Establishing a Security Policy


Every corporation and organization should have a security policy that outlines the acceptable uses of computing resources and the processes in place to protect those systems and the data they hold. Security policies matter because the requirements they spell out define how the various security mechanisms in your organization are implemented. The next sections discuss the need for a security policy.

Understanding the Need for a Security Policy

An organization's security policy may be the single most important document the entity maintains. A security policy is a comprehensive set of rules defining the acceptable use of computing resources. These rules may govern how devices are physically secured, which individuals are allowed to access specific types of information, what kinds of access are permitted into and out of the network, and any other facet of information security.

The state of the security policy at many organizations is dismal. Policies are either generic, having been downloaded or copied from another company's policy, or poorly written. Because such a policy does not match the business, its needs, and its specific computing environment, it is not really valid for that organization and is often ignored or dismissed. Some companies have no written policy at all. The reasons for these problems are manifold; one is that written policies are often crafted in the following way:

  1. An IT manager or employee, tired of addressing crises caused by security issues, realizes that a policy is needed. This person tries to create one through the proper channels, but cannot get anyone interested. As a result, the manager or employee searches the web and finds an example policy somewhere, downloads it, fills in some blanks, prints it out, and calls it the company's policy.

  2. This policy is posted on the company's intranet site, and an e-mail is sent to the rest of the company notifying everyone of its existence. There might even be a voicemail announcement.

  3. The IT manager or employee then finds that no one follows the policy and may at first be puzzled, then dismayed, and finally resigned to this fact as more violations of the policy occur. Calls to other departments are met with stonewalling and outright defiance. Management does not back the policy. In the end, the IT department finds itself with a dusty, worthless tome about which no one cares.

What went wrong here? Why did the policy fail? Why is the IT department still running around putting out fires caused by common and repeated security issues?

The answer is that the pile of paper on the IT manager's desk labeled "Security Policy" is not the policy at all, and never was. The company's real security policy is the collected security beliefs of its decision makers. This is a crucial point. Companies with real and effective policy documents recognize this and attempt to codify those beliefs, then change them where prudent or necessary. An effective policy is a living document, signed and supported by the company's principals and reviewed and modified on a regular basis by a committee representative of the entire organization and its interests.

When an organization has a security policy in place, it can begin to apply the document and its rules to its particular environment. Organizations with truly comprehensive security policies find that what they have created is a roadmap that helps them select and implement the security appliances, mechanisms, and controls that satisfy their particular needs. The organization will also quickly begin to find the weaknesses in its security posture by identifying important resources and the policies that apply to them, and then comparing those requirements against the controls currently in place. This documentation is sure to change over time as the computing and physical environments change; that should be expected and accepted as normal policy maintenance.

Compliance Versus Enforcement

Any security policy, no matter how comprehensive, is valuable to an organization only if compliance with it is mandatory and enforceable. The policy, or the specific portions of it that apply, must be clearly explained to the individuals who need to know it, and in some cases acknowledged by signature.

Any action contrary to the policy should carry defined, non-negotiable disciplinary consequences, because the purpose of the document is to provide a secure and consistent computing environment. Although individual employees are not typically held personally accountable under the laws governing the protection of information such as personal health information (PHI) and the financial information of individuals and organizations, laws such as Sarbanes-Oxley (SOX), California's SB 1386, and HIPAA have introduced high financial penalties and, in some cases, possible jail time for executive-level personnel found in violation. Throughout the remainder of this book, you will learn how CSA (Cisco Security Agent) can help you secure data and protect resources, maintain access to available resources with assurance of data integrity, and enforce your organization's written and accepted security policies.

NOTE

Two good sources of security policy information are the SANS Institute (http://www.sans.org) and the ISO 17799 standard (since renumbered as ISO/IEC 27002).




    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan