Establish a Bullet-Proof Security Policy

With worldwide connections, someone can get into your system in the middle of the night when your building is locked up. In this two-part article, you'll learn how create a comrehensive security policy for your network or enterprise. You'll get a template for identifying assets, how to determine what resources you'll require, end-user education, and handle violations.

 By Elizabeth Ferrarini
Page 1 of 4
Print Article

A remote access e-mail gateway will enable your employees to get to their e-mail while they're away from the office. However, this same gateway can also provide intruders with a side door to your network. Likewise, a FTP server will enable customers anywhere in the where instantly to get fixes for your software products. On the other hand, intruders might use your ftp server as an electronic tunnel to valuable corporate data.

With worldwide connections, someone can get into your system in the middle of the night when your building is locked up. The Internet allows the electronic equivalent of an intruder who looks for open windows and doors. Now, a person can check for hundreds of vulnerabilities in just a few hours.

Every organization requires some type of a network site security policy. This will serve to protect its valuable assets -- everything from systems to data. The policy guidelines presented here will help you to establish an enterprise-wide program of how both internal and external users interact with a company's computer network, how the corporate computer architecture topology will be implemented, and where computer assets will be located.

To create a good site policy for computer security, you'll need to do two things: determine the expectations of proper computer and network use, and the procedures to prevent and respond to security incidents. To this end, you, working with your policy committee, need also to consider and to agree upon the following:

  • The organization's goals and direction. A university with building spread across a large campus will have different security concerns than a corporation in an office park.
  • The site security policy has to conform to existing policies, rules, regulations, and laws the organization must adhere to. You'll, therefore, have to identify and consider these things while you develop the policy.
  • If your network extends outside your facility, you'll have to consider security on perhaps a global scale. The policy should address local security issues caused by a remote site, as well remote system security issued caused by a local host or user.

Next, you'll need to look at whom, besides yourself, will devise the network site security policy. Policy creation should consist of a representative group of decision makers, technical personnel, and day-to-day users from different levels within the organization. Decision makers should have the power to enforce the policy. Technical personnel should advise on the ramifications of the policy. Likewise, day-to-day users should have a say in how easy or difficult the policy will be to carry out.

Developing a security policy requires that you identify the organizational assets, identify the threats, evaluate the risk, evaluate and implement the tools and technologies available to meet the risks, and develop a usage policy. In addition, you'll need to devise audit procedures for how to do timely reviews of the network and server usage, and how to respond to violations or breakdown. Finally, you'll need to communicate information the policy to everyone (both employees and contractors) who uses the computer network. Plan to review the policy regularly.

This article was originally published on Oct 4, 2001
Get the Latest Scoop with Networking Update Newsletter