A security policy is an important element of the overall security of the computer or network being protected. In general, the more security that is applied to a system or network, the more inconvenient the system will be for users.
A security policy and security procedures help to define what you are trying to protect and how to protect it. Because of different goals, each type of industry or organization has different security needs. An e-commerce site needs a different security policy from that of an accounting firm or government agency. Before you begin securing your site, it is wise to see if a security policy has been established. If not, develop one.
Most technology decisions should be based on policy. To develop a security policy, take the following guidelines into consideration:
- In preparing a risk analysis, ask yourself, "What am I trying to protect, and from whom?"
- Determine the probability of risk with a cost/benefit analysis of protecting the resource(s).
- Determine who is responsible for protecting the resources.
- Define how you will respond during a security event.
Security policies should not be made in a vacuum, but should be approved and supported by persons with authority. To be effective, they should not be too difficult to implement. Once the security policy is in place, procedures and guidelines should be established to ensure that the policy can be monitored and enforced. Large companies may have compartmentalized security, with needs that differ between sites, divisions, or departments.
There are some general considerations that will determine how security will be implemented and enforced. This list is by no means all-inclusive, but is here to give examples of the questions that should be asked.
- Is there an Internet connection, and how can the users utilize it?
- How are disks or information shared?
- Is data backed up? If so, what data, and how often?
- Do the users know their responsibilities?
- Is remote access needed?
- How will you know if security has been compromised?
- Is there a firewall in place, and if so, what is permitted to go through it?
Once these questions have been answered, it is necessary to apply them to categories of effort. These questions can be broken down into the following general areas:
- Confidentiality. How will you protect information from being read by unauthorized sources? Confidentiality includes consideration of technologies such as encryption, file permissions, and network sniffing.
- Integrity. How will you ensure that your data will not be deleted or modified, and if it is, that you know the source? You must decide how to deal with file permissions, insecure programs, digital signatures, and viruses.
- Availability. How will you ensure that your systems remain available? The plan must involve issues such as denial of service, acceptable system use, and employment of redundant systems.
- Recoverability. How will you recover if you have been compromised? You will need to decide how best to utilize data backups, hard copies, and remote data stores.
- Audit. Can you tell if a security event has happened? The use of log files, system auditing, event monitors, and alarms in guarding against abuse must be factored into the plan.
Implementing security can be a full-time job, and monitoring it and maintaining it can be an even larger time commitment. When designing security policies and procedures, it is important to consider the necessary resources that must be available to implement, monitor, and enforce them.
In the next article, we will examine computer system lockout issues and recommendations.