Intranet Journal
The online resource for intranet professionals


Security Policies 101


Laura Taylor

1/6/03


If you are trying to keep your network secure from unauthorized access, creating security policies is an exercise in understanding what needs to be secured. Security policies serve many purposes and are the foundation of your security framework.

Why Your Organization Needs Security Policies

Security policies are the foundation of your secure infrastructure. They serve as a guide and a reference point for numerous security tasks in your organization including:

Without security policies, security configurations and standards cannot be enforced. By establishing a policy, you are implying that enforcement can or will follow.

Security Policy Basics

Security policies are high-level laws of the land regarding your security infrastructure. They are not procedures. (Procedures tell you how to implement security policies.) Upper management needs to hold someone accountable for drafting the security policies, overseeing their review, and implementing them. Without support from upper management, security policies often fall by the wayside and never get written, understood, or implemented. The person being held responsible for security policies could be the Director of Information Security, the Chief Security Officer, the Director of Information Technology, the Chief Information Officer, or a knowledgeable employee appointed to be the information security officer.

Security is typically distributed, and security mechanisms should be built into all layers of the enterprise infrastructure. Security policies should describe the rules of the road for the following types of technology systems:

All security policies need to be written down. Policies that exist in someone's head are not really policies. When your organization has finished developing security policies, and right when you think you can breathe easy, it will be time to update your security policies. Since most IT organizations are deploying new technology continuously and retiring old systems, you will have to make sure your security policies still make sense for your new infrastructure. Similarly, when you are evaluating new equipment for possible procurement, you will want to make sure that the new equipment can properly be configured to meet your security requirements — if it can't, you may want to consider procuring alternative products.

Some products and modules built into operating systems are designed specifically to configure and enforce security policies. Windows 2000 uses security templates (also called .inf files) to automatically configure security policies on servers and desktops. There are also third-party enterprise management tools that are designed specifically for security policy configuration, distribution, and enforcement. These products should undergo a thorough evaluation and analysis process before expensive procurement decisions are made.
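As an added illustration (not part of the original article), the following Python sketch checks the [System Access] section of a security template against a written password and lockout policy before the template is distributed. The template fragment, the policy thresholds, and the names audit_template and WRITTEN_POLICY are constructed for this example.

```python
import configparser

# Constructed sample: fragment of a security template (.inf), not from the article.
SAMPLE_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 0
"""

# Hypothetical written policy: setting name -> (rule, required value).
WRITTEN_POLICY = {
    "MinimumPasswordLength": ("min", 8),
    "PasswordComplexity": ("eq", 1),
    "MaximumPasswordAge": ("max", 90),
    "PasswordHistorySize": ("min", 12),
    "LockoutBadCount": ("max", 5),
}

def audit_template(text, policy=WRITTEN_POLICY):
    """Return (setting, found, reason) for each setting that misses the policy."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    access = parser["System Access"] if parser.has_section("System Access") else {}
    findings = []
    for name, (rule, required) in policy.items():
        if name not in access:
            findings.append((name, None, "not set by template"))
            continue
        found = int(access[name])
        if rule == "min" and found < required:
            findings.append((name, found, f"below required minimum {required}"))
        elif rule == "eq" and found != required:
            findings.append((name, found, f"must equal {required}"))
        elif rule == "max" and found <= 0:
            # Assumption: 0 or -1 turns the limit off (no lockout, no expiry).
            findings.append((name, found, "limit disabled"))
        elif rule == "max" and found > required:
            findings.append((name, found, f"above allowed maximum {required}"))
    return findings

if __name__ == "__main__":
    for setting, found, reason in audit_template(SAMPLE_TEMPLATE):
        print(f"{setting}: {found} ({reason})")
```

Templates saved by Windows tools are commonly UTF-16 encoded, so decode the file before passing its text to the function.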

Security controls are mechanisms put into place to enforce security policies.


Copyright 2002 Jupitermedia Corporation, All Rights Reserved.