Defining an organization's security policy is the first step in designing an organization's security. The security policy defines the attitude that the organization will take toward security of its resources. This includes the value placed on resources held by the company and what the organization deems to be acceptable risk for the protection of those resources.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
A security policy defines an organization's security expectations. Once a security policy is developed, an organization can use it as a guideline for developing future security plans.
The security policy defines the security needs of an organization by identifying the following:
By identifying the resources, the threats, and the probabilities of the threats, your organization will be able to design a security policy that addresses each threat and recommends a course of action to take if the threat occurs.
While it seems that organizations would assign maximum security to all their resources, costs often limit security implementations. These costs aren't only financial costs, but also performance and ease-of-use costs.
Evaluating the True Cost of a Threat
You determine the true cost of a threat by comparing the cost of the resource and the probability of the threat for each resource that must be secured. For example, say that an organization has two resources: a processing machine worth $20 million and an information database valued at $2 million. At first glance, resources should be directed to securing the more expensive processing machine.
If you then add in the probability of a threat taking place against the two resources, you get a better idea of the true costs associated with each resource. If the probability of an attack against the processing machine is 4 percent and the probability of an attack against the database is 50 percent, the values of the resource risks change. In this case the processing machine's risk-weighted value would be $800,000 (4 percent of $20 million) and the database's risk-weighted value would be $1 million (50 percent of $2 million), so the database is the resource that deserves protection first.
When comparing the value of resources in order to determine the threats those resources face, always factor in the probability that the threat will occur.
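As an added illustration of the risk-weighting rule described above (example code, not part of the lesson), the following Python computes each resource's risk-weighted value, ranks the resources by it, and, as an assumed extension, nets a countermeasure's cost against the expected loss it removes; the $150,000 control and the 20 percent residual probability are constructed figures, not from the text.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    probability: float  # chance the threat occurs in the planning period, 0.0 to 1.0


@dataclass
class Resource:
    name: str
    value: float  # value of the resource in dollars
    threats: list = field(default_factory=list)

    def expected_loss(self) -> float:
        """True cost of the threats to this resource: value weighted by each
        threat's probability, summed over all threats the resource faces."""
        return sum(self.value * t.probability for t in self.threats)


def rank_by_expected_loss(resources):
    """Resources with the highest risk-weighted value come first; these deserve
    security spending before the merely expensive ones."""
    return sorted(resources, key=lambda r: r.expected_loss(), reverse=True)


def net_benefit_of_control(resource, threat_name, residual_probability, control_cost):
    """Expected loss removed by a countermeasure minus what it costs.
    Hypothetical helper: assumes a control lowers one threat's probability."""
    threat = next(t for t in resource.threats if t.name == threat_name)
    loss_removed = resource.value * (threat.probability - residual_probability)
    return loss_removed - control_cost


def page_example():
    """The two resources from the lesson: a $20 million processing machine with a
    4 percent attack probability and a $2 million database with a 50 percent one."""
    machine = Resource("processing machine", 20_000_000, [Threat("attack", 0.04)])
    database = Resource("information database", 2_000_000, [Threat("attack", 0.50)])
    return [machine, database]


if __name__ == "__main__":
    for r in rank_by_expected_loss(page_example()):
        print(f"{r.name}: expected loss ${r.expected_loss():,.0f}")
    # Constructed figures: a $150,000 control that cuts the database's attack probability to 20 percent.
    database = page_example()[1]
    print(f"net benefit of control: ${net_benefit_of_control(database, 'attack', 0.20, 150_000):,.0f}")
```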
Generally, you define the security policy based on trade-offs between
After defining a security policy, you must make the policy visible throughout the organization. All employees in the organization must be aware of the policy so that they can help ensure that the principles outlined in the security policy are upheld. Employees must feel that management supports the security policy. If management doesn't appear to support the policy, employees will hesitate to follow the policy guidelines.
The organization must use the security policy for guidance when designing all security plans. If the policy doesn't provide this guidance, the organization should reevaluate its security policy to ensure that it reflects its security goals. For example, if your organization's security policy dictates that the strongest forms of encryption must be used to protect all transmitted data, you should design the Secure Sockets Layer (SSL) configuration in your security design to require 128-bit encryption.
RFC 2196 contains best practices for designing security policies. You can obtain a copy of this RFC by going to www.rfc-editor.org/rfc.html and searching for "RFC 2196."
You make the following decisions when designing a security policy for an organization:
Fabrikam has problems because it doesn't have a security policy. Fabrikam must develop a security policy that defines the methods the company will use to protect its resources. For example, Fabrikam's security policy should clearly define what levels of encryption must be used to encrypt stored and transmitted data. The resources that require protection are the data related to the projects that the company develops with its clients, including the Department of Defense. Fabrikam must ensure that its security policy defines how it will handle break-ins. Whatever security policy it develops, the company must ensure that its employees receive that information so they know what actions to take to uphold the policy.
Without a security policy, it's difficult to develop a functional security plan. The policy guides the security plan's developers to ensure that the organization's security goals are met.
For Microsoft's recommendations on what to include in a security policy, please see the Security Planning white paper by going to http://www.microsoft.com/technet and searching for "Security Planning."
An organization must develop a security policy that defines the organization's view on security issues. The policy helps the organization define appropriate levels of security for all security plans. Without such a policy, there's no conformity in the security configuration of resources. And the lack of conformity brings the potential for security weakness.