Lack of Effective Network Security Policy

Because a network security policy directs administrators regarding how communications should be enabled and implemented, this policy serves as the basis for all security efforts. Security policies have weaknesses for a number of reasons, including the following:

• Politics: Politics within an organization can cause a lack of consistency within the security policies or, worse, a lack of uniform application of the security policies. Many security policies make so many exceptions for management and business owners that they become meaningless.

• Lack of a written security policy: The lack of a written security policy is essentially the same as not having any policy. Publishing and widely distributing the security policy prevents confusion about it within the organization.

• Lack of continuity: When personnel change too frequently, people often take less care regarding the enforcement of security policies. When a system administrator leaves a position, for example, all the passwords used by that administrator should be changed. In an organization that changes administrators several times each year, there is a natural reluctance to change the passwords, because users know that administrator turnover will soon force them to be changed again.

• Lack of disaster recovery planning: A good disaster recovery plan must include contingencies for security breaches. Confusion that results from a disaster can hamper the success of forensics efforts because administrators might not be careful in their recovery efforts.

• Lack of patch management within the security policy: A good security policy allows for frequent hardware and software upgrades. A detailed procedure for implementing new hardware and software ensures that security is not forgotten while new equipment and software are being deployed.

• Lack of monitoring: Failure to monitor logs and intrusion detection systems (IDS) exposes many organizations to attack without any knowledge that those attacks are occurring.

• Lack of proper access controls: Unauthorized network access is made easier when poorly designed access controls are implemented on the network. Improper password length, infrequent password changes, passwords written on sticky notes adhered to monitors, and freely shared passwords are security risks that potentially can lead to security breaches.
