Security Policy Goals

In general, security policy goals can be summarized as five: a guide used by administrators in planning security efforts and responses; a guide to the technical team that configures the equipment; a guide for defining responsibilities and sanctions for users and administrators; a guide for defining consequences for violating the policies; and a guide for determining responses and escalations to recognized threats. Each specific goal is as follows:

• Goal 1 The first goal of the security policy is to guide the technical team by defining the requirements for the network and aid in the selection of equipment. The policy should define which functions a solution must perform, but not specify which solutions the technical team should implement. Because the security policy is not a technical document, a good policy does not dictate the exact equipment or configurations employed. For example, a good policy does not state that a Cisco PIX 515E Firewall will be used. Instead, the policy needs to define the minimum requirements for perimeter security, such as using a stateful inspection, proxy-based, or hybrid firewall.

• Goal 2 The second goal of the policy is to guide the technical team in configuring the equipment. For example, a security policy might state that the technical team should use its best effort to ensure that users cannot view websites that violate the acceptable use policy. However, the policy should identify forbidden content without listing which specific websites are acceptable and unacceptable.

• Goal 3 The third goal of the security policy is to define the responsibilities for users, administrators, and managers. Clearly defined responsibilities allow management and technical personnel to measure the performance of security efforts. When people know what is expected of them, they usually respond accordingly. Much of this would be addressed in the organization's acceptable use policy.

• Goal 4 The fourth goal of a security policy is to define consequences for violating the policies. If the security policy states that no programs will be downloaded from the Internet, for example, a stated penalty must apply to violations of that policy. This penalty allows users to understand that consequences apply to their actions.

• Goal 5 The fifth goal of a good policy is to define responses and escalations to recognized threats. Knowing how a threat is to be dealt with enables personnel to plan for the event. Failure to plan for a threat can result in confusion should that threat ever become a reality. Additionally, it is important to define escalation procedures for problems that are more difficult to pinpoint on the network. It is important that each member of the organization understand which steps to take in the event of a problem on the network.

Now that the general goals of the security policy have been discussed, it's time to consider some guidelines for a successful policy.

