Business Network Security Plan: Risk, Policies & Recovery

Verified

Added on 2024/05/31

AI Summary

This document presents a comprehensive network security plan designed for business environments, emphasizing the critical role of network security in safeguarding data and maintaining operational integrity. It begins with an introduction to network security principles, highlighting its importance in protecting against both internal and external threats. The scope of the plan is defined, followed by clearly stated objectives, including resource protection, authentication, authorization, and data integrity. The document outlines key assumptions about potential security breaches and the need for proactive measures. A detailed risk analysis section identifies physical and non-physical assets, assesses potential risks, and summarizes vulnerabilities. Security policies are extensively covered, including acceptable use, email and communications, internet and network access, workstation, antivirus, DMZ, extranet, VPN and remote access, wireless and BYOD, firewall, intrusion detection, vulnerability scanning, internet, IP addressing, physical security, personnel, data, and system/hardware policies. The plan also addresses disaster recovery and business continuity, incorporating business impact analysis, insurance considerations, incident response team setup, physical safeguards, incident response procedures, restoration procedures, and forensics considerations. It concludes with security strategies, recommended controls, a list of residual risks, resource allocation, and a comprehensive list of references. This plan provides a structured approach to network security, aiming to minimize risks and ensure business resilience.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Network Security Plan
1

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Table of Contents
Introduction......................................................................................................................................5
Scope................................................................................................................................................6
Objectives........................................................................................................................................7
Assumptions....................................................................................................................................8
Risk Analysis...................................................................................................................................9
Asset Identification......................................................................................................................9
Physical and Non-Physical Assets:-......................................................................................12
Risks...........................................................................................................................................13
Individual Asset Risk Analysis:............................................................................................14
Risk Summary:.......................................................................................................................15
Threats, Challenges and Vulnerabilities....................................................................................16
Threats....................................................................................................................................16
Challenges...............................................................................................................................19
Vulnerabilities........................................................................................................................22
Security Policies............................................................................................................................23
Acceptable Use Policies:............................................................................................................23
Email and Communications Policy:.....................................................................................23
Internet and Network Access Policy:...................................................................................23
Workstation Policy:...............................................................................................................24
Network Security Policies:.........................................................................................................24
Antivirus Policy:.....................................................................................................................24
DMZ Policy:............................................................................................................................24
Extranet Policy:......................................................................................................................24
2

VPN and Remote Access Policy............................................................................................25
Wireless and BYOD Policy:..................................................................................................25
Firewall Policy:.......................................................................................................................26
Intrusion Detection Policy:....................................................................................................26
Vulnerability Scanning Policy:.............................................................................................26
Internet Policy:.......................................................................................................................27
IP addressed and documentation management policy.......................................................28
Physical Security Policies:.........................................................................................................28
External Protection:...............................................................................................................29
Internal Protection:................................................................................................................29
Personnel Policies:.....................................................................................................................30
Visitors Policy:...........................................................................................................................30
Employee Hiring and Termination Policy:................................................................................30
User training Policy:..................................................................................................................31
Data Policies:.................................................................................................................................32
Information Classification and Sensitivity Policy:....................................................................32
Encryption Policy:......................................................................................................................32
Backup Policy:........................................................................................................................32
Password Management and Complexity Policy:.......................................................................33
System and Hardware Policies:..................................................................................................33
Hardware Lifecycle and Disposal Policy:..................................................................................33
Workstation Policy:....................................................................................................................33
Switch and Router Policy:..........................................................................................................33
Server Security Policy:...............................................................................................................33
Logging Policy:..........................................................................................................................34
3

Disaster Recovery and Business Continuity:.................................................................................35
Business Impact Analysis..........................................................................................................36
Insurance Consideration:............................................................................................................36
Incident Response Team:...........................................................................................................37
Physical Safeguards:..................................................................................................................37
Incident Response Procedures:..................................................................................................37
Restoration Procedures:.............................................................................................................38
Forensics Considerations:..........................................................................................................39
Maintaining the Plan:.................................................................................................................39
Security Strategies and Recommended Controls...........................................................................40
Residual Risks...............................................................................................................................43
List of Residual Risks - that remain after all possible (cost-effective) mitigation or Treatment
of risks........................................................................................................................................43
Resources.......................................................................................................................................47
Conclusion:....................................................................................................................................49
References......................................................................................................................................50
4

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Introduction
Network security plan is important for both home and business field because at both the places
the internet connections are joint so it is just that it could be secure in this report will going to
study about the entire network security plan which is important for a wireless router so that they
can enjoy the network at home. Managing security implies understanding the dangers and
choosing how much risk are satisfactory. Distinctive levels of security are fitting for various
associations. No system is 100 percent secure, so don't go for that level of assurance. On the off
chance that you attempt to stay up-to-date on each new risk and each infection, you'll soon be a
trembling bundle of nervousness and stress.
Network security is important because it stands for a good neighbor policy. It is also important
for time and money policy the reason is it may secure the data from the virus and eliminate any
unwanted things which are not needed in an operating system.
The four fundamental security classes are as per the following:
1. Physical security (counting equipment)
2. Working framework level security
3. Interchanges security
4. Technical security
The popular networks are UUCP it stands for Unix to Unix copy. It can be used in many
networks like PC, apple, macs and many other operating systems. And if we talk about the
security purposes of the networks it is not easily connected to any host it needs user id and
passwords to connect to the network.
And the second one which is popular nowadays is an Internet. The Internet is the world's largest
network. The Internet is very easily connected to every device and the speed of this is also good.
5

Scope
The scope of the network security plans is very high according to the workplace the very
important factor of the network security is it contains a lot of risks which can be encountered by
the people in the organization. Some network security risk is small and managed easily by the
organization but now these risks are viewed as avenues which can easily attacks and cripple a
business if it is taken lightly.
A system security framework ordinarily depends on layers of assurance and comprises a few
systems including organizing observing and security programming notwithstanding equipment
and applications. All parts of the computer are organized in the way to build and increase the
large security of the computer network.
 The brief history of LAN evolution
 Wired LAN security threats: intern threats l external threats
 For closed networks home users and users in the small organization, it configures access
restrictions in the access points.
(Figure: 1)
(Source: By Author)
6

Objectives
When network security is created it definitely has some goals which they have to achieve in the
organization. Some objectives are given below which can be focused on the term network
security is given below:
Resource protection- resource protection have some kind of schemes which only authorized by
the users. Resources which are categorized differently by the users for assessing their system.
 Authentication-
Verification of the resources which are involved in human or machines. Authentication is
required in the case of using the networking but there are some security aspects which are
being used in network security. traditionally the systems are used by the user when they
put the correct username and password and in this simple process lots of things are
required like digital certificates, the correct password otherwise it may not get connected.
 Authorization-
The assurance that the individual or PC at the opposite end of the session has consent to
do the demand. Approval is the way toward figuring out who or what can get to
framework assets or play out specific exercises on a framework. Commonly, approval is
performed in the setting of verification.
 Integrity-
data integrity
a) Shield the information from being sniffed and deciphered, regularly by scrambling it.
b) Guarantee that the transmission has not been changed (information respectability).
c) Demonstrate that the transmission happened (non-repudiation). Later on, you may require
what might as well be called enlisted or affirmed mail.
7

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Assumptions
Each association with an online presence or an association with the Internet has turned into the
potential focus of interruption and robbery. PC programmers are particularly focusing on law
offices to take licensed innovation information and competitive innovations.
The first assumption is that the To start with, expect that your system is being subjected to visit
astute examining if not focused on assault. Take every single sensible measure to solidify the
system against the progressing endeavors to break in. In the event that an aggressor is effective
in picking up an underlying foothold (e.g., introducing a key-lumberjack on the PC of a
representative), take every single sensible measure to make it harder for the attacker to use that
foothold into an out and out observation of the system, bringing about the area and robbery of
private data.
The second assumption is accepted that your barriers will fall flat and that a gate crasher will
have the capacity to get inside your system to inspect or lay the basis to take and exfiltration
data. Take every sensible measure to attempt to recognize that interruption as ahead of schedule
as conceivable so it can be managed before private data is stolen.
The third assumption is expected that your interruption location measures will neglect to caution
you to the issue before a gate crasher prevails with regards to taking secret data. Have a reaction
design set up so you can respond rapidly and satisfactorily to the information rupture, limit the
harm to your data resources, and limit the danger of blow-back to your business and notoriety.
At last, expect that the absolute worst will happen, that very delicate data will be stolen, and that
you'll have to safeguard yourself against an administration examination or in common
prosecution. Have documentation prepared to demonstrate that you did in certainty take every
single sensible measure to shield yourself and that you responded legitimately when those
safeguards failed.
8

Risk Analysis
Risk Analysis is a process that analyzes those factors which may stop the success of the business.
Risk Analysis provides some techniques that use to protect the file from the distress file. FNU
assumes that risk analysis provides some supplementary facilities to enlarge expressly evaluate
risks. These are:-
 The Risk Analysis is not cost-effective.
 The estimates of the company devour the time in a large way.
 They decrease the estimates and assumptions because if they have a control, they don’t
need to determine the assumption.
 Their risks seem less without estimates.
(Figure: 2)
(Source: Risk Analysis, 2015)
Asset Identification
It is used to gather the information or diverse sets of the assets. It supply required formulating on
the basis of familiar descriptive, information and attributes.
9

There are two types of assets:-
 Current assets
 Non-current assets
 Current assets
It has three sub-classifications. They are following:-
a) Receiving of the Account
b) Get ready for the expenses
c) Having securities of the marketing substances
d) Gathers all the details of the cash transactions.
e) Make the description daily
 Non-current assets
Non- current assets has following 3 classifications:-
a) Always be in benevolence
b) Assets should be fixed in the tangible form.
c) Assets may also contain the fixed form of intangible.
When the topic comes about investments, the classification is not applicable. In this situations,
the assets use their types for the higher growth of the company.
These two assets are following:-
 Growth Assets
10

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

 Defensive Assets
 Growth Assets
 Growth Assets use to produce the capital for the owner or keeper from the
different ways such as the lease, charter, and premium.
 From this type of assets, the value of this capital arises in the higher amount and
then they return the earning amount to the keeper.
 Sometimes, it faces many challenges. Due to these challenges, they find some
risks. They do not find the valuation.
 To evaluate the Growth assets more easily. FNC provides three examples of the
growth assets.
a) Having the details of the property which are rented.
b) They have the same security level
c) They have the complete knowledge of the product such as their furniture,
art, and values etc.
 Defensive Assets
 These assets provide the capital from the investment to their owner.
 They analysis the growth and limit of the investments because their growth only
depends upon the investments.
 FNC analysis the defensive assets with their examples for understanding their
growth. They are
a) They firstly secure that there is no debt on the investor because they did
not make a customer who is in debt.
b) They check the details of the saving accounts of their customers.
11

c) They give the certification to the clients of their deposits.
Physical and Non-Physical Assets:-
“Physical Assets are the combination of the capital, exchanging the worth and trading business.
It is based upon the existence of the stuff. It is mostly used in the business for exchanging the
properties, capital, and stuff etc. It is also known as the "Tangible Assets".
(Figure: 3)
(Source: Maintenance Within Physical Asset Management, 2016)
12

