Creating a Corporate Security Policy

A corporate security policy is a necessary piece of any network design effort. Security is as important to a network design as bandwidth requirements and the choice of network protocol. Failing to consider security during the design stage leads to situations where security must be retrofitted later at extra effort. Security measures incorporated within the design are much easier to implement, generally less expensive, and usually more robust. The corporate security policy is a formal statement that specifies a set of rules that users must follow when gaining access to corporate assets.

You need to differentiate the security policy from the technical design of the security features. For example, a proper security policy does not state that a PIX 515 Firewall will be used on Internet connections. Instead, a well-formed security policy states that a firewall will be used on Internet connections and that this firewall will have certain minimum capabilities. The network security administrator chooses the best equipment and configurations to accomplish the goals, using the policy as a guide.

For a security policy to succeed, some general guidelines must be followed:

  • Management must support the policy.

  • The policy must be technically feasible.

  • The policy must be implemented globally throughout the company.

  • The policy must clearly define responsibilities for users, administrators, and management.

  • The policy must be flexible enough to adapt to changing technologies and company goals.

  • The policy must be understandable.

  • The policy must be widely distributed.

  • The policy must be enforceable.

  • The policy must provide sanctions for users who violate it.

  • The policy must contain a response plan for when security breaches are exposed.

Once a security policy is implemented, the company will see a number of benefits. Some of these benefits include:

  • A framework from which all security efforts are built.

  • Lessened uncertainty about whether an action is permissible.

  • A basis for punitive action to be taken in cases of unacceptable network usage.

  • A comprehensive system for auditing security efforts.

As defined in “The Site Security Handbook” (RFC 2196), a security policy does not dictate how a business runs. Rather, the business needs dictate the security policy. The policy does not dictate the exact equipment or configuration to be used; instead, it gives guidance to the administrator.
