A security policy is a document that outlines the protections an organization should enact so that its network stability and assets face minimal risk. It defines how the organization plans to protect the company's network.
The primary purpose of a network security policy is to inform users and staff of the requirements for protecting various assets.
These assets take many forms, including passwords, documents, and even servers. These policies also lay out guidelines for acquiring, configuring, and auditing computer systems and networks.
– Threat: a type of action that has the potential to cause harm to a computer network.
– Threat agent: a person or element that has the power to carry out a threat.
– Vulnerability: a flaw or weakness in a company's network security (e.g. a weak authentication method or a back door).
– Risk: the likelihood that a threat agent will exploit a vulnerability.
Some classifications of network security risks:
1. Compliance – Failing to follow a regulation or standard that applies to the network.
2. Strategic – Actions that affect the long-term goals of the organization, such as unauthorized access to intellectual property on a company database.
3. Technical – Events that affect network systems, such as a DDoS attack or SQL injection.
Three strategies for controlling risks in an organization…
1. Privilege Management: the process of assigning and revoking privileges for users on a network.
2. Change Management: a methodology for making modifications and keeping track of changes, such as new servers or routers being introduced to a network.
3. Incident Management: the framework and functions required to enable incident response.
Things companies consider when creating a network security policy include…
1. What do you have on the network that others want?
2. What processes, data, or information systems are critical to your organization?
3. What would stop your company from functioning?
The answers to these questions identify a wide range of network assets, including:
– Critical databases
– Vital applications
– Personal data
– Shared network storage
– E-mail servers
– Web servers
Network security policies must consider all entities that deal with your network: not only employees, but also end users and anyone who has confidential data on your networks.
Security policies treat employees as potential threat agents as well.
The following structure of a corporate policy is aimed at effectively meeting the needs of every audience on the network.
– Governing Policy: a high-level treatment of the security concepts that are important to the company. Managers and technical staff are the intended audience. This policy section controls all security-related interaction among business units and supporting departments in the company.
– End User Policy: this document covers all security topics important to end users. It answers the "what", "who", "when" and "where" network security policy questions for end users.
– Technical Policies: security staff members use technical policies as they carry out their security responsibilities for the network or system. These policies are more detailed than the others and are system- or issue-specific.