Risks
A risk is associated with the working on the system. The operator has to identify the risk and sort
out the problem. The various process associate to recover the risk is
(Figure- 4: risk management process)
(Source: Watkins consulting)
 Risk identification: In this process, a various risk associated with a network is to be
determined, this involves asset management, governance of the data flow, risk
assessment, business environment, risk management strategy.
 Protect the data: in this process, data is protected by implementing various security
technique, this involves providing access control to operators, implement data security,
13

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

information procedure and protection, awareness and training, maintenance and
protective technology.
 Detect the security breach: in this process detection of the breach in the network is
determined this is done by proper monitoring the system of potential threat, anomalies, an
event associated with the risk and detection of the threat process
 Respond to the network disaster: In this process, various procedures are being taken
place to respond to the network disaster. This involves analysis, communication, response
planning, improvement and mitigation
 Recover the data: in this process data is being recovered from the data recovery
procedure, this process involves proper recovery planning, communication, and
improvement of the networking structure.
Individual Asset Risk Analysis:
individual asset risk analysis deal with the risk associated with the asset of networking structure.
The main task in the risk management of the asset is to identify the risk associated with the asset
of networking and then to solve the issue associated with the risk
Various factors will affect the individual asset risk analysis
Asset life cycle: asset lifecycle determine the phases of the lifecycle of the asset. There is a cost
associated with the repairing of the asset of networking which decreases the asset value. The
systems of the First national university are updated from time to time to provide the better
working condition for the operator.
Asset vulnerability: it is defined venerability of the asset to get affected by the networking
disaster. As the vulnerability increases the cost associated with providing the security increases.
The system of the First national university is highly venerable as the data contained in the system
is huge and require proper monitoring.
A cost associated with the asset: the cost associated with the asset defines its importance in the
networking as the damage associated with high-cost asset will lead to high expenditure on its
restoration.
14

Risk Summary:
Risk management plays an important role in the system networking as it protects the system
from the external threat. There were several risks which were noninvertible but some of the risks
can be recovered by proper strategy. There were several strategies to be followed to protect the
system from the threats.
 Proper monitoring: monitoring of the system is to be done from time to time to keep the
check on the risk which can cause damage to the system. We have to take care of the
residual risk associated with the system.
 Data backup: backup of the data is to be made from time to time to decrease the risk of
loss of the data. Some of the It solution company also provide the data recovery platform
to protect the data of the user
 Keep the data structure simple: simplified data can easily be recovered as we don’t have
to waste time in searching of the data and the simplified data also occupy less space in
the system.
 Provide data security: security also plays an essential role in protecting the data from the
external threat. It also restricts the use of the system by the unknown user
 Provide system access: provide proper system access to the operator to protect the system
from the intervention of an unknown user. Only some portion of the data is to be
accessible by the public user.
 Provide power backup: providing the power backup will help the system to provide extra
time to save the data when there is a power shortage.
 Physical protection: protect the system from the physical threat of lightning, moisture,
temperature, short circuit, temperature and excess heat.
 Disable auto update: auto-updating also create the problem within the system to protect
the data from this intervention the operator can disable the auto-update.
15

Threats, Challenges, and Vulnerabilities
Threats
Threat refers to dander in the regarding of computer security. It can be happened by anything
such as international, coincidental, aleatory and organic tragedy etc.
 The word “international” defines this threat can be developed by any hacker. This
hacker may be offender, culprit and individual person.
 The word "coincidental" interpret that the development of threat can be faulted. It
is not created by anyone. It is defective and bug.
 Organic Tragedy is the disaster which is produced by natural resources such as an
earthquake, floods, tsunamis, and hurricanes.
 Sometimes it can be happened by the action, activity, events, circumstances, and
capability.
(Figure: 5)
(Source: Understanding Hybrid Threats)
16

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Threats Model
A threat has the main purpose to destroy the computers. There are following 3 ways:-
 Threats always affect computer system and their software.
 It is always brought by a creator.
 Threats influence goods, properties, estate, and resources.
Types of Threats:
There are several ways to destroy the securities of the computer, called “types of threats”. These
are following:
 The Damage that occurs in Physical Resources such as pollution, blaze, and floods etc.
 Natural events are also the part of threats like climate and atmosphere.
 It defenses the necessary resources like telecommunication, air conditioning, and
electrical kinds of stuff.
 It also creates the information in short details. It always creates problems in giving full
information and details.
 Due to these threats, software fails in various ways.
 A function does not work properly.
They have also multiple purposes of the threats. They are:-
 Deliberate
 Observe or Glimpse
 The way of data process in the illegal form.
17

