Security Policies


At its core, a security policy is what defines the security posture of an organization. This posture should include protecting an organization's information, information systems, and people in a manner that reduces or manages the risk to these assets. To perform this role, a security policy must define the rules for expected behavior and what the consequences are for violations of the policy, and it must provide a method to authorize security personnel to monitor, investigate, and respond to intruder alerts. In all cases, a security policy should provide a clear directive that provides a path for reaching an objective through procedures or actions that must be carried out.

Security policies vary from organization to organization, and they may depend on laws and regulations as well as liability issues for the industry or specific organization. For instance, healthcare-related companies have stricter security policies for keeping medical information private to conform to the Health Insurance Portability and Accountability Act (HIPAA), whereas financial institutions must ensure compliance with the Gramm-Leach-Bliley Act (GLBA).

Note

For more information on HIPAA and GLBA, go to http://cms.hhs.gov/hipaa/ and http://www.senate.gov/~banking/conf/, respectively.


Security policies incorporate standards, guidelines, procedures, and other mechanisms. These elements can be organized on how they apply to the organization. No matter what security policies are in place, they should be well documented, reviewed, taught, and practiced.

Policy Levels

An organization's security policies are not all the same. Many different types of policies apply to different levels within an organization. The level at which a policy applies in an organization is defined by a policy hierarchy. Because of differences between organizations, policy hierarchies might differ. Regardless, three policy levels are almost always included within all policy hierarchies: enterprise, issue-specific, and procedures and checklists.

Enterprise Policy Hierarchy

The intention of developing enterprise policies is to address security requirements for the entire organization rather than a specific system or group of systems. Many of these security policies relate to employees, their education, and the enforcement of security policies.

Issue-Specific Policy Hierarchy

Issue-specific policies address specific security needs within an organization. Examples of issue-specific policies are password policies, Internet usage policies, and antivirus policies.

Procedures and Checklists Policy Hierarchy

Procedures and checklists are not actually policies, but instead are designed to eliminate errors with policy compliance by providing a clear path for making decisions. To do this, procedures and checklists are created to define the how, where, and when of policies.

Roles and Responsibilities

When a security policy is created, the roles and responsibilities of individuals associated with the security policy must be defined. Defining roles and responsibilities dictates how individuals are to interact with a policy. For example, the creation and update of, enforcement of, or adherence to a policy are all responsibilities that must be assigned to individuals within an organization. If these roles are not defined, a policy effectively doesn't apply to anyone and becomes just another document.

Desktop Security Policy

Desktop security policies vary between organizations as well as within an organization. Predominantly, specific desktop security policies are managed with GPOs to control or lock down the client machines. It's also important to have clearly defined security policies documented in the employee forms mentioned earlier in this chapter. Security policies relating to the desktop that may be enforced using a GPO or other means must support the formal, documented security policies for the organization. For more information on GPOs and how they can be applied to network clients, refer to Chapter 29, "Group Policy Management for Network Clients."

Another variance in how desktop security policies apply may depend on what the users' responsibilities and roles are within the organization. For example, you may require more control of the desktop for data entry workers than for knowledge workers.

Some possible desktop security policies to consider implementing include, but are not limited to, the following:

  • Limit the number of applications a user has access to use.

  • Restrict users from using company resources to play games, or even restrict them from installing any software.

  • Remove the username of the person who logged on last to the client machine. This keeps people from discovering other usernames and passwords.

  • Require users to change their passwords periodically. You may also want to consider tightening password history, length, and strength requirements. Also, users must not keep this information on sticky notes on their computers.

  • Mandate keeping documents on the file servers so that they are backed up every night. You can help alleviate concerns that documents aren't being backed up by using folder redirection.
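The following added example (not from the book) shows one way to check that the settings a GPO actually enforces match the documented policy, using the last-logon-username and password items from the list above. It parses a constructed sample in the INF layout that `secedit /export /cfg` writes; the thresholds in `RULES` are illustrative assumptions, not values the book prescribes.

```python
import configparser

# Constructed sample in the INF layout written by `secedit /export /cfg`
# (real exports are UTF-16; decode the file before parsing it).
SAMPLE_INF = r"""
[System Access]
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
"""

LAST_USER = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
             r"\Policies\System\DontDisplayLastUserName")

# Assumed documented policy; every threshold here is illustrative.
RULES = [
    ("System Access", "MaximumPasswordAge", "change at least every 90 days",
     lambda v: 1 <= v <= 90),          # -1 means passwords never expire
    ("System Access", "MinimumPasswordLength", "at least 8 characters",
     lambda v: v >= 8),
    ("System Access", "PasswordComplexity", "complexity enabled",
     lambda v: v == 1),
    ("System Access", "PasswordHistorySize", "remember at least 12 passwords",
     lambda v: v >= 12),
    ("Registry Values", LAST_USER, "hide last logged-on username",
     lambda v: v == 1),
]

def audit(template_text):
    """Return (setting, requirement, found) for each rule the template fails."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str               # keep key case exactly as exported
    cp.read_string(template_text)
    findings = []
    for section, key, requirement, ok in RULES:
        raw = cp.get(section, key, fallback=None)
        name = key.rsplit("\\", 1)[-1]
        if raw is None:                # an undefined setting is not enforced
            findings.append((name, requirement, "not defined"))
            continue
        # Registry entries are "type,value" (4 = REG_DWORD); others are plain ints.
        value = int(raw.split(",", 1)[-1])
        if not ok(value):
            findings.append((name, requirement, value))
    return findings

if __name__ == "__main__":
    for name, requirement, found in audit(SAMPLE_INF):
        print(f"FAIL {name}: policy requires {requirement}; found {found}")
```

A setting that is absent from the export is reported as "not defined" rather than skipped, because a documented policy with no enforced value behind it is itself a finding.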

Application Security Policy

The basic reason you should consider application security policies is that any invoked application or code can potentially identify or exploit security holes. A human resources (HR) application, for example, may unintentionally give access to confidential information after a specific key sequence is pressed.

As a best practice, consider reviewing and documenting the following application-level security policies:

  • Establish Windows Server 2003's software restriction policies. This service provides a transparent, policy-driven means to regulate unknown or untrusted applications.

  • Support only those applications that are approved and are critical to the business.

  • Routinely update antivirus definition files to improve resilience against viruses.

  • Apply the principle of least privilege to the data an application can access.

  • Use Group Policy Objects (GPOs) to lock down the desktop so that users aren't given full access to the system. For example, disable the Run command or disallow use of the command prompt.

  • Thoroughly test Windows Server 2003 service packs and updates (especially the security-related updates) in a lab environment before deploying them in production.

  • Test and review application updates and patches to determine how they may affect application security and reliability.

An organization can benefit from many other possible application security policies. The type of security policy that you have will depend on business requirements. In any case, thoroughly reviewing and documenting these application security policies can benefit the network environment by tightening application security.

Network Security Policy

Network security policies are intended to provide specific and often detailed guidelines and rules to keep the network environment running optimally and securely. Specific policies should be set regarding network access, firewalls and required filtering, specific address or time restrictions, and much more.

Note

In addition to evaluating the best practices and recommendations regarding security in this book, consider using the best practices compiled by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). Both agencies provide security lockdown configuration standards and guidelines that can be downloaded from their Web sites (http://www.nist.gov and http://www.nsa.gov, respectively).


Both LAN and WAN environments should have security policies in regard to how and when the network is accessed. LAN and WAN environments are typically protected by firewalls or other security devices, but placing security policy restrictions on how and when users can access the network further tightens security.

If the network access security policy states that users are required to use virtual private network (VPN) connections or Terminal Services instead of dial-up to gain remote access, a possible intruder's options are further limited. Additional policies may also limit how VPN or Terminal Services connections can be made and what specific configurations are required (for example, every VPN must use L2TP and IPSec).

Network access auditing policies are also a recommended measure to monitor the environment. Reviewing audit logs on a predetermined schedule can identify possible intrusion attempts and security breaches.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499