
Security Policy Starting Points

November 24, 2012

Security is typically distributed, and security mechanisms should be built into all layers of the enterprise infrastructure. Security policies should describe the rules of the road for the following types of technology systems:

  • Encryption mechanisms
  • Access control devices
  • Authentication systems
  • Virtual Private Networks (VPNs)
  • Firewalls
  • Messaging systems
  • Anti-virus systems
  • Web sites
  • Gateways
  • Mission-critical applications
  • End-user desktops
  • DNS servers
  • Routers and switches

All security policies need to be written down. Policies that exist in someone’s head are not really policies. When your organization has finished developing security policies, and right when you think you can breathe easy, it will be time to update your security policies. Since most IT organizations are deploying new technology continuously and retiring old systems, you will have to make sure your security policies still make sense for your new infrastructure. Similarly, when you are evaluating new equipment for possible procurement, you will want to make sure that the new equipment can properly be configured to meet your security requirements — if it can’t, you may want to consider procuring alternative products.

Some products and modules built into operating systems are designed specifically to configure and enforce security policies. Windows 2000 uses security templates (also called .inf files) to automatically configure security policies on servers and desktops. There are also third-party enterprise management tools that are designed specifically for security policy configuration, distribution, and enforcement. These products should undergo a thorough evaluation and analysis process before expensive procurement decisions are made.

Security controls are mechanisms put into place to enforce security policies.

www.bestitdocuments.com