Home / Uncategorized / Network Policies & Best Practices | CompTIA Network+ N10-007 | 3.5

Network Policies & Best Practices | CompTIA Network+ N10-007 | 3.5

By on May 9, 2021

In this video you will learn about network policies & best practices such as: privileged user agreements, password policies, onboarding & off-boarding procedures, licensing restrictions, international export controls, data loss prevention, remote access policies, incident response policies, BYOD, AUP, NDA, system life cycles, and safety procedures & policies.

Privileged User Agreement (PUA)

A privileged user agreement enables an individual to take actions that may affect computing systems, network communication, or the accounts, files, data, or processes of other users.  Privileged access is typically granted to system administrators, network administrators, staff performing computing account administration or other such employees whose job duties require special privileges over a computing system or network.[1] A PUA agreement might stipulate the following:[2]

  • Privileged access should be granted only to authorized individuals who read & sign the agreement.
  • Privileged access may be used only to perform assigned job duties.
  • If methods other than using privileged access will accomplish an action, those other methods must be used unless the burden of time or other resources required clearly justifies using privileged access.
  • Privileged access may be used to perform standard system-related duties only on machines & networks whose responsibility is part of the assigned job duties.
  • Privileged access may be used to grant, change, or deny resources, access, or privilege to another individual only for authorized account management activities under exceptional circumstances.

Password Policy

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords & use them properly.  A password policy is often part of an organization’s official regulations and may be taught as part of security awareness training.  Either the password policy is merely advisory, or the computer systems force users to comply with it.  A strong password policy should include the following elements:[2]

  • Education for end users
  • Strong password requirements, such as:
    • Minimum password lengths
    • Restrictions on the use of proper names
    • Password expiration
    • No previously used passwords allowed
  • No words spelled out completely within the password
  • The use of characters from the following groups:
    • Uppercase letters
    • Lowercase letters
    • Numbers
    • Special characters
  • Implementing the use of a password manager should also be considered
    • This software can store passwords for different resources & can even help users generate complex passwords across these resources.

On-boarding/Off-boarding Procedures

Employee onboarding is a series of tasks that help a chosen candidate become an integrated & functioning member of an organization.  Good employee onboarding goes beyond conventional paperwork.  It should provide the tools and resources new employees need to become satisfied & productive team members quickly.  A good employee onboarding program maximizes productivity by outlining job & organization expectations, reducing errors, and saving time and frustration.[3]  A standard employee onboarding might including the following:[2]

  • ID number & PIN assignment
  • Username & password assignment
  • ID card & access assignments
  • Email mailbox setup
  • Email client setup
  • Workstation setup
  • Workstation network access verification
  • IT security & best practices training
  • Phone & BYOD setup
  • Time management & other HR software training

Employee offboarding is the strategic process of disengaging an employee from your workforce.  In other words, it initiates the formal separation between the employer and the employee.  The process begins with an exit interview conducted by the HR team.  Although the HR team is the one that initiates the offboarding process, the IT department is the one who needs to see it through to prevent an outgoing employee from turning into a malicious insider.[3]

Licensing Restrictions

You may also need to provide training in the proper licensing & use of corporate hardware and software.  As networks have become more complex, so have licensing agreements.  It is important that your users remain in compliance with all existing licensing agreements and restrictions.[2]

International Export Controls

Another important best practice is to educate IT staff and end users on the international export rules your organization must observe.  Using the U.S. government as an example, specific agencies regulate the transfer of information, commodities, technology, and software considered to be strategically important to the U.S. in the interest of national security, economic, and/or foreign policy concerns.  Your management must understand that noncompliance with export controls can result in severe monetary and criminal penalties against both an individual in your company as well as the organization itself.[2]

Data Loss Prevention (DLP)

Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring[4], detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).[5]  Most DLP policies focus on the use of content-level scanning and deep content inspection to identify sensitive data and protect it.  The following actions should be considered when designing a DLP policy:[2]

  • Consider any risk assessments your company has performed.
  • Incorporate key members of management from the various departments of your organization.
  • Identify the most sensitive data of the organization.
  • Outline a phased implementation of DLP & incorporate guidelines for tracking success of the initiative.
  • Attempt to minimize any negative impacts on the business caused by the policy implementation.
  • Periodically review the DLP policy.
  • Include the appropriate event-monitoring specifics as they apply to the policy.

