ITB7303: Computer

Networking 3 Project

Semester:

Semester A, 2014/2015

Tutors:

Omar bani Fayyad

Student names:

Ali Alaali Hussain Alhamaly Meshal Mohamed

Student IDs:

201000096 201100451 - 201102095

Class Group

001

Learning Outcomes
Covered

Weighting:
Instructions

1. The following learning outcomes will be tested:

2. Describe the security threats facing modern network
infrastructures.
3. Secure network device access and implement AAA on network
devices.
4. Analyse threats and mitigate attacks to networks using various
techniques.
5. Design and implement secure network management and
reporting, and administer effective security policies.
6. Design and implement systems using the Cisco IOS firewall and
IPS
7. feature
sets. mark
50%
of the overall
8. Design and implement site-to-site IPSec VPNs.
-

This is a group project. Students are responsible for creating groups

of 2 or 3.
There are two parts for this project. The first part is a technical
report, about 2000 words excluding appendices. The technical
report should include the design and implementation (Packet
tracer file or screen shoots) of the project prototype. All
configuration details should be included as an appendix.
The second part is a project defense where you will implement a
similar scenario like your project or troubleshooting some
scenarios using physical equipment in the lab.
The report and the implementation should be uploaded on
Moodle via Turnitin by Sunday 28th December 2014 11.55pm.
Late submission will incur 5% penalty per working day.

1. Title
The purpose of this project is to enhance the security of the Civil Service
Bureau (CSB) network in order to implement a centralized web-enabled Human
Resources Management Information System and Payroll System. This report
demonstrations and describes the propose network topology, VLSM and the
required enhancement to secure the network. This project is created by Ali Alaali,
and delivered on December 28 2013.

2. Abstract
This report identifies the techniques and standards have been used to
provide high level of security to the CSB network, such as Authentication,
Authorization and Auditing technology (AAA) which controls the access to the
network devices, virtual private network (VPN) which allows the remote users to
access the network by providing secure tunnel, Cisco Adaptive Security Appliance
(ASA) which provide high protection to the network from intrusion attempts,
Intrusion Detection and Prevention Systems (IDPS) which monitors network and
system activities for sly activities, as well other techniques and standards aim to

insure the security of the network. Furthermore end point security methods will be
included and discussed.

3. Acknowledgements
We would like to express our special thanks of gratitude to our tutors Mr.
Omer Fayyad and Mr. Peter Little for their help for us to accomplish the project by
providing recommendations for the network design, and explanations for any
misunderstanding of any requirements.

4. Table of Contents
Contents
1.

Title.................................................................................................................................... 2

2.

Abstract ............................................................................................................................. 2

3.

Acknowledgements .......................................................................................................... 2

4.

Table of Contents .............................................................................................................. 3

5.

List of Symbols .................................................................................................................. 4

6.

Introduction ...................................................................................................................... 5
6.1.

Purpose ..................................................................................................................... 5

6.2.

Terms of Reference ................................................................................................... 5

6.3.

Method ...................................................................................................................... 5

7.

Body................................................................................................................................... 6

8.

Results and Conclusions ................................................................................................. 13

9.

Recommendations .......................................................................................................... 13

10.

References................................................................................................................... 15

11.

Appendices .................................................................................................................. 16

5. List of Symbols
Device symbol

Device name
Router
Switch
PC
Server

ASA Firewall
Internet

6. Introduction
6.1. Purpose
The purpose of this report is to outline the project of designing a network for
Civil Service Bureau (CSB) and implementing security techniques, policies and
methods to secure the network. Moreover it will discuss several aspects to overcome
the problem of security issues in order to prepare the network for remote access and
insure the protection of the network devices as well the travel data within the network
which are information security policies, standards, procedures and guidelines,
implementation of AAA, perimeter security of the proposed network, IDS and IPS
systems, End point security throughout the organization, cryptographic systems, VPN
and Proposed education, training and security awareness programs. Lastly it will
conclude with results and recommendations.

6.2. Terms of Reference

This report requested by Mr. Omer Fayyad, Networking and Data
Communications tutor at Bahrain Polytechnic and it is due on the 28th December,
2014.

6.3. Method
The information within this report was gathered through several sources
including web sites, class lessons, course materials and Cisco materials.

