Implementing An Enterprise Security Policy.
Enterprise Security Policy
By David.K
A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information must abide.
A security policy should not determine how an enterprise operates; instead, the business of the enterprise should dictate how a security policy is written. Business opportunities are what drive the need for security in the first place. The main purpose of a security policy is to inform anyone that uses the enterprise's network of the requirements for protecting the enterprise's technology and information assets.
The policy should specify the mechanisms through which these requirements can be met. Of all the documents an organization develops, the security policy is one of the most important.
Risk assessment
Prior to developing the security policy, you should conduct a risk assessment to determine the appropriate corporate security measures. The assessment helps to determine areas in which security needs to be addressed, how the security needs to be addressed, and the overall level of security that needs to be applied in order to implement adequate security controls. A risk assessment is a process whereby critical assets are identified and values are placed on the assets.
You determine how much each asset is at risk of being compromised and how much you need to upgrade or add to it to meet your business needs.
To develop a security policy that is not overly restrictive for users, that balances ease of use with a certain level of security, and that is enforceable both technically and organizationally, the policy should contain, at a minimum, some of the topics in the following list:
Acceptable use policy: Spells out what users are allowed and not allowed to do on the various components within the network; this includes the type of traffic allowed on the network. The policy should be as explicit as possible to avoid any ambiguity or misunderstanding.
Remote access policy: Spells out to users acceptable or unacceptable behavior when they have connected to the enterprise via the Internet, a dial-up connection, a virtual private network (VPN), or any other method of remote connectivity.
Incident handling policy: Addresses planning and developing procedures to handle incidents before they occur. This document also establishes a centralized group that serves as the primary point of contact when an incident happens. The incident handling policy can be contained within the security policy itself, but because of corporate structure it often exists as a separate sub-document of the security policy.
Internet access policy: Defines what the enterprise considers to be ethical, proper use of its Internet connection.
Email policy: Defines the acceptable use of the enterprise's email systems, including personal emails and Web-based email.
Physical security policy: Defines controls that pertain to physical device security and access.
Audits
After you've completed the enterprise security policy, the last step is to perform regular audits.
Audits not only give you a baseline by which to judge what is deemed as normal activity or network behavior, they also, in many cases, produce results that will be the first alert in the detection of a security breach. Noticing unusual events within the network can help to catch intruders before they can cause any further damage.
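The baseline-and-deviation idea described above can be shown in code. The following is an added example, not code from the original article: it learns per-user "normal" (known source addresses, usual login hours, typical daily login volume) from a prior audit window and then reports deviations in a later window. The log format, the two sample logs, and the SIGMA and FAIL_BURST thresholds are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data: a simplified audit log with one login event per line,
# "<ISO timestamp> <user> <source-ip> <success|failure>". Not real traffic.
BASELINE_LOG = """
2024-03-04T08:55:12 alice 10.0.0.5 success
2024-03-04T17:02:40 alice 10.0.0.5 success
2024-03-04T08:10:03 bob 10.0.0.7 success
2024-03-05T09:01:55 alice 10.0.0.5 success
2024-03-05T16:58:21 alice 10.0.0.5 success
2024-03-05T08:14:47 bob 10.0.0.7 success
2024-03-06T08:49:30 alice 10.0.0.5 success
2024-03-06T17:20:11 alice 10.0.0.5 success
2024-03-06T08:03:59 bob 10.0.0.7 success
"""

# Constructed later window to be audited against the baseline above.
AUDIT_LOG = """
2024-03-11T09:05:00 alice 10.0.0.5 success
2024-03-11T03:14:22 bob 198.51.100.23 success
2024-03-11T03:15:10 bob 198.51.100.23 success
2024-03-11T03:16:00 bob 198.51.100.23 success
2024-03-11T03:17:30 bob 198.51.100.23 success
2024-03-11T03:18:05 bob 198.51.100.23 success
2024-03-11T09:30:00 alice 10.0.0.5 failure
2024-03-11T09:30:05 alice 10.0.0.5 failure
2024-03-11T09:30:09 alice 10.0.0.5 failure
2024-03-11T17:10:44 alice 10.0.0.5 success
2024-03-11T10:00:00 carol 10.0.0.9 success
"""

SIGMA = 3.0     # assumed: flag a day whose login count exceeds mean + SIGMA * stdev
FAIL_BURST = 3  # assumed: flag this many or more failed logins for one user in one day


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def build_baseline(events):
    """Build a per-user profile of what the audit window considered normal."""
    ips = defaultdict(set)
    hours = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, user, ip, result in events:
        ips[user].add(ip)
        hours[user].add(ts.hour)
        if result == "success":
            per_day[user][ts.date()] += 1
    profile = {}
    for user in ips:
        counts = list(per_day[user].values()) or [0]
        profile[user] = {
            "ips": ips[user],
            "hours": hours[user],
            # Floor the spread at 1 so a perfectly regular baseline still tolerates small variation.
            "threshold": mean(counts) + SIGMA * max(pstdev(counts), 1.0),
        }
    return profile


def audit(events, profile):
    """Return sorted (user, reason) findings for activity that departs from the baseline."""
    findings = set()
    successes = defaultdict(lambda: defaultdict(int))
    failures = defaultdict(lambda: defaultdict(int))
    for ts, user, ip, result in events:
        if user not in profile:
            findings.add((user, "unknown user"))
            continue
        p = profile[user]
        if ip not in p["ips"]:
            findings.add((user, f"new source ip {ip}"))
        if ts.hour not in p["hours"]:
            findings.add((user, f"login at unusual hour {ts.hour:02d}"))
        bucket = successes if result == "success" else failures
        bucket[user][ts.date()] += 1
    for user, days in successes.items():
        limit = profile[user]["threshold"]
        for day, n in days.items():
            if n > limit:
                findings.add((user, f"{n} successful logins on {day} exceed baseline threshold {limit:.1f}"))
    for user, days in failures.items():
        for day, n in days.items():
            if n >= FAIL_BURST:
                findings.add((user, f"{n} failed logins on {day}"))
    return sorted(findings)


def run_audit(baseline_text=BASELINE_LOG, audit_text=AUDIT_LOG):
    """Learn the baseline from one window and audit another against it."""
    return audit(parse_log(audit_text), build_baseline(parse_log(baseline_text)))


if __name__ == "__main__":
    for user, reason in run_audit():
        print(f"{user}: {reason}")
```

Findings are deduplicated per user and reason so that a burst of events from one new address produces one line rather than one per event; in practice the baseline would be rebuilt periodically from audit results so that the threshold tracks genuine changes in normal usage rather than staying fixed.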