn't mean you should identify every possible entry point to the network, nor every possible means of attack. The intent of a risk analysis is to identify portions of your network, assign a threat rating to each portion, and apply an appropriate level of security. This helps maintain a workable balance between security and required network access.

Assign each network resource one of the following three risk levels:

Low Risk: Systems or data that if compromised (data viewed by unauthorized personnel, data corrupted, or data lost) would not disrupt the business or cause legal or financial ramifications. The targeted system or data can be easily restored and does not permit further access of other systems.

Medium Risk: Systems or data that if compromised (data viewed by unauthorized personnel, data corrupted, or data lost) would cause a moderate disruption in the business, minor legal or financial ramifications, or provide further access to other systems. The targeted system or data requires a moderate effort to restore or the restoration process is disruptive to the system.

High Risk: Systems or data that if compromised (data viewed by unauthorized personnel, data corrupted, or data lost) would cause an extreme disruption in the business, cause major legal or financial ramifications, or threaten the health and safety of a person.