7. Body
7.1. Network topology

7.2. VLSM
For more information about the VLSM for the wan connections, remote site network,
internal network, DMZ and government users refer to appendix ()

7.3. Comprehensive risk analysis and assessment.

As of the case with any system within a network, there are bound to be risks
and weak spots within the network; these vulnerabilities can include the opportunity
points for hackings, data theft, along with viruses and worms.
To start off, we have noticed the lack of strength in a basic network security
configuration, thus we have decided to implement a Authentication, authorization,
and accounting (AAA) security protocol to the network; this would further increase
the strength of security, making sure to separate the administrative accounts from all
the other types of accounts. Providing each user with user with a specific username
and password along with assigning different privileges to appropriate account types
further ensures the security of the network from any unwelcomed access. Certain
policies can also be proven useful, for example; password policies that state that the
user is to alter his/her password once every month, making sure in the process that

the password follows a set of rules that define it, as in a minimum of 6 characters,
where at least one character is a numeral.
An IPS has also been included at the network in order to detect, counter and
notify administrators of any attempts or existence of malicious IP addresses that
attempt to enter the network.
Due to the fact that remote users will also require to access the network
through the internet, a VPN Tunnel has been issued in order to provide access to the
internal network of the organization from remote places, data encryptions further
more ensure that the data would not be easily handed to hackers, adding more
security and integrity to the data with held within the organization.

7.4. Review and development of all information security policies,

standards, procedures and guidelines.
Security policy is a term that indicates the mechanisms of handling the
access of companys resources and the constraints that are imposed on employees,
customers and anyone who is involved to get access to those resources. The main
aim of defining policies is protecting organizations assets and sensitive data so
unauthorized people cannot gain access to those data unless they have the sufficient
authorizations.
Standards document addresses the specific minimum requirements in an
organizations policies so they make the policies more meaningful and affective.
After completing the policies and standards documents, it is necessary to
make a guidelines document. This document states the recommendations,
statements and the best methods that lead to accomplishing the purposes of the
security policies.
Procedures document provides the instructions that must be followed in order
to achieve the policies targets. It is outline the way of implementing the security
policy through sequenced steps so the final goal can be achieved. The importance of
having security policies is equal to having security policy procedures.
Procedures, standards and guidelines must be achieved in conjunction with
the policies as they provide the way and the recommendations to fully achieve the
policy aims.

The list below indicates the policies, standards, procedures and guidelines
weve reviewed and developed for the information security, the full templates of them
are attached to the appendices:

7.4.1. Policies:
7.4.1.1 User Account:
This document outlines the policy of using user accounts within the CSB.
7.4.1.2 User Privileges:
This policy discusses the user privileges and how they are granted and revoked.
7.4.1.3 Acceptable Use:
This policy clarifies the acceptable use of the CSBs information assets.
7.4.1.4 Password Policy:
This policy outlines the strategy of using passwords within the CSB network to
ensure the minimum required security.
7.4.1.5 Remote Access Security:
This policy addresses the issue of accessing the CSBs network remotely by the
external users who use VPN system as the connection type.

7.4.2. Standards:
7.4.2.1 Information Logging Standard:
This document describes the logging processes that are used to log the processes
within the network.
7.4.2.2 Managing Computer Accounts:
This document describes the standards of using user accounts and how they are
managed. It is actually determines the way of accessing the CSBs systems resources in a
safe way.
7.4.2.3 Classification and Handling Standards:
This document outlines the standards of handling the data and information within
the CSBs network and the classifications of these information.

7.4.3. Procedures:
7.4.3.1 Identity Theft Reporting Procedure:
This document outlines the required procedures that must be followed to
manage the case of any identity theft.
7.4.3.2 Antivirus Information:
This document clarifies the procedures of using antivirus software in order to keep
the OS safe and protected, or to handle the case of any suspicious or malicious files.
7.4.3.3 Operational Security Procedures:
This procedures document outlines 3 sub-procedures that are required to guarantee
that the operational environments are secure.

7.4.4. Guidelines:
7.4.4.1 Password Construction Guidelines:

This document lists the recommended steps to create safe and strong passwords for
the user accounts.
7.4.4.2 Internet Gateway Security Guidelines:
This document outlines the recommendations and suggestions to manage the
process of the communication between the internal network (the CSB network) and the
external network (the Internet).

7.5. Authentication, Authorization and Auditing.

In order to secure the network the configurations of the network devices must
be secure. Enable password command is not secure enough, as well configure one
password for many users will put the network under risk because it might be given for
the wrong user who might harm or hack the network. To overcome this issue
implement Authentication, authorization, and accounting (AAA) technology within
Civil Service Bureau (CSB) network will increase the security of the network. It is a
term for a framework which combined the important processes to insure the security
and effective network management which are auditing usage, enforcing policies,
providing the necessary information to bill for services and intelligently controlling
access to resources.
For the Civil Service Bureau (CSB) network AAA service will be provided by
an AAA server runs by Remote Authentication Dial-In User Service (RADIUS)
protocol and contains the users accounts and their privileges. This technology will
also save the time because modifying local users database in each router requires
time more than modifying the users database in the AAA server. The server will be
installed with the require users and privileges which will allows them to access the
routers and it will be configured with maximum fail attempt of five.

