We've examined security mechanisms throughout this book, but to successfully protect an organization, security must start at the topmost level and filter down throughout the organization. Executive management must define at a high level what security policies should be put in place, the type of information to be protected, and the level of protection that is required. Employees, especially IT personnel, must be made aware of these organizational security policies and adhere to them, or face the consequences of noncompliance. Employing security policies and the tools used to enforce them is the first step in keeping the organization secure; these elements provide the framework for the amount of security that the business requires. Without them, some areas may be protected, whereas others are neglected. This can ultimately jeopardize the organization by leaving security holes that external and internal users can take advantage of to compromise security.

This chapter outlines what security policies are and how they are used by organizations to create a security framework using administrative, physical, and technical controls. In addition, this chapter covers general and Windows Server 2003 security-focused technologies that can be applied as controls for a security framework.