Lesson 1: Defining a Security Policy

Defining an organization's security policy is the first step in designing an organization's security. The security policy defines the attitude that the organization will take toward the security of its resources. This includes the value placed on resources held by the company and what the organization deems to be acceptable risk for the protection of those resources.

After this lesson, you will be able to

  • Define the function of a security policy

Estimated lesson time: 30 minutes

A security policy defines an organization's security expectations. Once a security policy is developed, an organization can use it as a guideline for developing future security plans.

The security policy defines the security needs of an organization by identifying the following:

  • Resources to be protected. Several resources in an organization may require protection, including hardware, software, and data. In some situations resources may include the people who know the security designs implemented for an organization.
  • Threats faced by the resources. By identifying the threats that an organization's resources face, an organization can assign a value to the potential loss if the resource is compromised. Typical threats include unauthorized access to a resource and denial of service, where the resource can't be accessed by those who legitimately need it.
  • Probability of the threat occurring. Before developing a security plan to minimize the effect of a specific threat, an organization must evaluate how likely the threat is.

By identifying the resources, the threats, and the probabilities of the threats, your organization will be able to design a security policy that addresses each threat and recommends a course of action to take if the threat occurs.

While it seems that organizations would assign maximum security to all their resources, costs often limit security implementations. These costs aren't only financial costs, but also performance and ease-of-use costs.

Evaluating the True Cost of a Threat

You determine the true cost of a threat by weighing the value of each resource that must be secured against the probability of the threat occurring, rather than by looking at the resource's value alone. For example, say that an organization has two resources: a processing machine worth $20 million and an information database valued at $2 million. At first glance, security efforts should be directed to securing the more expensive processing machine.

If you then factor in the probability of a threat taking place against the two resources, you get a better idea of the true cost associated with each resource. If the probability of an attack against the processing machine is 4 percent and the probability of an attack against the database is 50 percent, the expected losses tell a different story. The processing machine's expected loss is $20 million × 0.04 = $800,000, while the database's expected loss is $2 million × 0.50 = $1 million. The less expensive database is actually the greater risk.

When comparing the value of resources in order to determine the threats those resources face, always factor in the probability that the threat will occur.

Generally, you define the security policy based on trade-offs between

  • Functionality versus security. Sometimes an organization requires the use of a service on the network. The service provides some form of functionality to the organization even though the service introduces security risks. In this case the security plan costs must not outweigh the benefit received by the service's added functionality.
  • User convenience versus security. The policy must identify when security becomes a barrier to users performing their jobs. For example, if smart cards are required for logon and a user forgets her smart card, the user won't be able to connect to the network.
  • Cost versus security. The policy must propose security plans that fall within the organization's budget. If the security level required by the policy isn't affordable, the policy can't be followed and must be revised.
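The expected-loss calculation from "Evaluating the True Cost of a Threat" and the cost-versus-benefit test implied by the trade-offs above can be made concrete. The following is an added example, not code from the training kit: it computes the expected loss for the two resources the lesson describes, ranks them, and then asks whether a candidate safeguard is worth its cost. The safeguard figures (residual probability and annual cost) are constructed for the example and do not come from the lesson.

```python
"""Expected-loss ranking and safeguard cost/benefit check.

Added example (not from the MCSE training kit). The two resources and their
values and probabilities are the ones the lesson uses; the safeguard numbers
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Resource:
    name: str
    value: float        # loss in dollars if the resource is compromised
    probability: float  # probability that the threat occurs in the planning period


def expected_loss(resource: Resource) -> float:
    """Expected loss = resource value x probability of the threat occurring.

    This is the "true cost" the lesson describes: a cheap resource that is
    very likely to be attacked can outrank an expensive one that rarely is.
    """
    if not 0.0 <= resource.probability <= 1.0:
        raise ValueError(f"{resource.name}: probability must be between 0 and 1")
    if resource.value < 0:
        raise ValueError(f"{resource.name}: value must not be negative")
    return resource.value * resource.probability


def rank_by_expected_loss(resources: Iterable[Resource]) -> List[Resource]:
    """Order resources so that the one deserving the most attention comes first."""
    return sorted(resources, key=expected_loss, reverse=True)


def safeguard_is_worthwhile(resource: Resource,
                            residual_probability: float,
                            annual_cost: float) -> bool:
    """A safeguard pays for itself when the expected loss it removes exceeds its cost.

    residual_probability is the probability of compromise *after* the safeguard
    is in place; annual_cost is what the safeguard costs per planning period
    (money, but in practice also performance and ease-of-use, converted to dollars).
    """
    after = Resource(resource.name, resource.value, residual_probability)
    benefit = expected_loss(resource) - expected_loss(after)
    return benefit > annual_cost


# The two resources from the lesson.
LESSON_RESOURCES = [
    Resource("processing machine", 20_000_000, 0.04),
    Resource("information database", 2_000_000, 0.50),
]


if __name__ == "__main__":
    for r in rank_by_expected_loss(LESSON_RESOURCES):
        print(f"{r.name:22} value ${r.value:>12,.0f}  p={r.probability:.2f}"
              f"  expected loss ${expected_loss(r):>12,.0f}")

    database = LESSON_RESOURCES[1]
    # Constructed safeguard figures (assumption, not from the lesson): a control
    # that cuts the database's attack probability from 50% to 10% and costs
    # $600,000 per year. Benefit = $1,000,000 - $200,000 = $800,000 > $600,000.
    print("safeguard worthwhile:",
          safeguard_is_worthwhile(database, residual_probability=0.10,
                                  annual_cost=600_000))
```

The ranking reproduces the lesson's figures ($800,000 for the processing machine, $1 million for the database), and the safeguard check is the same comparison the "Functionality versus security" and "Cost versus security" trade-offs call for: a control is justified only while the expected loss it prevents exceeds what it costs.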

After defining a security policy, you must make the policy visible throughout the organization. All employees in the organization must be aware of the policy so that they can help ensure that the principles outlined in the security policy are upheld. Employees must feel that management supports the security policy. If management doesn't appear to support the policy, employees will hesitate to follow the policy guidelines.

The organization must use the security policy for guidance when designing all security plans. If the policy doesn't provide this guidance, the organization should reevaluate its security policy to ensure that it reflects its security goals. For example, if your organization's security policy dictates that the strongest available forms of encryption must be used to protect all transmitted data, your security design should configure Secure Sockets Layer (SSL) to require 128-bit encryption.


RFC 2196 contains best practices for designing security policies. You can obtain a copy of this RFC by going to www.rfc-editor.org/rfc.html and searching for "RFC 2196."

Making the Decision

You make the following decisions when designing a security policy for an organization:

  • Identify resources that require protection. You must identify which resources are critical to the organization's operation or contain sensitive data that shouldn't be revealed to outside entities.
  • Determine the value of the resources. Sometimes a resource's value is more than its actual worth in dollars. If a resource is the only product that a company produces, the loss or exposure of this resource's details could lead to the company's demise.
  • Determine the acceptable level of risk for the organization. Each organization has different levels of acceptable risk. Generally an organization determines an acceptable risk by weighing the risk's probability and the cost associated with mitigating the risk.
  • Develop recommendations for mitigation. The security policy should include actions that must be taken if a threat occurs.
  • Ensure that the policy is distributed throughout the organization. For the policy to be effective, all personnel in an organization must be familiar with it.

Applying the Decision

Fabrikam has problems because it doesn't have a security policy. Fabrikam must develop a security policy that defines the methods the company will use to protect its resources. For example, Fabrikam's security policy should clearly define what levels of encryption must be used to encrypt stored and transmitted data. The resources that require protection are the data related to the projects that the company develops with its clients, including the Department of Defense. Fabrikam must ensure that its security policy defines how it will handle break-ins. Whatever security policy it develops, the company must ensure that its employees receive that information so they know what actions to take to uphold the policy.

Without a security policy, it's difficult to develop a functional security plan. The policy guides the security plan's developers to ensure that the organization's security goals are met.


For Microsoft's recommendations on what to include in a security policy, please see the Security Planning white paper by going to http://www.microsoft.com/technet and searching for "Security Planning."

Lesson Summary

An organization must develop a security policy that defines the organization's view on security issues. The policy helps the organization define appropriate levels of security for all security plans. Without such a policy, there's no conformity in the security configuration of resources. And the lack of conformity brings the potential for security weakness.

Microsoft Corporation - MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security
ISBN: 0735611343
Year: 2001
Pages: 172