7.6. Network perimeter security.

To increase the security of the network there are components and several
aspects can complement each other which are ASA firewall, De-Militarized Zones
(DMZs) which will be discussed within this part, Virtual Private Network (VPN),
Network IDS and IPS systems which will be illustrate later.
The ASA firewall is a device which purposes to allow and deny the traffic by
ports, source or destination IP, as well protocols. Furthermore it can controls other
functionalities such as application inspection, web filtering, IPsec, and SSL
connectivity. It will be placed between the border router and the switches.
Furthermore, it will isolate three VLANs by different security level [Inside VLAN
(internal users), Outside VLAN (internet connection and other exterior connections)

and DMZ VLAN (servers)]. The DMZ contains the servers, it can limits the access by
creating firewall rules to control the traffic from the external users via specific port,
services and limit the access from the internal side by the source IP addresses and
port to the specific server.

7.7. Network IDS and IPS systems.

Intrusion Detection System(aka. IDS) and the Intrusion Prevention
System(aka. IPS) are both vital mechanics that are to be used within a network; As
the names suggest, both these features work in order to deal with intrusion attacks
onto the network. However, both these features suffer from a set weakness, having
them not fully able to protect a network from internal threats, instead focusing mainly
on external threats, having them only react to a set of pre-defined known types of
intrusion attacks in the process. Both these technologies deploy with the help of
sensors

7.7.1. IDS
Considering functionality; the IDS (also known as Intrusion Detection
System) will trigger warnings to admins in times where an intrusion is detected,
however, it may only snapshot the network at times of intrusion, giving the admin a
view of how or when the intrusion happened, whilst in return being completely
incapable of avoiding the intrusion attack as it happens. The main advantage that the
IDS would hold over the IPS however is that it is completely detached off the network
functionality; thus if the IDS sensor was to ever fail or overload, the rest of the
network would not be affected.

7.7.2. IPS
The IPS (also known as Intrusion Prevention System) will analyse all the
packets as they pass through its sensor interface, in which case any packets with
malicious traffic signatures are halted, and thus a hack is prevented from ever
happening. An IPS is also able to trigger alarms and warnings to admins. However, it
does hold a key disadvantage when compared to the IDS; Noting the fact that the
IPS uses a hands-on sensor that acts as a checkpoint upon entry to the network,
having the sensor fail or overloaded may affect the entire functionality of the network.
It is also worthy of mention that the process of checking each packet before passing
through the sensor would prompt the issue of latency within the network.

We have finally decided to implement the IPS within our network, as it can
prove to be much more beneficial in comparison once provided with a well thought
security policy.

7.8. End point security throughout the organization.

First of all, end point refers to all the devices ae connected to the network
such as PCs, laptops or smart phones. Before the establishing the connection the
device must fulfil with certain standards. Endpoint security systems is a system
involves security software and works on a client/server model managed and
accessible centrally or the gateway of the network along with a software being
installed on the end point. With this system before establish any connection the
server will validate the credentials, make sure that the end point meets the terms of
the security policies and elements. It also update the installed software of the endpoint if its
need. Some of the elements are operating system and anti-virus software with current
updates. If the endpoint does not meet these requirements it will get limited access.

7.9. Cryptographic systems and technologies.

Cryptographic systems and technologies aim to secure the information and
protect it on the networks. It uses to protect massages, e-mails and important
information such as corporate data and credit card information. This system works
with two basic components algorithm which is a mathematical function, and key
which is the parameter used in the transformation. There several cryptographic
algorithms but the three basic types are cryptographic hash functions which not need
keys, symmetric algorithms which require a single key known by both the sender and
receiver, and asymmetric algorithms which use two keys public and a private. The
most used cryptographic algorithms are DES, RSA, HASH, MD5, AES, SHA-1 and
HMAC. These cryptographic algorithms will be used in several places to ensure the
security of the network and the transmitted data in it, such as VPN communication.

7.10.

Virtual Private Network (VPN) infrastructure.

A virtual Private Network (VPN) is a network aims to provide remote users

with a secure access to their companys network via the internet. It creates a secure
tunnel to pass the data through it and protect it from any interrupting by using
procedures and tunnelling protocols such as the Layer Two Tunnelling Protocol. It
encrypts the data from the source and decrypted in the destination. Furthermore

the VPN has other properties such as authentication, address and name server
allocation. There are three types of authentications: user authentication which
authenticates and verifies the VPN client with the given permissions. Computer
authentication with L2TP/IPSec which ensure the computer is used by the client is
trusted or not. Data authentication and integrity which validate the data being
transmit reached the destination without any alteration by using an encryption key
which is known only by the source and the destination. The other property is address
and name server allocation, which aims to provide the client with an IP from the IP
pool on the VPN server after creating a virtual interface on the client that connected
with the virtual interface on the VPN server. As well, during this process to create
the connection there is other assignment of the Domain Name System (DNS) and
Windows Internet Name Service (WINS) to the connection occurs.
There are two types of VPN connection remote access VPN and site-to-site
VPN. The remote access VPN will be used for the remote users to allow them to
work from anywhere, while the site-to-site VPN will be used to the other
government staff.

