How to develop a Network Security Policy

by Singapore IT Security Techno Portal [Published on 16 Oct. 2002 / Last Updated on 23 Jan. 2013]

Almost all steps.

1.1   Introduction

The world of computers has changed dramatically over the past 25 years. Twenty-five years ago, most computers were centralised and managed in data centres.  Computers were kept in locked rooms and links outside a site were unusual.  Computer security threats were rare, and were basically concerned with insiders These threats were well understood and dealt with using standard techniques: computers behind locked doors and accounting for all resources. Twenty-five years later, many systems are connected to the Internet. The Internet is a huge network and has no boundaries. Businesses find an increasing need to connect to the internet to take advantage of the business opportunities.

The security framework for systems with internet connections is however very different. Information on the internet can be accessed from anywhere in the world in real time. While this is good for the spread of information, it has also allowed for the proliferation of ‘malicious information’. Hacker tools are now widely available on the internet. Some web sites even provides tutorials on how to hack into a system, giving details of the vulnerabilities of the different kinds of systems. It does not take an expert programmer to break into a system. Anyone with malicious intentions can search the internet for programs to break into a system which is not properly secured.

It is hence vital for businesses with connections to the internet to ensure that their networks are secure. This is important to minimise the risk of intrusions both from insiders and outsiders. Although a network cannot be 100% safe, a secure network will keep everyone but the most determined hacker out of the network. A network with a good accounting and auditing system will ensure that all activities are logged thereby enabling malicious activity to be detected.

1.2   Need for Network Security Policy

Before a network can be secured, a network security policy has to be established. A network security policy defines the organisation's expectations of proper computer and network use and the procedures to prevent and respond to security incidents. A network security policy is the foundation of security because it outlines what assets are worth protecting and what actions or inactions threaten the assets. The policy will weigh possible threats against the value of personal productivity and efficiency and identify the different corporate assets which need different levels of protection. Without a network security policy, a proper security framework cannot be established. Employees cannot refer to any established standards and security controls would be circumvented for the sake of increasing efficiency.

A network security policy should be communicated to everyone who uses the computer network, whether employee or contractor..

1.3   Risks of Network Connectivity

Before a network security policy can be established, a risk analysis has to be studied. Risk analysis is the process of identifying what you need to protect, what you need to protect it from, and how to protect it.  It is the process of examining all of your risks, and ranking those risks by level of severity.

A good way of assessing the risks of network connectivity is to first evaluate the network to determine which assets are worth protecting and the extent to which these assets should be protected. In principle, the cost of protecting a particular asset should not be more than the asset itself. A detailed list of all assets, which include both tangible objects, such as servers and workstations, and intangible objects, such as software and data should be made. Directories that hold confidential or mission-critical files must be identified. After identifying the assets, a determination of how much it cost to replace each asset must be made to prioritise the list of assets.

Once the assets requiring protection are identified, it is necessary to identify the threats to these assets. The threats can then be examined to determine what potential for loss exists. Examples of threats might include:

i) Unauthorised access/use of resources (authentication)
ii) Denial of Service (availability)
iii) Leakage of information (confidentiality)
iv) Corruption/unauthorised change of data (integrity)
v) Natural disasters

A thorough risk assessment will be the most valuable tool in shaping a network security policy. The risk assessment indicates both the most valuable and the most vulnerable assets. A security policy can then be established to focus on security measures that can identify these assets.

1.4   Components of a Network Security Policy

Although network security policies are subjective and can be very different for different organisations, there are certain issues that are relevant in most policies. This section explains some of the common components of a network security policy.

Physical Security

Network security interacts with physical security because the size or shape of the network "machine" or entity can span a building, campus, country or the world due to interconnections and trust relationships. Without physical security, the other issues of network security like confidentiality, availability and integrity will be greatly threatened. The physical security section states how facilities and hardware should be protected. This section will also define which employees should be granted access to restricted areas such as server rooms and wiring closets.

Network Security

The network security section states how assets stored on the network will be protected. This section might include security measures regarding access controls, firewalls, network auditing, remote access, directory services, Internet services, and file system directory structures.

Access Control

Access control determines who has access to what. There must be a proper procedure to ensure that only the right people have access to the right information or services. Good access control includes managing remote access and enabling administrators to be efficient in their work. It should not be so complex that it becomes easy to commit errors.

Authentication

Authentication is how users tell the network who they are. The type of authentication used varies depending on from where users are authenticating. From their desk, a simple user id and password may be sufficient because of the accompanying physical security. When connecting from the Internet, a more secure 2-factor authentication (token-based authentication) may be necessary.

Encryption

Encryption can ensure data integrity or protect sensitive information sent over insecure lines. Such protection is usually essential for remote access to important assets or as an extra protection when using the organisation’s intranet.

