When you are developing security policies for an organization, RFC 2196 can serve as a
guide for developing security processes and procedures. This RFC lists issues and factors
that an organization must consider when setting its policies. Organizations need to make
many decisions and come to agreement when creating their security policy.
Basic Approach of a Security Policy
To help create a security policy, here is a generally accepted approach from RFC 2196:
Step 1. Identify what you are trying to protect.
Step 2. Determine what you are trying to protect it from.
Step 3. Determine how likely the threats are.
Step 4. Implement measures that protect your assets in a cost-effective manner.
Step 5. Review the process continuously, and make improvements each time a weakness is found.
Purpose of Security Policies
One of the main purposes of a security policy is to describe the roles and requirements
for securing technology and information assets. The policy defines the ways in which
these requirements will be met.
There are two main reasons for having a security policy:
It provides the framework for the security implementation:
  Identifies assets and how to use them
  Defines and communicates roles and responsibilities
  Describes tools and procedures
  Clarifies incident handling of security events
It creates a security baseline of the current security posture:
  Describes permitted and unpermitted behaviors
  Defines consequences of asset misuse
  Provides cost and risk analysis
Here are some questions you might need to ask when developing a security policy:
What data and assets will be included in the policy?
What network communication is permitted between hosts?
How will policies be implemented?
What happens if the policies are violated?
How will the latest attacks impact your network and security systems?