7.11.
Development of comprehensive education, training and
security awareness programs.
Staff will always be required to sharpen their skills and be up to date in terms
of technological knowledge and such; it is therefore decided that the staff members
will be required to attend a monthly course class in order for them to keep up with
the outside world of technology, as will the requirements for the new recruits would
focus more on attained certificates. As an added measure; once a year, a batch of
employees may also be sent abroad for a short course class in order to further
develop their skills in their required field. Candidates that are partaking in this
training will be registered to such organizations as (ISC)2 for training; such
certifications provided include the

System Security Certified Practitioner (SCCP)

Certification and Accreditation Professional (CAP)
Certified Secure Software Lifecycle Professional (CSSLP)
Certified Information Systems Security Professional (CISSP)

8. Results and Conclusions

This report discussed many security aspects that the CSB should consider and
bear in mind in order to avoid the network and its sensitive data from any harmful
incidents that may be occurred as a result of physical accidents (natural or
deliberated) or software incidents (attacks or failovers). This report covered the
needed security strategies and technologies such as the Comprehensive Risk
Analysis, IPS/IDS systems, ASA Firewalls, VPN Services, End Point Security,
Cryptography and Information Security Policies, Standards, Procedures and
Guidelines, along with additional considerations and explanatory topologies and
templates.

9. Recommendations
The CSB network systems need to be secured with the previous mentioned
techniques and strategies, but here are some additional recommendations that could
contribute in strengthen the network more:
Avoid using software firewalls and IPS/IDS systems, use hardware products instead
to ensure the most security
Ensure that the configurations of the security devices are strongly planned and
configured to minimize the possible of any security incidents.
It is strongly recommended to properly configure the end point security to avoid any
possible attacks that may occur from the connected devices.
Keep up with latest certifications in the field of security and ensure employees are
well trained on how to deal with the security issues. Prepare and follow a training
plan for this purpose.
Be aware of any new security challenges that are increases by the time in the
Internet world and ensure you have the sufficient capabilities to handle any
incidents.
Consider implementing the structure of fault-tolerance to ensure the high
availability of the network hardware components in case of any failover accidents
for the firewalls, switches ...etc.
It is highly recommended to keep up-to-date with the latest updated IPS signatures
to be able to track the new attacks.
If you are planning to use CISCO products in whole the network then it is
recommended to use the technology of TACACS instead of RADIUS as the first is
dedicated for the CISCO products.
Follow the policies in conjunction with the standards, procedures and guidelines to
strongly ensure the information security.

 Consider using VIEWS in routers configuring to assign each view the minimum
needed privileges to a user to allow them to achieve the full requirements.
Ensure using secret instead of password in order to enable the encryption.
Shutdown the service of password reset to avoid any possibility of exploiting this
service to get the password illegally.
It is recommended to configure different VLANs so each department or section in
the network has separated VLAN.

10. References
Network Authentication, Authorization, and Accounting: Part One - The Internet
Protocol Journal - Volume 10, No. 1. (n.d.). Retrieved December 26, 2014, from
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-1/101_aaapart1.html
Four Tips for Designing a Secure Network Perimeter | SecurityWeek.Com. (n.d.).
Retrieved December 26, 2014, from http://www.securityweek.com/four-tips-designingsecure-network-perimeter
Endpoint security. (n.d.). Retrieved December 26, 2014, from
http://searchmidmarketsecurity.techtarget.com/definition/endpoint-security
Beal, V. (n.d.). Cryptography. Retrieved December 26, 2014, from
http://www.webopedia.com/TERM/C/cryptography.html
What Is VPN? (n.d.). Retrieved December 26, 2014, from
http://technet.microsoft.com/en-us/library/cc739294(v=ws.10).aspx
Password Construction Guidelines. (n.d.). Retrieved December 26, 2014, from
http://www.sans.org/security-resources/policies/general/pdf/password-constructionguidelines
INTERNET GATEWAY SECURITY GUIDELINES. (n.d.). Retrieved December 26, 2014, from
http://www.ogcio.gov.hk/en/infrastructure/methodology/security_policy/doc/g50_pub.pdf
Sharma, N. (n.d.). Information Security Policy Schedule A - Roles, Standards and
Operational Procedures. Retrieved December 26, 2014, from
http://policies.griffith.edu.au/pdf/Information-Security-Policy-Schedule-A-Roles-StandardsOperational-Procedures.pdf
AntiVirus Information. (n.d.). Retrieved December 26, 2014, from
http://security.calpoly.edu/content/antivirus/index
Identity Theft (Red Flag) Program and Security Incident Reporting Procedure. (n.d.).
Retrieved December 26, 2014, from
http://security.calpoly.edu/content/policies/standards/red-flag-program
Information Classification and Handling Standard - Section B. (n.d.). Retrieved December
26, 2014, from
http://security.calpoly.edu/content/policies/standards/classification/section_b