 Environmental
 Apparatus become the failure.
 A system does not work accurately.
 Accidental
 Power goes in the form of decreasing.
 Natural happening
Classification of Threats:
The classification of threat is created by the Microsoft. It classified in the following two forms.
 Stride Form
 Dread Form
A. Stride Form
In the view of classification, they have following six parts
a) Repudiation
b) Tampering
c) Denial of Service – it is a type of cyber attack.
d) Data Leak – When we reveal the information. It is also known as the privacy
breach.
e) Burlesque of the user identity.
B. Dread Form
In the form of dread, it is based upon the heights of the risks. It is called the “Risk
Assessment model”. These classifications are following:-
18

a) Damage- It defines the height of harms
b) Exploitability- it defines the broad area of risks.
c) Affected Users- It defines the list of persons that are affected by them.
d) Reproducibility- It defines the capacity of their production
e) Discoverability- It defines the place where the threat hides
Challenges
It is a type of security firm. It creates lots of facing technical situations to the computer network.
They have various challenges which they face in the securities. They are:-
 Malware With Warm Capabilities
It defines how fast malware attack in the securities and the working of their
effects.
 Getting Back to Their Basics
Here “basic” defines the endpoints, hygienic and patching etc.
 The Compulsion of mobile carriers
It analysis the malware is working fast from the facilities of these networking
carriers.
 Stop Shattering the workers With Notice
Security always provides the alerts to their users. But due to this malware, they
did not show their alarms and file is ruined.
 Adapting to protect the new threats
19

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

The evaluation of protecting the pieces of stuff is not completed. Malware has a
very great range and they are very strong. So they create a new malware easily
and gain their numbers which is not a good sign for the computers.
 Monitoring cloud Security
It is very difficult to save our data during the working of malware, inciting form
of the malware. They try to provide the securities before because the effect of
malware is very dander to the securities.
(Figure: 6)
(Source: Network Security Essential)
20

 Their Higher Effects
It defines all those things which the user faces. They do not find their important
and secure data. Sometimes they don't have any backup. They find very trouble
in finding the things. Hence, the securities provide the antivirus data which is
very functional to stop the virus and malware. But sometimes it fails because
some malware is very strong. They did not stop in any form. So a user is
instructed that they did not open any unknown file because it can be harmed by
your securities.
21

Vulnerabilities
It is a weakness for the computer securities. They can only be made for making our
system fragile so that they can easily enter into our systems and do their work. Hence, our
system and data are destroyed.
(Figure: 7)
(Source: Vulnerability & Cyber Security Assessments)
22

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Security Policies
Security policies of a network system are a mechanism to protect a network from threats and
assets. For secure a network system these policies implemented are as follows:
Acceptable Use Policies:
This policy configures the only acceptable use of computers and networks like websites, network
administration, and services which provides security. Acceptable use of network security only
accepts computer equipment and not accepts illegal activities. Because it includes risks such as
viruses, compromise in network security and legal problems.
Email and Communications Policy:
Email is a way of communication or can say electronic communication by using internet or
Ethernet. The email policy use equipment such as email, computers, internet and
telecommunication service etc. This policy requires personal data and information to secure a
network because it prevents from hacking the personal data and messages. E-mail and
communication policies invent many security resources to hide information and save data. Email
is the very official way of communication but sometimes it creates problem while accessing. It is
an effective medium of protection from legal activities, damages and security costs.
Internet and Network Access Policy:
It includes blocking that website automatically which contain any kind of illegal activity like
social media. It is based on which kind of activity happened which can identify through a
network for controlling them. The internet has its own network topology that connects with
different servers and prevents from illegal issues. A computer network prohibits some activities
such as personal information, socialization, commercial activities. (Hamed, H. and Al-Shaer, E.,
2006)
23

Workstation Policy:
This policy gives security of workstations for FNU with the guarantee of security of network
system. The faculty, students, and contractors of a university must be following this policy for
maintaining and saving information through a system. It includes security system, server system,
Desktop layout and login-logout system.
Network Security Policies:
The NSP or network security policy comprises access to the computer network and layers of the
architecture of a network security system. It is a kind of document that written by a specific
committee. It is introduced in first national university to check the network security environment.
(Mathenge,2011).
Antivirus Policy:
All networks of computers in a university should have supported the anti-virus software and run
properly. Also, the software should be updated at the time to time and configures the system on
the regular basis by software constructor. This policy helps to prevent data loss through any kind
of viruses present in the system and antiviruses also keep system safe.
DMZ Policy:
The DMZ policy introduced in organizations for configuration of security that meets
requirements such as security, management and operational. The word DMZ is the acronym of
the demilitarized zone and a kind of equipment i.e. known as DMZ equipment. This internet
equipment used by the server and trusted networks and these are separated by a firewall of a
trusted network of the internet. This policy is introduced to protect data in organizations and
define device requirements that control by DMZ equipment.
Extranet Policy:
This policy describes the organization in which how that party allows connection with an
organizational network when it is required. It ensures that connections are secured that given by
24

the third party. This policy gives connection by using VPN, ISDN, telephone and other
connection techniques.
VPN and Remote Access Policy:
VPN is a virtual private network technology that allows accessing servers, network systems and
security systems of a company. With the rise in the number of remote access technology, the
security models introduced.
Remote access policy describes the methods in which users can access the control or can connect
by remote such as VPN. This policy is introduced to prevent damage to system or networks of a
computer in organizations. It includes security risks associated with technology and can help to
implement the remote access VPN because it has direct access to clients. (Hamed, H., Al-Shaer,
E., and Marrero, W., 2005)
(Figure- 8: VPN and remote access control)
(Source: www.nevisnetworks.com)
Wireless and BYOD Policy:
BYOD is a wireless network technology which includes laptops, mobile phones, and
other wireless equipment. This policy gives wireless connection to its users on their own
device that why it is also known as Bring your own device policy. BYOD policy
increased rapidly among business. Benefits of this policy are as follows:
• It is low-cost technology.
25

