I opened Chapter 1 by saying, "Hardening your network infrastructure is a long process that, if done properly, never really ends; rather, it becomes part of your routine." A well-designed and well-written security policy is the guide you will use along that process to ensure that hardening your network becomes a part of your daily routine. A popular self-help book called The 7 Habits of Highly Effective People: Powerful Lessons in Personal Change (Stephen R. Covey, Fireside, 1989) details how effective people form habits that contribute to their success. These aren't tasks or actions they just do some of the time; rather, they incorporate these ideals into their daily lives and make it a habit to do these things.
Your security policy should be approached from that perspective. It should become habit for you to design and implement technologies and processes on your network using the guidelines defined in your security policy. In fact, a well-written security policy should become a standard operating procedure of sorts that can be used by anyone in the organization as a reference of what to do and how to do it.
Before you make any changes to your network, be it adding new devices or simply rearranging devices, you should review your security policy to make sure that whatever you are undertaking is in compliance with it. If it isn't, either the security policy needs to be updated or the changes you are making need to be reviewed.
In this chapter, we are going to look at the following aspects of a security policy:
What the role of a security policy is
What the components of a security policy are
What specific points your security policy should address
Why security policies fail and how to ensure yours won't
In addition to this chapter, you should read RFC 2196, Site Security Handbook, located at http://www.ietf.org/rfc/rfc2196.txt, and RFC 2504, Users' Security Handbook, located at http://www.ietf.org/rfc/rfc2504.txt. In addition, ISO 17799 is a detailed standard covering ten sections that provide detailed information about what your security policy should contain. Unfortunately, like many ISO standards, this document is only available by purchase at www.iso.org. Virtually all security policy concepts have a foundation and basis in the concepts and recommendations of these two RFCs and the ISO standard.