11. Appendices
11.1. VLSM
Subnet Name

Needed
Size

Allocated
Size

Dec Mask

Assignable
Range

Broadcast

CSB GovUsers

10.10.0.0

/30

255.255.255.252

10.10.0.1 10.10.0.2

10.10.0.3

CSB - Remote

10.10.0.4

/30

255.255.255.252

10.10.0.5 10.10.0.6

10.10.0.7

CSB CSBEdgeRouter

10.10.0.8

/30

255.255.255.248

10.10.0.9 10.10.0.14

10.10.0.15

Address Mask

Subnet Needed Allocated

Address Mask
Name
Size
Size
Remote
users

15

Subnet
Name

172.16.0.0 /27 255.255.255.224

Needed Allocated
Address Mask Dec Mask
Size
Size

Internal
users

Subnet
Name

30

Assignable
Broadcast
Range

Dec Mask

300

510

172.17.0.0 /23 255.255.254.0

Needed Allocated
Address Mask
Size
Size

DMZ

Subnet
Name
Gov Users

16382

Assignable
Broadcast
Range
172.17.0.1 172.17.1.255
172.17.1.254

Assignable
Broadcast
Range

Dec Mask

172.30.0.0 /29 255.255.255.248

Needed Allocated
Address Mask
Size
Size
10000

172.16.0.1 172.16.0.31
172.16.0.30

10.0.0.0

Dec Mask

/18 255.255.192.0

172.30.0.1 172.30.0.7
172.30.0.6

Assignable
Broadcast
Range
10.0.0.1 10.0.63.255
10.0.63.254

11.2.

Policies:

Subsection

2.1 NETWORK SECURITY

Change Control #: 1.0

Policy

1.2.3 Remote Access Policy

Approved by:

Objectives

Purpose

The purpose of this policy is to outline the standards of accessing CSBs systems and
data remotely. The aim of these standards is to minimize the opportunity of causing
damage to CSB through unauthorized access and use of the systems and data.

Audience

This policy applies to all employees and to who has a remote access to the CSB
systems that do work on behalf of CSB.
The implementations of the remote access that is covered by this policy include, but
not limited to, VPN.

Policy

1. The remote users privileges must be considered as same as the privileges

granted to on-site users.
2. Remote access must be controlled and protected by accounts passwords,
refer to Password Policy to follow the steps of creating a strong password.
3. Login credentials or email credentials must not be shared with anyone.
4. The user who connects remotely to the CSB network must ensure that his
computer must not be connected to another network at the same time.
5. All computers and any equipment that connect remotely to the CSB network
must be equipped with up-to-date antivirus software, this applies for
personal devices and CSB-owned equipment.
6. Personal equipment that are used to connect to the CSB network remotely
must be fitted with the requirements of the CSB-owned equipment.

Exceptions

Disciplinary Actions

Subsection

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

2.1 NETWORK SECURITY

Change Control #: 1.0

Policy

1.2.1 Acceptable Use

Approved by:

Objectives

Providing best equipment assets is a key factor to provide the users with the best services. In
support of this goal, CSB inform employees and anyone use them properly.

Purpose

This policy outlines the suitable use of the available assets at the CSB, and addresses the
possible unwise use which may result in exposing them to risks.

Audience

Acceptable Use policy applies equally to all the employees granted to use CSBs equipment.

Policy

The employee is responsible for informing or reporting the concerned department of any
theft, unauthorized disclosure or loss of any CSB proprietary information and assets.
The employee is allowed to access or share CSB information proprietary with the only
authorized persons and only to the purpose of achieving the job duties.
Individual departments are responsible for providing the employees with the appropriate
guidelines concerning personal use of the Internet, Entranet and Extranet systems so the
employees can exercise good judgment regarding the acceptable use. In case of there are no
such guidelines, departmental policies should guide the employees on acceptable personal
use.
Equipment, systems and data traffic may be audited for security and maintenance purposes
by the authorized individuals within the CSB.
Any device that connects to the internal network must comply with minimum access policy.
Users system level and password level must conform to the Password Policy.
All computing devices within the CSB must be secured with a password. In case of a device is
unattended it must be logged off or shutdown.
Employees may use the organization devices and equipment in the work allocated time.
Any use of equipment must be for the purpose of achieving the organization goals,
employees may not use them for personal purposes.
All equipment must not be moved or replaced from the workplace.
Installing new devices and any other equipment is confined to the authorized employees
only.

