
Why should I bother with a Security Policy?

February 14, 2009

The image that most frequently comes to mind when discussing security is that of the great firewall standing guard at the entrance to your network, fending off attacks from malevolent hackers. Although a firewall will play a crucial role, it is only a tool that should be part of a more comprehensive strategy, which is necessary in order to responsibly protect the data on your network. For one thing, knowing how to set up a firewall to allow the communications you want to come through while safeguarding other data is a very tough nut to crack. Even if you do have the skills and expertise necessary to set up the firewall correctly, it may be impossible to know the risks management is willing to take with the data and to determine the amount of inconvenience to withstand in order to protect it. You also must consider how to secure the hosts being accessed. Even with firewall protection, there is no guarantee that some vulnerability won’t develop. And most likely there is more than one device at stake.

Modems, for example, may provide an access point to your network that completely bypasses your firewall. In fact, a firewall may increase the likelihood that someone will set up a modem for access to the Internet through another Internet service provider (ISP), because of the restrictions that your firewall may impose upon them (something to keep in mind when you are setting up your firewall to begin with).

You may be imposing restrictions, or “protection,” that turn out to be unnecessary once the consequences are clearly understood as a business case. On the other hand, the risks may justify the increased restrictions and ensuing inconvenience. But unless the user has some awareness of these dangers and understands the clear consequences of adding risk, there may not be much you can do.

Legal issues also arise. What legal obligations do you have to protect your data? If you are in a publicly traded company you have some definite responsibilities in this regard.

Securing your data involves more than plugging in a firewall with a slick GUI interface. What you need is a comprehensive plan of defense. And you need to communicate this plan in a manner that will be meaningful to management and end users. This requires education and training along with clearly spelled out consequences for violations. It is called a “security policy” and is the first step to responsibly securing your network. The policy may include installing a firewall, but you will want to define your security policy first. You should not have to design your security policy around the limitations of your firewall.

Writing the security policy is not a trivial task. It not only requires that technical personnel understand all the vulnerabilities that are involved, but also requires that they effectively communicate with management. Management must ultimately decide how much risk should be taken with the company’s assets, and how much expense should be incurred both in real dollars and inconvenience, in order to minimize the risks. It is the responsibility of technical personnel to make sure that management understands the implications of adding access to the network and to applications on the network, so that management has enough information to make these decisions. If the security policy does not come from the top, it will be difficult to enforce even minimal security measures.

For instance, employees may become upset if they suddenly have to supply logins and passwords where they did not before, or are prohibited from particular types of Internet access. It is better to deal with these issues ahead of time and put the policy in writing.

The policies can then be communicated to the employees by management. Otherwise, employees will not take it seriously, or you will have constant political battles within the company regarding this issue. Not only will these battles have a negative impact on productivity, it is less likely that rational decision-making will be able to prevail in the heat of political turf wars.

The development of a security policy can be a highly charged political process, but once such a policy is in writing you’ll find that less time will be spent debating it. This does not mean that it can be done in a vacuum and imposed upon the organization. The needs of all groups within the company must be realistically considered. Employing the services of a reputable outside contractor may help to provide some needed objectivity that can overcome some of these difficulties.

https://www.bestitdocuments.com/Samples