10 Tips for Creating a Network Security Policy

  1. Identify and locate your assets.
      This pertains to both information and material goods. Assess the importance and value of these assets.

      Example: A computer may cost $3000 to replace. The information on that computer might cost $60K to replace. In the hands of a competitor, the losses might be even higher.


  2. Perform a Threat Risk Assessment.
      Categorise the likelihood of these assets being stolen and identify the resulting damage to the organisation if such an occurrence comes to pass.

      Example: If a company has a public web server which is used to distribute information, the cost of it going down from a "denial of service" attack might be the time required to bring the system back online (e.g. two hours from the MIS department). If this web server is used to perform financial transactions then the cost must also include the number of purchases lost while the server is down.


  3. Adopt a "Need to Know" philosophy.
      Things like Access Control and privilege should not be a measure of rank or importance in other areas. As the number of people with access to restricted areas (or information) increases.

      Example: The CEO does not need a password to enable him to gain access to the accounting system. If he has access and someone finds out his password (e.g. he uses one password for all systems) it can be misused.


  4. Perform an informal site survey of your organisation.
      In accordance with your asset descriptions (step 1), you can either relocate valuable assets to more secure areas or take extra measures (additional locks, smart cards, security personnel, etc.) to guard these assets. Pay close attention to "drop ceilings" (a locked door is no deterrent in this case) and to assets in very remote or unoccupied areas. Also be sure to look at cable drops and other wiring routes.

      Example: It’s often a good idea to locate all your important servers in a separate room with physical access constraints. This reduces the possibility of malicious or illegal activity occurring by happenstance (e.g. somebody with no access privileges glancing over and stealing a password while it is being typed in, or making copies of classified information that happens to come out of the printer).


  5. Institute a standard for classifying all information.
      Is it confidential, private, unclassified, etc.? Also define a means of identifying which employees, or groups of employees, have access to this information.

      Example: An Advertising Plan might be restricted to specific people in the Marketing and Business Development departments. An Engineering document that details trade secrets would be restricted to specific engineers. It might even be necessary to control and account for each document that is released, i.e. only one person has the ability to print the document and a limited number of photocopies are made and distributed to specific people only. Company policy would ensure that these people do not make unauthorised photocopies.


  6. Ascertain who needs access to external resources.
      Determine who needs access to external resources (via Internet, modem, WAN, etc.) and what resources need to be made available. Ascertain who, amongst external users (employees, partners, customers, the general public), needs access to internal resources and what resources need to be made available. This is an extension of the "Need to Know" philosophy. Although painful, it may be necessary to adopt strict policies regarding the downloading of third-party software from unknown sites. If this can’t be done, then anti-virus software must be run regularly on all network computers.

      Example: Not all employees need access to the external World Wide Web. Aside from being a great time waster, it also increases the possibility of malicious software and ties up network bandwidth. A good alternative might be to restrict WWW access to specific times (e.g. lunchtime).


  7. Create a disaster recovery plan.
      This will force you to think of how you do system backups and perform off-site storage. It should address the loss of information and equipment/material.

      Example: Pick a worst-case situation (usually your building burns down) and consider how you would stay in business and service your customers. This exercise will serve to highlight the data and equipment that are critical to your operation. It will also make you think about how long your operation can be "down" without suffering irreparable harm.


  8. Appoint someone to be responsible for security policy enforcement.
      This can be one person or a group of individuals.

      Example: The Network Administrator may be the person responsible for Internet access and other IT related functions, while a person in the HR department may take ownership of site security (alarm system maintenance, access card distribution). No two situations are identical.


  9. Review the impact of any intended procedural changes on your employees.
      Will they be capable of shutting off alarm systems, changing passwords every month, locking their drawers every night and using password enabled screen

      Example: If the employees aren’t reliable, then it may be necessary to institute mechanisms to automatically force password changes and run screen saver programs. Obviously, there will always be a situation where the employees need to be responsible, i.e. education is a necessity and security policy enforcement is a co-operative effort.


  10. Understand that the implementation of any security policy needs regular validation.
      Security audits need to be performed to determine if the policy is meeting its objectives. If it isn’t, then the problems must be addressed.

      Example: Reviewing the security policy six months after it was written will frequently uncover a few major deficiencies. If an assumption was made that only a few people need to access a protected area and this really isn’t the case, a change is in order. Perhaps some of the material in the protected area isn’t really that sensitive and can be moved to another location.
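The review described in tip 10 can be partly automated, which also exercises the "Need to Know" philosophy of tip 3 and the classification standard of tip 5. The following script is an added example and is not code from the article or from WindowSecurity.com. It assumes a constructed classification policy (which groups are entitled to each classification), a constructed staff directory (user to group memberships), a constructed document catalogue that records the audience size the owner assumed when the document was protected, and a constructed list of observed access grants of the kind you would collect from file ACLs. It reports grants that the policy does not entitle and documents whose real audience has grown beyond the assumed one, which is exactly the "a change is in order" finding the example above describes.

```python
"""Need-to-know access audit against a classification policy.

Added example, not part of the original article. All data below is
constructed for illustration; in practice the grants would come from
exported ACLs and the directory from the identity system.
"""
from dataclasses import dataclass, field

# Constructed policy (tip 5): groups entitled to each classification.
POLICY = {
    "confidential": {"engineering-leads"},
    "private": {"marketing", "business-development"},
    "unclassified": {"all-staff"},
}

# Constructed staff directory: user -> group memberships.
USERS = {
    "alice": {"engineering-leads", "all-staff"},
    "bob": {"marketing", "all-staff"},
    "carol": {"all-staff"},
    "ceo": {"executive", "all-staff"},
}

# Constructed document catalogue: classification plus the audience size
# assumed when the document was protected (tip 10 re-checks this).
DOCUMENTS = {
    "advertising_plan.pdf": {"classification": "private", "expected_audience": 3},
    "trade_secret_spec.pdf": {"classification": "confidential", "expected_audience": 1},
    "holiday_calendar.pdf": {"classification": "unclassified", "expected_audience": 50},
}

# Constructed observed grants (user, document), e.g. read from file ACLs.
OBSERVED_GRANTS = [
    ("alice", "trade_secret_spec.pdf"),
    ("bob", "advertising_plan.pdf"),
    ("ceo", "trade_secret_spec.pdf"),   # rank is not need to know (tip 3)
    ("carol", "advertising_plan.pdf"),  # no entitled group membership
    ("carol", "holiday_calendar.pdf"),
    ("alice", "holiday_calendar.pdf"),
    ("bob", "holiday_calendar.pdf"),
    ("ceo", "holiday_calendar.pdf"),
    ("dave", "holiday_calendar.pdf"),   # account unknown to the directory
]


@dataclass
class AuditReport:
    """Findings from one audit run."""
    violations: list = field(default_factory=list)  # (user, document, reason)
    oversized: dict = field(default_factory=dict)   # document -> (actual, expected)

    def is_clean(self):
        return not self.violations and not self.oversized


def entitlement_reason(user, document, policy, users, documents):
    """Return None when the grant is allowed by policy, else a reason string."""
    groups = users.get(user)
    if groups is None:
        return "user not in directory"
    meta = documents.get(document)
    if meta is None:
        return "document has no classification"
    allowed = policy.get(meta["classification"], set())
    if not groups & allowed:
        return f"no group entitled to '{meta['classification']}' material"
    return None


def audit(grants, policy=POLICY, users=USERS, documents=DOCUMENTS):
    """Check every grant against policy and every document's audience size."""
    report = AuditReport()
    audience = {}
    for user, document in grants:
        reason = entitlement_reason(user, document, policy, users, documents)
        if reason is not None:
            report.violations.append((user, document, reason))
        audience.setdefault(document, set()).add(user)
    for document, meta in documents.items():
        actual = len(audience.get(document, set()))
        if actual > meta["expected_audience"]:
            report.oversized[document] = (actual, meta["expected_audience"])
    return report


if __name__ == "__main__":
    result = audit(OBSERVED_GRANTS)
    for user, document, reason in result.violations:
        print(f"VIOLATION {user} -> {document}: {reason}")
    for document, (actual, expected) in result.oversized.items():
        print(f"REVIEW {document}: {actual} users have access, {expected} expected")
```

Running it flags three grants (the CEO's access to the engineering document, a general-staff user on a private marketing plan, and an account the directory does not know) and one document whose audience has outgrown the owner's assumption. Each finding maps to a decision the policy owner has to make: revoke the grant, add the person to an entitled group because the need is genuine, or lower the document's classification, which is the "moved to another location" outcome in the example above.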