Exceptions

Disciplinary
Actions

Violation of this policy may result in disciplinary actions. Additionally, individuals are subject
to civil and criminal prosecution.

Subsection

1.1 PERSONNEL SECURITY

Change Control #: 1.0

Policy

1.1.2 User Privileges

Objectives

Giving users their corresponding privileges contributes in maintaining our organization

confidentiality.

Purpose

The purpose of this policy is to protect the assets of the organization by clearly informing
users of their privileges granted for them in order to allow them to access only the needed
services.

Audience

CSB Users policy applies equally to all individuals granted access (internal and external
users) privileges to an CSB Information resources

Policy

Each user account is granted a level of privileges that allow them to access the minimum
needed information and services.

Approved by:

Non-employee users are granted to access the provided services and not the organization
data.
Employees may gain access to some of the organization data according to their work
requirements and positions.
Users privileges are classified hierarchically so the most top user privilege can grant or
revoke privileges to the lower users.
Exceptions

Disciplinary
Actions

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

Subsection

2.1 NETWORK SECURITY

Policy

2.1.2 Password Policy

Objectives

This policy is created to ensure that each employee or any authorized user are
following the best security practices that avoid the organization from any unauthorized
or exploitation of CSBs resources.

Purpose

The purpose of this policy is to outline how to create strong passwords, protect those
passwords and to outline the frequency change of them.

Audience

CSB Password Policy applies equally to all users with access to CSB data and systems.

Policy

Change Control #: 1.0

Approved by:

1. Password Creation:
1.1 All system-level and user-level passwords must comply with the Password
Construction Guideline.
1.2 Users personal password used outside CSB must not be used inside the
organization.
1.3 System-level accounts must be protected with unique passwords and then
the same password cannot be used in any other accounts.
2. Password Change:
2.1 System-level passwords must be changed every three months at least.
2.2 User-level passwords must be changed every eight months a year.
Recommended period for a password to be changed is every three months.
2.3 If a password considered as easy to be cracked or guessed, then it must be
changed to meet the requirements of the Password Construction
Guideline.
3. Password Protection:
3.1 Passwords are considered as confidential CSB information, so they must
not be shared with anyone and be sensitive when treating with them.
3.2 Passwords must not be written in a readable format, sent via email
messages or sent through any electronic communication forms.
3.3 Passwords must not be shared over phone calls.
3.4 Passwords must not be written down and stored in users office, and must
not be saved in a note or any electronic readable file without encryption.

Exceptions

Disciplinary
Actions

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

Subsection

1.1 PERSONNEL SECURITY

Change Control #: 1.0

Policy

1.1.1 User Account

Objectives

The key aim of our organization is to keep our services available to users from internal and
external network so they can gain access without violating or misusing those services and
organization information.

Purpose

The purpose of this policy is to protect the assets of the organization by clearly informing
users of their roles and responsibilities for using the services and access the data wisely.

Audience

CSB Users policy applies equally to all individuals granted access (internal and external
users) privileges to an CSB Information resources

Policy

This policy requires that each user uses our services must have a unique account ID with a
password that conform to our password standard.

Approved by:

Users may not share their credentials with anyone else apart of the who is the user and
position they are in.
Passwords must not be stored in written or in any readable form.
A new password must be requested in case of any compromise is suspected.
Exceptions

Disciplinary
Actions

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

11.3. Standards:
Subsection

3.1 NETWORK SECURITY

Change Control #: 1.0

Standard

3.1.1 Information Logging Standard

Overview

Logged information of systems, applications or services can lead to compromise or as key

information sources.

Purpose

The main aim of this document is to address the issue of information logging by addressing
the requirements of this issue and how information systems must match those
requirements in order to generate appropriate audit logs.

Approved by:

Audience

This policy applies to all production systems on CSB Network.

Guidelines

1.1 General Requirements:

Any system that handles confidential information and data, handle connections, or
provide the function of authentication, authorization and accounting must record
sufficient logs and audits that meet the following questions:
a. What activity was performed?
b. Who performed this activity?
c. Date and time of performing the activity
d. With what tool(s) was the activity performed?
e. What is the result or status of the activity?
1.2 What activities to log:
The following activities shall be logged by the systems whenever they are performed:
a. Any confidential information that are being updated, deleted, created or read.
b. Any new connection that is being initiated.
c. Any new connection that is being accepted.
d. Changing permissions (grant, revoke or modify) for users, files, database
objects and adding new group or a user.
e. Any malicious/suspicious activity detected from any security system such as
IDS/IPS.

Exception

NonCompliance

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

Subsection

3.1 NETWORK SECURITY

Standard

3.1.2 Information Classification and Handling Standard

Overview

Information classification is the process of handling and saving them from harm or loss by
assigning value to information in order to be able to organize it.

