15.1 Enforcing Security Policies

   

After a security policy has been put in place and a network has been secured, a good deal of time should be spent ensuring the security policy is enforced throughout the organization. Obviously, this means that senior management has to express full support of the security policy. It also means that security education of employees should be an ongoing task. Education can be accomplished through security seminars, e-mail newsletters, or other forms of communication. The point is that users should be reminded, at regular intervals, about the importance of security within the network.

Such reminders, or detailed explanations about certain policies, will help keep network security on the mind of all employees. This is not to suggest that reminders need to be daily, or weekly; once a month is a good interval. These updates do not have to cover all aspects of network security; instead, they can focus on one area and give details about the potential security problems with that area. For example, a monthly e-mail security newsletter could be sent to all employees. Each newsletter can focus on a different topic that directly affects users. Topics discussed might include e-mail security, virus scanning, web server security, and so on.

E-mail newsletters are especially effective when changing or introducing a new security policy. Keeping users informed about why a policy is being implemented or changed will cut down on the number of complaints that the help desk has to field. Security policy cannot be implemented based on popular opinion, but security policies are more likely to be adhered to if users, and management, understand the reasoning behind the policies.

In addition to communicating security policies to users, security administrators should work with management and the human resources department to develop a set of repercussions for violating security policies.

Different violations should have different repercussions, depending on the severity of the breach of security. But each policy should clearly state the punishment, or stepped punishment, for violating it. Some violations, such as plugging nonstandard networking equipment into a network, may result in a verbal warning. Other violations, such as sniffing traffic on the network, should result in immediate termination.

Management and human resources will ultimately have to determine how violations of security should be handled, but security administrators will need to explain the severity of violating each policy, so an intelligent decision can be made.

NOTE

Most likely, working with employees who have violated security policies will not be completely new territory for human resources. Many companies have created policies against passing offensive jokes or images via e-mail. These policies may include termination for people who violate them.


After policies have been communicated, and procedures for violations developed, the next step is enforcement. Once again, this requires support from both management and human resources.

A violation may first be noticed by either a manager or a coworker. A policy should be put in place so anyone who notices a security violation can report it and have it quickly investigated, quickly being the operative term. If reports of security violations are responded to 24 or 48 hours after they are reported, users will get the impression that security is not a high priority and will not bother to report future incidents.

If a violation is reported, there should be clear procedures in place to escalate the incident. It should be investigated, and if the incident turns out to indeed be a violation of security policy, the procedures in place should be followed. Oftentimes the manager of the offender should be notified, as well as the human resources department.

15.1.1 Personnel Management

Proper personnel management is important, but network management is equally important. If a serious violation is reported, the user's account should be suspended immediately, and the switch port to which they are connected should also be disabled. This is why a centralized authentication system makes sense in an enterprise network environment. Removing a user from the network only requires a two-step process, as opposed to removing multiple accounts from different machines, which increases the margin for error.

Assuming proper server logging is in place, there should be no additional accounts created on servers for the internal attacker to use to gain access to the server remotely. If there is concern that a rogue account exists, a thorough audit of servers the attacker had access to should be performed, especially if the employee is ultimately dismissed. Shared accounts, such as router or switch usernames and passwords, should also have their passwords changed.
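One way to carry out the rogue-account audit described above is to compare a server's current passwd-format account list against a known-good baseline and flag additions, changes, and extra UID 0 accounts. This is an added example, not from the book; the baseline, the snapshot, and every account name in it are constructed sample data.

```python
"""Audit a passwd-format account list against a known-good baseline."""

# Constructed sample data: baseline taken before the incident, snapshot after.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jsmith:x:1001:1001:J Smith:/home/jsmith:/bin/bash
"""
CURRENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jsmith:x:1001:1001:J Smith:/home/jsmith:/bin/bash
svc_backup:x:0:0::/tmp:/bin/sh
"""

def parse_passwd(text):
    """Return {name: (uid, gid, home, shell)} for each well-formed entry."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; skipped here, review by hand
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = (int(uid), int(gid), home, shell)
    return accounts

def audit_accounts(baseline_text, current_text):
    """Return sorted (finding, account) pairs that need investigation."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, entry in cur.items():
        if name not in base:
            findings.append(("new_account", name))
        elif entry != base[name]:
            findings.append(("changed_account", name))  # e.g. a login shell added
        if entry[0] == 0 and name != "root":
            findings.append(("extra_uid0", name))  # second superuser account
    findings += [("removed_account", n) for n in base if n not in cur]
    return sorted(findings)

if __name__ == "__main__":
    for finding, name in audit_accounts(BASELINE, CURRENT):
        print(f"{finding}: {name}")
```

The baseline is only trustworthy if it was captured and stored off the server before the incident; the same comparison applies to each server the employee had access to.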

These same steps should be followed if an employee leaves the company for whatever reason. Again, it is important to work with management and human resources so that security administrators are notified when an employee leaves the company. The employee's network account, or accounts, should be deleted and their network port disabled. Shared passwords should also be changed.

In addition, when an employee leaves the company, his or her workstation should be audited to ensure there is no company information on it. After the audit, the workstation should be formatted and a fresh install of the operating system completed before it is assigned to a new user. If there are any programs or documents in violation of the security policy found on the machine, a record should be kept of the information.

If a security violation is first noticed by the security staff through one of the monitoring tools in place, extensive documentation of the violation should be completed. This process is discussed further in Chapters 16 and 17. The employee's account should be disabled, and the network port disabled, then either the employee's manager or human resources should be notified, unless other escalation procedures are specified.

Not all violations of an organization's security policy will, or should, result in termination. However, the security staff should always err on the side of caution. In addition to protecting the network, a very strong response demonstrates an organization's commitment to security and will help users realize that they should take security seriously as well.

   


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
