Security policies are critical to any security infrastructure, but they are often the last item on the to-do list.
When the project is finally started, managers do not know what policies their organization needs or how to develop policies for their company. Finally, once the policies are completed, they usually sit in a desk drawer, only to be pulled out for the auditors. So, what are some of the basic policies in place at most organizations, and -- most importantly -- once the policies are created, how do you manage and enforce them?
Most organizations have several policies, including Acceptable Use, Remote Access, User Account/Password, Firewall and Network Policies. Often, these policies are combined to create a single Corporate Security Policy.
The Acceptable Use Policy outlines what is deemed acceptable activity on the corporate network or on a corporate-owned system. This policy addresses activities such as sending offending e-mails to co-workers, running password crackers or other malicious applications on the network, installing unlicensed/pirated software, running file-sharing or streaming-media applications and infringing on copyrighted material. This policy is also where corporations may state that all activity is subject to monitoring.
The Remote Access Policy describes what responsibilities users have if granted remote access. This usually includes a discussion of due care for the asset being used if it belongs to the organization, who can use the system remotely and how the system should be protected (such as antivirus, personal firewall, etc.). This policy can state that only company-owned machines may be used for remote access; no other system is allowed to connect to the corporate network. If you can include this statement in your remote access policy, you now have control over the systems that connect to the network. If you allow users to connect with their own home machines, you have no way of knowing whether their systems are secured.
The User Account/Password Policy discusses password rules, such as how long passwords must be, what characters they should contain and how often they must be changed. This policy can also include requirements for user accounts, such as that new account requests must be approved by a manager or vice president, or that accounts with special access, such as root or administrator privileges, must be approved by a vice president.
The Firewall Policy discusses how changes and new rules can be added to the firewall. For example, any request to add or modify a firewall rule must be approved by the requestor's manager and reviewed by the security administrator to address the implications this change may have for the organization's security infrastructure. The Network Policy is similar to the Firewall Policy, but addresses the addition of new systems or devices to the network.
Once these policies have been written, how do you communicate them to users, and how do you enforce them? To communicate the policies, many organizations post them on an intranet site and e-mail copies to all employees. Initially, all employees must sign a document that states they have read and understood the policies. This document is then placed in their HR file. For new employees, the security policies are included in their welcome packet. As the policies are updated, copies of the new policy should be distributed for review, whether by e-mail, hard copy or a simple post on the intranet site. The key point is that all employees need to be aware of the policy and where it is located. If they are fired or otherwise reprimanded for failing to adhere to the policy, the organization needs to show that the policy was clearly communicated to all employees.
Enforcing security policies by technical means is often difficult. Network monitoring is often helpful because it provides a way of showing who is doing what on the network, such as downloading streaming video or using Morpheus (a peer-to-peer file-sharing application). Using Web proxies is also helpful if your organization wishes to limit the Web sites employees can visit from the corporate network.
Account and Password Policies can be enforced through your network configuration. If using Windows 2000 and Active Directory, you have a lot of control over end-user systems through Group Policy.
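As an added example (not from the original column), the following PowerShell script compares the written User Account/Password Policy described above against what the domain actually enforces, so that policy drift can be found before an auditor does. It assumes a current Active Directory domain with the ActiveDirectory PowerShell module (RSAT) installed, which postdates the Windows 2000 environment the column describes; the threshold values in $WrittenPolicy are constructed samples.

```powershell
# Added example, not the column's own code. Assumes the ActiveDirectory module
# (RSAT) and read access to the default domain password policy.
Import-Module ActiveDirectory

# The written User Account/Password Policy expressed as values.
# Constructed sample thresholds; substitute your organization's own.
$WrittenPolicy = @{
    MinPasswordLength    = 12     # "how long passwords must be"
    ComplexityEnabled    = $true  # "what characters they should contain"
    MaxPasswordAgeDays   = 90     # "how often they must be changed"
    PasswordHistoryCount = 24     # prevents immediate reuse of old passwords
    LockoutThreshold     = 5      # bad attempts before lockout (0 = no lockout)
}

function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)] [hashtable] $Expected)

    # What Active Directory actually enforces for the logged-on user's domain.
    $actual = Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
    $ageDays = $actual.MaxPasswordAge.Days   # 0 or less means "never expires"

    # Each check records the rule, what the written policy says, and what AD has.
    $checks = @(
        @{ Rule = 'MinPasswordLength';    Want = $Expected.MinPasswordLength
           Have = $actual.MinPasswordLength
           Ok   = $actual.MinPasswordLength -ge $Expected.MinPasswordLength }
        @{ Rule = 'ComplexityEnabled';    Want = $Expected.ComplexityEnabled
           Have = $actual.ComplexityEnabled
           Ok   = $actual.ComplexityEnabled -eq $Expected.ComplexityEnabled }
        @{ Rule = 'MaxPasswordAgeDays';   Want = $Expected.MaxPasswordAgeDays
           Have = $ageDays
           Ok   = ($ageDays -gt 0) -and ($ageDays -le $Expected.MaxPasswordAgeDays) }
        @{ Rule = 'PasswordHistoryCount'; Want = $Expected.PasswordHistoryCount
           Have = $actual.PasswordHistoryCount
           Ok   = $actual.PasswordHistoryCount -ge $Expected.PasswordHistoryCount }
        @{ Rule = 'LockoutThreshold';     Want = $Expected.LockoutThreshold
           Have = $actual.LockoutThreshold
           Ok   = ($actual.LockoutThreshold -gt 0) -and
                  ($actual.LockoutThreshold -le $Expected.LockoutThreshold) }
    )
    # Return only the settings that fall short of the written policy.
    return @($checks | Where-Object { -not $_.Ok } | ForEach-Object { [pscustomobject]$_ })
}

$drift = Test-DomainPasswordPolicy -Expected $WrittenPolicy
if ($drift.Count -eq 0) {
    Write-Output 'Default domain password policy meets the written policy.'
} else {
    Write-Output 'Settings that do not meet the written policy:'
    $drift | Format-Table Rule, Want, Have -AutoSize
}
```

Fine-grained password policies applied to specific groups (Get-ADFineGrainedPasswordPolicy) are not covered by this check and would need to be compared separately.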
Some organizations take a less proactive approach and do not actively enforce their security policy unless someone blatantly defies it. Other organizations are very proactive and will dismiss someone at the first hint of impropriety. How your organization chooses to address and enforce corporate security policies depends a lot on the corporate culture. Whatever your culture, though, make sure you adequately communicate the policy and any changes to all employees, and maintain a consistent level of enforcement for policy violations. Once this infrastructure is in place, you are well on your way to building a world-class security organization.

About the author
Mandy Andress (firstname.lastname@example.org) is a Network Security Engineer for Tivo, Inc. and the President of ArcSec Technologies. As a member of SearchSecurity's team of experts, Mandy answers user questions on security policies. Submit a question to her, or read the questions she has already answered.