The Enterprise Security Policy.


What is a Security Policy?
A security policy is a set of guidelines established to safeguard the network from attacks, both from inside and outside a company. Forming a policy starts with asking questions. How does the network help the organization achieve its vision, mission, and strategic plan? What implications do business requirements have on network security, and how do those requirements get translated into the purchase of specialized equipment and the configurations loaded onto devices?
A security policy benefits an organization in the following ways:
Provides a means to audit existing network security and compare the requirements to what is in place.
Provides a basis for planning security improvements, including equipment, software, and procedures.
Defines the roles and responsibilities of the company executives, administrators, and users.
Defines which behavior is and is not allowed.
Defines a process for handling network security incidents.
Enables global security implementation and enforcement by acting as a standard between sites.
Creates a basis for legal action if necessary.
A security policy is a living document, meaning that the document is never finished and is continuously updated as technology and employee requirements change. It acts as a bridge between management objectives and specific security requirements.
Functions of a Security Policy
A comprehensive security policy fulfills these essential functions:
Protects people and information
Sets the rules for expected behavior by users, system administrators, management, and security personnel
Authorizes security personnel to monitor, probe, and investigate
Defines and authorizes the consequences of violations
The security policy is for everyone, including employees, contractors, suppliers, and customers who have access to the network. However, the security policy should treat each of these groups differently. Each group should only be shown the portion of the policy appropriate to their work and level of access to the network.
For example, an explanation for why something is being done is not always necessary. You can assume that the technical staff already know why a particular requirement is included. Managers are not likely to be interested in the technical aspects of a particular requirement; they may want just a high-level overview or the principle supporting the requirement. However, when end users know why a particular security control has been included, they are more likely to comply with the policy. Therefore, one document is not likely to meet the needs of the entire audience in a large organization.
Components of a Security Policy
The SANS Institute (http://www.sans.org) provides guidelines developed in cooperation with a number of industry leaders, including Cisco, for developing comprehensive security policies for organizations large and small. Not all organizations need all of these policies.
The following are general security policies that an organization may invoke:
Statement of authority and scope-Defines who in the organization sponsors the security policy, who is responsible for implementing it, and what areas are covered by the policy.
Acceptable use policy (AUP)-Defines the acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.
Identification and authentication policy-Defines which technologies the company uses to ensure that only authorized personnel have access to its data.
Internet access policy-Defines what the company will and will not tolerate with respect to the use of its Internet connectivity by employees and guests.
Campus access policy-Defines acceptable use of campus technology resources by employees and guests.
Remote access policy-Defines how remote users can use the remote access infrastructure of the company.
Incident handling procedure-Specifies who will respond to security incidents, and how they are to be handled.
In addition to these key security policy sections, some others that may be necessary in certain organizations include:
Account access request policy-Formalizes the account and access request process within the organization. When users and system administrators bypass the standard processes for account and access requests, the organization can be exposed to legal action.
Acquisition assessment policy-Defines the responsibilities regarding corporate acquisitions and defines the minimum requirements of an acquisition assessment that the information security group must complete.
Audit policy-Defines audit requirements to ensure the integrity of information and resources. This includes a process to investigate incidents, ensure conformance to security policies, and monitor user and system activity where appropriate.
Information sensitivity policy-Defines the requirements for classifying and securing information in a manner appropriate to its sensitivity level.
Password policy-Defines the standards for creating, protecting, and changing strong passwords.
Risk assessment policy-Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the information infrastructure associated with conducting business.
Global web server policy-Defines the standards required by all web hosts.
With the extensive use of e-mail, an organization may also want to have policies specifically related to e-mail, such as:
Automatically forwarded e-mail policy-Documents the policy restricting automatic e-mail forwarding to an external destination without prior approval from the appropriate manager or director.
E-mail policy-Defines content standards to prevent tarnishing the public image of the organization.
Spam policy-Defines how spam should be reported and treated.
Remote access policies might include:
Dial-in access policy-Defines the appropriate dial-in access and its use by authorized personnel.
Remote access policy-Defines the standards for connecting to the organization network from any host or network external to the organization.
VPN security policy-Defines the requirements for VPN connections to the network of the organization.
Users who defy or violate the rules in a security policy may be subject to disciplinary action, up to and including termination of employment.