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

• It is flexible and gives reliable connections.
• It is very secured by using VPN
• It is not required for the installation of client software.
Firewall Policy:
firewall is a combination of hardware and software or can say a designed software in which the
flow of internet protocol traffic can be controlled. This policy used to define the network traffic
in an organization. This policy configures security in a network to enforce traffic rules. Here
some best practices that define effective firewall policy to optimize and use the best policy:
 Segment rationally
 Use service and address set
 Network time protocol should be used
 The specific place in a firewall
 Check usage of memory
Intrusion Detection Policy:
This policy is established to monitor the security to prevent data on the network of an
organization and also for detection of any kind of interruption. It gives information about
implementation in networks and also provides guidelines. The purpose of this policy is to protect
data and information on a mobile computer that can be infected from any kind of virus.
Vulnerability Scanning Policy:
There some points include in this as follows:
o It identifies cooperated systems in a campus network.
o It scans viruses and identifies machines.
26

o It configures the vulnerable system that attached to a network.
o Investigate security incidents.
Internet Policy:
The internet policy is very essential for any organization and it provides guidelines and rules for
the appropriate use of the internet. These policies protect the employees and aware them about
different cites which can be used in downloading. There are some rules for accessing the internet
that prevents them from illegal sites and saves them. (Stallings, W., Brown, L., Bauer, M.D. and
Bhattacharjee, A.K., 2012)
1). Provide internet access to all employees.
2). Employees should always follow the rules and policies.
3). Training should be provided.
4). Control the misuse of the internet.
5). Restrict those sites that are not for visit.
6). Downloading should be from legal sites.
(Figure- 9: Internet policy)
(Source: www.template.net)
27

IP addressed and documentation management policy:
An Internet protocol (IP) is an address of each network allotted such as computer, mobile phone,
servers etc. Every system or network has its own IP address to find the location of that system.
This policy gives management of IP addresses for different allocation and distribution of
networks. Every network needs an IP address that assign to routers, switches and other devices.
There are some rules to manage IP address of each network of system in organizations. This
policy finds the location of each system that helps to manage documentation and IP addresses of
different organizations. It is a document in written type that manages the IP address of each
network. This policy includes some addresses that are as follows:
 Public address
 Data centers
 Desktop subnets
 Network connections (Router- to- Router link)
 Private address
Physical Security Policies:
The physical security policy defines techniques which are used to protect physically a network
system or a computer system and that person is responsible that implement these techniques.
This policy helps to ensure that the system is protected physically or not. It uses physical
resources and apply them in organization s. this policy has no expiry date because it contains
many copies related to information.
28

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

(Figure- 10: Physical security)
(Source: www.techgenix.com)
External Protection:
It is important that information should have physical resources to access data and that network
or system has external protection to prevent loss. This policy has some areas given below:
 To protect data and information area must be secured.
 Access the physical management to protect information
 Access the server rooms
 Equipment cannot be removed for physical control
 Only host computers should be permitted with registered terminals.
 Check security background.
Internal Protection:
The internal protection of network helps in internet access through internal attacks such as
viruses. If any internal threat founds in a system then company tends to loss of data. Internal
protection includes some resources such as operated, owned, controlled and maintained and
29

devices include routers, switches, firewalls and other network devices. Servers include Physical
and virtual servers and operating systems etc. These are caused to create internal threats in a
network and policies are described to control these issues.
Personnel Policies:
Some policies are introduced at the organizational level to guide and train the employees about
their work and plan. This policy is one of them where a company tells their employees how to
work with a system and how useful it is. Personal policies can either be administrative part or
can be the technical part. This also provides appropriate protection to the employees.
Visitors Policy:
This policy includes the timing slots such as entry and exit time, log in to a system, log out and
record of data & information of employees. Some points are described as follows:
 Visitors must be signed in at offices and companies where they visit.
 A visitor’s pass must be issued for sign in and out
 An unauthorized visitor pass is not permitted.
 Delivery of any kind of material should be permitted.
This policy protected by any external activities, territories access inside the company, fire
security and network issues occurred in an organization. It contains significant data related to
visitor information.
Employee Hiring and Termination Policy:
This policy believes in hiring and termination of employees of individuals that contain
information about hiring the qualified candidate. The hiring policy defines how can hire new
people for an organization where termination describes the procedure related to terminating an
employee.
Hiring policy includes some procedure such as:
30

o Posting-Posting refers how many positions available and timing required to hire new
employees.
o Requests–It is an important factor that searches how much requests are in a queue.
o Advertising- It is necessary to advertise about recruitment through a newspaper, journals,
online sites, and organizations.
o Candidate lakes- The consistency in hiring policy must be ensured to develop recruiting
strategy.
Termination policy will help to increase the standard process of employers in both kinds of
termination i.e. voluntary and involuntary and such kind of policies decrease the risk of the
lawsuit by employees. Some definition includes in this policy as follows:
o Nonstop service
o The actual date of termination
o Contract-based employment
o Permanent employee
o Notice period
o Termination with or without cause
User training Policy:
This policy defines the users should be trained about network system before hiring and also
should aware of threats occur in the computer network. This policy applied only to
employees for access regulated data. Basically, this aimed to prevent network of
organizational sources and give training about network security of an organization.
31

