Information Security
Security Policies
We help organizations achieve their security and risk management goals by working with them to develop security policies, guidelines, standards, procedures, and related policies. These documents minimize and manage risks and liabilities.
The security policy is not a technical document. It communicates senior management's direction, guidelines, expectations, and intentions concerning organizational security. The security policy will reference security standards, guidelines or best practices, procedures, and related policies.
- Security Standards - Standards are the minimum requirements that must be met. Standards are compulsory in nature. They should be easy to understand and not open to interpretation. They can include rules for authentication, network services, host configuration, workstation software, and availability.
- Security Guidelines - Guidelines are documents that address intentions and allow for interpretation. They are recommendations or best practices. Guidelines are most useful when implementing very complex applications or Web sites.
- Procedures - Procedures are documented, step-by-step actions that guide people through a particular process to produce the desired outcome. Procedures are best applied to operations that are repetitive in nature. Examples include workstation setup, VPN configuration, first level troubleshooting, password resets, and initial host hardening.
Hudson Business Networks understands the complexities within an information environment. Our team of security experts can guide organizations through the process of creating a security policy that is right for their organization. We work with organizations to help them define their security goals, objectives, and philosophy.
Our engineers know the requirements needed to comply with increasingly complex governmental regulations concerning privacy and information security.
Additionally, we can help an organization with industry best practices. This includes how other companies are dealing with the same issues and how others in similar industries are securing their infrastructures.
Why do organizations need security policies?
Security policies are needed to manage, mitigate, and eliminate risk to companies, organizations, institutions, and agencies. Risks to organizations include criminal activity, civil liability, regulatory compliance, employee misconduct, and equipment failure.
What is a Security Policy?
A security policy is a document that contains management's directives that define the role of security in an organization. It determines how an organization will set up and administer its security program. It dictates security goals and objectives, assigns roles and responsibilities, defines the value of the security program, and details how the security policy will be implemented and enforced.
The role of a Security Policy in an organization
Security Policies protect an organization by managing risk, reducing liability, communicating priorities, and exercising "Due Care". "Due Care" is the reasonable measures that a company takes to protect itself and to prevent harm to others. Senior management is ultimately responsible for the company's assets, information resources, managing risk, and exercising "Due Care".
What is in a security policy?
A security policy must address some core components. Other components are dependent on the organization's security objectives, government regulatory compliance, existing policies, installed infrastructure, risks to the organization, financial information, privacy requirements, and vendor / supplier requirements.
Acceptable Usage Policy
These policies govern how an organization's resources may be used and include an employee's responsibility for security.
Some of the areas covered by the acceptable usage policy will include:
Expectations of Conduct for Accessing the Internet
This includes inappropriate web sites and the content of email, chat, and file transfer. It also includes messages originating from the employee that utilize company resources.
Copyright Protection
This includes unlicensed software, music, video, and other types of copyrighted material. These statements can reduce liability risks to an organization and can reduce the possibility of trojan horses and malware.
Employee Security Testing
This includes password crackers, sniffers, port scanners, port redirection, firewall configuration utilities, anti-intrusion detection programs, DNS tools, remote control programs, vulnerability scanners, and SNMP managers and discovery tools. Most of these tools have legitimate uses for authorized personnel, but most of these programs are not appropriate for individual employees.
Network Services
Use of network services and resources should be in a prescribed manner, according to standards. Additionally, web services, email, Internet access, and other network services should be centrally controlled. Unauthorized network servers often introduce security vulnerabilities into an environment. Without official oversight and review, these resources represent risk to the organization and unnecessary liabilities.
Employee Monitoring
If the organization monitors employee phone usage, Internet access, and customer interaction then it should be stated. Expectations need to be communicated and training provided.
Other areas include:
- Equipment care and handling
- Virus Protection
- Home workers and telecommuters
- Games
- Newsgroups
Privacy Policy
Documents organizational values and direction, and sets expectations with regard to an individual's privacy and customer privacy. There are a number of governmental requirements in this area that dictate the security that must be in place to safeguard this information, depending on the industry and the type of information.
Employee Privacy Policies
This is the expectation of privacy within the organization. If employee monitoring takes place, it should be stated. If the organization will monitor email and Internet access, it should be documented.
Customer Privacy Policies
This should include whether the organization may share or sell that information. There should be a demarcation between identifiable personal information and public personal information. There is a big difference between sharing a phone number and disseminating credit or health information.
Enforcement Policy
Enforcement policies are technical standards and guidelines for the configuration of security enforcement devices. These include:
Firewall Policies
Documents the role of an organization's firewall in the security program. This includes how the firewall is configured and used to enforce the company's security policy. Topics include host and appliance initial setup, patches, fixes and updates, properties, network address translation (NAT), change control, and policy review.
Intrusion Detection
How intrusion detection fits into the company's overall security program, the goals of intrusion detection, specific configuration options, initial setup, patches, fixes and updates.
Content Filtering Systems
How these systems and subsystems are configured to support the organization's security program. Email and Web filter configurations, including their goals and specific settings, initial setup, patches, fixes and updates.
Other enforcement policies may include:
- Access Control Lists
- Authentication Server
Logging & Monitoring Policy
Logging and Monitoring policies have a major impact on an organization's day-to-day security. Too much logging reduces the effectiveness of the logging, as limited resources are spread too thin. Too little logging and the organization risks missing vital data.
Well thought out logging policies can help an organization:
- Maintain the proper levels of personnel
- Detect intrusions and compromises
- Detect equipment failures and prevent downtime
- Provide qualitative data for capacity planning
The idea is to ensure that the most important data is captured, reviewed, and acted upon in a timely manner. Logging policies should include notification procedures, guidelines for log review intervals, retention standards, and response time expectations.
Logs are becoming more important and, in some cases, logging can become a liability to an organization. If the organization logs Internet access, customer activity, email messaging, and other activity, it may be asked to produce those logs for criminal and civil investigations. It is important that the organization have an aging policy that deletes older logs.
By determining the information logged, the retention levels, aging policies, the review interval, and notification procedures, an organization can reduce its risks and liabilities while retaining more valuable information.