Chapter 7. Establishing Security Policies

It is extremely important to have a well-designed written security policy, have it approved by someone with sufficient authority that it will not be ignored, and enforce it strictly and evenly. The vast majority of users do not have the technical expertise, the time, or the interest to understand how to maintain security, but can be cajoled into following a policy, especially when failure to follow it has unpleasant consequences. The actual policy needs to be tailored to your particular organization. Certainly, a computer that prints checks or runs a factory will need much greater security than, say, someone's lab system (unless the latter contains the company's next big product under development).

The policy should have provisions to allow verification of compliance. Also, it should have provisions to swiftly correct noncompliance. The degree to which corrections may be applied will depend on complex politics that will vary greatly between different organizations. In most jurisdictions, a reference in the Employee Handbook stating that the computer security policy must be followed is important in order to be able to take legal action, such as dismissal, against employees who violate it.

The security policy should be given to all users whom it affects when it is created or changed and to all new users. It should show boldly "Approved by Dudley S. Portistan, MIS Director" or similar, so people will fear that violating it could be a career-limiting move. The degree of authority that the SysAdmin should have to detect and correct noncompliance should depend on the criticality of the noncompliance. Matters that significantly jeopardize the company's business or the organization's mission should be corrected swiftly.

For example, a computer that provides an unauthorized and insecure bridge to the Internet around the firewall should be disconnected immediately, possibly impounded pending resolution and scanning for intrusions, and the user severely reprimanded or worse. An account that is used improperly, or that contains unapproved software or unacceptable images, should be disabled immediately by the SysAdmin, who then, once the system is secure, can follow up with the user or her management. If policy forbids personal e-mail, a gentle verbal warning following a violation is probably appropriate.

The topics covered in this chapter include:

  • "General Policy"

  • "Personal Use Policy"

  • "Accounts Policy"

  • "E-Mail Policy"

  • "Instant Messenger (IM) Policy"

  • "Web Server Policy"

  • "File Server and Database Policy"

  • "Firewall Policy"

  • "Desktop Policy"

  • "Laptop Policy"

  • "Disposal Policy"

  • "Network Topology Policy"

  • "Problem Reporting Policy"

  • "Ownership Policy"

  • "Policy Policy"

Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002, 260 pages.