Abstract:
Worldwide connectivity and the digitalization of services have escalated the usage of information and communication technology, which in turn has exposed information assets to a host of emerging cybersecurity vulnerabilities and threats. Cybersecurity policies are a cornerstone for governing cybersecurity in an air-gapped network. These policies define the need to safeguard the confidentiality, integrity, and availability of an organization’s assets. Therefore, the present research aims to develop governing and technical policies to ensure resilience against cyberthreats in an air-gapped network. After the development of a main governing policy, five subsidiary/technical policies were developed, namely the Personnel Policy, Social Engineering Policy, Physical Security Policy, Infrastructure Hardening Policy, and Access Control Policy. The Personnel Policy was developed so that the recruitment, training, and departure of personnel comply with the security safeguards on access to and use of information technology resources and data. A subsidiary policy on Social Engineering was included in the current study because it is indispensable for informing employees that fraudulent social engineering assaults do occur and that processes exist for detecting such attacks. Likewise, a Physical Security Policy was developed to protect the physical security of all people and information assets by effectively stopping unauthorized physical access to, destruction of, and interference with information and information processing facilities. An Infrastructure Hardening Policy was added as a subsidiary policy because it is direly needed to harden the system or structure by reducing its surface of vulnerability and mitigating the possibility of a successful attack by further decreasing the obfuscation. The Access Control Policy, which specifies the rules for authorizing, monitoring, and controlling access to an organization’s accounts, information, and information systems, was added as part of the sub-policies.
After an extensive elaboration of the aforementioned governing and technical policies, guidelines on system hardening are described as an illustration of the procedural details, delivering step-by-step instructions on the ‘how’ of carrying out the policy statements. System hardening guidelines enable end-users to secure their PCs and laptops from various threats, vulnerabilities, and viruses. In conclusion, robust enforcement, consistent auditing, and regular upgrading of policies and guidelines are the only viable mechanism to safeguard the confidentiality, integrity, and availability of assets in an air-gapped network.