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Data Policies:
The data policies in the security policies deal with the data security of the system. The data of the
First national university (FNU) deals with the educational data, personal data of students,
faculties, workers and other educational related data. The main aim of the data policy is to secure
the system from a breach and provide privacy to the system. Governments have set up rules and
regulation to stop data breach, the laws came in the cybersecurity.
The data policies contain several other policies like
Information Classification and Sensitivity Policy:
it deals with the classification of information. First national universities study various data of
students and faculty and classify the information which could be shared publically and the
information which must be kept private. For an example, the personal information of students
and faculty must be kept private and the information regarding the facility provided by the
institution are share among peoples.
Encryption Policy:
through this policy, the firm gives access to some of its data to its working staff, clients,
consumer and other users. This gives a secure platform for data accessing to each individual. The
information which could be shared by the First national university is an attendance of the student
and faculty. Marks scored by the students and other personal records of student and faculty.
Backup Policy:
Back up policy deals with providing data back up to the system. It is one of the essential policies
as it provides a chance of data recovery for the system. There were several occasion when the
data of the institution lost due to a failure of a system. The data of First nation university is quite
sensitive as it contains personal and educational data of a lot of students and if the data of the
university loses in any mishap then the university will face a lot of financial losses and recovery
of those data seems quite difficult.
32

Password Management and Complexity Policy:
password protection provides a security to the system many of the official websites provide the
password protection for security purpose. The First national university also requires the
password protection so that only some of the official member gets a chance to change the data of
the system
System and Hardware Policies:
The system and hardware policies deal with the policies which should be considered while
installing the hardware and software. The First national university has many systems operated by
the faculty, student and managing directors, some of the systems has more access to the data of
the university than other. These systems were operated by higher managing authority. The
system and hardware policies include various other policies like
Hardware Lifecycle and Disposal Policy:
It decides the fix time period after which every system have to be replaced in the university. The
advancement in computation will lead to improvement of systems and improve the working
condition of the system.
Workstation Policy:
It deals with the arrangement and connectivity of the system at the workstation for better
performance. Generally, at large institution, most of the systems are interconnected so as to make
it cost effective. So the institute designs the layout of the workstation.
Switch and Router Policy:
It deals with the connectivity of the system with the network and also deals with the
interconnectivity of the system in the organization.
Server Security Policy:
the Server is controlled by the mainframe system which holds and controls the data flow within
the system in an organization. The server system requires maximum security as it is the main
33

element in the workstation and if the system server gets down then the whole system in the
organization faces problem due to that.
Logging Policy:
the logging policies deal with logging information, every system have a logging data which are
accessed and then deleted from the system to protect from the security breach, the logging
policies deal with the live activity, The various information came under this policy are
• Change in password
• An action of password attempted
• Policies of the access
34

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Disaster Recovery and Business Continuity:
It shows the ability of the institution to recover from any disaster and to safeguard it from the
future mishap. The institution can face various disasters which could lead to system failure. The
various system related problem faces by the systems are
 Server issue: it occurs when there is a lot of pressure on the system which leads to system
crash. It is a big problem for the instruction like the First national university as during
several occasion the server faces overloading and lead to a crash of the system.
 Power outrage: to protect the system from the power outrage, organization use power
backup system as power outrage can lead to complete loss of the data.
 Human error: sometimes the system operator faces the problem like an unexpected
removal of a file by accident, logging problem due to the wrong password etc. these
problems lead to the delaying of work.
Figure: 11: Disaster Recovery and Business Continuity
(Source: BNB technology, 2018)
35

 Server weather: system also faces problem in wireless connectivity due to bad weather
condition and operator faces a lot of problems to connect to the cloud which delays the
work.
 Fire damage: The system is composed of a lot of electronic systems and we have to make
proper caution to protect the system from the short circuit. It leads to complete damage of
data of the system.
 Unexpected Update: updating a system requires a lot of time and some of the updates
create the problem in the system which causes a loss of time.
Business Impact Analysis:
It is the detailed analysis of the effect of the disaster on the institution operates. Various steps
come under Business impact analysis are
 Information gathering: in this process, all the disaster-related data is collected. The data
contain information on a type of disaster, its impact of a disaster on the business,
recovery technique etc.
 Evaluate the data: in this process, the data is studied completely and a suitable
conclusion is made out of the data.
 Prepare the report: in this process report is made on the element of disaster using the data
collected.
 Present presentation: in this process, a presentation is present in front of the higher
official and explains them about the disaster.
Insurance Consideration:
It is the analysis of insurance forecasting requires the organization for its system security.
Insurance is a deal in which a customer pays a significant amount of money in advance to the
insurance company for insuring his property and the insurance company claims the recovery of
that property in case of damage in the future.
36

Incident Response Team:
every organization establishes an emergency response team who has the responsibility to take
any action in case of the mishap in the organization due to disaster. The First national university
also set up the incident response team to take action against any mishap. The objective to
establish incident response team is
 To take quick action against the disaster
 To encounter and estimate the residual risk
 Analyze the security in the system
 Report the breach in the security to higher official
Physical Safeguards:
physical safeguard deal with the protection of the system using physical infrastructure, appliance,
and other equipment. The various physical appliance uses to protect the system are
 Power backup system: power back up system is used to provide the power to the system
in case of power failure
 Air conditioning: air cooling system is installed in the workplace so that the system does
not face a problem of overheating
 Fire safety equipment: to protect the system from fire, fire safety equipment is installed in
the workplace.
 Repairing equipment: various repairing equipment were kept for repairing purpose in the
workplace
Incident Response Procedures:
the various procedure which could be involved in responding to the disaster incident.
 Deal with the issue and allocate roles to the department
37

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

 Involve the relevant department in the incident
 Identify the cause of the incident
 Test the data and system for the residual risk
 Go through the plan for disaster recovery
 Determine the information of the disaster, information like the amount of impact, type of
disaster, recovery possibility etc.
 Implement the strategy for recovery.
 Go through the whole system again and again to find potential damage.
Figure- 12: Data recovery
(Source: Advance business solution)
Restoration Procedures:
data is very essential for the organization. In case of disaster, the institute performs several steps
for data recovery these steps are
38

