Security policies are worth the time and effort needed to develop
them. A security policy benefits a company in the following ways:

It provides a process to audit existing network security.
It provides a general security framework for implementing network security.
It defines which behavior is and is not allowed.
It often helps determine which tools and procedures are needed for the organization.
It helps communicate consensus among a group of key decision makers and defines the responsibilities of users and administrators.
It defines a process for handling network security incidents.
It enables global security implementation and enforcement.
It creates a basis for legal action if necessary.

Computer security is now an enterprise-wide issue, and computing sites
are expected to conform to the network security policy.

Developing a Security Policy

A security policy can be as simple as a brief
Acceptable Use Policy for network resources, or can be several hundred pages
long and detail every element of connectivity and associated policies. Although
somewhat narrow in scope, RFC 2196 suitably defines a security policy as
follows:

"A security policy is a formal statement of the rules by which
people who are given access to an organization's technology and
information assets must abide."

It is important to
understand that network security is an evolutionary process. No single product
can make an organization secure. True network security comes from a combination
of products and services, combined with a comprehensive security policy and a
commitment to adhere to that policy from the top of the organization down. In
fact, a properly implemented security policy without dedicated security
hardware can be more effective at mitigating the threat to enterprise resources
than a comprehensive security product implementation without an associated
policy.
In order for a security policy to be appropriate and effective, it needs to
have the acceptance and support of all levels of employees within the
organization, including the following:

Site security administrator.
Information technology technical staff, such as staff from the computing center.
Administrators of large user groups within the organization, such as business divisions or a computer science department within a university.
Security incident response team.
Representatives of the user groups affected by the security policy.
Responsible management.
Legal counsel, if needed.

It is extremely important that management fully support the security
policy process. Otherwise, there is little chance that the process will have
the intended impact.

An effective security policy works to ensure that
the network assets of the organization are protected from sabotage and from
inappropriate access, both intentional and accidental. All network security
features should be configured in compliance with the organization's
security policy. If a security policy is not present, or if the policy is out
of date, the policy should be created or updated before deciding how to
configure security on any devices.

The figure illustrates the traits that any security policy should include.

Developing Security Procedures

Security procedures implement
security policies. Procedures define configuration, login, audit, and
maintenance processes. Security procedures should be written for end users,
network administrators, and security administrators. Security procedures should
specify how to handle incidents. These procedures should indicate what to do
and who to contact if an intrusion is detected. Security procedures can be
communicated to users and administrators in instructor-led and self-paced
training classes.

Complete the quiz question in the figure for additional study.

In this lab, students will analyze, offer recommendations, and help improve
the security infrastructure of a fictitious business. Students will be asked to
analyze business application requirements, security risks, and network assets.
Students will also examine security requirements and tradeoffs.