Key Management

Keys are used to encrypt and decrypt data. A serious issue with encryption is the management of keys. A proper policy has to be established to address the following issues as these will affect the effectiveness of using encryption.

i) Key length – how long
ii) Key change – how often
iii) Key escrow – to have or not, if yes, how
iv) Key generation – who, how
v) Key distribution – who how

Compliance

The compliance section explains how enforcement of the network security policy will be done. It might also state the methods that will be used to investigate breaches of the policy. Penalties on violations of the policy can also be state here.

Auditing and Review

Once a security policy has been implemented, it must be checked to ensure that all components and employees are in compliance. Without sufficient auditing, an organisation may have no legal recourse if there is a security breach. Auditing can also identify problems before they turn into security breaches. The policies must also be reviewed regularly to ensure that they are still relevant.

Security Awareness

"Clueless users" are widely recognised as the most serious threat to network security. If employees do not understand the power and proper use of the network, they can unintentionally compromise security (or be duped into it). In particular, employees must manage passwords properly and be aware of "social engineering" attacks.

Incident Response & Disaster Contingency Plan

An organisation is most vulnerable when it detects an intrusion or when it is faced with a disaster. What happens in the next few minutes and hours can determine if billions of dollars in intellectual property is recoverable. The disaster contingency plan explains how an organisation will recover from any type of natural disaster or attack, including attacks from hackers and employees. For example, it might include security measures for backing up servers, detailing how often backups must be performed and how backups must be stored off-site. The disaster contingency plan might also list the members of an emergency response team that will handle a natural disaster or attack. In addition, the plan might include security measures for conducting drills to ensure that all users and the emergency response team know what to do when a disaster or attack occurs.

Acceptable Use Policy

The acceptable use policy section states how users will be allowed to use network resources. For example, it might describe the types of information that can be included in Internet e-mail messages and explain when e-mail messages must be encrypted. This section might also address issues such as whether or not users can play computer games or use resources such as e-mail and Internet access for personal use.

Software Security

The software security section explains how the organisation will use commercial and non-commercial software on servers, workstations, and the network. This section might also identify who is allowed to purchase and install software and the security measures for downloading software from the Internet.

1.5   Steps to developing a Network Security Policy

Objective

Before starting work on the policy, a clear idea of the objectives of the policy must be defined. This will ensure that the policy does not stray from its initial objective. The objective defines the approach to network security. A typical objective might be that information is an important asset and that the organisation will implement security measures to protect that asset.

Scope

The scope defines the assets that will be protected by the network security policy. Network security can cover a wide range of issues from physical security to personnel security to procedural security. A scope might define whether the policy addresses only network security or includes other areas of security. The scope also defines who must follow the network security policy. Does the policy pertain only to the employees? Or does the policy extend to contractors, customers, and vendors, who might be required to follow the policy if they connect their network to the organisation’s network?

Support from upper management

After defining the scope and objectives. Support should be obtained from the upper-level managers before actual work on developing the policy. Without the support of upper management, it will be very difficult to ensure compliance of a network security policy. If possible, the security committee should also include some upper-level managers

Reference of Other Policies

In order to get a feel of how a network security policy should look like. References to other policies should be made. This will also help in redefining the scope and objectives of the policy.

Risk Assessment

Before starting the actual writing of the policy, a thorough risk assessment must be done. An assessment of the risks will determine what are the issues that need to be addressed. The risk assessment report will be valuable tool in the shaping of the network security policy.

Determination of Components and Writing of Policy

The components of the Security Policy should be determined. These will be dependent on the risk assessment report. Not all components must be included. These will depend on the network structure, the location and structure of the organisation. The policy should aim to address all the risks stated in the risk assessment report. Where certain risks cannot be address, they should be noted.

Evaluation

After the policy is developed, an evaluation of the policy should be done to ascertained if the objectives of the policy has been achieved.. Some of the questions to be addressed might include:

i) Does your policy comply with law and with duties to third parties?
ii) Does your policy compromise the interest of your employees, your organisation or third parties?
iii) Is your policy practical, workable and likely to be enforced?
iv) Does your policy address all the different forms of communication and record keeping within your organisation?
v) Has your policy been properly presented and agreed to by all concerned parties?

1.6  Conclusion

Developing a network security policy is not something which can be done in a day or two. It is also not merely a technical issue which can be left to the technical personnel. Success of the policy will depend largely on the support of the upper management and the awareness of employees of the organisation.

Going through the whole process of developing a security policy is not enough. Threats change, vulnerabilities change, business requirements change and the available counter-measures change. All of these must be periodically and routinely re-evaluated to achieve a network security policy that is feasible, practical, enforceable and at the same time protects the network.

Featured Links