Avaya

Message Networking Help


Security policy

A security policy is a statement of rules that must be followed by all the people who are given access to an organization's information and technology assets, both hardware and software. Security problems change constantly. Security measures that you implement today may not be as secure tomorrow. One of the most important tools for securing a system is a published security policy that you enforce. Having a security policy in place is of paramount importance for keeping your system functioning efficiently and securely and for protecting the information assets of your organization. This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. In addition, the security policy must clearly:

  • Identify what is to be protected.

  • State what it needs to be protected against.

  • State the possibilities and occurrences of well-known threats.

  • Describe processes to implement measures that protect corporate assets in a cost-effective manner.

  • Describe processes for reviewing and improving the security measures on a continuous basis.

  • Define corporate security goals.

  • Include rules about negative or irresponsible behavior, a path of problem escalation, and information about who to notify of all security issues.

  • Define measures that ensure that the security policy is not circumvented by anyone.

The security policy must be based on a carefully conducted security analysis, risk assessment, and business needs analysis. Refer to the Site Security Handbook memo (RFC2196) issued by the Internet Engineering Task Force at www.ietf.org for help on creating a security policy.

General security guidelines

Security is more than preventing hackers from eavesdropping on messages. It also means protecting your system against fraudulent long distance charges, corporate espionage, and malicious system intrusions. By recognizing the different types of hackers and the trails they leave, you can protect your system, and possibly catch the culprit. Prevention is your most effective weapon against voice mail hackers. In fact, almost all can be deterred with a combination of common-sense policies and procedures that involve better system design and administration, subscriber education, and effective company voice mail policies and guidelines.

A well-established security policy can considerably enhance the security of your system. The following general guidelines can help reduce unauthorized usage. Ensure that the security policy includes the following:

  • Protects System Administration Access. Establish multiple access levels for subscribers, system managers, and system programmers. Require passwords for each level of access. Ensure that secure passwords exist for all logins that allow system administration or maintenance access to the system. Change the passwords frequently.

  • Provides Physical Security for Telecommunications Assets. Locate your Message Networking system in a room with controlled access. Restrict unauthorized access to equipment rooms and wire connection closets. Protect system documentation and reports data from being compromised.

  • Monitors Traffic and System Activity for Abnormal Patterns. Establish procedures for reviewing system and network reports to identify hackers, and make this review a required weekly part of system management. Activate features that turn off access in response to unauthorized access attempts. Use traffic and call detail reports to monitor call activity levels.

Educate and train users

Everyone who uses the system is responsible for the security of the system. Informed people are more likely to cooperate with security measures that often make the system less flexible and more difficult to use. A bit of renewed awareness, perhaps in the form of a refresher course or an updated manual, can go a long way in enhancing the general security of the system.

In addition, ensure that you do the following:

  • Discourage the practice of writing down passwords. If a password needs to be written down, it must be kept in a secure place and never discarded while it is active.

  • Establish well-controlled procedures for resetting passwords.

  • Establish procedures to counter social engineering. Social engineering is a con game that hackers frequently use to obtain information that may help them gain access to your system.

©2006 Avaya Inc. All rights reserved.
Last modified 11 January, 2006