Friday, April 11, 2008

What a Security Policy Should Include

When writing a security policy, you should first perform an inventory of the resources you want to protect. Identify the users who need to access each resource, and determine the most likely place a threat to the resource might come from. With this information, you then can begin to construct a security policy that users will have to follow.

The security policy should not be something that is simply generally understood by everyone. It should be an actual written document. To remind users about the importance of security, you might want to post copies of it around the office so that they will see it on a regular basis.

A good security policy will be composed of several elements, including these:

  • Risk assessment—What are you trying to protect and from whom? Identify your network assets and possible sources of problems.
  • Responsibilities—Describe who in the company is responsible for handling specific matters relating to security. This can range from who is authorized to approve a new user account to who will conduct investigations into security breaches.
  • Legal ramifications—Be sure to get advice from the proper sources about any legal matters that apply to the information you store or generate on your network. Include statements to this effect in the security policy documents.
  • Procedures to remedy security problems—State what procedures will be followed when a security event occurs and what actions will be taken against those who perpetrate them.

These are the five classes of vulnerability vectors:

  • Hardware—This includes workstations and servers, printers, disk drives, and network wiring. It also includes internetworking devices such as bridges, routers, and switches.

  • Software—Every piece of software you run on any computer in the network is a potential security problem. This includes programs purchased from outside vendors and software created in-house by your own programming staff. Operating systems frequently have to be patched as new bugs are discovered that give an intruder an easy way to infiltrate.
  • Data—The most important asset on your network is probably the data that is generated or used by your business. You can replace software programs and operating systems. When important data, such as customer lists, sales information, or proprietary trade secrets, is compromised, this can have a significant impact on business.
  • People—Users, operators, and anyone else who interacts with your network or any device attached to it is a potential security risk.
  • Paperwork—Often overlooked, this is a very valuable resource to hackers. Passwords are written down. Reports are generated that contain confidential information. Often this material is simply thrown in a dumpster when it is no longer needed. A better approach is to shred or otherwise make it unusable before getting rid of it.

A good security policy that is understood by users will go a long way toward preventing some of the problems you can potentially encounter. Make it a point to review the policy with users periodically, such as at quarterly meetings, and be sure that users understand the responsibilities that go along with having access to the company network.