 The data is sorted out on the basis of risk assessment.
 The recovery and backup data and process is noted down annually by each institution
 Physical assess controls are set up to protect physical media backup
 Backup data must be protected from the security code
 Backup data must be created at regular interval
 The data store in the system of the vendors must be recalled from time to time
 Claim the recovered data from the data backup
Forensics Considerations:
digital forensics is done to investigate the cybercrime. Every digital data has a digital footprint
which is attached to it for years. This footprint is used to track the information. Through
forensics consideration, the root of the security breach could be found. This is done to protect the
system from cybercrime.
Maintaining the Plan:
The expansion of data and new website design require maintaining the plan for the security
purpose, the data is updated from time to time and the system gain new data so maintaining
process play a critical role for data security
39

Security Strategies and Recommended Controls
Following an organized arrangement of steps when creating and executing system security will
enable you to address the shifted worries that have an influence on the security plan. Numerous
security systems have been produced indiscriminately and have neglected to really secure
resources and to meet a client's essential objectives for security. Separating the procedure of
security outline into the accompanying advances will help you adequately design and execute a
security technique:
a) Distinguish arrange resources.
b) Examine security dangers.
c) Examine security necessities and trade-offs.
d) Build up a security design.
e) Characterize a security arrangement.
f) Create strategies for applying security arrangements.
g) Build up a specialized execution system.
h) Accomplish purchase in from clients, administrators, and specialized staff.
i) Prepare clients, administrators, and specialized staff.
j) Actualize the specialized system and security techniques.
k) Test the security and refresh it if any issues are found.
l) Look after security.
40

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

(Figure:13)
(Source: By author)
A security design should reference the system topology and incorporate a rundown of system
benefits that will be given (for instance, FTP, web, email, et cetera). This rundown ought to
indicate who gives the administrations, who approaches the administrations, how to get to is
given, and who regulates the administrations. (Densham, 2015).
 An entrance strategy that characterizes get to rights and benefits. The entrance strategy
ought to give rules to interfacing outside systems, associating gadgets to a system, and
adding new programming to frameworks. An entrance approach may likewise address
how information is sorted (for instance, private, inside, and top mystery).
 A responsibility arrangement that characterizes the duties of clients, tasks staff, and
administration. The responsibility strategy ought to determine a reviewability and give
episode dealing with rules that indicate what to do and whom to contact if a conceivable
interruption is recognized.
41

 A confirmation strategy that builds up trust through a viable secret word approach and
sets up rules for remote-area validation.
 A security strategy that characterizes sensible desires for protection with respect to the
checking of electronic mail, logging of keystrokes, and access to clients' documents.
 PC innovation obtaining rules that indicate the prerequisites for gaining, arranging, and
inspecting PC frameworks and systems for consistency with the strategy.
Risk controls are the exercises executed to moderate dangers. Controls can endeavor to
keep away from the hazard completely. Or on the other hand, the control might be
intended to keep the hazard from happening. Much of the time, the hazard may endeavor
to decrease the misfortunes related with a movement.
42

Residual Risks
List of Residual Risks - that remain after all possible (cost-effective) mitigation or
Treatment of risks
Residual risk measurement: If a leftover hazard continues even after treatment, a choice ought to
be taken about whether to hold this hazard or to rehash the hazard treatment process. For
remaining dangers that are regarded to be high, data ought to be gathered about the cost of
executing further alleviation techniques.
Risk treatment monitoring: in outlining reaction activities, it is imperative that the controls set up
are relative to the dangers. Hazard investigation helps such a procedure by distinguishing those
dangers requiring consideration by the administration. Hazard control activities will be organized
as far as their capability to profit the association. Adequacy of inward control is controlled by
how much the hazard will be either dispensed with or lessened by the control measures proposed.
(Bignozzi and Tsanakas, 2012).
Types of risk treatment
A risk treatment means a step is taken to control a risk. In risk management process it includes
all the actions which can help in identify, evaluates then treatment of that risk. The steps are as
follows:
 Prevention
The organization has not to take that risk if they think that it will never affect our
organization either we are doing it or not the organization has to avoid the risk as
possible. Means if someone doesn't know how to swim or it's dangerous so it's better than
to avoid it by not swimming.
 Reduction
43

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

A reduction is something that reduces the chances of risk involved in the business like if
someone is trying something new then they don't have ever done so it's better to take
some kind of mitigations that can reduce that chance of risk.
 Relocation
It is also one type of residual risk if they think that some actions are in the work cannot
be handled by a person so they can transfer it someone else who can do it better. Two
types of transfers are outsourcing and insurance transfer.
 Acceptance
Risk acknowledgment, it is also called chance maintenance, is confronting a hazard. As a
rule, it is difficult to benefit in business or appreciate a dynamic existence without going
out on a limb. For instance, a financial specialist may acknowledge the hazard that an
organization will go bankrupt when they buy its bonds.
 Sharing
Risk sharing is kind of distribution of risk in the organization to the multiple individuals.
 Residual risk
After all the risk treatments it cannot be zero ever but it remains in some amount that is
called residual risk.
44

Figure: 14
Source: By Author
Figure: 15
Source: By Author
45

Mitigation risk, it is that type of risk which can reduce the identified risk. Some methods are
largely dependent upon the types of risk all we discuss above (Olson and Swenseth, 2014).
 Audits:
Audits are used to record all the transactions of accounting errors or and try to solve it
before they get maximized. This is also used as the proof if any financial fraud happens
in the organization.
 Backups:
Backing up of all the data to secure it for future if it may lose in any circumstances
 Communication:
Communication of any kind of risk is important because if any problems happened or any
kind of fraud done so there is witness communication is there for the recheck.
 Contingency plan
Planning is very important before taking a risk if any kind of accident happened so that
they can be recoverable.
 Modification
A modification is important in many categories in an organization so that it may help in
reducing risk.
 Redundancy
Redundancy refers to eliminating the risk with an alternative.
 Verification
Verification of the situations is important because it is the only way someone can assume
what will be going to happen next and how someone can reduce risk from that.
46

