Security Policies 101

Events Jobs Premium Services Media Kit

Network Map

E-mail Offers

Vendor Solutions

Webcasts

Intranet Journal Subjects

Home

Administration

Collaboration

Compliance

Development

Knowledge Management

Security

Special Reports

Tutorials

Discussion Board

How Do I...

Glossary

Events Calendar

Products

Spyware Guide

IT Management Blog

Search Earthweb

Privacy Policy

internet.com

IT
Developer
Internet News
Small Business
Personal Technology

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

internet commerce

Be a Commerce Partner

Security Policies 101

Laura Taylor

1/6/2003

Go to page: 1 2

Printer Friendly Version

If you are trying to keep your network secure from unauthorized access, creating security policies is an exercise in understanding what needs to be secured. Security policies serve many purposes and are the foundation of your security framework.

Why Your Organization Needs Security Policies

Security policies are the foundation of your secure infrastructure. Your security policies serve as a guide and a reference point to numerous security tasks in your organization including:

Securing applications
Configuring user access controls
Defining management duties and responsibilities
Assuring standardization and consistency
Retaining confidential and proprietary information
Designing enterprise architecture
Mitigating risk
Responding to security incident investigations
Disciplining employees for breach of policy
Minimizing liabilities to customers and shareholders
Assisting auditors in understanding security intentions
Establishing a sense of awareness and training
Avoiding disputes with different technical teams
Expediting procurement and deployment of new systems

Without security policies, no enforcement of security configurations or standards can be made. By establishing a policy, you are implying that enforcement can or will follow. Without security policies, enforcement of them is not possible.

Security Policy Basics

Security policies are high-level laws of the land regarding your security infrastructure. They are not procedures. (Procedures tell you how to implement security policies.) Upper management needs to hold someone accountable for drafting the security policies, overseeing their review, and implementing them. Without support from upper management, security policies often fall by the way side and never get written, understood, or implemented. The person being held responsible for security policies could be the Director of Information Security, the Chief Security Officer, the Director of Information Technology, the Chief Information Officer, or a knowledgeable employee appointed to be the information security officer.

Security is typically distributed, and security mechanisms should be built into all layers of the enterprise infrastructure. Security policies should describe the rules of the road for the following types of technology systems:

Encryption mechanisms
Access control devices
Authentication systems
Virtual Private Networks (VPNs)
Firewalls
Messaging systems
Anti-virus systems
Web sites
Gateways
Mission critical applications
End-user desktops
DNS servers
Routers and switches

All security policies need to be written down. Policies that exist in someone's head are not really policies. When your organization has finished developing security policies, and right when you think you can breathe easy, it will be time to update your security policies. Since most IT organizations are deploying new technology continuously and retiring old systems, you will have to make sure your security policies still make sense for your new infrastructure. Similarly, when you are evaluating new equipment for possible procurement, you will want to make sure that the new equipment can properly be configured to meet your security requirements — if it can't, you may want to consider procuring alternative products.

Some products and modules built into operating systems are designed specifically to configure and enforce security policies. Windows 2000 uses security templates (also called .inf files) to automatically configure security policies on servers and desktops. There are also third-party enterprise management tools that are designed specifically for security policy configuration, distribution, and enforcement. These products should undergo a thorough evaluation and analysis process before expensive procurement decisions are made.

Security controls are mechanisms put into place to enforce security policies.

Go to page: 1 2

Printer Friendly Version

Of Interest

Intranet eXchange Discussion Board
Anti-Virus Protection 101
Secure FTP 101

email this page

Tutorials

and more at:
Intranet Journal's Tutorials

Intranet Journal Favorites

Creating a PHP-Based Content Management System

The Spyware Guide

Introduction to Microsoft SharePoint Portal

Intranet Journal

Part of the EarthWeb Network

Managing Editor
Intranet Journal
Tom Dunlap

EarthWeb Home Page
Jupitermedia Home Page

Media Kit

The Network for Technology Professionals

About Internet.com

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers

Solutions

Whitepapers and eBooks

Intel Whitepaper: 2010 Intel Core vPro Processors Overview
Article: Adobe Helps PHP Developers Create Rich Internet Applications
Article: Reduce Your Infrastructure Costs with Microsoft System Center
Intel Brief: Five-Star IT Support--Intel Core 2 processor with vPro Delivers ROI of 524 Percent
Article: Security Enhancements Abound in Windows Server 2008
Intel Whitepaper: Implementing Intel vPro Technology to Drive Down Client Management Costs
Microsoft Whitepaper: Improve Communications and Collaboration

Intel Article: Intel Core i5 vPro Brings Intelligence to the Processor
Microsoft Personalized Whitepapers and Resources for You
Microsoft Articles: Visual Studio 2010
Adobe Article: Java Developers Finding a Home at Adobe Flex
Microsoft Whitepaper: Make Better Decisions - SQL Server 2008 Business Intelligence.
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

Micro Focus Webcast: Boosting the Impact and Effectiveness of Software Development QA and Testing
Microsoft Webcast: Simplified Access and Single Sign-On

Intel Video: 2010 Intel Core Processor Technologies
MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Adobe Download: Tour de Flex Application and Explore Flex
HP PartnerONE | SolutionsINFINITE Visit us at hp.com/partners/us

Iron Speed Designer Application Generator
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Free Adobe Online Flex Training: Check Out this Video Training Course Here
Learn Unified Communications
Learn SQL Server 2008
Learn Windows Server 2008 R2
Internet.com Hot List: Get the Inside Scoop on IT and Developer Products

Learn Forefront
Learn System Center
All About Botnets
Learn SharePoint
MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES