UNIT-2 (Part-2) - 1

Mobile phones and wireless devices are vulnerable to various security attacks due to the sensitive data they handle and their widespread use. Some common attacks include smishing which uses SMS to send malicious links, wardriving which detects wireless network information to enable wifi eavesdropping and network intrusion, WEP attacks which exploit weaknesses in the WEP encryption protocol, and bluejacking which sends unwanted messages to Bluetooth devices. Understanding these mobile threats is important for developing protections against them as wireless attacks are a growing security concern.

UNIT-2

2.8 ATTACKS ON MOBILE/CELL PHONES


Wireless and mobile devices have become integral parts of our daily lives, offering convenience, connectivity and
accessibility. Mobile phones are vulnerable to various security threats and attacks due to their widespread use and the
sensitive data they handle.
However, this increased reliance on wireless technologies and mobile devices has also opened avenues for potential security
threats. Various attacks targeting these devices have emerged, which pose risks to personal privacy, data integrity and
network security. Understanding the common wireless and mobile device attacks is crucial in developing adequate
safeguards and protecting ourselves against these evolving threats.
Wireless and mobile device attacks are a growing concern for individuals, businesses and governments.
Some of the most common types of Wireless and Mobile Device Attacks are:
1. Smishing:
• Smishing has become common now that smartphones are widely used. Smishing uses Short Message Service
(SMS) to send fraudulent text messages or links. The criminals cheat the user by calling. Victims may provide
sensitive information such as credit card information, account information, etc.
• Accessing a website might result in the user unknowingly downloading malware that infects the device.
2. Wardriving:
• Wardriving typically involves using a device equipped with Wi-Fi scanning capabilities, such as a laptop,
smartphone, or dedicated wardriving tools, to detect and record the presence of wireless networks and their
associated information.
• So, Wardriving refers to the activity of driving around in a vehicle with a device, such as a laptop or smartphone,
equipped with Wi-Fi scanning capabilities. The goal is to detect and record information about wireless networks,
including their names (SSID), signal strengths, and encryption status.
Common attacks that can be launched after war driving include:
• Wi-Fi eavesdropping: Attackers use the information they collect while driving around to find Wi-Fi networks
that don't have good protection. When they find these weak networks, they can secretly listen in on the
information being sent over them. This means they might be able to get important and private stuff, like
usernames and passwords, without anyone knowing. It's like secretly overhearing a conversation to learn
someone's secrets.
• Network intrusion: If the war driver identifies networks with weak security measures, they can attempt to
gain unauthorized access to the network. This may involve exploiting default or easily guessable passwords,
exploiting vulnerabilities in network devices, or utilizing brute-force attacks to crack weak passwords.
• Man-in-the-Middle (MitM) attacks: By gaining access to a targeted network, attackers can position
themselves as a 'man-in-the-middle' to intercept and manipulate communications between network devices.
This allows them to capture sensitive information, inject malicious content, or impersonate legitimate network
entities.
3. WEP attack:
• Wired Equivalent Privacy (WEP) is a security protocol. It is like a lock for your Wi-Fi, meant to keep your
wireless network safe, just like how a wired network is safe because it's physically secure.
• Now, to keep the data on your Wi-Fi secure, WEP uses a secret code called a "key." It's like having a secret
password to enter your Wi-Fi world.
• But, WEP has a problem. It doesn't manage these secret codes very well. Over time, more and more people end
up knowing the secret code. It's like sharing your password with too many friends.
• When too many people know the secret code, it becomes easier for bad guys to sneak into your Wi-Fi and see
what's going on. They can spy on a lot of the information being sent over your network.
• WEP isn't very good at keeping the secret code secret, and that makes it easier for bad guys to snoop around your
Wi-Fi. That's why WEP is not considered very secure, and it's better to use more advanced and secure methods
to protect your Wi-Fi.

4. WPA/WPA2 attack:
• A WPA attack is like a break-in attempt on a Wi-Fi network that uses the Wi-Fi Protected Access (WPA) security
protocol. WPA is supposed to make Wi-Fi more secure than older methods like WEP. But, there's a famous kind
of WPA attack called a WPA/WPA2 handshake capture attack, also known as a 'dictionary' or 'brute-force' attack.
• In this attack, when a device connects to a Wi-Fi network, it does a special handshake, like a secret handshake,
with the Wi-Fi router. In this attack, an attacker intercepts this secret handshake. Once they have it, they can try
lots of different passwords, like guessing the secret code, until they find the right one.
• They might use super-fast computers or pre-made lists of possible passwords to do this. It's like trying to guess
the password to unlock a door when you know some of the clues.

5. Bluejacking:
• Bluejacking is a wireless attack technique that sends unsolicited messages or business cards to Bluetooth-enabled
devices like mobile phones, laptops, or tablets. Unlike more malicious attacks, bluejacking does not aim to steal
or compromise data but to inconvenience or annoy the device owner.
• Bluejacking takes advantage of the Bluetooth functionality that allows devices to discover and establish
connections with nearby Bluetooth-enabled devices.
• The attacker typically crafts a short text message or business card containing a harmless or humorous message
and sends it to multiple nearby devices using the device discovery feature. When the recipient's Bluetooth is
turned on and set to discoverable mode, they receive the unsolicited message as a notification or text popup.

6. Replay attacks:
• A replay attack is a network intrusion method in which an attacker intercepts and copies
messages sent between two entities, like computers, to later use them in a deceitful way.
• They take advantage of the fact that some systems don't have ways to recognize or stop these repeated messages.
• The attacker captures legitimate network communications between two entities, which can include authentication
requests, encrypted messages, or session tokens.
• Later, they replay these captured messages to the target system or network, pretending it's the real deal, and
tricking it into allowing unauthorized access.
• It's a bit like playing a recording of someone saying the secret password to open a door.
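How a receiver can recognize and stop the repeated messages described above, as an added example that is not part of the original notes: each message carries a timestamp, a random nonce and an HMAC tag, and the receiver rejects stale or already-seen messages. The message layout, the 30-second window and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window; tune to the deployment


def _tag(key, ts, nonce, payload):
    """HMAC-SHA256 over timestamp, nonce and payload, so none can be altered."""
    data = f"{ts}|{nonce}|".encode() + payload
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_message(key, payload, now=None):
    """Sender side: attach a timestamp, a random nonce and an authentication tag."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()
    return {"ts": ts, "nonce": nonce, "payload": payload,
            "tag": _tag(key, ts, nonce, payload)}


def verify_tag_only(key, msg):
    """Weak receiver: checks authenticity but cannot tell a copy from the original."""
    expected = _tag(key, msg["ts"], msg["nonce"], msg["payload"])
    return hmac.compare_digest(expected, msg["tag"])


class ReplayGuard:
    """Receiver that accepts each authentic message at most once."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self._seen = {}  # nonce -> message timestamp, kept only while still fresh

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        expected = _tag(self.key, msg["ts"], msg["nonce"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"
        # A copy replayed long after capture fails the freshness check.
        if abs(now - msg["ts"]) > self.max_skew:
            return "rejected: stale"
        # Nonces older than the window can be forgotten: such messages
        # would already be rejected as stale, so memory stays bounded.
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= self.max_skew}
        # A copy replayed inside the window is caught by its nonce.
        if msg["nonce"] in self._seen:
            return "rejected: replay"
        self._seen[msg["nonce"]] = msg["ts"]
        return "accepted"


if __name__ == "__main__":
    key = os.urandom(32)                      # shared secret (constructed)
    msg = sign_message(key, b"unlock-door")   # constructed sample message
    print("tag-only receiver, first copy :", verify_tag_only(key, msg))
    print("tag-only receiver, second copy:", verify_tag_only(key, msg))
    guard = ReplayGuard(key)
    print("guarded receiver, first copy  :", guard.verify(msg))
    print("guarded receiver, second copy :", guard.verify(msg))
    print("guarded receiver, much later  :", guard.verify(msg, now=time.time() + 3600))
```

The tag-only receiver accepts both copies, which is exactly the weakness a replay attack relies on; the guarded receiver accepts the first and rejects the rest.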
7. Bluesnarfing:
• Bluesnarfing is a type of cyberattack that targets Bluetooth-enabled devices, allowing unauthorized access to
sensitive information on the targeted device. Unlike bluejacking, which involves sending unsolicited messages or
files, bluesnarfing is more malicious as it aims to steal data.
• In bluesnarfing, attackers exploit vulnerabilities in the Bluetooth protocol to gain unauthorized access to a device,
such as a mobile phone or a laptop. Once access is gained, the attacker can extract various types of sensitive
information, including contacts, messages, photos, or other personal data stored on the device.
• Bluesnarfing takes advantage of security weaknesses in Bluetooth implementations, and successful attacks can
compromise the privacy and security of the affected individual.
• To protect against bluesnarfing, it's essential to keep Bluetooth devices updated with the latest security patches,
use strong and unique PIN codes or passwords, and be cautious about pairing with unknown or untrusted devices.

8. RF jamming:
• RF, or Radio Frequency jamming, is a deliberate and malicious interference with wireless communication signals
using powerful Radio Frequency (RF) transmissions.
• The purpose of RF jamming is to disrupt or disable wireless communication within a specific frequency range,
rendering devices unable to send or receive signals effectively.
• RF jamming involves transmitting high-power RF signals on the same frequency band as the targeted wireless
communication. The jamming signals overpower or interfere with the original signals, causing interference or
blocking them entirely. This interference disrupts the normal operation of wireless devices such as Wi-Fi networks,
cellular networks, GPS systems, radio systems, or other wireless communication technologies.

9. Improper Session Handling:

• To facilitate ease-of-access for mobile device transactions, many apps make use of 'tokens,' which allow users to
perform multiple actions without being forced to re-authenticate their identity. Like passwords for users, tokens are
generated by apps to identify and validate devices.
• Secure apps generate new tokens with each access attempt, or 'session,' and these tokens should remain confidential.
• According to The Manifest, improper session handling occurs when apps unintentionally share session tokens, for
example with malicious actors, allowing them to impersonate legitimate users. Often this is the result of a session
that remains open after the user has navigated away from the app or website.
• For example, if you logged into a company intranet site from your tablet and neglected to log out when you finished
the task, the session would remain open and a cybercriminal would be free to explore the website and other connected
parts of your employer's network.
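A server-side session store that addresses the problems described above, as an added example that is not part of the original notes: it issues a fresh random token per login, expires sessions left open (idle and absolute timeouts) and invalidates the token on logout. The class name, method names and timeout values are assumptions made for this sketch.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumed: expire after 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: force a new login after 8 hours


class SessionStore:
    """In-memory session table keyed by a hash of the token."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions = {}  # sha256(token) -> {"user", "created", "last_seen"}

    @staticmethod
    def _key(token):
        # Only the hash is stored, so a leaked session table does not
        # reveal tokens that could be presented to the server.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now=None):
        """Issue a new unpredictable token for every session."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token, now=None):
        """Return the user for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        idle = now - record["last_seen"]
        age = now - record["created"]
        if idle > self.idle_timeout or age > self.absolute_timeout:
            # The session was left open too long: destroy it server-side
            # so the token is useless to whoever holds it.
            del self._sessions[key]
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, token):
        """Explicit logout invalidates the token immediately."""
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    store = SessionStore()
    start = time.time()
    # Constructed scenario: intranet login from a tablet, no logout.
    token = store.login("alice", now=start)
    print("5 minutes later :", store.validate(token, now=start + 5 * 60))
    # The tablet is left unattended for an hour; the old token no longer works.
    print("65 minutes later:", store.validate(token, now=start + 65 * 60))
    # A second login gets a different token, and logout kills it at once.
    token2 = store.login("alice", now=start)
    store.logout(token2)
    print("after logout    :", store.validate(token2, now=start + 1))
```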

10. Network Spoofing:

• Network spoofing is when hackers set up fake access points (connections that look like Wi-Fi networks, but are traps)
in high-traffic public locations such as coffee shops, libraries and airports.
• Cybercriminals give the access points common names like 'Free Airport Wi-Fi' or 'Coffeehouse' to encourage users
to connect. In some cases, attackers require users to create an 'account' to access these free services, complete with
a password. Because many users employ the same email and password combination for multiple services, hackers
are then able to compromise users' email, e-commerce and other secure information.
• In addition to using caution when connecting to any free Wi-Fi, never provide personal information. And whenever
you are asked to create a login, whether for Wi-Fi or any application, always create a unique password.
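A defender's view of the wardriving and network spoofing items above, as an added example that is not part of the original notes: an organisation audits a survey of its own site (SSID, signal strength, encryption status) and flags weakly protected networks and unknown access points advertising its SSIDs. The CSV layout, the access point inventory and every value in the sample are constructed assumptions.

```python
import csv
import io

# Constructed survey export, one row per access point observed on site.
SAMPLE_SURVEY = """ssid,bssid,signal_dbm,encryption
CorpNet,aa:bb:cc:00:00:01,-48,WPA2
CorpNet,aa:bb:cc:00:00:02,-61,WPA2
CorpNet,de:ad:be:ef:00:99,-40,OPEN
Warehouse-Scanners,aa:bb:cc:00:00:07,-70,WEP
Free Airport Wi-Fi,12:34:56:78:9a:bc,-55,OPEN
"""

# Hypothetical inventory: the hardware addresses the organisation installed.
APPROVED_ACCESS_POINTS = {
    "CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "Warehouse-Scanners": {"aa:bb:cc:00:00:07"},
}

# Encryption states the notes treat as poorly protected.
WEAK_ENCRYPTION = {"OPEN", "WEP"}


def audit_survey(csv_text, approved):
    """Return findings for the organisation's own SSIDs, strongest signal first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ssid = row["ssid"]
        if ssid not in approved:
            continue  # a neighbouring or public network: outside this audit
        bssid = row["bssid"].strip().lower()
        encryption = row["encryption"].strip().upper()
        reasons = []
        if bssid not in approved[ssid]:
            # Same network name, hardware nobody installed: a possible fake access point.
            reasons.append("unapproved access point advertising an organisation SSID")
        if encryption in WEAK_ENCRYPTION:
            reasons.append(f"weak protection ({encryption})")
        if reasons:
            findings.append({"ssid": ssid, "bssid": bssid,
                             "signal_dbm": int(row["signal_dbm"]),
                             "reasons": reasons})
    # A stronger signal usually means the device is closer, so check it first.
    findings.sort(key=lambda f: f["signal_dbm"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in audit_survey(SAMPLE_SURVEY, APPROVED_ACCESS_POINTS):
        print(finding["ssid"], finding["bssid"], finding["signal_dbm"],
              "; ".join(finding["reasons"]))
```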

2.9 MOBILE DEVICES: SECURITY IMPLICATIONS FOR ORGANISATIONS


Mobile devices have become a crucial part of daily operations within organizations, facilitating remote work, enhancing
productivity, and enabling better communication. However, the increased use of mobile devices also introduces significant
security implications and challenges for organizations. They give possibly unsecured devices access to corporate servers
and sensitive databases, opening them to attack. Cybercriminals and fraudsters can exploit these vulnerabilities and cause
harm or damage to the user and the organization.
Why is Mobile Device Security important?
• Nowadays, more than half of work computers are mobile devices. These devices create unique challenges for
keeping the company's network safe because they can be used in various locations and for different purposes.
• Threats to these devices include harmful apps, scams, data leaks, spyware, and using unsecure Wi-Fi. Also, there's
the risk of someone losing their device or it getting stolen.
• To avoid security problems, companies need to take steps to lower these risks.
What role do mobile devices have in business?
• Many people work from different places, like home or on the go, using devices like laptops, tablets, and
smartphones. These devices help workers stay productive. For example, workers often have smartphones that let
them access work emails and business apps wherever they are. But these devices can do more than just help with
work on the go. They can be used for things like making sales, keeping records, logging data, and submitting forms.
With the right support, mobile devices can even work like full-fledged workstations.
• Securing mobile devices is important, especially personal ones, because they have more security concerns than
devices with single-use purposes. The security rules should focus on protecting these personal devices, even though
they may also apply to other types of devices like corporate-owned ones. Some companies buy mobile devices for
their employees, which is another common type of mobile device in business.
What are the benefits of Mobile Device Security?
Mobile device security, or mobile device management, provides the following:
• Regulatory compliance.
• Security policy enforcement.
• Support of 'bring your own device' (BYOD).
• Remote control of device updates.
• Application control.
• Automated device registration.
• Data backup.
Above all, mobile device security protects an enterprise from unknown or malicious outsiders being able to access sensitive
company data.

2.9.1 How does Mobile Device Security work?


Securing mobile devices requires a multi-layered approach and investment in enterprise solutions. While there are key
elements to mobile device security, each organization needs to find what best fits its network.
To get started, here are some mobile security best practices:
• Establish, share and enforce clear policies and processes: Mobile device rules are only as effective as a
company's ability to properly communicate those policies to employees. Mobile device security should include
clear rules about:
1) What devices can be used.
2) Allowed OS levels.
3) What the company can and cannot access on a personal phone.
4) Whether IT can remote wipe a device.
5) Password requirements and frequency for updating passwords.
• Password protection: One of the most basic ways to prevent unauthorised access to a mobile device is to create a
strong password, and yet weak passwords are still a persistent problem that contributes to most data hacks. Another
common security problem is workers using the same password for their mobile device, email and every
work-related account. It is critical that employees create strong, unique passwords (of at least eight characters) and
create different passwords for different accounts.
• Leverage biometrics: Instead of relying on traditional methods of mobile access security, such as passwords, some
companies are looking to biometrics as a safer alternative. Biometric authentication is when a computer uses
measurable biological characteristics, such as face, fingerprint, voice, or iris recognition for identification and
access. Multiple biometric authentication methods are now available on smartphones and are easy for workers to
set up and use.
• Avoid public Wi-Fi: A mobile device is only as secure as the network through which it transmits data. Companies
need to educate employees about the dangers of using public Wi-Fi networks, which are vulnerable to attacks from
hackers who can easily breach a device, access the network and steal data. The best defense is to encourage smart
user behaviour and prohibit the use of open Wi-Fi networks, no matter the convenience.
• Beware of apps: Malicious apps are some of the fastest growing threats to mobile devices. When an employee
unknowingly downloads one, either for work or personal reasons, it provides unauthorised access to the company's
network and data. To combat this rising threat, companies have two options: instruct employees about the dangers
of downloading unapproved apps, or ban employees from downloading certain apps on their phones altogether.
• Mobile device encryption: Most mobile devices are bundled with a built-in encryption feature. Users need to
locate this feature on their device and enter a password to encrypt their device. With this method, data is converted
into a code that can only be accessed by authorised users. This is important in case of theft and it prevents
unauthorised access.

2.9.2 What are the different types of Mobile Device Security?


There are many aspects to a complete security plan. Common elements of a mobile security solution include the following:
• Enterprise mobile management platform: In addition to setting up internal device policies that protect against
unauthorized access, it is equally important to have an Enterprise Mobile Management (EMM) platform that
enables IT to gather real-time insights to catch potential threats.
• E-mail security: Email is the most popular way for hackers to spread ransomware and other malware. To combat
such attacks, it is critical for businesses to be armed with advanced email security that can detect, block and address
threats faster; prevent any data loss; and protect important information in transit with end-to-end encryption.
• Endpoint protection: This approach protects enterprise networks that are remotely accessed by mobile devices.
Endpoint security protects companies by ensuring that portable devices follow security standards and by quickly
alerting security teams of detected threats before they can do damage. Endpoint protection also allows IT
administrators to monitor operation functions and data backup strategies.
• VPN: A virtual private network, or VPN, extends a private network across a public network. This enables users to
send and receive data across shared or public networks as if their computing devices were directly connected to the
private network. VPNs' encryption technology allows remote users and branch offices to securely access corporate
applications and resources.
• Secure web gateway: A secure web gateway protects against online security threats by enforcing company security
policies and defending against phishing and malware in real-time. This is especially important for cloud security as
this type of protection can identify an attack on one location and immediately stop it at other branches.
• Cloud access security broker: A cloud access security broker (CASB) is a tool that sits between cloud service
consumers and cloud service providers to enforce security, compliance and governance policies for cloud
applications. CASBs help organisations extend the security controls of their on-premises infrastructure to the cloud.

2.10 ORGANISATIONAL MEASURES FOR HANDLING MOBILE


• Mobile devices can be really helpful at work, making things faster and saving money. But, they can also be risky
for security. Experts use fancy words to talk about the problems companies face with security. One important idea
is the "attack surface," which is like finding weak points in our important information or business. When bad guys
attack, it can cause money problems, legal issues, or damage our reputation. So, we need to protect our stuff by
adding layers of security, like having many locks on a treasure chest. This is important for mobile devices because
the more we use them for work, the more we need to keep them safe.
• Since mobile devices move around a lot and are not always protected by our usual security tools, we have to be
extra careful. We want to stop bad guys from getting into our systems, applications, and data using mobile devices.
We also don't want these devices to become a risk or cost us money. But, we need to be careful not to make security
too strict because then it can get in the way of people doing their jobs.
• Even though keeping things safe can be a bit challenging and may cost something, we can follow some good
practices to protect our mobile devices. These practices will help prevent our important information, trade secrets,
or advantages from being exposed or accessed without permission.
• Some of these practices aim at securing the mobile devices themselves, while others aim to protect the data and
applications with which mobile users need to interact. All will help reduce the risk of loss or harm to your company
or organization.
These seven tips will help you secure your mobile environment without placing a burden on your workforce.
1) Mobile Devices Need Antimalware Software: Looking at the latest malware that can harm our devices,
we see that phones like iPhones and Androids are becoming popular targets, just like computers (Windows, MacOS
and Linux). Anybody who wants to use a mobile device to access the Internet should install and update antimalware
software for his or her smartphone or tablet.
2) Secure Mobile Communications: Many experts suggest that it's important to make sure the messages and
information sent from mobile devices are turned into secret codes (encrypted). This is because wireless messages
can be easily listened to by others. These experts also advise that if you want to connect your mobile device to a
company or an online service, it's a good idea to use something called a VPN. VPNs not only include strong
encryption, they also provide opportunities for logging, management and strong authentication, which also ensures
that the right people can use a mobile device to access applications, services or remote desktops or systems.
3) Require Strong Authentication, Use Password Controls: Many new phones have cool security features like
fingerprint scanners, face recognition, and voice recognition. Even older phones can use small, portable security
tokens or one-time passwords sent through email or automated phone messages. It's not enough to just have a
username and password; it's safer to use a few different ways to prove it's really you. This makes sure that just
having a phone doesn't mean you can get into important stuff. People should also be told to set passwords on their
phones. Companies should think about whether, in case of a lot of wrong password tries, the phone should erase all
its information. Most new phones can do this, and older ones can too with special management systems.
4) Control Third-party Software: If a company gives its employees mobile phones, they should make rules to stop
them from using outside apps. This helps to avoid problems where harmful software is installed on purpose or by
accident. These kinds of apps can create secret ways for information to be stolen. For those who bring their own
devices to work, the safest way is to make them connect to a special work area online. This means only the things
they see on the screen are sent to their device, and nothing stays on it after they finish working. Since this connection
is usually done through a VPN, it's secure, and companies can make rules to stop people from saving files on their
phones.
5) Create Separate, Secured Mobile Gateways: It's crucial to know exactly what tasks, systems, and apps mobile
users truly need to use. By directing mobile data through special gateways that have customized security features
like firewalls, filters for certain types of content, and tools to prevent data loss, employees can focus on their work
even when they're not in the office. This method also adds extra protection to important resources that mobile users
might not need to access on their devices.
6) Choose (or Require) Secure Mobile Devices, Help Users Lock Them Down: Set up mobile devices to stay away
from insecure Wi-Fi networks, and it's a good idea to keep Bluetooth hidden when it's not actively used for things
like headsets. In fact, when Bluetooth is not in use, it's safest to turn it off completely. Make a suggested setup for
personal mobile devices that will be used for work, and make sure to apply these settings before users start using
their devices for work.
7) Perform Regular Mobile Security Audits, and Penetration Testing: Every year, it's a good idea for companies
and organizations to bring in a trustworthy security testing company. These experts can check and test the security
of your mobile devices. If they find any problems, they can also help fix them. It's like hiring professionals to do
the same kind of testing that bad guys might try. Doing this helps you protect yourself from the threats these bad
guys might pose sooner or later.

2.11 ORGANISATIONAL SECURITY POLICIES AND MEASURES IN MOBILE COMPUTING ERA


• Having security policies for mobile devices is crucial to create a safe environment. In this series, you will discover
three key elements that are essential to your mobile security policy and learn how government regulations affect
what is required in your policy.
• Safeguarding an organization's assets and IT infrastructure is always a top priority. The widespread use of handheld
devices raises cybersecurity concerns as people store sensitive information like credit card details, passwords, and
important organizational data on their mobile devices.
• Losing a USB drive, portable drive, or laptop could expose valuable customer data, posing both public relations
and legal risks. To protect against theft, it's essential to discourage users from storing important information on
insecure platforms.
• While enforcing this policy may be challenging, raising user awareness can make it more effective. Clearly
outlining information classification and handling policies is crucial, specifying what types of data can be stored on
mobile devices.
• Avoiding the storage of confidential data on vulnerable platforms helps reduce the risk of theft or loss.
Guidelines for Implementing Mobile Device Security Policies:
1) Assess the necessity of mobile computing devices for employees based on the risks and benefits within the
organisation, industry and regulatory context.
2) Incorporate additional security technologies appropriate for the organisation and device types, such as strong
encryption, device passwords and physical locks.
3) Standardise mobile computing devices and associated security tools to prevent security deterioration due to device
and tool disparities.
4) Develop a specific framework for mobile device usage, covering data syncing, firewalls, anti-malware software
and types of permissible stored information.
5) Centralise management of mobile computing devices, maintain an inventory and regulate device usage.
6) Establish patching procedures for mobile device software and integrate them with centralised inventory
management.
7) Label and register devices with a service for facilitating recovery in case of loss or theft.
8) Implement procedures to disable remote access for reported lost or stolen mobile devices, ensuring data security.
9) Remove data from unused devices or before reassigning them to new owners to prevent unauthorised access to
confidential company information.
10) Provide education and awareness training to personnel using mobile devices to enhance information security
practices.

2.11.1 Security Policy


A security policy is a document that spells out the rules, expectations and overall approach that an organisation uses to
maintain the confidentiality, integrity and availability of its data. These policies operate at various levels, ranging from
high-level constructs defining enterprise-wide security goals and principles to more specific documents addressing
particular issues like remote access or Wi-Fi usage. Often, security policies are complemented by other types of
documentation, such as standard operating procedures. Together, these documents collaborate to help the company meet its
security objectives. While the policy establishes the overall strategy and security posture by addressing the 'what' and 'why',
procedures, standards, and guidelines provide the necessary structure and details on 'how' to implement and uphold the
security measures.
Reasons for security policy to be important:
Security policies may seem like just another layer of bureaucracy, but in truth, they are a vitally important component in
any information security program.
Some of the benefits of a well-designed and implemented security policy include:
1) Guides the implementation of technical controls: A security policy does not provide specific low-level technical
guidance, but it does spell out the intentions and expectations of senior management regarding security. It is then
up to the security or IT teams to translate these intentions into specific technical actions.
For example, a policy might state that only authorized users should be granted access to proprietary company
information. The specific authentication systems and access control rules used to implement this policy can change
over time, but the general intent remains the same. Without a place to start from, the security or IT teams can only
guess senior management's desires. This can lead to inconsistent application of security controls across different
groups and business entities.
2) Sets clear expectations: Without a security policy, each employee or user will be left to his or her own judgment
in deciding what is appropriate and what is not. This can be disastrous when different employees apply different
standards. Is it appropriate to use a company device for personal use? Can a manager share passwords with their
direct reports for the sake of convenience? What about installing unapproved software? Without clear policies,
different employees might answer these questions in different ways. A security policy should also clearly spell out
how compliance is monitored and enforced.
3) Helps meet regulatory and compliance requirements: Documented security policies are a requirement of
legislation like HIPAA and Sarbanes-Oxley, as well as regulations and standards like PCI-DSS, ISO 27001 and
SOC2. Even when not explicitly required, a security policy is often a practical necessity in crafting a strategy to
meet increasingly stringent security and data privacy requirements.
4) Improves organisational efficiency and helps meet business objectives: A good security policy can enhance an
organisation’s efficiency. Its policies get everyone on the same page, avoid duplication of effort and provide
consistency in monitoring and enforcing compliance. Security policies should also provide clear guidance for when
policy exceptions are granted and by whom. To achieve these benefits, in addition to being implemented and
followed, the policy will also need to be aligned with the business goals and culture of the organization.

2.11.2 Elements of an Effective Security Policy


Security policies are an essential component of an information security program and need to be properly crafted,
implemented and enforced. An effective security policy should contain the following elements:
1) Clear purpose and objectives: This is especially important for program policies. Remember that many employees
have little knowledge of security threats and may view any type of security control as a burden. A clear mission
statement or purpose spelled out at the top level of a security policy should help the entire organisation understand
the importance of information security.
2) Scope and applicability: Every security policy, regardless of type, should include a scope or statement of
applicability that clearly states to whom the policy applies. This can be based around the geographic region, business
unit, job role, or any other organisational concept so long as it is properly defined.
3) Commitment from senior management: Security policies are meant to communicate intent from senior
management, ideally at the C-suite or board level. Without buy-in from this level of leadership, any security
program is likely to fail. To succeed, your policies need to be communicated to employees, updated regularly and
enforced consistently. A lack of management support makes all of this difficult if not impossible.
4) Realistic and enforceable policies: While it might be tempting to base your security policy on a model of
perfection, you must remember that your employees live in the real world. An overly burdensome policy isn't likely
to be widely adopted. Likewise, a policy with no mechanism for enforcement could easily be ignored by a
significant number of employees.
5) Clear definitions of important terms: Remember that the audience for a security policy is often non-technical.
Concise and jargon-free language is important and any technical terms in the document should be clearly defined.
6) Tailored to the organisation's risk appetite: Risk can never be eliminated, but it is up to each organisation's
management to decide what level of risk is acceptable. A security policy must take this risk appetite into account,
as it will affect the types of topics covered.
7) Up-to-date information: Security policy updates are crucial to maintaining effectiveness. While the program or
master policy may not need to change frequently, it should still be reviewed on a regular basis. Issue-specific
policies will need to be updated more often as technology, workforce trends and other factors change. You may find
new policies are also needed over time: BYOD and remote access policies are great examples of policies that have
become ubiquitous only over the last decade or so.

2.11.3 Organisational Policies for Mobile Hand-Held Device Usage


Creating distinct mobile computing policies or integrating mobile devices into existing policies is key to handling device
usage. Hybrid approaches can extend the 'acceptable use policy' for other technologies to mobile devices, covering usage
under general IT policies. Over time, adjustments to policies may be necessary to address varying challenges posed by
wireless and non-wireless devices, different user frequencies and connections to WANs and LANs.
Planning for mobile devices and devising appropriate security policies is essential for organisations, even if they are new
to the mobile device landscape. Anticipating uses and potential risks allows companies to adapt and create necessary policies
to mitigate cybersecurity threats posed by mobile computing devices.
Ten questions to ask when building your security policy: To establish an effective security policy that contributes to the
development of a genuine culture of security, it should be both pertinent and practical. The language used in the policy
should strike a balance between being thorough and succinct. Achieving this equilibrium can indeed be a challenging
endeavor. Although there are numerous templates and real-world instances available to serve as starting points, each security
policy must be meticulously tailored to meet the unique requirements of the organization.
Whether you are starting from scratch or building from an existing template, the following questions can help you get in
the right mindset:
1. How will you align your security policy to the business objectives of the organisation?
2. Who will you need buy-in from? Is senior management committed?
3. Who is the audience for this policy?
4. What is the policy scope?
5. How will compliance with the policy be monitored and enforced?
6. What regulations apply to your industry? For instance, GLBA, HIPAA, Sarbanes-Oxley, etc.
7. What is the organisation's risk appetite?
8. What kind of existing rules, norms, or protocols (both formal and informal) are already present in the organisation?
9. How often should the policy be reviewed and updated?
10. How will policy exceptions be handled?
Security policy examples: A large and complex enterprise might have dozens of different IT security policies covering
different areas. The policies you choose to implement will depend on the technologies in use, as well as the company culture
and risk appetite. That said, the following represent some of the most common policies:
1. Program or organisational policy: This high-level security blueprint is a must for all organisations and spells out the
goals and objectives of an information security program. The program policy also specifies roles and responsibilities,
compliance monitoring and enforcement and alignment with other organisational policies and principles.
2. Acceptable use policy: This is an issue-specific policy that defines the acceptable conditions under which an employee
can access and use the company's information resources.
3. Remote access policy: This issue-specific policy spells out how and when employees can remotely access company
resources.
4. Data security policy: Data security can be addressed in the program policy, but it may also be helpful to have a dedicated
policy describing data classification, ownership and encryption principles for the organization.
5. Firewall policy: One of the most common system-specific policies, a firewall policy describes the types of traffic that
an organization's firewall(s) should allow or deny. Note that even at this level, the policy still describes only the "what"; a
document describing how to configure a firewall to block certain types of traffic is a procedure, not a policy.
Organizational Security Policies: An organizational security policy is a set of rules or procedures that is imposed by an
organization on its operations to protect its sensitive data.
The organizational security policies that are required by the evaluated configuration are as follows:
• Only those users who have been authorized to access the information within the system can access the system.
• The system must limit the access to viewing of, modification of and destruction of the information in protected
resources to those authorized users who have a 'need to know' that information.
• The users of the system are held accountable for their actions within the system.
• Labelled Security only: The system must limit the access to information based on the following criteria:
o Sensitivity of the information that is contained in objects, as represented by a label.
o Formal clearance of users to access that information, as represented by user profiles.
Enforcing the access rules prevents a user from accessing information that is of higher sensitivity than the user is operating
at and prevents a user from causing information to be downgraded to a lower sensitivity. The method for classification of
information is made based on criteria that are defined by the organisation. This classification is usually based on relative
value to the organisation and its interest to limit dissemination of that information. The determination of classification of
information is outside the scope of the IT system; the IT system is expected only to enforce the classification rules, not to
determine classification. The method for determining clearances is also outside the scope of the IT system and is based on
the trust that the organisation places in individual users and to some extent on the individual's role within the organisation.
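The label-based access rules described above, as an added example that is not part of the original notes: a user operates at a level no higher than their clearance, cannot read objects labelled above that level, and cannot write into objects labelled below it (which would downgrade information). The level names, the clearance table and all function names are assumptions made for illustration, as is the choice to permit writes to equally or more sensitive objects.

```python
from enum import IntEnum

class Level(IntEnum):
    # Hypothetical sensitivity levels; the organisation defines the real ones.
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3

# Constructed user profiles holding each user's formal clearance.
CLEARANCE = {"alice": Level.SECRET, "bob": Level.INTERNAL}

class AccessDenied(Exception):
    pass

def open_session(user, operating_level):
    """A user may operate at any level up to their formal clearance."""
    if user not in CLEARANCE or operating_level > CLEARANCE[user]:
        raise AccessDenied(f"{user} is not cleared for {operating_level.name}")
    return (user, operating_level)

def can_read(session, object_label):
    """Deny reads of objects more sensitive than the session's level."""
    return object_label <= session[1]

def can_write(session, object_label):
    """Deny writes into less sensitive objects, which would downgrade data.
    Assumption of this sketch: writing to an equal or higher label is allowed."""
    return object_label >= session[1]

def check(session, action, object_label):
    """Return (allowed, audit_record) so each decision is tied to a user."""
    rule = {"read": can_read, "write": can_write}[action]
    allowed = rule(session, object_label)
    record = (f"user={session[0]} level={session[1].name} action={action} "
              f"label={object_label.name} result={'ALLOW' if allowed else 'DENY'}")
    return allowed, record

if __name__ == "__main__":
    # alice is cleared for SECRET but is operating at CONFIDENTIAL.
    s = open_session("alice", Level.CONFIDENTIAL)
    for action, label in [("read", Level.INTERNAL), ("read", Level.SECRET),
                          ("write", Level.INTERNAL), ("write", Level.SECRET)]:
        print(check(s, action, label)[1])
```

The decision depends on the level the session is operating at, not on the user's maximum clearance, and the audit record supports the accountability requirement in the list above.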