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Resources
Resources are the methods for help or anything a man or a nation uses to take care or bolster him
or the country. Resources are characterized as a wellspring of the plausibility of assistance or
methods for fund-raising to help oneself. It could be any type of human and regular examination,
which differs extra time and space. Be that as it may, a resource alludes to the aggregate of riches
or wellsprings of an abundance of a man or nation.
According to the above definition of resources, the resources are categorized into two parts
natural resources or human resources. Nowadays in this increasing population, the resources are
utilized very much and other factors are technology levels, demand, policies of the government
and so on.
 Natural resources
Natural resources are those which a human can never provide with their skills. Natural resources
are water, air, and living organisms, the natural resources which are excessively utilized by the
population nowadays are petroleum, diesel, oil, coal. It directly affects the environment if it is
used in an excessive manner and that is why the resources are reduced on the earth.
 Human resources
Human resources are those resources that can't be contacted or felt, rather they are found in the
human inventiveness of the populace yet this is maybe the most critical kind of assets for the
powerful working and coordination of a nation. Human resources are the most imperative and
essential for the financial improvement, they are the specialist of advancement. They go about as
an advantage for organizing different assets because of the wide learning.
 Environment resources
Environment resources are those which are gifted by nature. It can be an organic or inorganic
type of material plants. Like plants are the natural resources and they give food and other living
things which are used by the human beings and create an environment so it is known as
environmental resources.
47

 Vegetation resources
Vegetation assets are those things, which are gotten from the timberland, and savannah
vegetation and are of drench critical to man, creatures, and plants, it is a key part of a biological
community and, in that capacity, is associated with the control of different biogeochemical
cycles, e.g. water, carbon, nitrogen.
48

Conclusion:
This report covers the whole conclusion of "Network security plan" It is a template design based
on case study of ‘First national university'. This template concludes that security of any
organization or company is very important and it contains network security system used in an
organization. This report explains how network system works and how the employee should
interact with a system; Such as risk related to a network system, threats and challenges occurred,
different security policies relevant to network security. It also describes disaster recovery and
business continuity in a network system of an organization. Security strategies should also
implement for network security management. It also contains residual risks occurred during
operate a network and analysis of risk assessment gives the brief idea about a system of
organizations. The case study also helps to introduce new strategies and policies of network
security in FNU and define scope in relevant areas. This template is an overall conclusion of
network security of systems and plan of network security in organizations.
49

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

References
 Budish, R.H., Burkert, H. and Gasser, U., 2018. Encryption Policy and Its International
Impacts: A Framework for Understanding Extraterritorial Ripple Effects.
 Industrial Network Security. (2015). Network Security, 2015(3), p.4.
 The Practice of Network Security Monitoring. 2014. Network Security, 2014(10), p.4.
 Densham, B. 2015. Three cyber-security strategies to mitigate the impact of a data
breach. Network Security, 2015(1), pp.5-8.
 Bignozzi, V. and Tsanakas, A. 2012.Residual Estimation Risk.SSRN Electronic Journal.
 Olson, D. and Swenseth, S. 2014. Trade-offs in Supply Chain System Risk
Mitigation.Systems Research and Behavioral Science, 31(4), pp.565-579.
 Resources Editorial Office 2015.Acknowledgment to Reviewers of Resources in
2014.Resources, 4(1), pp.1-2.
 Alfaro, J.G., Boulahia-Coppens, N. and Coppens, F., 2008. The complete analysis of
configuration rules to guarantee reliable network security policies. International Journal
of Information Security, 7(2), pp.103-122.
 Hamed, H. and Al-Shaer, E., 2006.Taxonomy of conflicts in network security
policies.IEEE Communications Magazine, 44(3), pp.134-141.
 Hamed, H., Al-Shaer, E. and Marrero, W., 2005, November.Modeling and verification of
IPSec and VPN security policies. In Network Protocols, 2005.ICNP 2005.13th IEEE
International Conference on (pp. 10-pp).IEEE.
 Kaldor, M., 2018.Global security cultures.John Wiley & Sons.
50

 Rey, J., Kronander, K., Farshidian, F., Buchli, J. and Billard, A., 2018. Learning motions
from demonstrations and rewards with time-invariant dynamical systems based policies.
Autonomous Robots, 42(1), pp.45-64.
 Rey, J., Kronander, K., Farshidian, F., Buchli, J. and Billard, A., 2018. Learning motions
from demonstrations and rewards with time-invariant dynamical systems based policies.
Autonomous Robots, 42(1), pp.45-64.
 Siponen, M. and Vance, A., 2010. Neutralization: new insights into the problem of
employee information systems security policy violations. MIS quarterly, pp.487-502.
 Stallings, W., Brown, L., Bauer, M.D. and Bhattacharjee, A.K., 2012. Computer security:
principles and practice (pp. 978-0). Pearson Education.
 Tryggestad, T.L., 2018. Negotiations at the UN: The Case of UN Security Council
Resolution 1325 on Women, Peace, and Security. In Gendering Diplomacy and
International Negotiation (pp. 239-258). Palgrave Macmillan, Cham.
51