THE POLICY PROCESS

A network security policy should be predicated on certain basic assumptions.

Because a weakly protected component of a networked system can compromise the security of the entire network, the organizational communications policy should assume that all networked components will adhere to certain fundamental controls.

Risk Assessment

Because enterprisewide networks consist of diverse network components and operating systems, it would be an exercise in futility to require a risk assessment prior to implementing fundamental controls. It is more productive for the communications security policy to promote implementation of good business practices and due diligence (i.e., uniform, consistent baseline controls across all platforms within the enterprise). Individual systems or network administrators should be encouraged to perform a risk assessment to determine the need for additional levels of protection. For example, network security provided by the network operating system generally protects only as far as the directory and file levels. A risk analysis of a particular application may determine that additional protection is warranted (e.g., implementation of a third-party encryption product).

Senior Management Support and Consensus

A good security policy should be aligned with the objectives of the company and the practical business conditions of the organization. If the policy conflicts with management's goals, controls will be met with indifference or outright resistance. To ensure management support, the policy-making group should work with a senior management advisory council. Enforcement will be guaranteed because the buy-in has come from the very top of the organization. Additionally, annual reviews by such a council provide a broader perspective on how the security policy affects the organization's plan.

Distributed Roles and Responsibilities

Communications and distributed systems cut across lines of ownership, authority, and responsibility. Traditional organizational infrastructures do not lend themselves to the proper management of distributed systems and are not conducive to the establishment and enforcement of security policies. In addition, organizational politics tends to create isolated processing domains, in which traditional security is neglected until an audit compels users to comply with policy. It is important that systems managers be aware of security issues and be diligent in securing their systems. However, these managers usually do not possess the skills needed to protect against threats to communications systems. Consequently, it is recommended that the security policy assign responsibility for communications security to the communications function.

Technological developments during the past several years have resulted in a significant increase in the computing capability of desktop and laptop systems. Along with this power shift has come a responsibility shift. When systems are diffused throughout the organization, mainframe-oriented security organizations lose oversight capability. There is also a tremendous broadening of responsibilities for network access management of multiple heterogeneous LANs, encryption, software licensing, secure E-mail, Internet browsers, and virus control. Hence, the security policy must also define the user's role in security and emphasize the inherent accountability of each computer user.

Most organizations already have general security policies in place with appropriate controls for centralized mainframe computing. These policies contain security and control requirements that may still be appropriate in a networked environment and should not be dismissed. Rather, the network security policy should be integrated with the existing control documents. The requirement for strong password management, for example, is also important in a networked environment; the compromise of one password can affect multiple systems. Therefore, a traditional policy that requires the protection of password files becomes even more critical in a networked environment.

Accountability

The policy should require accountability for the security of computing and communications resources for each employee, whether senior management or staff. The levels of accountability mandated in the policy should reflect the structure of the organization. For example, in a company in which the IS function is aligned under the finance department, the controller should be assigned ultimate accountability for the security of information. The policy would then dictate that the controller work with the senior management in charge of information systems and security to ensure that adequate controls are established and adhered to.

Many organizations require employees to sign a statement of understanding as part of the computer registration process. The registration form can be designed to include a statement to the effect that the employee has read and understands the security policies and agrees to abide by them. By signing the form, the employee acknowledges his or her accountability for system resources.

Baselines for Implementation

Owners or managers of local computing environments must understand that by connecting to other facilities, they are both passing on their own exposures to other resources and accepting the risks that others are introducing. Therefore, without a consistent policy that establishes the criteria for minimizing the exposures, everyone is at risk. Without proper integration, network management will be costly, and productive strategies such as single sign-on will be futile. Therefore, baseline controls that enforce policy by mandating such standards as a common user ID syntax, password expiration, and password length should be implemented.
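The baseline controls named above (a common user ID syntax, password expiration, and password length) are only useful if they are checked uniformly across every platform on the network, since one weakly configured platform exposes the rest. The following is an added example, not code from the original text: a small compliance check that compares each platform's configured password settings and each account against one enterprise baseline. The baseline values, the user ID pattern, the platform names, and the account records are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Enterprise baseline (assumed values for this example, not figures from the text).
USER_ID_PATTERN = re.compile(r"^[a-z]{2,8}[0-9]{0,3}$")  # hypothetical common user ID syntax
MIN_PASSWORD_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90


@dataclass(frozen=True)
class PlatformPolicy:
    """Password settings as configured on one platform (NOS, host, or domain)."""
    name: str
    min_password_length: int
    max_password_age_days: int  # 0 means passwords never expire on that platform


@dataclass(frozen=True)
class Account:
    """One user account as exported from a platform's account database."""
    platform: str
    user_id: str
    password_changed: date


def check_platform(policy):
    """Return baseline findings for a platform's configured password settings."""
    findings = []
    if policy.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append("min-length-below-baseline")
    if policy.max_password_age_days == 0 or policy.max_password_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append("expiration-weaker-than-baseline")
    return findings


def check_account(acct, today):
    """Return baseline findings for one account: ID syntax and password age."""
    findings = []
    if not USER_ID_PATTERN.match(acct.user_id):
        findings.append("user-id-syntax")
    if (today - acct.password_changed).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-expired")
    return findings


def baseline_report(policies, accounts, today):
    """Map each non-compliant platform or account to its list of findings."""
    report = {}
    for policy in policies:
        findings = check_platform(policy)
        if findings:
            report["platform:" + policy.name] = findings
    for acct in accounts:
        findings = check_account(acct, today)
        if findings:
            report["account:" + acct.platform + "/" + acct.user_id] = findings
    return report


# Constructed sample inventory: three platforms, one account exported from each.
PLATFORMS = [
    PlatformPolicy("unix-hr", min_password_length=8, max_password_age_days=90),
    PlatformPolicy("nt-finance", min_password_length=6, max_password_age_days=90),
    PlatformPolicy("netware-eng", min_password_length=8, max_password_age_days=0),
]
ACCOUNTS = [
    Account("unix-hr", "jsmith", date(1999, 4, 15)),
    Account("nt-finance", "J.Smith", date(1999, 5, 1)),   # breaks the common ID syntax
    Account("netware-eng", "bjones", date(1998, 12, 1)),  # password older than the baseline allows
]
AS_OF = date(1999, 6, 1)  # constructed reporting date

if __name__ == "__main__":
    for subject, findings in baseline_report(PLATFORMS, ACCOUNTS, AS_OF).items():
        print(subject + ": " + ", ".join(findings))
```

The report flags the NT domain for a minimum length below the baseline, the NetWare server for never expiring passwords, and two accounts (one for ID syntax, one for an expired password), even though each platform is "compliant" with its own local settings. That is the point of the baseline: the check is the same on every platform, so a local administrator's risk assessment can only add protection on top of it, never fall below it.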
Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited.