An overview of security policies


Mandy Andress
05.08.2002






Security policies are critical to any security infrastructure, but they are often the last item on the to-do list. When the project is finally started, managers do not know what policies their organization needs or how to develop policies for their company. Finally, once the policies are completed, they usually sit in a desk drawer, only to be pulled out for the auditors. So, what are some of the basic policies in place at most organizations, and -- most importantly -- once the policies are created, how do you manage and enforce them?

Most organizations have several policies, including Acceptable Use, Remote Access, User Account/Password, Firewall and Network Policies. Often, these policies are combined to create a single Corporate Security Policy.

The Acceptable Use Policy outlines what is deemed acceptable activity on the corporate network or on a corporate-owned system. This policy addresses activities such as sending offensive e-mails to co-workers, running password crackers or other malicious applications on the network, installing unlicensed or pirated software, running file-sharing or streaming-media applications and infringing copyright. This policy is also where corporations state that all activity on the network is subject to monitoring; without that notice, the monitoring described later in this tip is on much weaker footing.

The Remote Access Policy describes what responsibilities users have if granted remote access. This usually includes a discussion of due care for the asset being used if it belongs to the organization, who can use the system remotely and how the system must be protected (antivirus, personal firewall, etc.). The policy can also state that only company-owned machines may be used for remote access and that no other system is allowed to connect to the corporate network. If you can include this statement in your remote access policy, you now have control over the systems that connect to the network. If you allow users to connect with their own home machines, you have no way of knowing whether those systems are secured.

The User Account/Password Policy sets the password rules: how long passwords must be, which character classes they must contain and how often they must be changed. It can also set rules for user accounts themselves, for example that new account requests must be approved by a manager or vice president, and that accounts with special access, such as root or administrator privileges, must be approved by a vice president.

The Firewall Policy governs how firewall rules are added or changed. For example, any request to add or modify a firewall rule must be approved by the requestor's manager and reviewed by the security administrator, who assesses the implications the change may have for the organization's security infrastructure. The Network Policy is similar to the Firewall Policy, but addresses the addition of new systems or devices to the network.

Once these policies have been written, how do you communicate them to users, and how do you enforce them? To communicate the policies, many organizations post them on an intranet site and e-mail copies to all employees. Initially, all employees must sign a document that states they have read and understood the policies. This document is then placed in their HR file. For new employees, the security policies are included in their welcome packet. As the policies are updated, copies of the new policy should be distributed for review, whether by e-mail, hard copy or a simple post on the intranet site. The key point is that all employees need to be aware of the policy and where it is located. If they are fired or otherwise reprimanded for failing to adhere to the policy, the organization needs to show that the policy was clearly communicated to all employees.

Enforcing security policies technically is often difficult. Network monitoring helps because it shows who is doing what on the network, such as downloading streaming video or running Morpheus (a peer-to-peer file-sharing client). Web proxies are also useful if your organization wishes to limit the Web sites employees can visit from the corporate network, and their access logs are the evidence you will need when a violation has to be documented.
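The monitoring described above only becomes enforcement when someone actually checks the logs against the Acceptable Use Policy. The following is an added example, not code from the original article: it walks a Squid-style proxy access log and attributes file-sharing and streaming-media traffic to the user and client that generated it. The log format, the destination patterns in POLICY_RULES and the sample log lines are all assumed or constructed here; only Morpheus is named on the page, and the other product names in the pattern are placeholders.

```python
"""Flag Acceptable Use Policy violations in web-proxy access logs.

Added example, not code from the original article.  Assumes a
Squid-style native access.log; POLICY_RULES is a hypothetical mapping of
destination patterns to the policy clause they enforce, and SAMPLE_LOG
is constructed, not captured traffic.
"""
import re
from collections import defaultdict

# Assumed Squid native access.log layout:
# <epoch> <elapsed_ms> <client_ip> <code>/<status> <bytes> <method> <url> <user> <hier>/<peer> <mime>
_SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

# Hypothetical destination patterns, keyed to the policy clause they enforce.
# Each pattern is tried against the request host and against the full URL.
POLICY_RULES = {
    "file-sharing": re.compile(r"(^|\.)(kazaa|morpheus|gnutella|fasttrack)\.", re.I),
    "streaming-media": re.compile(r"\.(asx|asf|wmv|ram|rm|mp3)(\?|$)", re.I),
}
# A streaming download is also recognisable by the content type the proxy logged.
STREAMING_MIME = re.compile(r"^(video/|audio/)", re.I)

# Constructed sample log lines (not real traffic). The last line is deliberately
# malformed to show that unparseable lines are skipped rather than crashing the audit.
SAMPLE_LOG = """\
1020816000.123    45 10.1.2.3 TCP_MISS/200 5120 GET http://intranet.example.com/policies/aup.html jsmith DIRECT/10.1.0.9 text/html
1020816001.456  1200 10.1.2.3 TCP_MISS/200 2097152 GET http://media.example.net/clips/show.wmv jsmith DIRECT/203.0.113.7 video/x-ms-wmv
1020816002.789   300 10.1.2.44 TCP_MISS/200 65536 GET http://updates.morpheus.example/client/latest bwhite DIRECT/203.0.113.8 application/octet-stream
1020816003.012    80 10.1.2.44 TCP_DENIED/403 1400 CONNECT streams.example.org:443 bwhite HIER_NONE/- -
this line is garbage and should be skipped
"""


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not fit."""
    m = _SQUID_LINE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Extract the destination host; CONNECT requests log 'host:port', others a URL."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].split(":", 1)[0].lower()


def classify(rec):
    """Return the policy category a parsed record violates, or None if it is clean."""
    host = host_of(rec["url"])
    for category, pattern in POLICY_RULES.items():
        if pattern.search(host) or pattern.search(rec["url"]):
            return category
    if STREAMING_MIME.match(rec["mime"]):
        return "streaming-media"
    return None


def audit(lines, min_bytes=0):
    """Map (user, client_ip) to {category: bytes} for every flagged request.

    min_bytes lets you ignore trivial hits (a single stray request) and
    report only sustained use, which is what an HR conversation needs.
    """
    findings = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or foreign line: skip, do not abort the audit
        category = classify(rec)
        if category and int(rec["bytes"]) >= min_bytes:
            findings[(rec["user"], rec["client"])][category] += int(rec["bytes"])
    return {who: dict(cats) for who, cats in findings.items()}


if __name__ == "__main__":
    for (user, client), cats in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        print(f"{user}@{client}: {cats}")
```

Run against a real log, the output is a per-user, per-category byte count that ties back to a named clause of the policy, which is exactly the record you want on file before anyone is reprimanded.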

Account and Password Policies can be enforced through your network configuration. If you are running Windows 2000 and Active Directory, Group Policy gives you a great deal of control over end-user systems; the Password Policy and Account Lockout Policy settings under Account Policies in the domain's Group Policy object apply minimum length, complexity, maximum age and lockout thresholds to every domain account without relying on users to comply voluntarily.
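Where Group Policy cannot reach, for example an application with its own user database, the same rules from the User Account/Password Policy above have to be applied in code. The following is an added example, not code from the original article: the policy values in PasswordPolicy are hypothetical, and the function stands in for the Group Policy enforcement described above.

```python
"""Check a credential against a written User Account/Password Policy.

Added example, not code from the original article.  PasswordPolicy holds
hypothetical values; on a Windows domain the equivalent settings are the
Group Policy Password Policy entries, and this function is for systems
that must apply the same rules themselves.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12        # "how long passwords must be"
    min_classes: int = 3        # "what characters they should contain" (of 4 classes)
    max_age_days: int = 90      # "how often they must be changed"
    forbid_username: bool = True


def _character_classes(password):
    """Count how many of lower, upper, digit and punctuation appear."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def check_password(policy, password, username="", last_changed=None, today=None):
    """Return the list of policy clauses the credential violates (empty = compliant).

    last_changed/today drive the age check so it is testable without the wall clock.
    """
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if _character_classes(password) < policy.min_classes:
        violations.append(f"fewer than {policy.min_classes} character classes")
    if policy.forbid_username and username and username.lower() in password.lower():
        violations.append("contains the account name")
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > timedelta(days=policy.max_age_days):
            violations.append(f"older than {policy.max_age_days} days")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Ab1!", "abcdefghijklmnop", "Jsmith2002!!xyz", "Tr0ub4dor&3xample"):
        print(candidate, "->", check_password(policy, candidate, username="jsmith") or "ok")
```

Returning the list of violated clauses rather than a bare True/False means the rejection message can quote the policy back to the user, which is also the evidence trail that the rule was applied consistently.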

Some organizations take a less proactive approach and do not actively enforce their security policy unless someone blatantly defies it. Other organizations are very proactive and will dismiss someone at the first hint of impropriety. How your organization chooses to address and enforce corporate security policies depends a lot on the corporate culture. Whatever your culture, though, make sure you adequately communicate the policy and any changes to all employees, and maintain a consistent enforcement level for policy violations; inconsistent enforcement is what undermines a policy when it is finally tested. Once this infrastructure is in place, you are well on your way to building a world-class security organization.

About the author
Mandy Andress (mandy@arcsec.com) is a Network Security Engineer for Tivo, Inc. and the President of ArcSec Technologies. As a member of SearchSecurity's team of experts, Mandy answers user questions on security policies. Submit a question to her, or read the questions she has already answered.











All Rights Reserved, Copyright 2003 - 2009, TechTarget