Security Policies 101
By: Laura Taylor
January 6, 2003
If you are trying to keep your network secure from unauthorized access, creating security policies is an exercise in understanding what needs to be secured. Security policies serve many purposes and are the foundation of your security framework.
Why Your Organization Needs Security Policies
Security policies are the foundation of your secure infrastructure. Your security policies serve as a guide and a reference point to numerous security tasks in your organization including:
Without security policies, there is no basis for enforcing security configurations or standards. By establishing a policy, you are stating that enforcement can or will follow; without the policy, there is nothing to enforce.
Security Policy Basics
Security policies are the high-level laws of the land for your security infrastructure. They are not procedures; procedures tell you how to implement security policies. Upper management needs to hold someone accountable for drafting the security policies, overseeing their review, and implementing them. Without support from upper management, security policies often fall by the wayside and never get written, understood, or implemented. The person held responsible for security policies could be the Director of Information Security, the Chief Security Officer, the Director of Information Technology, the Chief Information Officer, or a knowledgeable employee appointed as the information security officer.
Security is typically distributed, and security mechanisms should be built into all layers of the enterprise infrastructure. Security policies should describe the rules of the road for the following types of technology systems:
All security policies need to be written down. Policies that exist in someone's head are not really policies. When your organization has finished developing security policies, and right when you think you can breathe easy, it will be time to update your security policies. Since most IT organizations are deploying new technology continuously and retiring old systems, you will have to make sure your security policies still make sense for your new infrastructure. Similarly, when you are evaluating new equipment for possible procurement, you will want to make sure that the new equipment can properly be configured to meet your security requirements — if it can't, you may want to consider procuring alternative products.
Some products and modules built into operating systems are designed specifically to configure and enforce security policies. Windows 2000 uses security templates (also called .inf files) to automatically configure security policies on servers and desktops. There are also third-party enterprise management tools that are designed specifically for security policy configuration, distribution, and enforcement. These products should undergo a thorough evaluation and analysis process before expensive procurement decisions are made.
Security controls are mechanisms put into place to enforce security policies.
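As an added illustration of the template mechanism described above (not part of the original article), the following PowerShell writes a small Windows security template (.inf) and uses the built-in secedit tool first to audit a machine against it and then, once approved, to apply it. The policy statements, setting values, and file paths are illustrative assumptions, not recommendations from the article.

```powershell
# Added example: a minimal security template (.inf) that turns written
# technical policy statements into settings Windows can enforce.
# Values and paths are illustrative assumptions, not from the article.
$templatePath = 'C:\Policy\baseline.inf'
$dbPath       = 'C:\Policy\baseline.sdb'
$logPath      = 'C:\Policy\baseline.log'

New-Item -ItemType Directory -Path (Split-Path $templatePath) -Force | Out-Null

# Each section maps to a policy area; each key is one enforceable control.
# The ';' comments record which written policy statement the setting implements.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Policy (assumed): "Passwords are at least 12 characters and expire every 90 days."
MinimumPasswordLength = 12
MaximumPasswordAge = 90
PasswordComplexity = 1
; Policy (assumed): "Accounts lock after 5 failed logon attempts."
LockoutBadCount = 5
[Event Audit]
; Policy (assumed): "Logon successes and failures are recorded." (3 = success + failure)
AuditLogonEvents = 3
AuditAccountLogon = 3
'@ | Set-Content -Path $templatePath -Encoding Unicode

# Audit step: compare the machine's current settings with the template.
# Differences are written to the log; nothing on the machine is changed.
secedit /analyze /db $dbPath /cfg $templatePath /log $logPath /quiet
Get-Content $logPath | Select-String 'Mismatch'

# Enforcement step: apply the template so the controls match the written policy.
# Run only after the policy has gone through the review described in the article.
# secedit /configure /db $dbPath /cfg $templatePath /log $logPath /quiet
```

The analyze step is the technical-policy audit the article mentions: it reports each setting that does not match the template without altering the system, so the same template serves as both the control and the checklist.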
Administrative Policies vs. Technical Policies
Technical security policies describe how technology should be configured and used; administrative security policies describe how people (end-users and management) should behave. The intended security rules for technology systems and data should be explicitly described in technical security policies, each of which states a rule or regulation pertaining to a piece of equipment, a facility, or a set of data.
Administrative security policies describe the intended behavior rules for people. Serving as a guide for both end-users and management, administrative policies should spell out the roles and responsibilities for all users of technology systems in the organization. It is very important to inform end-users and other management team members of administrative security policies: users cannot be expected to follow policies if they do not know what they are. After reviewing the administrative policies, it is a good idea to have each user sign the policy document, attesting that they have read it, understand it, and will abide by it.
Many organizations take the time to define technical security policies, while administrative security policies are often overlooked. While many technical security policies can be audited with online scanning tools, administrative security policies can only be audited with an in-person review. Auditors who review administrative policies will typically ask to see the actual formal policy document. Efficient auditors will also interview end-users and management to see if they understand their roles and responsibilities.
Administrative Security Policy Samples
If your organization were being audited, here are some questions that an auditor might ask regarding your administrative security policies:
Technical Security Policy Samples
If your organization were being audited, here are some questions that an auditor might ask regarding your technical security policies:
A Word to the Wise
Writing security policies takes a long time and a lot of thought. It may be useful to have your human resources department review the administrative policies, since many of these policies are associated with employee behavior. It is possible that human resources will want to include some of the administrative policies in job descriptions or other employee policies.
The technical teams responsible for administering servers, routers, switches, and applications should review the technical policies related to their respective responsibilities. Before etching the security policies in stone, the security officer should make sure that they undergo sufficient peer review. Organizations without security policies are putting themselves at risk and exposing themselves to numerous liabilities. If your organization has anything at stake, whether proprietary information, financial information, customers, or shareholders, writing security policies is worth the trouble.
Copyright 1997-2015 Relevant Technologies. All rights reserved.