Defining a Network Security Policy

You just received the task to define a network security policy for your network. You need to think about several topics before defining your new network security policy. A good way to start is to think about your organization. How well do you know your organization’s business processes, both as an individual company and the needs and requirements of its industry as a whole?

Sometimes, when an information security engineer or a consultant is asked to design a network security policy, he or she realizes that it is imperative to develop a better understanding of the organization before beginning. To be able to design a useful network security policy, you need to know what the network is designed for.

You need to design and deploy a network security policy that secures a company’s resources, while still allowing people to do their jobs. Therefore, think about the department, the business, what the company produces or sells, whether the business is seasonal or cyclical, or if its activity remains roughly the same year round. Does the company have any business with foreign customers, vendors, or business partners?

Are any governments involved in the operations of the business, and does the business require any kind of government security accreditation or clearance? For example, imagine an organization that uses a remote access server that authenticates users with passwords.

Does the network security policy reference the proper procedures in case of a forgotten password, or do users know whether they should call their boss, the IT department, or even the Information Security office for a new password?

In an organization with a well-defined network security policy, users will have a procedure to follow to get a new password. That procedure needs to be secure enough to guarantee the password is being given to the right person and not to an intruder! It is nearly impossible to define a “typical” organization, as all are different. As such, you need to develop a way to define your own organization.

You can choose several criteria, such as the size of the company, its geographical location, the different activities it performs, and so forth. Regardless of any idiosyncrasies that make your organization different from one down the street or across the country, you should always develop your network security policy as a means to protect your company’s assets while allowing it to perform its needed tasks—not simply focus on closing ports, denying Internet access, and the like.

Before you can begin to create a network security policy, you should perform a security assessment of your organization and its assets. There are two distinct parts to this process: audit and assessment. An assessment is intended to look for issues and vulnerabilities that can be mitigated, remediated, or eliminated prior to a security breach.

An audit is normally conducted after an assessment with the goal of measuring compliance with policies and procedures. Typically, someone is held accountable for audit results. Some people don’t like the term auditing; perhaps it’s too reminiscent of ol’ Uncle Sam scouring through your tax return from three years ago when you claimed that one vacation as a business trip because you talked to your boss on your cell phone while waiting for the shuttle to your beachfront hotel.

Although the terms assessment and audit are often used interchangeably, in this chapter we focus on assessments. Throughout the audit and assessment phase, remember that there are three primary components of IT security: people, process, and technology. A balanced approach addresses all three areas; focusing on one area to the exclusion of others creates security holes.

People, including senior management, must buy into the importance of security, and must understand and participate in maintaining it. The process includes all the practices and procedures that occur and recur to keep the network secure. Technology obviously includes all hardware and software that comprises the network infrastructure.

Part of the technology assessment required to assess and harden infrastructure security includes deploying the right technological solutions for your firm and not the “one size fits all” or the “it was all we could afford” solution. In IT, we often focus a disproportionate amount of time and energy on securing the technology and overlook the importance of people and process to the overall security environment.

To secure your infrastructure, you need to understand its building blocks. These include:

  • Network perimeter protection
  • Internal network protection
  • Intrusion monitoring and prevention
  • Host and server configuration
  • Protection against malicious code
  • Incident response capabilities
  • Security policies and procedures
  • Employee awareness and training
  • Physical security and monitoring

Security assessments should begin by looking at the overall environment in which security must be implemented. Looking at the relative importance of your company’s information is a good starting point, because you need to find the right balance between security and information criticality. As part of that analysis, you also need to look at the impact of a network infrastructure intrusion and what it would cost to defend and repair.

You need to define the various systems you have in place and look at how information flows through your organization to understand the infrastructure you’re trying to protect. Finally, you need to create an initial assessment of scope to define what is and is not included in your project.