Computer security policy
Computer security is an ongoing process, 24 hours a day, 365 days a year. Developing and maintaining an effective computer security policy involves dealing with the causes of security breaches, not the symptoms.
Computer Security is not –
- Something provided by a product.
- Turning off services on your computer.
- Denying access to services on your computer or network.
Computer Security is –
- Measuring productivity against limiting the functionality of your computer or network.
- Developing and maintaining a dynamic and ongoing security policy.
- Knowing the “weakest link” of your system or network.
- Assessing and maintaining a risk management policy for your hardware, software and the people who use it.
- Researching new security issues and adapting your policies without degrading the performance of your computer or network.
- Doing all of the above, without causing disruption and inconvenience to those who rely on your network.
Overview
Your security policy should include, but not be limited to, regularly checking for software updates and security patches, installing them where and when appropriate, and maintaining a firewall and anti-virus policy. NOTE: Firewall and anti-virus products can lend a false sense of security. Managing your risks and your weakest links will minimise security breaches while maximising productivity and performance. The most effective methodology in computer security is to assert and maintain an intelligent policy that risk-manages workstation use and functionality without inflicting a denial-of-service on the people who rely on access to your computer or network.
Example of an internal security issue
During the Sasser worm outbreak in spring 2004, “Sampo”, Finland’s third largest bank, closed 130 of its branches and offices on the grounds that its network might be vulnerable to the worm. Most security issues are internal, and in this case the bank self-inflicted a denial-of-service on its customers and staff based on mass hysteria. Do not react to security issues by damaging your own company or home network functionality and productivity.
The majority of software from the Internet is safe, since vendors would not risk their reputation by bundling their products with malware. You should, however, endeavour to question the purpose of software before installing it. Do you really need the program, and how often will you use it? Will the software degrade the performance of your computer?
Sometimes software contains a device driver that has not been certified by Microsoft, which can damage your system by overwriting existing drivers. Windows XP will warn you if you attempt to install incompatible drivers. Damage to the operating system from bad drivers can lead to data corruption and system-wide failure.
Most computer viruses are propagated by email. The view that commercially available software and software downloaded from newsgroups contains viruses is false (occasionally it may contain adware, however). Email is an efficient way to spread viruses. You should not open email attachments with the following extensions: .exe, .pif, .zip, .com, .cab, .scr, .vbs, or any other extension relating to executables. Some email viruses use a double extension, e.g. .mpeg.exe or .jpeg.zip, to trick you into thinking the attachment is a movie or picture.
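The attachment rule above can be enforced mechanically at a mail gateway or in a mail client rather than left to each user's judgement. The following is an added example written for this page (it is not code from the original article): it classifies an attachment filename using the blocked extension list given above and flags the double-extension trick. The decoy extension list and the handling of padding spaces inside the name are assumptions added here, not part of the original text.

```python
import posixpath

# Extensions the policy above treats as executable, or as containers for executables.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".zip", ".com", ".cab", ".scr", ".vbs"}

# Extensions that look like harmless media or documents (assumed list). A blocked
# extension following one of these is the "double extension" trick described above,
# e.g. holiday.jpeg.zip or film.mpeg.exe.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".mpeg", ".mpg",
                    ".avi", ".mp3", ".wav", ".txt", ".doc", ".pdf"}


def split_extensions(filename):
    """Return every extension of a filename, lower-cased and in order.

    'Holiday.JPEG.zip' -> ['.jpeg', '.zip']. Whitespace inside each part is
    stripped so that 'photo.jpg      .exe' (padding used to push the real
    extension out of view) is still recognised as .jpg followed by .exe.
    """
    name = filename.strip().lower().replace("\\", "/")
    name = posixpath.basename(name)          # ignore any directory component
    parts = [p.strip() for p in name.split(".")]
    return ["." + p for p in parts[1:] if p]  # drop the base name and empty parts


def assess_attachment(filename):
    """Return (verdict, reason) for an attachment filename; verdict is 'block' or 'allow'."""
    exts = split_extensions(filename)
    if not exts:
        return "allow", "no extension"
    last = exts[-1]
    if last in BLOCKED_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            return "block", f"double extension {exts[-2]}{last} disguises an executable"
        return "block", f"executable extension {last}"
    return "allow", f"extension {last} not on the blocked list"


def assess_many(filenames):
    """Classify a batch of attachment names; returns {filename: verdict}."""
    return {name: assess_attachment(name)[0] for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mailbox.
    samples = ["report.pdf", "setup.exe", "holiday.jpeg.zip",
               "film.mpeg.exe", "photo.jpg      .EXE", "README", "invoice.Scr."]
    for name in samples:
        verdict, reason = assess_attachment(name)
        print(f"{verdict:5}  {name!r:28} {reason}")
```

The check is deliberately based on the last extension only, because the operating system decides how to open a file by that extension; the decoy extension is reported separately so that a gateway log can show why an otherwise "picture-looking" name was blocked.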
Users of your company or home workstation or network should read and abide by the following:
- I will not download computer games, freeware and shareware without first risk-assessing the content of the software installer file. I will read the editors’ and users’ reviews of the software when visiting http://www.download.com to check for adware and spyware before installing the software on my computer. Note: it is highly unlikely the software will contain viruses. It is important to understand the difference between viruses and other types of malware, since the two are often confused. It was once believed that freeware and shareware were major boot sector viral vectors. However, there is wide disagreement among virus experts, since boot sector viruses do not tend to spread easily.
- I will not open email attachments from unknown or untrustworthy sources. I understand that the authors of viruses use social engineering to encourage users to open attachments, thereby installing backdoor components on the machine. The source and purpose of emails containing attachments should always be questioned. I will disable the preview pane in Outlook and/or Outlook Express and stop the auto-execution of attachments. I will not open emails matching this description; I will delete them immediately.
- I will ask my postmaster to filter the SMTP gateway [port 25] for viruses.
- I accept that firewalls and anti-virus software will not necessarily prevent viruses, adware and spyware from affecting my workstation. Once malware is discovered, it is too late and the damage is already done. I understand that only risk management will keep my workstation free of malware.
- I will not allow anyone to visit pornographic websites using my workstation or network. Such websites often force users to download adware, spyware and premium-rate diallers, even if the download is cancelled. I understand that the reputation of my employer could be put at risk if pornographic material were discovered on their machines and/or servers. See Work porn risk for businesses - BBC News
- I will not open links embedded in SPAM emails, nor will I hit the “reply” button. Doing so could notify the spammer that the email address is active, and the spammer may sell the address to third parties, resulting in even more SPAM. I will delete all emails matching this description.
- I will not open links in SPAM emails that purport to unsubscribe you from their mailing list. By opening the link, you are telling the spammer that your address is in use. I will delete all emails matching this description.
- I will not forward hoaxes, chain-letters, SPAM, special offers and fake business deals. I will delete all emails matching this description.
- I will not give out confidential information to third parties in the following circumstances:
  1. In response to any email purporting to be sent by a bank or company requesting passwords, PIN numbers, telephone numbers, addresses or other confidential information. Banks already have this information and would never ask for it in an email under any circumstances.
  2. When submitting information to websites: I will read the website’s privacy policy before submitting any information, including my email address.
  3. By accidentally sending an email to the wrong recipient(s).
- I will create regular back-ups of data and system critical files.
- I will set up passwords for access to the accounts stored on my computer and manage physical access to machines.
- I will not restrict the functionality of my computer or access to the machine in circumstances including, but not limited to: potential viral infection, potential hacking, media hysteria, the factoids of false authorities, and any other misinformation designed to create fear, uncertainty and doubt (FUD).
FAQ:
Q. Why do spyware, adware and viruses keep affecting my PC? Surely, it is impossible for these programs to get past the firewall and anti-virus software.
A. Not so. You need to control your Internet surfing habits in order to prevent recurrences of this nature. You should also manage your email policy and not blindly open attachments.
Q. I still get viruses and spyware, even with anti-virus software installed.
A. If you do not keep your virus definitions up to date, your anti-virus software will fail to do its job. If you do not enforce a security policy, viruses may compromise your machine even if virus definitions are up to date. Only risk management will prevent security compromises. You must tackle the causes and not the symptoms.
Q. Why do I need to back-up my files?
A. Good security practice is to back-up your data, program files and system files in case of a system-wide failure.
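A backup only protects against system-wide failure if it can actually be restored, so a backup routine should record a checksum of every file and test the restore against that record. The following is an added example written for this page (not code from the original article): it archives a directory, writes a SHA-256 manifest beside the archive, and then restores the archive into a scratch directory and compares every file against the manifest. The archive layout (a top-level "data" folder) and the ".manifest.json" suffix are assumptions made here, and the sample files in the demo are constructed.

```python
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """SHA-256 digest of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir):
    """Map each file's path relative to source_dir to its SHA-256 digest."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    return manifest


def create_backup(source_dir, archive_path):
    """Write a gzipped tar of source_dir plus a JSON manifest of file digests (assumed layout)."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname="data")       # everything lives under a top-level "data" folder
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(archive_path):
    """Restore the archive into a scratch directory and check every file against the manifest.

    Returns a list of problems (missing, corrupted or unexpected files);
    an empty list means the backup restores cleanly.
    """
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    # Python 3.12+ (and patched 3.8-3.11) offers the 'data' filter, which refuses
    # archive members that would escape the extraction directory; use it when present.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch, **extract_kwargs)
        restored = os.path.join(scratch, "data")
        for rel, expected in manifest.items():
            path = os.path.join(restored, rel)
            if not os.path.isfile(path):
                problems.append(f"missing: {rel}")
            elif sha256_file(path) != expected:
                problems.append(f"corrupted: {rel}")
        extra = set(build_manifest(restored)) - set(manifest)
        problems.extend(f"unexpected: {rel}" for rel in sorted(extra))
    return problems


def demo():
    """Constructed walk-through: back up a small tree, verify it, then break the manifest and verify again.

    Returns (number of files backed up, problems before tampering, problems after tampering).
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "home")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "notes.txt"), "w") as f:
            f.write("quarterly figures\n")          # constructed sample data
        with open(os.path.join(src, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")       # constructed sample system file
        archive = os.path.join(work, "backup.tar.gz")
        manifest = create_backup(src, archive)
        clean = verify_backup(archive)
        # Simulate a manifest that promises a file the archive never captured.
        manifest["docs/missing.txt"] = "0" * 64
        with open(archive + ".manifest.json", "w") as f:
            json.dump(manifest, f)
        damaged = verify_backup(archive)
        return len(manifest) - 1, clean, damaged


if __name__ == "__main__":
    print(demo())
```

Running the verification step on a schedule, not just once at creation time, is what turns a copy of your files into a backup you can rely on after a failure.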