Remote Access Policies

A remote access policy is a document which outlines and defines acceptable methods of remotely connecting to the internal network.  It is essential in large organizations where networks are geographically dispersed and extend into insecure network locations such as public networks or unmanaged home networks.  It should cover all available methods to remotely access internal resources such as:[6]

  • Dial-in
  • ISDN/Frame Relay
  • Telnet access from the Internet
  • Cable modem

Other remote access policy to consider:[2]

  • The scope of the policy should be clear & may include applicable targets, such as employees, contractors, vendors, & agents with company-owned or personally owned computers or workstations used to connect to the corporate network.
  • Clearly detailed requirements of the policy itself, which might include encryption and security standards as well as the acceptable areas of network access.
  • Section regarding compliance, which could include exceptions to the policy, the measurements for compliance, and the consequences of noncompliance.
  • A section that indicates what other security policies for the network closely relate to this policy.

Incident Response Policies

An incident, as defined in the National Institute of Standards and Technology (NIST), is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.  An incident response capability is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.[7]  Because security issues are inevitable for a network, it is critical to prepare a comprehensive incident response policy.  Such a policy might outline various phases of an incident response plan, including the following:[2]

  • Prepare:  Involves being able to identify the start of an incident, preparing a recovery plan, how to get everything back to normal, & creating established security policies.
  • Identify:  Identifying the actual security incident.
  • Contain:  Involves protecting & keeping available critical computing resources and determining the operational status of the infected computer, system, or network.  The goal is to limit the security incident from spreading.
  • Eradicate:  Deals with the removal of the attack or infection.
  • Recover:  Involves service restoration as well as recertification of network devices & systems.
  • Review:  All phases should be analyzed in the review to gauge their effectiveness and modify the incident response policy as needed for the future.

BYOD (Bring Your Own Device)

BYOD refers to being allowed to use one’s personally owned device, rather than being required to use an officially provided device.  There are 2 major contexts in which this term is used.  One is in the mobile phone industry, where it refers to carriers allowing customers to activate their existing phone on the network, rather than being forced to buy a new device from the carrier.  The other is in the workplace, where it refers to a policy of permitting employees to bring personally owned devices (laptops, tablets, smartphones, etc) to work, and to use those devices to access privileged company information and applications..[8]  A BYOD policy should incorporate the following:[2]

  • An explicit & detailed list of what devices are actually permitted.
  • An explicit security policy for each device or device category.
  • The appropriate corporate support policy for each device or device category.
  • A clear delineation of what applications and data are owned by the corporation versus that owned by the user and/or employee.
  • An explicit list of applications permitted in the BYOD environment.
  • An integration of the BYOD policy with the acceptable use policy (AUP).
  • A detailed presentation of the exit policies for employees as they relate to BYOD.

AUP (Acceptable Use Policy)

An AUP is a set of rules applied by the owner, creator or administrator of a network, website, or service, that restrict the ways in which the network, website or system may be used and sets guidelines as to how it should be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers, and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.  An AUP should be the following:[2]

  • Clear
  • Concise
  • Detailed regarding acceptable & unacceptable use of the network
  • Congruent with the associated overall security policies of the organization
  • Concrete regarding consequences of AUP violations
  • Also, it should be updated & reviewed regularly

NDA (Non-Disclosure Agreement)

An NDA is a legal contract or part of a contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to.  In other words, it is a contract through which the parties agree not to disclose any information covered by the agreement.  An NDA creates a confidential relationships between the parties, typically to protect any type of confidential and proprietary information or trade secrets.[9]  NDAs are quite common for employees to sign during the onboarding process.

System Life Cycle

A system life cycle, also referred to as the application development life cycle, is a process for planning, creating, testing, and deploying an information system.[10]  The systems development life cycle concept applies to a range of hardware and software configurations, as a system can be composed of hardware only, software only, or a combination of both.[11]  There usual stages of this cycle are:

  • Requirement analysis
  • Design
  • Development and testing
  • Implementation
  • Documentation
  • Evaluation

Safety Procedures & Policies

Some safety policies and procedures for the networking equipment in your organization should include the following commonalities:[2]

  • Following the installation & maintenance guides for the equipment as closely as possible
  • Keeping all work areas as clean and organized as possible
  • Wearing appropriate safety equipment
  • Assistance when lifting heavy network objects
  • Caution when interacting with electricity
  • Avoiding other risks of electric shock

References

  1. Model Privileged Access Agreement. Berkeley Information Security Office.
  2. Sequeira, A. (2018). CompTIA Network+ N10-007 Cert Guide.
  3. Onboarding and Off-boarding: The Role of IT Pros. Spanning.
  4. Hayes, R. (2007). Retail Security and Loss Prevention.
  5. De Groot, J. (2020, Oct 1). What is Data Loss Prevention (DLP)? A Definition of Data Loss Prevention. Data Insider.
  6. Remote access policy. Wikipedia.
  7. Incident Response Policy.  FBI.
  8. Bring your own device. Wikipedia.
  9. Non-disclosure agreement. Wikipedia.
  10. Selecting a Development Approach. CMS.
  11. Systems development life cycle. Wikipedia.

Related Items