At its core, a security policy is what defines the security posture of an organization. This posture should include protecting an organization's information, information systems, and people in a manner that reduces or manages the risk to these assets. To perform this role, a security policy must define the rules for expected behavior and what the consequences are for violations of the policy, and it must provide a method to authorize security personnel to monitor, investigate, and respond to intruder alerts. In all cases, a security policy should provide a clear directive that provides a path for reaching an objective through procedures or actions that must be carried out.

Security policies vary from organization to organization, and they may depend on laws and regulations as well as liability issues for the industry or specific organization. For instance, healthcare-related companies have stricter security policies for keeping medical information private to conform to the Health Insurance Portability and Accountability Act (HIPAA), whereas financial institutions must ensure compliance with the Gramm-Leach-Bliley Act (GLBA).

Note: For more information on HIPAA and GLBA, go to http://cms.hhs.gov/hipaa/ and http://www.senate.gov/~banking/conf/, respectively.

Security policies incorporate standards, guidelines, procedures, and other mechanisms. These elements can be organized by how they apply to the organization. No matter what security policies are in place, they should be well documented, reviewed, taught, and practiced.

Policy Levels

An organization's security policies are not all the same. Many different types of policies apply to different levels within an organization. The level at which a policy applies in an organization is defined by a policy hierarchy. Because of differences between organizations, policy hierarchies might differ.
Regardless, three policy levels are almost always included within all policy hierarchies: enterprise, issue-specific, and procedures and checklists.

Enterprise Policy Hierarchy

The intention of developing enterprise policies is to address security requirements for the entire organization rather than a specific system or group of systems. Many of these security policies relate to employees, their education, and the enforcement of security policies.

Issue-Specific Policy Hierarchy

Issue-specific policies address specific security needs within an organization. Examples of issue-specific policies are password policies, Internet usage policies, and antivirus policies.

Procedures and Checklists Policy Hierarchy

Procedures and checklists are not actually policies, but instead are designed to eliminate errors with policy compliance by providing a clear path for making decisions. To do this, procedures and checklists are created to define the how, where, and when of policies.

Roles and Responsibilities

When a security policy is created, the roles and responsibilities of individuals associated with the security policy must be defined. Defining roles and responsibilities dictates how individuals are to interact with a policy. For example, the creation and update of, enforcement of, or adherence to a policy are all responsibilities that must be assigned to individuals within an organization. If these roles are not defined, a policy effectively doesn't apply to anyone and becomes just another document.

Desktop Security Policy

Desktop security policies vary between organizations as well as within an organization. Predominantly, specific desktop security policies are managed with GPOs to control or lock down the client machines. It's also important to have clearly defined security policies documented in the employee forms mentioned earlier in this chapter.
Security policies relating to the desktop that may be enforced using a GPO or other means must support the formal, documented security policies for the organization. For more information on GPOs and how they can be applied to network clients, refer to Chapter 29, "Group Policy Management for Network Clients." Another variance in how desktop security policies apply may depend on what the users' responsibilities and roles are within the organization. For example, you may require more control of the desktop for data entry workers than for knowledge workers. Some possible desktop security policies to consider implementing include, but are not limited to, the following:
Application Security Policy

The basic reason you should consider application security policies is that any invoked application or code can potentially identify or exploit security holes. A human resources (HR) application, for example, may unintentionally give access to confidential information after a specific key sequence is pressed. As a best practice, consideration should be made for reviewing and documenting the following application-level security policies:
An organization can benefit from many other possible application security policies. The type of security policy that you have will depend on business requirements. In any case, thoroughly reviewing and documenting these application security policies can benefit the network environment by tightening application security.

Network Security Policy

Network security policies are intended to provide specific and often detailed guidelines and rules to keep the network environment running optimally and securely. Specific policies should be set regarding network access, firewalls and required filtering, specific address or time restrictions, and much more.

Note: In addition to evaluating the best practices and recommendations regarding security in this book, it is also recommended to use the best practices compiled by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). Both agencies provide security lockdown configuration standards and guidelines that can be downloaded from their Web sites (http://www.nist.gov and http://www.nsa.gov, respectively).

Both LAN and WAN environments should have security policies in regard to how and when the network is accessed. LAN and WAN environments are typically protected by firewalls or other security devices, but placing security policy restrictions on how and when users can access the network further tightens security. If the network access security policy states that users are required to use virtual private network (VPN) connections or Terminal Services instead of dial-up to gain remote access, a possible intruder's options are further limited. Additional policies may also limit how VPN or Terminal Services connections can be made and what specific configurations are required (for example, every VPN must use L2TP and IPSec). Network access auditing policies are also a recommended measure to monitor the environment.
Reviewing audit logs on a predetermined schedule can identify possible attempts and security breaches.
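The scheduled audit-log review the preceding sentences call for, as an added example that is not from the book: a Python script that reads constructed logon events (the comma-separated layout, account names, and addresses are assumptions, not a real export format) and flags an account and source with repeated failed logons inside a time window, marking whether a successful logon followed the burst.

```python
# Added example of a scheduled logon-audit review; the log lines below are
# constructed for this example and the field layout is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security Log event IDs: 4625 = failed logon, 4624 = successful logon.
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"

SAMPLE_LOG = """\
2024-03-01T02:10:01,4625,jdoe,203.0.113.7
2024-03-01T02:10:04,4625,jdoe,203.0.113.7
2024-03-01T02:10:09,4625,jdoe,203.0.113.7
2024-03-01T02:10:15,4625,jdoe,203.0.113.7
2024-03-01T02:10:22,4625,jdoe,203.0.113.7
2024-03-01T02:10:30,4624,jdoe,203.0.113.7
2024-03-01T09:15:00,4625,asmith,192.0.2.20
"""

def parse_events(text):
    """Parse 'timestamp,event_id,account,source' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, source = line.split(",")
        events.append((datetime.fromisoformat(ts), event_id, account, source))
    return events

def review_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (account, source) pairs with >= threshold failures inside the window,
    and record whether a successful logon followed the burst (a stronger signal)."""
    failures = defaultdict(list)
    findings = {}
    for ts, event_id, account, source in sorted(events):
        key = (account, source)
        if event_id == FAILED_LOGON:
            failures[key].append(ts)
            # keep only the failures that fall inside the sliding window
            failures[key] = [t for t in failures[key] if ts - t <= window]
            if len(failures[key]) >= threshold:
                findings.setdefault(key, {"failures": 0, "success_after": False})
                findings[key]["failures"] = len(failures[key])
        elif event_id == SUCCESS_LOGON and key in findings:
            findings[key]["success_after"] = True
    return findings

if __name__ == "__main__":
    for (account, source), info in review_logons(parse_events(SAMPLE_LOG)).items():
        print(f"{account} from {source}: {info['failures']} failures in window, "
              f"success afterwards: {info['success_after']}")
```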