Chapter 4. Developing Security Policies
In information security, everything we do, or at least everything we should do, is about risk management. All the security tweaks we make, all the patches we install, the firewalls we build: it all boils down to risk management. Almost every day, we get a question from someone about some particular security-related setting and whether to turn it on or not. We always respond by asking what their security policy says about it. Usually the response is that they do not know or do not have one.
Without a security policy, you cannot have an effective network protection strategy. The security policy is what tells you what threats you are facing, which ones you are willing to accept, and which ones you want to mitigate. Far too often these days, people do not stop to think about the threats they are facing, and how likely they are, before they start applying security measures. Usually, they try to justify these security measures as "defense in depth." Defense in depth has become a catch-all phrase referring to security (and sometimes nonsecurity) measures that we cannot justify otherwise. As covered in Chapter 1, "Introduction to Network Protection," security measures very often end up interfering with usability. Therefore, implementing security measures that do not mitigate any realistic threats is undesirable. Only by having a security policy that lays out the risk management strategy you should follow can you decide which threats must be accepted (we will live with it), transferred (we will buy insurance), or mitigated (we will deploy some security technology or process). After you have that policy in place, you can start applying defense in depth. In this chapter, we take a look at the basics of creating a security policy.