Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains

The previous section provided a foundational understanding of each of the seven domains. In this section, you will examine the business challenges and risks in each domain. You will also learn how the proper application of security policies can mitigate many of these risks.

User Domain

An efficient organization requires the proper alignment of people, processes, and technology. As with most technology problems that are enormous in size, scope, and complexity, the best approach is to break the problem into manageable pieces. In this case, the business goal is an alignment that produces consistent, repeatable, high-quality results. The challenge is that humans are not always predictable or consistent, so any process that relies on humans must reinforce good behavior and verify results often. This cycle of education, monitoring, and adjusting behavior never ends when implementing security policies.

Employee efficiency starts with well-defined policies that reflect the organization’s reasonable expectations. Security policies must closely align with business requirements. This alignment helps employees understand the importance of the policy to the organization. It also ensures that security policies support business goals. One of the major business challenges is getting employees to follow policies. There are several ways good security policies can mitigate this risk, as follows:

  • Awareness—Policies require employees to receive formal security awareness training. Most importantly, this training lets employees know where to go for help when the unexpected arises. The training also sets expectations on the handling of sensitive information that needs to be protected, such as ensuring customer privacy.
  • Enforcement—Security controls flow from security policies. These controls are designed to enforce how the business wishes to operate. Among the most important security controls are those that enforce segregation of duties. Segregation of duties, or separation of duties, means a single person cannot execute a high-risk transaction, for example, wiring large sums of money out of a bank. Typically, this requires one person to request the wire and a manager to approve the transfer.
  • Reward—Refers to how management reinforces the value of following policies. An organization should put in place both disciplinary actions for not following policies and recognition for adhering to policies. This could be as simple as noting the level of compliance to policies in the employee’s annual review.
  • Monitoring—It’s not enough to publish well-defined security policies. You have to know they are working. Monitoring can take many forms. Typically, it is a combination of quality assurance and quality control. Quality assurance is about verifying and approving actions before they occur. Quality control is about sampling work that has already been done to ensure that, collectively, actions meet standards. This combination of two types of monitoring can be used to drive enforcement and improve awareness.
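As an added example (not part of the original text), the following Python code shows how the segregation-of-duties rule described under Enforcement can be enforced in an application rather than left to procedure: a wire at or above a threshold needs a requester and a separate approver who holds the manager role, and the requester can never approve their own request, even if they also hold the manager role. The roles, the threshold, and the transaction model are assumptions for illustration only.

```python
"""Two-person control for high-risk transactions (added example).

Assumptions: a bank-style wire workflow, a dual-control threshold of $10,000,
and two roles, "teller" and "manager". Nothing here comes from a real system.
"""
from dataclasses import dataclass
from typing import Optional, Set

WIRE_DUAL_CONTROL_THRESHOLD = 10_000  # assumed policy value, in dollars


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class WireRequest:
    request_id: str
    amount: int
    requested_by: str
    approved_by: Optional[str] = None
    status: str = "pending"


class PolicyViolation(Exception):
    """Raised when an action would violate segregation-of-duties policy."""


def request_wire(request_id: str, amount: int, requester: User) -> WireRequest:
    """Step one: anyone with a transacting role may request a wire."""
    if not requester.roles & {"teller", "manager"}:
        raise PolicyViolation(f"{requester.name} may not request wires")
    req = WireRequest(request_id, amount, requested_by=requester.name)
    if amount < WIRE_DUAL_CONTROL_THRESHOLD:
        req.status = "approved"  # low-value wires need only one actor
    return req


def approve_wire(req: WireRequest, approver: User) -> WireRequest:
    """Step two: a different person, holding the manager role, approves."""
    if req.status != "pending":
        raise PolicyViolation(f"{req.request_id} is not awaiting approval")
    if "manager" not in approver.roles:
        raise PolicyViolation(f"{approver.name} lacks the manager role")
    if approver.name == req.requested_by:
        # The segregation-of-duties check proper: the same identity may not
        # hold both halves of the transaction, whatever roles it has.
        raise PolicyViolation("requester may not approve their own wire")
    req.approved_by = approver.name
    req.status = "approved"
    return req


def execute_wire(req: WireRequest) -> bool:
    """Final gate before money moves; re-checks the invariant rather than
    trusting that the earlier steps were called in the right order."""
    if req.status != "approved":
        return False
    if req.amount >= WIRE_DUAL_CONTROL_THRESHOLD and (
        req.approved_by is None or req.approved_by == req.requested_by
    ):
        return False
    return True
```

The point of `execute_wire` re-validating the request, instead of trusting the `status` field, is that the final step is the one that actually moves money; a bug or a tampered object that marks a large wire "approved" without a distinct approver is still refused there.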

Another business concern is handling sensitive information in physical form, such as reports. As noted earlier, many organizations have a clean desk policy. This policy generally requires employees to lock up all documents and digital media at the end of a workday and when not in use. Compliance checks are relatively easy because any report or CD left out overnight is a violation of policy. This protects customer privacy and reminds employees of the sensitivity of company information. It also sets the right image for customers and vendors who may be visiting the office.

Security policies also ensure that contractors and consultants are properly vetted before gaining access to company information. This includes performing background checks. Employees and nonemployees alike must follow security policies.

Not all business processes can be standardized. Employees sometimes transfer knowledge by word of mouth, such as how to run some nonstandard transaction. The potential for significant failure in these processes may exist. At a minimum, when a failure occurs, the security policies ensure the process and related data can be restored.

Workstation Domain

Locking your front door but leaving your window wide open is not good security. Let’s assume you have good authentication and you know who is signed onto your network. However, if a workstation is breached, you could have malicious software compromising your network whenever the authorized user connects.

The ramifications of a security breach are more severe for some organizations that are regulated. The expectation is that leading practices are being applied to prevent such breaches. Security policies help identify those practices and ensure they are applied to protecting the workstation. That includes ensuring that all workstations that access the network are patched and have antivirus software installed. The business may not be aware of many of these basic common controls expected by regulators. The security policies ensure such controls are in place and help ensure regulatory compliance.

Effective security is often a matter of determining some basic security configuration rules and applying them consistently across your enterprise. Applying such security without disrupting the business is a concern. For most organizations, the days of sending a technology person to each desk to configure a workstation are long past. Security policies can help establish a reliable automated patch management process. Security policies can specify the type and frequency of patches to apply. The policies often require IT to test patches in a lab setting before applying them to workstations. Changes are made at night so there is a minimal impact on the company’s day-to-day operations.

Security policies also reduce the risk of malware by limiting what users can do on workstations. Usually an end user does not have administrative rights on a workstation. This means the end user cannot inadvertently install programs, including malware that could enroll the machine in a botnet.

FYI

A botnet is a collection of computers infected by malware loaded onto them by hackers without the knowledge of the computers’ owners. What distinguishes this type of attack from others is its ability to create a vast array of computers that all communicate for a single purpose. For example, a botnet can be used to launch a distributed denial of service (DDoS) attack from millions of points across the globe.

If they cannot breach your company’s network directly, hackers often attempt to breach a workstation and infect it in some manner. The attempt is to either capture information from the workstation or use the workstation as a way to access the protected network. Security policies are good at outlining the rules for protecting workstations. One good example is encrypting laptop hard drives. This has become standard practice in many industries. With the increase in mobile computing, sensitive data leaves networks more easily and more often. As a result, many companies that handle sensitive information encrypt their employees’ laptop hard drives. In that way, if the laptop is lost or stolen, the sensitive data is protected.

Many security policies require the encryption of data whenever the information leaves the protection of the network. This includes encrypting data over the Internet; in emails; and on mobile devices and media such as universal serial bus (USB) drives, CDs, smartphones, tablets, and laptops. Despite these efforts, 2019 was a record year for data losses due to breaches, according to a study published in February 2020. The study noted 3,800 recorded incidents, resulting in 4.2 billion records being exposed. This illustrates the need to have strong policies, monitoring, and enforcement.

Security policies that set encryption standards need to ensure the vendors and contractors follow the same policies that employees are required to follow.

LAN Domain

Many organizations have discovered that granting mobile access to business applications can increase productivity and revenue. A LAN is all about connectivity for the business. The more easily you can be connected to a LAN, the faster you can start accessing and exchanging data. Wireless and mobile computing have changed the way people understand LANs. This new view affects the perception of LAN and Remote Access domain issues.

Wireless connectivity allows you to view the LAN more broadly than the computer on your desktop. Handheld devices allow you to extend the LAN out of the office and into the business. In other words, you can connect to the network and access or exchange information where the product or service is being made or delivered. Here are a few examples of how using wireless technology can extend the LAN into the business:

  • Health care—Healthcare providers can access real-time patient information or medical research from a patient’s bedside. These devices enhance collaboration for more accurate diagnoses. These devices can also track medical equipment to ensure availability at critical times.
  • Manufacturing—Wireless connectivity allows employees to share real-time data on the factory floor.
  • Retail—Wireless access to a LAN helps retailers place intelligent cash registers where there is no network wiring. This network access allows retailers to manage inventory, check customers out faster, and print the latest promotion coupons from the register.

Extending the LAN has many advantages over just connecting a standard PC. LANs today can carry voice, video, and traditional computer traffic. Voice over Internet Protocol (VoIP) allows you to place and receive phone calls over a LAN or WAN. This has become popular for both home and business because of the cost savings over traditional telephone systems. Rather than incurring high flat-rate fees and per-minute call charges, most VoIP services charge a low flat-rate fee. New companies continue to enter the market offering less expensive voice and video solutions over the Internet.

NOTE

LANs today often carry physical security information, such as video feeds. With this expanded capability, you can see the growing integration of logical and physical security. For example, employee card access is tightly aligned with an individual’s logical security access. These work together both to control the room one can access and to restrict the computers one can access once one is in the room.

Organizations often view LANs much like utilities such as electricity, water, or gas. The organization expects the LAN to always be available and always have capacity. It’s also thought of as a commodity that should be inexpensive to install and run. This puts tremendous pressure on LAN resources. Available bandwidth within the LAN, for example, shrinks as new services such as VoIP and video are added.

It’s not uncommon to have security policies limit the use of live video, music feeds, and social media sites. They can represent hours of lost employee and contractor productivity. These feeds also take up significant bandwidth. For example, as far back as 2012, Procter & Gamble, with 129,000 employees, used security policies to stop video and music feeds. Many such policies can be enforced at the firewall, cutting off the source of video and music from the Internet. However, with the Covid-19 pandemic in 2020, many companies depended on video for remote workers.

Even with these business challenges, the benefits of extending a LAN beyond the workstation are enormous and include enhanced productivity, collaboration, and responsiveness.

NOTE

Bandwidth is a measurement that quantifies how much data can be transmitted over the network in a given time. When a LAN approaches its maximum bandwidth, traffic is queued or dropped, which shows up as delays, retransmissions, and timeouts.

LAN-to-WAN Domain

A major concern of organizations is protection of the servers in the DMZ. In other words, are the website servers protected? Organizations are particularly concerned about website availability and integrity. The websites for many organizations represent their public image and, for companies, their major sales channel.

Security policies set strict rules on how DMZ traffic should be limited and monitored. Security policies outline how the DMZ server should be configured and how often security patches should be applied. Security policies also outline how often external penetration testing is conducted. Penetration testing probes the network for weaknesses and vulnerabilities from the outside looking in. Penetration testing is required by many standards and is considered a best practice; for example, if you accept or process credit cards, PCI DSS requires penetration testing.

NOTE

An organization’s reputation can be diminished by the appearance of web graffiti on its website. Web graffiti is a result of website defacement, in which a website is breached and its content altered, usually in a way that embarrasses the website owner. Web graffiti can contain abusive language or even pornographic images.

However, these rules and limitations put onto the DMZ create their own risks. DDoS attacks typically attempt to overwhelm the DMZ’s capacity so that servers crash or become unreachable. Every filtering and inspection device you add to the DMZ is another component that must process each packet, so the more limits you put on the traffic, the more you have to test whether those components, not just the servers behind them, can withstand a DDoS attack. It’s not enough just to limit traffic; the policy must also ensure that systems stay available.

WAN Domain

When it comes to WANs, an organization is generally concerned about cost, reliability, and speed. As discussed earlier in the chapter, many organizations use virtual private networking to protect and secure communications over the Internet. With most organizations having already incurred the cost of Internet connectivity, the use of secure communications over the Internet is now seen as a de facto standard.

Cost-wise, a VPN over the Internet is the right choice. The cost is modest. Because most organizations already have Internet connectivity, IT can quickly deploy VPN technology. It could be as easy as installing devices and exchanging keys to establish a VPN tunnel.

NOTE

With virtual private networking, you “tunnel” through the public Internet to reach a specific site. Typically, two VPN devices establish a site-to-site VPN tunnel. Both devices are usually preconfigured with keys so only these devices communicate with each other. Once the tunnel is established, it can link entire LANs. A remote office, for example, can link to headquarters.

The reliability of a VPN depends on your Internet service provider (ISP). Because your traffic crosses a public network, you can experience reliability issues even if your ISP guarantees a level of service; the ISP controls only its own part of the path. Think of the Internet like a road system. You have local roads, main arteries, and superhighways. Some ISPs advertise how many hops away from the Internet backbone they are. The Internet backbone represents the superhighway in our road system and can handle the fastest traffic. In theory, the fewer hops it takes to get to the backbone, the faster your access. A hop is one router that a packet passes through on the way to its destination; the hop count is the number of routers along the path. If you have to go through a lot of back roads to get to your destination, it takes a lot longer than if you live close to a superhighway. The same holds true for Internet traffic. Many large organizations connect to multiple ISPs. This gives the redundancy needed in the event a single ISP fails to deliver the needed connection speed.

Although speed over the Internet continues to improve, it’s not an unlimited resource. To control usage, many ISPs limit bandwidth. As upper limits are reached, some customers may be transferred to slower network connections. This may be acceptable for a home user; however, for a business this could be devastating. Businesses often require consistent response times for the customer. To achieve that, they pay a premium to the ISP. This premium places the business on a less crowded network connection that has excess capacity to ensure the response level does not fall below a prescribed level. This makes predicting reliability less of a challenge.

Deciding on a public or private WAN solution for your organization depends on your requirements and budget. Small organizations have few options. For large enterprises, both WAN options are available.

NOTE

Private WANs are point-to-point solutions that are not publicly shared and thus are usually not encrypted. Keep in mind that “private” describes the logical circuit, not the carrier’s physical infrastructure, which is shared with other customers; organizations that handle sensitive data often encrypt traffic over private WAN links anyway. Service providers of private WANs can guarantee upload and download bandwidth consistency.

Security policies outline how each connection type should be configured and protected. The security policies also outline roles and responsibilities. Keep in mind that the service provider typically configures private WAN security. Therefore, your security policies need to include how to deal with the vendor and how to validate the security configuration. Companies of any size can manage security for Internet-based VPN solutions in-house.

Remote Access Domain

When it comes to remote access, organizations are concerned about flexibility, reliability, and speed. As discussed, extending the LAN into the business where products are produced and services delivered has tremendous benefits. This is also true for extending the LAN anywhere in the world. This is where remote access concerns need to be addressed.

When it comes to flexibility, employees cannot be tethered to their desktops. Laptops have broken that tie, allowing employees to connect to the company network wherever there is an Internet connection. Wireless connections further extend the flexibility of laptops. Today, travelers and mobile employees often use a laptop with a mobile hotspot to access the Internet and the work network. A mobile hotspot can be a personal device that connects to the cellular network, as a phone does, and shares that broadband Internet connection with a laptop. These personal hotspots typically support connections for four to eight devices. Hotspot can also refer to a fixed Internet access point available to the public; for example, coffee shops often provide hotspot access to the Internet for their customers.

Mobile devices and broadband are becoming very reliable; however, the speed and reliability with which they can access and exchange data depend on location and carrier. Much like cell phone coverage, mobile broadband coverage is spotty at times. Despite their drawbacks, mobile devices offer many business benefits, including:

  • Increased customer responsiveness
  • Quick reaction to news and business-related events
  • Advantage of real-time data access

Bring your own device (BYOD) was mentioned previously in this chapter and is a current trend within many organizations. Recall that BYOD refers to allowing employees to bring their own devices to work to access the organization’s data. For example, it could allow employees to access their company email through their personal smartphones. Businesses embrace BYOD to reduce cost and expand connectivity options. Costs are reduced because a company does not have to buy and deploy company-owned mobile devices.

Security depends on your business requirements: how much data you need to send and how fast you need it to arrive. Good examples are smartphones, iPads, and other tablet computers. They are very efficient for gaining access to well-defined applications such as email; however, they do introduce risks and policy questions that must be addressed. Some security policy questions that must be addressed for handheld device use include:

  • Who owns the device?
  • Who has the right to wipe the device if it’s lost or stolen?
  • How do you encrypt data on the device?
  • How do you apply patches?
  • Who’s allowed to have such a device connected to the company network?

With any emerging technology, well-defined security policies help an organization think through these risk decisions. Security policies ensure risk assessments are performed and leading practices are reviewed. This is vital so the organization can understand not only the benefits of new technology, but also the risks.

Security policies should not focus on specific products, but on broader capability. A smartphone can access email but also has a camera. Rather than addressing smartphones, a well-defined policy deals more broadly with mobile email access and acceptable use of digital recordings. By taking this approach as new technology is introduced, the organization covers the capability in the policy. Perhaps the most effective way to address BYOD is through the use of Network Access Control (NAC), which was also briefly mentioned earlier in this chapter.

System/Application Domain

An organization has two main concerns when it comes to information collected, stored, and processed: Is the information safe? Can you prevent confidential information from leaving the organization? These seem like fairly easy questions, but they are complicated to answer.

This chapter has discussed many ways to keep information safe. Security policies ensure risks are evaluated throughout the seven domains. Security policies ensure alignment to business requirements. When risks exist, security policies ensure a risk assessment is performed so that management can make a balanced decision.

In this section, you will focus on the second business concern of how to prevent confidential information from leaving the organization. Security policies define what is usually called a data loss prevention (DLP) program; the terms data leakage prevention and data loss protection are also used. All refer to a formal program that reduces the likelihood of accidental or malicious loss of data.

Company managers worry about secret business information ending up in competitors’ hands. Managers must also protect customer privacy as required by law. The threat is not only external: a disgruntled employee who works in a data-sensitive area of the company already has access and does not need to break in. Your top salesperson might leave the company to work for a competitor and email your entire sales database to a personal Internet account. These are not theoretical losses to a business. You must ensure that all of your potential data leaks, both physical and digital, are plugged.

The concept of DLP comes from the acknowledgment that data changes form and often gets copied, moved, and stored in many places. This sensitive data often leaves the protection of application databases and ends up in emails, spreadsheets, and personal workstation files. Business is most concerned about data that lives outside the hardened protection of an application.

A typical DLP program provides several layers of defense to prevent confidential data from leaving the organization, including:

  • Inventory
  • Perimeter
  • Device management

Inventory

The DLP inventory component attempts to identify where sensitive data may be stored. This includes scanning workstations, email folders, and file servers. The process requires actually inspecting the content of files and determining if they contain sensitive information such as Social Security numbers. Once data locations are identified, reports can be created to compare the security of files with security policies. For example, this helps prevent private customer information from accidentally being stored in a public email folder. Although this is an important capability, it has its limitations. The ability to understand the sensitivity of a file is very difficult to automate. Either you end up having too many false positives or you end up missing the identification of sensitive data.

Perimeter

The DLP perimeter component ensures that data is protected on every endpoint on your network, regardless of the operating system or type of device. It checks data as it moves, including the writing of data to email, optical media, USB devices, instant messaging, and print. If sensitive data is written to an unauthorized device, the technology can block the transfer, quarantine a copy of the file, or allow it while raising an alert. It also stops data loss initiated by malware and file-sharing software that can exfiltrate employee information. Through the logging and analysis server, the DLP perimeter component monitors real-time events and generates detailed forensic reports.

You can also establish and manage security policies to regulate and restrict how your employees use and transfer sensitive data. The perimeter component uses the same basic content-inspection technology as the inventory component, and it has the same limitations. Because you are dealing with data movement, however, you can add rules not found in the inventory process, such as not permitting large database files to be emailed. Because such rules do not depend on content, they can stop an attacker from sending a large volume of data out the door even when content inspection misses it.
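The following Python code is an added example, not part of the original text and not any vendor’s DLP product. It serves both the Inventory and Perimeter discussions above: one content classifier (Social Security numbers with the SSA issuance rules, and card numbers with a Luhn check, so that number-shaped test data and phone numbers do not count as hits), an inventory scan that reports where validated sensitive data sits, and a perimeter check that decides allow, alert, or block for a movement event, including the content-agnostic “large database file by email” rule. The two detectors, the 25 MB limit, the “database” extensions, the channel names, and all file contents and events are assumptions constructed for illustration.

```python
"""DLP content classification and egress checks (added example).

Assumptions: only two detectors (US Social Security numbers and payment card
numbers), a 25 MB e-mail attachment limit, and a fixed list of "database"
extensions. All file contents and transfer events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens; the
# pattern must start and end on a digit so a trailing separator is not eaten.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

MAX_EMAIL_ATTACHMENT = 25 * 1024 * 1024                        # assumed
DB_EXTENSIONS = (".csv", ".mdb", ".accdb", ".bak", ".sqlite")  # assumed
EXTERNAL_CHANNELS = {"email", "usb", "print", "cloud_upload"}  # assumed


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000, 666 or
    900-999, group 00, serial 0000); this cuts false positives sharply."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Dict[str, int]:
    """Count validated sensitive items in a piece of content."""
    ssns = sum(1 for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups()))
    cards = 0
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            cards += 1
    return {"ssn": ssns, "card": cards}


def inventory_scan(files: Dict[str, str]) -> List[Tuple[str, Dict[str, int]]]:
    """Inventory component: list the files that hold validated sensitive data."""
    report = []
    for path, text in files.items():
        found = classify(text)
        if found["ssn"] or found["card"]:
            report.append((path, found))
    return report


@dataclass
class TransferEvent:
    user: str
    channel: str      # email, usb, print, cloud_upload, file_server, ...
    filename: str
    size_bytes: int
    content: str


def evaluate_transfer(ev: TransferEvent) -> Tuple[str, str]:
    """Perimeter component: decide allow / alert / block for one movement."""
    found = classify(ev.content)
    sensitive = found["ssn"] > 0 or found["card"] > 0
    # Content-agnostic rule: a large database export leaving by e-mail is
    # blocked even when no detector fires on its contents.
    if (ev.channel == "email" and ev.filename.lower().endswith(DB_EXTENSIONS)
            and ev.size_bytes > MAX_EMAIL_ATTACHMENT):
        return "block", "large database file sent by email"
    if sensitive and ev.channel in EXTERNAL_CHANNELS:
        return "block", f"sensitive content leaving via {ev.channel}: {found}"
    if sensitive:
        return "alert", f"sensitive content moved internally: {found}"
    return "allow", "no policy match"


# Constructed sample data standing in for scanned files.
SAMPLE_FILES = {
    "/shares/hr/payroll.csv": "name,ssn\nAda,123-45-6789\nBob,000-12-3456\n",
    "/shares/public/contacts.txt": "call 555-123-4567 or ext 12-34-5678",
    "/home/eve/invoice.txt": "card 4111 1111 1111 1111 exp 12/26",
    "/shares/test/fixtures.txt": "test card 1234 5678 9012 3456",
}

if __name__ == "__main__":
    for path, found in inventory_scan(SAMPLE_FILES):
        print(f"{path}: {found}")
    ev = TransferEvent("eve", "email", "invoice.txt", 2_000,
                       SAMPLE_FILES["/home/eve/invoice.txt"])
    print(evaluate_transfer(ev))
```

Note what the validation buys: the payroll file counts one SSN, not two, because 000-12-3456 can never be issued, and the test fixture with a Luhn-invalid card number produces no hit at all. The limitation the text describes is still present: a real SSN written without hyphens, or a card number split across lines, is missed, which is exactly why the size rule in `evaluate_transfer` does not depend on the classifier.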

Device Management

In many ways, mobile devices like smartphones and tablets are mobile external hard drives. They carry the same information that can sit on a workstation or server. When an executive receives an email on an upcoming merger or a doctor gets a message about a patient, the information needs the same protection as if it were on a workstation or server. The information on mobile devices is subject to the same regulatory requirements. This means you must also apply the same level of controls, such as encryption.

The ability to manage these devices from a central service is essential. As new threats are identified, this device management capability is essential to push out patches and ensure controls are working well.

You need a DLP program because loss of confidential data hurts the reputation of a business, discloses competitive secrets, and often violates regulation. Well-defined security policies establish a formal DLP program within an organization.