Purpose

This process is critical in information security as it allows to determine the relative

sensitivity and criticality of information assets. This process provides the ability to protect

Change Control #: 1.0

Approved by:

efforts and access control. This document provides guidelines for the information
classification process.
Audience

Standard

This document applies to all information and data maintained, generated, entrusted and
collected to CSB.
1. Classification Levels:
1.1 High: An unauthorized disclosure, compromise or destruction would lead to
harsh damage to CSB and its employees and govern entities. This can lead to
violate laws and obligations, finance loss, CSBs reputation damage and it is
possible to a legal action is occurred.
Example of level 1 (high) information (confidential):
a. Personally identifiable information (PIN, DOB, credentials, biometric info,
private key etc)
b. Financial information (credit card no, bank account, account security code
etc)
c. Health information (insurance info, medical records, psychological records)
d. Law enforcement information (personal records, criminal background
records, individual enforcement records etc)
1.2 Moderate: An unauthorized disclosure, compromise or destruction would
directly or indirectly lead to bad affect on CSB or its employees which may lead
to a legal action to be occurred and financial loss, damage to CSBs reputation
may also occur.
Example of level 2 (Moderate) information (internal use only):
a. Identity validation keys (DOB full and part)
b. Employee information (address, birthplace, ID, salary, history, phone
number, gender etc)
c. Technical Security Information (vulnerability or security information)
1.3 Low: CSBs assets may not be exposed to risks as knowledge of these
information doesnt affect directly or indirectly the security and may not lead to
financial loss.
Example of level 3 (Low) information (Publicly Available):
a. Employee info (title, public email address, department, classification, name
etc)
b. Financial info (financial budget info, purchase info)

Exception

NonCompliance

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

Subsection

3.1 NETWORK SECURITY

Standard

3.1.2 Managing Computer Accounts Standard

Overview

This document addresses the issue of managing monitoring of computer accounts that are
being used to access the resources of the CSB network.

Purpose

This standard aims to ensure proper access to the CSB network resources. It manages the
requesting, approving, terminating and granting of accessing computer systems. Computer
accounts managing is a critical practice in protecting CSB sensitive data and minimize the
exposure of risks.

Audience

This standard applies to all computer systems in all CSB departments and to all employee or
anyone who has a computer account. This includes, but is not limited to, user-level accounts
and system-level account.

Guidelines

Change Control #: 1.0

Approved by:

1. Required:
1.1 A user account must only be used by the person whom it is assigned to.
1.2 Any creating or terminating accounts processes must be done with approval of
the authorized owner of the system, database or application. These processes
must be documented and a list of the owners who are authorized to do those
processes also must be documented and maintained.
1.3 No one is allowed to grant their own accounts the privileges and authorization.
1.4 The granted and allowed privileges must meet the minimum requirements for
the user. Administrative accounts must not be given to someone who doesnt
require this.
1.5 All accounts that are become no longer required must be deleted or disabled by
changing the authorization or removing the accounts that are no longer require
any privileges.
1.6 User accounts can be suspended in response to requests by an appropriate
representative in the respective department, the Chief Information Officer, or
Information Security Officer.

Exception

NonCompliance

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

11.4. Procedures:
Subsection

1.1 PERSONNEL SECURITY

Change Control #: 1.0

Procedure

3.1.1 Identity Theft Reporting Procedure

Overview

Assist individuals to be able to detect, prevent, mitigate and report any incidents of identity
theft.

Purpose

The purpose of this document is to outline the required procedures that assist individual in
1) detect, prevent, mitigate and report any incidents of identity theft. 2)reporting these
incidents.

Audience

This document applies to all employees in CSB.

Procedures

Identification of Red Flags; red flags can be identified through the followings:

Approved by:

Alerts.
Suspicious Documents.
Suspicious Personal Identifying Information.
Unusual use or suspicious account activity.
Any notices that indicate a case of identity theft incidents.

Detection of Red Flags, red flags can be detected through the followings:
When verifying and obtaining identity.
When authenticating customers.
When the transactions are monitored

Response to a Red Flag: Employees must report any incidents of identity theft to the
appropriate authorized person in the CSB and then the concerned in turn will cooperate
with the employee in order to take the suitable response.
Employee Training: all employees must be trained to be able to deal with any incidents of
identity theft.
Exceptions

Disciplinary
Actions

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

Operational Security Procedures:

