Network Security Policy
Deploying a network security policy is a significant and serious undertaking. Making good decisions in this matter will save a great deal of money and prevent many future security issues on your network, while making incorrect or hasty decisions will lay the foundation for an insecure network infrastructure. Creating a network security policy will affect your organization in a number of ways, including (but not limited to):
- Financial. A new network security policy may require you to purchase new equipment and software, such as firewalls, IPS (intrusion protection/prevention system), anti-virus software, new routers, and more. You’ll likely also incur additional salary costs for security personnel trained to manage the new hardware and software.
- Network availability. You may have to install new hardware and software on your network to comply with a new network security policy, which may impact your overall network availability as you install and configure this infrastructure. Therefore, the process needs to be well planned to reduce risks, costs, and downtime for your clients and internal users.
- Usability. In almost every case, the security of a computer system is inversely related to its usability. As a result of your network security policy, you may reach a state where the usability of the network is drastically reduced. Your network security policy needs to balance security against usability, so that your security policy does not become so rigid that your users cannot perform their job functions.
- Legal. Depending on your country and the activity of your business, you may be required to comply with legislative measures such as HIPAA or Gramm-Leach-Bliley. You need to consider these regulations when designing your network security policy.
Before you can implement a new network security policy, you need to perform extensive planning and preparation, well ahead of writing documents and configuring new hardware or software. It is important to know your network: to understand the reasons for every network device, the vulnerabilities of every technology in use, the strength of each device, and the way devices are connected to each other.
It’s also crucial to understand how your network is going to be used, to know the requirements of your business, and to know how many and what kind of users will have access to the network. You should also understand why the network was installed (or is going to be installed) and whether you have sufficiently trained staff and budget to manage the network.
In any case, every network has its own requirements and objectives. Every network is different, and few of the countermeasures applied to reduce risk in one network will be directly applicable to another. The differences are easy to see when you compare a campus network in a large university with the network of a small office, or the network of a big enterprise with a small home network.
They are all networks, and they will perform the same basic operations; however, the security requirements may vary greatly. As with most matters relating to Information Technology, the budget available to you to enforce network security is a real issue when designing and implementing your policies and procedures.
Your requirements need to be sufficiently affordable for your company or client. Sometimes, it is better to generate a procedure that every user will need to know and follow, rather than try to implement a complex and expensive technical control. Many organizations now realize the need to have an articulated information security policy, to be more effective in their preventative, detective, and responsive security measures.
Moreover, because of government regulations, organizations in certain vertical industries are required to have formally documented information security policies. In addition, an information security policy is also extremely beneficial to the security manager because it provides, at an executive level, a mandated framework for ensuring the confidentiality, integrity, and availability of an organization’s information assets.
What this means is that the security manager has some weight in his or her corner for budget requests when he or she has an approved information security policy. Finally, for the security administrator, having a written and approved policy can ensure that you are able to deploy different technologies in a way that minimizes disruption to business.
Think of the written policy as a recipe to ensure you configure everything correctly. Moreover, a policy is the best way to ensure you will keep your job, should something happen. When tackling this issue, it’s also critical to keep in mind the differences between a security policy and a security procedure.
Your network security policy needs to be a high-level and fairly stable document that can withstand a certain amount of change to the operating systems your clients and servers are running, so you are not issuing changes to the policy every time Microsoft releases a new service pack.
You can implement network security procedures to support the security policy; these procedures will discuss specific operational or procedural details that will allow you to comply with the high-level security policy.
“All Internet-connected computers must be secured against malicious intrusion” is an example of an edict you might find in a network security policy, whereas “all Windows XP computers must have Service Pack 2 installed and the Windows Firewall enabled” is an example of a specific procedure you might put in place.