Networking 3 Project
Semester: Semester A, 2014/2015
Tutors:
Student names:
Student IDs:
Class Group: 001
Learning Outcomes Covered:
Weighting:
Instructions
1. Title
The purpose of this project is to enhance the security of the Civil Service
Bureau (CSB) network in order to implement a centralized, web-enabled Human
Resources Management Information System and Payroll System. This report
presents and describes the proposed network topology, the VLSM addressing plan
and the enhancements required to secure the network. The project was created by
Ali Alaali and delivered on December 28, 2013.
2. Abstract
This report identifies the techniques and standards that have been used to
provide a high level of security for the CSB network: Authentication,
Authorization and Auditing (AAA), which controls access to the network devices;
a virtual private network (VPN), which gives remote users access to the network
through a secure tunnel; the Cisco Adaptive Security Appliance (ASA), which
protects the network from intrusion attempts; Intrusion Detection and
Prevention Systems (IDPS), which monitor network and system activity for
suspicious behaviour; and other techniques and standards that aim to ensure the
security of the network. End point security methods are also included and
discussed.
3. Acknowledgements
We would like to express our special thanks and gratitude to our tutors, Mr.
Omer Fayyad and Mr. Peter Little, for helping us accomplish this project by
providing recommendations for the network design and explanations wherever we
misunderstood a requirement.
4. Table of Contents
1. Title
2. Abstract
3. Acknowledgements
4. Table of Contents
5. List of Symbols
6. Introduction
6.1. Purpose
6.2.
6.3. Method
7. Body
8.
9. Recommendations
10. References
11. Appendices
5. List of Symbols
Device symbol and device name (the symbol images are not reproduced):
Router
Switch
PC
Server
ASA Firewall
Internet
6. Introduction
6.1. Purpose
The purpose of this report is to outline the project of designing a network for
the Civil Service Bureau (CSB) and implementing security techniques, policies and
methods to secure it. It discusses the aspects that must be addressed to prepare
the network for remote access and to protect both the network devices and the
data that travels within the network: information security policies, standards,
procedures and guidelines; implementation of AAA; perimeter security of the
proposed network; IDS and IPS systems; end point security throughout the
organization; cryptographic systems; VPN; and the proposed education, training
and security awareness programs. Lastly it concludes with results and
recommendations.
6.3. Method
The information in this report was gathered from several sources, including
web sites, class lessons, course materials and Cisco materials.
7. Body
7.1. Network topology
7.2. VLSM
For more information about the VLSM for the WAN connections, the remote site
network, the internal network, the DMZ and the government users, refer to
appendix ()
the password follows a set of rules that define it, such as a minimum of 6
characters, at least one of which must be a numeral.
An IPS has also been included in the network in order to detect, counter and
notify administrators of any attempt by malicious IP addresses to enter the
network.
Because remote users also need to access the network through the Internet, a
VPN tunnel has been provided to give access to the organization's internal
network from remote locations. Encrypting the data further ensures that it
cannot easily be captured by attackers, adding confidentiality and integrity to
the data held within the organization.
The list below indicates the policies, standards, procedures and guidelines we
have reviewed and developed for information security; the full templates are
attached in the appendices:
7.4.1. Policies:
7.4.1.1 User Account:
This document outlines the policy for using user accounts within the CSB.
7.4.1.2 User Privileges:
This policy discusses user privileges and how they are granted and revoked.
7.4.1.3 Acceptable Use:
This policy clarifies the acceptable use of the CSB's information assets.
7.4.1.4 Password Policy:
This policy outlines the strategy for using passwords within the CSB network to
ensure the minimum required security.
7.4.1.5 Remote Access Security:
This policy addresses access to the CSB's network by external users who connect
remotely over the VPN.
7.4.2. Standards:
7.4.2.1 Information Logging Standard:
This document describes the logging processes used to record activity within
the network.
7.4.2.2 Managing Computer Accounts:
This document describes the standards for using user accounts and how they are
managed. It determines how the CSB's system resources are accessed in a safe
way.
7.4.2.3 Classification and Handling Standards:
This document outlines the standards for handling data and information within
the CSB's network and the classification of that information.
7.4.3. Procedures:
7.4.3.1 Identity Theft Reporting Procedure:
This document outlines the procedures that must be followed to handle any case
of identity theft.
7.4.3.2 Antivirus Information:
This document clarifies the procedures for using antivirus software to keep the
OS safe and protected, and for handling any suspicious or malicious files.
7.4.3.3 Operational Security Procedures:
This document outlines three sub-procedures that are required to guarantee that
the operational environments are secure.
7.4.4. Guidelines:
7.4.4.1 Password Construction Guidelines:
This document lists the recommended steps for creating safe and strong
passwords for user accounts.
7.4.4.2 Internet Gateway Security Guidelines:
This document outlines recommendations and suggestions for managing
communication between the internal network (the CSB network) and the external
network (the Internet).
and DMZ VLAN (servers)]. The DMZ contains the servers; access to it can be
limited by creating firewall rules that control traffic from external users by
specific port and service, and that limit access from the internal side by
source IP address and port to the specific server.
7.7.1. IDS
In terms of functionality, the IDS (Intrusion Detection System) triggers
warnings to administrators when an intrusion is detected. However, it only
captures a snapshot of the network at the time of the intrusion, giving the
administrator a view of how or when the intrusion happened, while being
completely incapable of stopping the attack as it happens. The main advantage
the IDS holds over the IPS is that it is completely detached from the network's
forwarding path: if the IDS sensor ever fails or is overloaded, the rest of the
network is not affected.
7.7.2. IPS
The IPS (Intrusion Prevention System) analyses all packets as they pass through
its sensor interface; any packet matching a malicious traffic signature is
dropped, so the attack is prevented before it succeeds. An IPS is also able to
trigger alarms and warnings to administrators. However, it has a key
disadvantage compared with the IDS: because the IPS sensor sits inline as a
checkpoint at the entry to the network, a failed or overloaded sensor may
affect the functionality of the entire network. It is also worth mentioning
that inspecting each packet before it passes through the sensor introduces
latency into the network.
We have decided to implement the IPS in our network, as it proves much more
beneficial once it is provided with a well thought out security policy.
7.10.
The VPN has other properties such as authentication and address and name server
allocation. There are three types of authentication: user authentication, which
authenticates the VPN client and verifies its permissions; computer
authentication with L2TP/IPsec, which verifies whether the computer used by the
client is trusted; and data authentication and integrity, which validates that
the transmitted data reached the destination without alteration, using an
encryption key known only to the source and the destination. The other property
is address and name server allocation, which provides the client with an IP
address from the pool on the VPN server after a virtual interface is created on
the client and connected to the virtual interface on the VPN server. During
connection set-up, Domain Name System (DNS) and Windows Internet Name Service
(WINS) servers are also assigned to the connection.
There are two types of VPN connection: remote access VPN and site-to-site VPN.
Remote access VPN will be used for the remote users to allow them to work from
anywhere, while site-to-site VPN will be used for the other government staff.
7.11. Development of comprehensive education, training and security awareness
programs
Staff will always need to sharpen their skills and keep up to date with
technology; it has therefore been decided that staff members will be required
to attend a monthly course in order to keep up with developments in technology,
while the requirements for new recruits will focus more on attained
certificates. As an added measure, once a year a batch of employees may also be
sent abroad for a short course to further develop their skills in their
required field. Candidates taking part in this training will be registered with
organizations such as (ISC)2; the certifications provided include the
9. Recommendations
The CSB network systems need to be secured with the previously mentioned
techniques and strategies, but here are some additional recommendations that
could help strengthen the network further:
Avoid using software firewalls and IPS/IDS systems; use hardware products
instead to ensure the most security.
Ensure that the configurations of the security devices are carefully planned
and implemented to minimize the possibility of security incidents.
It is strongly recommended to configure end point security properly to avoid
possible attacks originating from the connected devices.
Keep up with the latest certifications in the field of security and ensure
employees are well trained in dealing with security issues. Prepare and follow
a training plan for this purpose.
Be aware of the new security challenges that arise over time on the Internet
and ensure you have sufficient capability to handle any incident.
Consider implementing a fault-tolerant structure to ensure high availability of
the network hardware components in case of failure of the firewalls, switches,
etc.
It is highly recommended to keep up to date with the latest IPS signatures in
order to be able to detect new attacks.
If you are planning to use Cisco products throughout the network, it is
recommended to use TACACS instead of RADIUS, as the former is dedicated to
Cisco products.
Follow the policies in conjunction with the standards, procedures and
guidelines to strongly ensure information security.
Consider using views when configuring routers, assigning each view the minimum
privileges a user needs to carry out their tasks.
Ensure that secret is used instead of password in order to enable encryption.
Shut down the password reset service to avoid any possibility of exploiting it
to obtain passwords illegally.
It is recommended to configure separate VLANs so that each department or
section in the network has its own VLAN.
10. References
Network Authentication, Authorization, and Accounting: Part One. The Internet
Protocol Journal, Volume 10, No. 1. (n.d.). Retrieved December 26, 2014, from
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-1/101_aaapart1.html
Four Tips for Designing a Secure Network Perimeter. SecurityWeek.Com. (n.d.).
Retrieved December 26, 2014, from
http://www.securityweek.com/four-tips-designing-secure-network-perimeter
Endpoint security. (n.d.). Retrieved December 26, 2014, from
http://searchmidmarketsecurity.techtarget.com/definition/endpoint-security
Beal, V. (n.d.). Cryptography. Retrieved December 26, 2014, from
http://www.webopedia.com/TERM/C/cryptography.html
What Is VPN? (n.d.). Retrieved December 26, 2014, from
http://technet.microsoft.com/en-us/library/cc739294(v=ws.10).aspx
Password Construction Guidelines. (n.d.). Retrieved December 26, 2014, from
http://www.sans.org/security-resources/policies/general/pdf/password-construction-guidelines
Internet Gateway Security Guidelines. (n.d.). Retrieved December 26, 2014, from
http://www.ogcio.gov.hk/en/infrastructure/methodology/security_policy/doc/g50_pub.pdf
Sharma, N. (n.d.). Information Security Policy Schedule A - Roles, Standards and
Operational Procedures. Retrieved December 26, 2014, from
http://policies.griffith.edu.au/pdf/Information-Security-Policy-Schedule-A-Roles-Standards-Operational-Procedures.pdf
AntiVirus Information. (n.d.). Retrieved December 26, 2014, from
http://security.calpoly.edu/content/antivirus/index
Identity Theft (Red Flag) Program and Security Incident Reporting Procedure.
(n.d.). Retrieved December 26, 2014, from
http://security.calpoly.edu/content/policies/standards/red-flag-program
Information Classification and Handling Standard - Section B. (n.d.). Retrieved
December 26, 2014, from
http://security.calpoly.edu/content/policies/standards/classification/section_b
11. Appendices
11.1. VLSM
WAN connections (10.10.0.0 block):

Subnet Name           Address     Mask   Dec Mask          Assignable Range          Broadcast
CSB - GovUsers        10.10.0.0   /30    255.255.255.252   10.10.0.1 - 10.10.0.2     10.10.0.3
CSB - Remote          10.10.0.4   /30    255.255.255.252   10.10.0.5 - 10.10.0.6     10.10.0.7
CSB - CSBEdgeRouter   10.10.0.8   /30    255.255.255.248   10.10.0.9 - 10.10.0.14    10.10.0.15

Internal network, DMZ and government users (cells not given in the source are marked "-"):

Subnet Name      Needed Size   Allocated Size   Address    Mask   Dec Mask        Assignable Range             Broadcast
Internal users   300           510              -          -      -               172.17.0.1 - 172.17.1.254    172.17.1.255
DMZ              15            30               -          -      -               172.16.0.1 - 172.16.0.30     172.16.0.31
Gov Users        10000         16382            10.0.0.0   /18    255.255.192.0   10.0.0.1 - 10.0.63.254       10.0.63.255
-                -             -                -          -      -               172.30.0.1 - 172.30.0.6      172.30.0.7
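The VLSM method behind the table above, as an added example (not code from the report): requirements are ordered largest-first, each gets the smallest block whose usable host count covers it, and the derived mask, usable range and broadcast of each subnet are compared against the printed rows. The parent block 10.10.0.0/28 and the per-link host counts are assumed; the report's own rows are re-typed as constructed data.

```python
"""VLSM allocation and table check for the CSB address plan (added example).

Implements the textbook VLSM method: order requirements largest-first, give
each the smallest block whose usable host count covers it, and place blocks
back to back so every one lands on an aligned boundary. The report's rows are
re-typed below as constructed data so the derived columns can be compared.
"""
import ipaddress


def prefix_for(needed_hosts):
    """Smallest prefix length whose usable hosts (2**h - 2) cover the need."""
    host_bits = 2
    while (2 ** host_bits) - 2 < needed_hosts:
        host_bits += 1
    return 32 - host_bits


def describe(cidr):
    """Derive the VLSM table columns (mask, usable range, broadcast) for one subnet."""
    net = ipaddress.ip_network(cidr)
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "dec_mask": str(net.netmask),
        "allocated": net.num_addresses - 2,
        "first": str(net.network_address + 1),
        "last": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
    }


def allocate_vlsm(parent_cidr, requirements):
    """Carve parent_cidr into subnets, largest requirement first.

    requirements: list of (name, needed_hosts). Returns [(name, needed, columns)].
    """
    parent = ipaddress.ip_network(parent_cidr)
    ordered = sorted(requirements, key=lambda r: r[1], reverse=True)
    cursor = int(parent.network_address)
    plan = []
    for name, needed in ordered:
        # Largest-first keeps the cursor aligned, so strict parsing never rejects it.
        net = ipaddress.ip_network((cursor, prefix_for(needed)))
        if not net.subnet_of(parent):
            raise ValueError(f"{parent_cidr} exhausted while placing {name}")
        plan.append((name, needed, describe(net)))
        cursor = int(net.broadcast_address) + 1
    return plan


# Rows as printed in appendix 11.1 (constructed copy of the page's values):
# name, network/prefix, dec mask, first usable, last usable, broadcast.
REPORT_ROWS = [
    ("CSB - GovUsers", "10.10.0.0/30", "255.255.255.252", "10.10.0.1", "10.10.0.2", "10.10.0.3"),
    ("CSB - Remote", "10.10.0.4/30", "255.255.255.252", "10.10.0.5", "10.10.0.6", "10.10.0.7"),
    ("CSB - CSBEdgeRouter", "10.10.0.8/30", "255.255.255.248", "10.10.0.9", "10.10.0.14", "10.10.0.15"),
    ("Gov Users", "10.0.0.0/18", "255.255.192.0", "10.0.0.1", "10.0.63.254", "10.0.63.255"),
]


def verify_rows(rows):
    """Names of rows whose printed mask/range/broadcast disagree with the prefix."""
    mismatched = []
    for name, cidr, mask, first, last, broadcast in rows:
        got = describe(cidr)
        if (got["dec_mask"], got["first"], got["last"], got["broadcast"]) != (mask, first, last, broadcast):
            mismatched.append(name)
    return mismatched


if __name__ == "__main__":
    # Assumed parent block and host counts for the three WAN links.
    links = [("CSB - GovUsers", 2), ("CSB - Remote", 2), ("CSB - CSBEdgeRouter", 6)]
    for name, needed, cols in allocate_vlsm("10.10.0.0/28", links):
        print(f"{name:20} {cols['network']}/{cols['prefix']} {cols['dec_mask']} "
              f"{cols['first']}-{cols['last']} bcast {cols['broadcast']}")
    print("rows inconsistent with their prefix:", verify_rows(REPORT_ROWS))
```

The check flags the CSBEdgeRouter row, whose printed /30 does not match the 255.255.255.248 mask and .9-.14 range beside it; the largest-first order also places the /29 link before the /30 links, unlike the appendix.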
11.2. Policies:
11.2.1. Remote Access Security Policy
Objectives:
Purpose: The purpose of this policy is to outline the standards for accessing
CSB's systems and data remotely. The aim of these standards is to minimize the
opportunity of causing damage to CSB through unauthorized access to and use of
the systems and data.
Audience: This policy applies to all employees and to anyone who has remote
access to the CSB systems and does work on behalf of CSB. The remote access
implementations covered by this policy include, but are not limited to, VPN.
Policy:
Exceptions:
Disciplinary Actions: Violation of this policy may result in disciplinary
actions. Additionally, individuals are subject to civil and criminal prosecution.
Approved by:
11.2.2. Acceptable Use Policy
Objectives: Providing the best equipment assets is a key factor in providing
users with the best services. In support of this goal, CSB informs employees and
anyone else who uses these assets how to use them properly.
Purpose: This policy outlines the suitable use of the assets available at the
CSB, and addresses the unwise use that may expose them to risk.
Audience: The Acceptable Use policy applies equally to all employees granted the
use of CSB's equipment.
Policy:
The employee is responsible for informing or reporting to the concerned
department any theft, unauthorized disclosure or loss of CSB proprietary
information and assets.
The employee may access or share CSB proprietary information only with
authorized persons and only for the purpose of carrying out their job duties.
Individual departments are responsible for providing employees with appropriate
guidelines concerning personal use of the Internet, intranet and extranet
systems so that employees can exercise good judgment regarding acceptable use.
Where no such guidelines exist, departmental policies should guide employees on
acceptable personal use.
Equipment, systems and data traffic may be audited for security and maintenance
purposes by authorized individuals within the CSB.
Any device that connects to the internal network must comply with the minimum
access policy.
System-level and user-level passwords must conform to the Password Policy.
All computing devices within the CSB must be secured with a password. A device
left unattended must be logged off or shut down.
Employees may use the organization's devices and equipment during allocated
work time.
Any use of equipment must be for the purpose of achieving the organization's
goals; employees may not use them for personal purposes.
Equipment must not be moved from or replaced in the workplace.
Installing new devices or any other equipment is confined to authorized
employees only.
Exceptions:
Disciplinary Actions: Violation of this policy may result in disciplinary
actions. Additionally, individuals are subject to civil and criminal prosecution.
Approved by:
11.2.3. User Privileges Policy
Objectives:
Purpose: The purpose of this policy is to protect the assets of the
organization by clearly informing users of the privileges granted to them, so
that they access only the services they need.
Audience: The CSB Users policy applies equally to all individuals (internal and
external users) granted access privileges to CSB information resources.
Policy:
Each user account is granted a level of privilege that allows it to access only
the minimum needed information and services.
Non-employee users are granted access to the provided services and not to the
organization's data.
Employees may gain access to some of the organization's data according to their
work requirements and positions.
User privileges are classified hierarchically, so the top-most user privilege
can grant or revoke the privileges of lower users.
Exceptions:
Disciplinary Actions: Violation of this policy may result in disciplinary
actions. Additionally, individuals are subject to civil and criminal prosecution.
Approved by:
11.2.4. Password Policy
Objectives: This policy is created to ensure that each employee or other
authorized user follows the best security practices, protecting the
organization from any unauthorized use or exploitation of CSB's resources.
Purpose: The purpose of this policy is to outline how to create strong
passwords, how to protect them and how frequently they must be changed.
Audience: The CSB Password Policy applies equally to all users with access to
CSB data and systems.
Policy:
1. Password Creation:
1.1 All system-level and user-level passwords must comply with the Password
Construction Guideline.
1.2 Personal passwords that users use outside CSB must not be used inside the
organization.
1.3 System-level accounts must be protected with unique passwords; the same
password cannot be used for any other account.
2. Password Change:
2.1 System-level passwords must be changed at least every three months.
2.2 User-level passwords must be changed at least every eight months. The
recommended period for changing a password is every three months.
2.3 If a password is considered easy to crack or guess, it must be changed to
meet the requirements of the Password Construction Guideline.
3. Password Protection:
3.1 Passwords are considered confidential CSB information, so they must not be
shared with anyone and must be handled with care.
3.2 Passwords must not be written in a readable format, sent via email or sent
through any other form of electronic communication.
3.3 Passwords must not be shared over phone calls.
3.4 Passwords must not be written down and stored in a user's office, and must
not be saved in a note or any electronically readable file without encryption.
Exceptions:
Disciplinary Actions: Violation of this policy may result in disciplinary
actions. Additionally, individuals are subject to civil and criminal prosecution.
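A policy-as-code check for the rules this Password Policy and the Password Construction Guideline state (minimum length and numeral, unique system-level passwords, three-month and eight-month change periods), added here as an example and not part of the report. The account names, dates and the 30-day month used for the periods are assumptions.

```python
"""Password policy checks for the CSB Password Policy (added example).

Encodes the rules the report states: passwords of at least 6 characters with
at least one numeral, unique passwords for system-level accounts (policy 1.3),
and change periods of three months for system-level and eight months for
user-level accounts (policy 2.1/2.2). Account names, dates and the 30-day
month are assumed.
"""
import hashlib

MIN_LENGTH = 6
# Change periods from the policy; a month is assumed to be 30 days.
MAX_AGE_DAYS = {"system": 3 * 30, "user": 8 * 30}


def check_construction(password):
    """Return the list of hard-rule violations for a candidate password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no numeral")
    return problems


def construction_warnings(password):
    """Soft recommendations from the Password Construction Guidelines."""
    warnings = []
    if not any(not ch.isalnum() for ch in password):
        warnings.append("no special character (recommended)")
    # Passing the hard rules is a floor, not a strength measure: a short
    # dictionary word with a digit appended still satisfies them.
    return warnings


def is_change_overdue(level, last_changed, today):
    """True when the account's password is older than the policy allows."""
    if level not in MAX_AGE_DAYS:
        raise ValueError(f"unknown account level: {level}")
    return (today - last_changed).days > MAX_AGE_DAYS[level]


def _fingerprint(password):
    # Demo only: a bare SHA-256 lets equal passwords be spotted without keeping
    # plaintext around. A real credential store uses salted, slow hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def shared_system_passwords(accounts):
    """Names of system-level accounts whose password is reused elsewhere (policy 1.3).

    accounts: iterable of (name, level, password).
    """
    holders = {}
    for name, _level, password in accounts:
        holders.setdefault(_fingerprint(password), []).append(name)
    return [name for name, level, password in accounts
            if level == "system" and len(holders[_fingerprint(password)]) > 1]


def audit(accounts, today):
    """Run every check over account records; returns findings keyed by account.

    accounts: iterable of (name, level, password, last_changed).
    """
    findings = {}
    reused = set(shared_system_passwords([(n, l, p) for n, l, p, _ in accounts]))
    for name, level, password, last_changed in accounts:
        issues = check_construction(password) + construction_warnings(password)
        if is_change_overdue(level, last_changed, today):
            issues.append(f"password older than {MAX_AGE_DAYS[level]} days")
        if name in reused:
            issues.append("system-level password reused on another account")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample records (not from the report); the audit date is constructed too.
from datetime import date

SAMPLE_ACCOUNTS = [
    ("csb-edge-admin", "system", "R0ut3r#Edge", date(2014, 9, 1)),
    ("hr-payroll-svc", "system", "Sh@red99", date(2014, 12, 1)),
    ("backup-operator", "user", "Sh@red99", date(2014, 12, 1)),
    ("a.alaali", "user", "letmein", date(2014, 3, 1)),
]
AUDIT_DATE = date(2014, 12, 28)

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(account, "->", "; ".join(issues))
```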
11.2.5. User Account Policy
Objectives: The key aim of our organization is to keep our services available
to users from the internal and external networks so they can gain access
without violating or misusing those services or the organization's information.
Purpose: The purpose of this policy is to protect the assets of the
organization by clearly informing users of their roles and responsibilities in
using the services and accessing the data wisely.
Audience: The CSB Users policy applies equally to all individuals (internal and
external users) granted access privileges to CSB information resources.
Policy:
This policy requires that each user of our services has a unique account ID
with a password that conforms to our password standard.
Users may not share their credentials with anyone else, regardless of who that
person is or the position they hold.
Passwords must not be stored in written or any other readable form.
A new password must be requested whenever a compromise is suspected.
Exceptions:
Disciplinary Actions: Violation of this policy may result in disciplinary
actions. Additionally, individuals are subject to civil and criminal prosecution.
Approved by:
11.3. Standards:
11.3.1. Information Logging Standard
Overview:
Purpose: The main aim of this document is to address the issue of information
logging by stating its requirements and how information systems must meet them
in order to generate appropriate audit logs.
Audience:
Guidelines:
Exception:
Non-Compliance: Violation of this policy may result in disciplinary actions.
Additionally, individuals are subject to civil and criminal prosecution.
Approved by:
11.3.2. Classification and Handling Standard
Overview: Information classification is the process of handling information and
protecting it from harm or loss by assigning a value to it so that it can be
organized.
Purpose: efforts and access control. This document provides guidelines for the
information classification process.
Audience: This document applies to all information and data maintained,
generated, collected by or entrusted to CSB.
Standard:
1. Classification Levels:
1.1 High: An unauthorized disclosure, compromise or destruction would cause
severe damage to CSB, its employees and government entities. This can lead to
violation of laws and obligations, financial loss, damage to CSB's reputation
and possible legal action.
Example of level 1 (High) information (confidential):
a. Personally identifiable information (PIN, DOB, credentials, biometric
information, private keys, etc.)
b. Financial information (credit card number, bank account, account security
code, etc.)
c. Health information (insurance information, medical records, psychological
records)
d. Law enforcement information (personal records, criminal background records,
individual enforcement records, etc.)
1.2 Moderate: An unauthorized disclosure, compromise or destruction would
directly or indirectly have a negative effect on CSB or its employees, which
may lead to legal action and financial loss; damage to CSB's reputation may
also occur.
Example of level 2 (Moderate) information (internal use only):
a. Identity validation keys (DOB, full or partial)
b. Employee information (address, birthplace, ID, salary, history, phone
number, gender, etc.)
c. Technical security information (vulnerability or security information)
1.3 Low: CSB's assets are not exposed to risk, as knowledge of this information
does not directly or indirectly affect security and does not lead to financial
loss.
Example of level 3 (Low) information (publicly available):
a. Employee information (title, public email address, department,
classification, name, etc.)
b. Financial information (budget information, purchase information)
Exception:
Non-Compliance: Violation of this policy may result in disciplinary actions.
Additionally, individuals are subject to civil and criminal prosecution.
11.3.3. Managing Computer Accounts Standard
Overview: This document addresses the management and monitoring of computer
accounts used to access the resources of the CSB network.
Purpose: This standard aims to ensure proper access to CSB network resources.
It governs the requesting, approving, granting and terminating of access to
computer systems. Managing computer accounts is a critical practice in
protecting CSB's sensitive data and minimizing exposure to risk.
Audience: This standard applies to all computer systems in all CSB departments
and to all employees or anyone else who has a computer account. This includes,
but is not limited to, user-level and system-level accounts.
Guidelines:
1. Required:
1.1 A user account must only be used by the person to whom it is assigned.
1.2 Any account creation or termination must be done with the approval of the
authorized owner of the system, database or application. These processes must
be documented, and a list of the owners authorized to perform them must also be
documented and maintained.
1.3 No one is allowed to grant privileges or authorization to their own
account.
1.4 The privileges granted must be the minimum the user requires.
Administrative accounts must not be given to anyone who does not require them.
1.5 Accounts that are no longer required must be deleted or disabled, by
changing their authorization or removing accounts that no longer require any
privileges.
1.6 User accounts can be suspended in response to a request by an appropriate
representative of the respective department, the Chief Information Officer or
the Information Security Officer.
Exception:
Non-Compliance: Violation of this policy may result in disciplinary actions.
Additionally, individuals are subject to civil and criminal prosecution.
11.4. Procedures:
11.4.1. Identity Theft Reporting Procedure
Overview: Assist individuals in detecting, preventing, mitigating and reporting
any incident of identity theft.
Purpose: The purpose of this document is to outline the procedures that assist
individuals in 1) detecting, preventing and mitigating any incident of identity
theft and 2) reporting these incidents.
Audience:
Procedures:
Identification of Red Flags: red flags can be identified through the following:
Alerts.
Suspicious documents.
Suspicious personal identifying information.
Unusual use or suspicious account activity.
Any notice that indicates a case of identity theft.
Detection of Red Flags: red flags can be detected through the following:
When verifying and obtaining identity.
When authenticating customers.
When transactions are monitored.
Response to a Red Flag: Employees must report any incident of identity theft to
the appropriate authorized person in the CSB, who in turn will cooperate with
the employee in order to take the suitable response.
Employee Training: All employees must be trained to be able to deal with any
incident of identity theft.
Exceptions:
Disciplinary Actions: Violation of this policy may result in disciplinary
actions. Additionally, individuals are subject to civil and criminal prosecution.
Approved by:
11.5. Guidelines
11.5.1. Internet Gateway Security Guidelines
Overview: The Internet gateway is the interface that meets the external
network, the Internet. It is the point where the internal network establishes a
connection with the Internet. Securing this gateway is a critical practice that
tightens control and protects the internal network from risk.
Purpose: This document sets out the guidelines considered best practice for
managing security risks that come from the Internet.
Scope: This document applies to the following major areas of the CSB network:
1. Firewalls/ASA systems.
2. Routers.
3. Web security.
4. Other security considerations.
Guidelines:
1. Firewalls: Considered a critical security measure for protecting CSB's
resources against intruders. A firewall must be installed between the internal
network and the external network, or at any point in the network where
filtering, examining, restricting or redirecting the flow of data is required.
Choose the proper firewall product based on the following considerations:
features, price, vendor support, logging, reliability and ease of management.
1.1 Configuration:
1.1.1 All incoming and outgoing data flows must go through the firewall so that
the proper actions can be taken.
1.1.2 Plan carefully which data are allowed in.
1.1.3 Configure it to use NAT to protect private internal addressing
information.
1.1.4 Configure it to block unused ports.
1.1.5 Place the firewall hardware in a secure location.
1.1.6 Set up real-time alerts for emergency incidents.
1.2 Firewall Administration:
1.2.1 Keep it maintained.
1.2.2 Configurations must be documented.
1.2.3 Ensure that the configurations of parallel firewalls are identical.
1.2.4 Logging must be done on a regular basis.
1.2.5 Assign at least two administrators to administer the firewall.
2. Routers: Routers are the network components that connect the network
elements together and provide proper communication between them. Consider the
following:
2.1 Routers must be configured, like firewalls, to deny all traffic by default
except the needed data flows.
2.2 Logging must be done on a regular basis.
2.3 Test router functionality whenever the network is implemented or updated.
3. Web Security (Internet):
3.1 Use strong authentication techniques and mechanisms for remote
administration.
3.2 Use encrypted connections.
3.3 Java applets, ActiveX, cookies and any other active content should be
configured in a secure manner.
4. Other Security Considerations:
4.1 All gateway components should be physically secured and protected in
dedicated, locked areas.
4.2 Areas used to house the equipment must be well protected against natural or
physical disasters.
4.3 Enable logging functions on all network components that support them.
4.4 Review the recorded logs regularly.
4.5 Backup and recovery functions should be prepared and configured to remain
functional through any change or update to the systems' configurations.
Exception:
Non-Compliance: Violation of this policy may result in disciplinary actions.
Additionally, individuals are subject to civil and criminal prosecution.
11.5.2. Password Construction Guidelines
Overview: To protect the network it is very important to create a username and
a password. Passwords are considered one of the most critical security measures
for protecting the network from exploitation and unauthorized access.
Purpose: The purpose of this document is to provide the user with best
practices that lead to creating a secure and strong password.
Audience: The CSB Password Policy applies equally to all users with access to
CSB data and systems. This guideline applies to all passwords, including but
not limited to system-level accounts, user-level accounts and local logins to
routers.
Guidelines: Passwords must not be written down or stored anywhere in readable
format. It is recommended to choose passwords that are easy to remember but not
easy to guess. It is also recommended to use special characters in place of
normal characters. For example, the word "Password" could become the password
"P@$$w0rd" or any other variation.
Exception:
Non-Compliance: Violation of this policy may result in disciplinary actions.
Additionally, individuals are subject to civil and criminal prosecution.