1. Segregation of Duties:
a. Functions and duties will be separated to guarantee an unauthorized activities
are not occurred to CSB sensitive information and data.
2. Environment Separation:
a. Information systems will be separated physically to maintain the availability,
security and performance of CSB resources to guarantee the productivity
processes and avoid them from compromise or any harm impacts.
3. Software Development Life Cycle:
a. This procedure must be documented in order to keep the software updated
which result in better network security.
3.2 Antivirus Software Information Procedures:
Overview:
Antivirus software is one of the most essential security component that contribute in
keeping the CSBs devices secure and protected and avoid them from the exposure to
compromise or risks. It is critical to ensure that the connected device is equipped with up-todate and active antivirus software. This applies to all computers, laptops and PCs and
portable handheld devices that are being used to access the CSBs sensitive data and
information.
Procedures:
Stay Safe:
1. Make sure your device is installed with the appropriate antivirus software (it is given
by the Information Security Officer).
2. Be aware of any suspicious and malicious contents such as hoaxes and scams.
3. Have enough information about the different types of any malicious code (viruses,
malware etc).
4. Ensure the software is updated and activated.
Clean your device from any malware or malicious code:
1. Report the incident to the concerned security officer.
2. Use the antivirus software to scan and detect these malicious activities.
3. Response to any instructions given by the security officer.

11.5. Guidelines
Subsection

4.1 NETWORK SECURITY

Guideline

4.1.2 Internet Gateway Security Guidelines

Overview

Internet Gateway is the interface that meet the external network, which is the Internet. It
is the point where internal network establish a connection with the Internet. Securing this
gateway is a critical practice that can tighten the control and protect the internal network
from risks.

Purpose

This document addresses the best guidelines that are considered as best practices to
maintain security risks that come from the Internet.

Scope

This document applies to the following major areas of the CSB network:
1.
2.
3.
4.

Guidelines

Change Control #: 1.0

Approved by:

Firewalls/ASA systems.
Routers.
Web Security.
Other security considerations.
1. Firewalls: Considered as a critical security measure for protecting CSBs
resources against intruders. It must be installed between the internal network
and the external network or in any point the network where the functions of
filtering, examining, restricting or redirecting are required for the flow of data.
Choose the proper firewall product depending on the following considerations:
Features, Price, Vendor support, Logging, Reliability, Ease of Management.
1.1 Configuration:
1.1.1 All incoming and outgoing data flow must go through the firewall to
take the proper actions.
1.1.2 Plan carefully which data are allowed to go in.
1.1.3 Configure it to use NAT to protect the private internal information.
1.1.4 Configure it to block unused ports.
1.1.5 Place the firewall hardware in a secure place.
1.1.6 Set up the real-time alerts for emergency incidents.
1.2 Firewall Administration:
1.2.1 Keep it maintained.
1.2.2 Configurations must be document.
1.2.3 Ensure that parallel firewalls configurations are identical.
1.2.4 Logs must be done on regular basis.
1.2.5 Assign 2 administrators at least to administrate the firewall.

2. Routers: Routers are the network components that connect the network elements
together and provide proper communication between them. Consider the
following:

2.1 Routers must configured, as firewalls, to deny all traffic by default except the
needed data flow.
2.2 Logging must be done on regular basis.
2.3 Test routers functionality when implementing or updating are occurred to the
network.
3. Web Security (Internet):
3.1 Use strong authentication techniques and mechanisms for remote
administration control.
3.2 Use Encrypted connections.
3.3 Java Applet, ActiveX, Cookies and any other content should be configured in a
secure manner.
4. Other Security Considerations:
4.1 All gateway components should be secured and protected physically in
dedicated and locked areas.
4.2 Areas used to protect the equipment must be equipped well against natural or
physical disasters.
4.3 Enable logging functions in all network components that are applicable for.
4.4 Review the recorded logs regularly.
4.5 Backup and Recovery functions should be prepared and configured to be
functional with any changes or updating to the systems configurations.
Exception

NonCompliance

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

Subsection

4.1 NETWORK SECURITY

Guideline

2.1.2 Password Construction Guidelines

Overview

To protect the network it is too important to create a username and a password. Passwords
are considered as one of the most critical security manner to protect the network and avoid
it from exploiting and unauthorized access.

Purpose

The purpose of this document is to provide the user with best practices that lead to creating
a secure and strong password.

Change Control #: 1.0

Approved by:

Audience

CSB Password Policy applies equally to all users with access to CSB data and systems. This
guideline applies to all passwords including but not limited to system-level accounts, userlevel accounts and login locally for routers.

Guidelines

All passwords must at least meet the following guidelines:

Strong Password Characteristics:
1.
2.
3.
4.

Contains at least 10 characters.

Contain upper case and lower case letters.
Must contain one number at least. (0-9)
Must contain one special character at least. (i.e. !@#$%^&* etc)

Passwords must not be written down or stored anywhere in readable format. Its
recommended to choose passwords that are easy to remember but not easy to guess. Also
it is recommended to use special characters instead of normal characters. For example, the
word, Password could become the password P@$$w0rd or any other variation.
Exception

NonCompliance

Violation of this policy may result in disciplinary actions. Additionally, individuals are
subject to civil and criminal prosecution.

11.6. Configure Remote Access

Note: the configuration of the Remote Access will be implemented by using CCP