19 Jun Network Security Begins With an Acceptable Use Policy!
Most folks seem to understand what a firewall is and why it is so very important. They intuitively understand that they need something between the “trusted” internal computer network and the wild west we call the Internet! The installation of a firewall is generally something all business do, from the wireless network at the local coffee shop, to the medium size law firm and the giant multinational distributed enterprise. The barbarians are at the door, but with a firewall we all feel protected! The largest percentage of cyber security risks, however, do not come through the front door and your firewall will never see them enter. The largest risk to the security of your network comes from the employees and guests allowed, either connected by wire or wireless, to attach to your corporate network.
As a CISCO Certified Security Professional, we do a great deal of work in the area of computer network security. When called on to do a “Security audit”, “voice readiness” or “network assessment”, the first question we ask executive management is where is your AUP? After all we can tell you what protocols are running around on your network and even which user is consuming the most bandwidth. We can not, however, tell you if they are allowed to use that bandwidth! The creation of an “acceptable use” policy (i.e. AUP) is an essential first step in network security. The AUP communicates to all network users what is supported and what applications are allowed on the network. It describes what is acceptable regarding personal email, blogging, file sharing, web hosting, instant messaging, music and video streaming. It defines what is activity is strictly prohibited on the network and clearly outlines what constitutes “excessive use”. The computer network is a valuable corporate asset and as such it needs to be valued, protected and secured.
Does your company have a network access and authentication policy? What is the “password” policy? Do you even need a “password” to use the company network? Can anyone just come in and plug whatever phone, pad or computer device they happen to have into the company network? What is the data storage and retention policy? Do you allow VPN tunnels that extend your company network to a home office or coffee shop? Do you allow your users to connect third party provided equipment to your network? Is it acceptable that Bob just added a hub to his office network connection so he can plug in his own printer? How do we feel if Bob plugs in his own wireless access point? Do we have a “guest” network and do we let those folks know what is acceptable on your network?
What are the legal ramifications and liabilities you are exposed to if you are providing a computer network as part of a lease agreement? Are you liable for damages if your computer network is unavailable or “down for any reason? If Home Land Security shows up because your company’s public IP address was traced as originating a terrorist treat, do you have the user agreements in place to mitigate the costs you are about to incur defending your good name and reputation?
Computer network security is more than a firewall. A computer with an Ebola virus, Adware or nefarious RAT (remote access terminal) will infect all computers on your network, threaten your corporate data and render your firewall as useless as a screen door on a submarine. If your company has taken the prudent step of providing a Human Resource or employee manual that spells out the company’s position on work force violence, sexual harassment, vacation day accrual and drugs in the workplace, why don’t you have a manual that defines the acceptable use of your most vital corporate assess, the computer network?