Network Security Policy Anna Nash MBA 737


Page 1: Network Security Policy

Anna Nash

MBA 737

Page 2: Agenda

- Overview
- Goals
- Components
- Success Factors
- Common Barriers
- Importance
- Questions

Page 3: Overview

A Network Security Policy:
- Provides rules for access to and proper use of computer and network resources
- Defines procedures to prevent and respond to improper use of network components, including associated data and systems

Page 4: Goals

The goal of a Network Security Policy is to:
- Strategically align network controls with enterprise business objectives in a value-added fashion
- Provide the appropriate mechanisms for effectively managing risk related to the network infrastructure and network-accessible assets
- Provide the metrics needed to ensure that network security risks are appropriately mitigated and access policies are effectively followed

Page 5: Components

Network security policies are subjective, developed to meet the specific goals and risks of each individual organization.

However, there are components common to all successful network security policies, including:
- Asset Management
- HR Security
- Physical Security
- Communications/Operations Management
- Access Control
- Software Security
- Incident Management
- Business Continuity Management
- Compliance

Page 6: Components: Asset Management

Asset Management is the set of policies and procedures designed to protect organizational assets.

Assets include information, software assets, physical assets, people and intangibles such as reputation.

Typical Asset Management Policies include:
- Inventory
- Ownership Assignment
- Defined Acceptable Use

Page 7: Components: HR Security

HR Security is the set of policies and procedures designed to ensure employees, contractors and third-party users understand their responsibilities and are an appropriate fit for their role(s) within the organization.

HR policies can be targeted to different timeframes:
- Prior to employment
- During employment
- Termination / Change of employment

Typical HR Security Policies include:
- Screening / Background Checks
- Security Awareness Training
- Disciplinary Processes
- Termination Responsibilities
- Removal of Access Rights

Page 8: Components: Physical Security

Physical Security is the set of policies and procedures designed to prevent unauthorized physical access, damage and interference to the organization’s physical premises and information.

Should also prevent loss or theft of physical assets.

Typical Physical Security Policies include:
- Physical entry policies
- Security of offices, rooms and facilities
- Equipment maintenance procedures
- Security of equipment off-premises
- Disposal or removal of property

Page 9: Components: Communications/Operations Management

Communications and Operations Management policies and procedures are designed to ensure the correct and secure operation of IT facilities.

This encompasses a broad set of controls including:
- Malicious code protection
- Back-Ups
- Network Controls
- Handling and Disposal of removable media
- Protection of information exchange including E-Mail
- Protection of on-line transactions
- Logging and Monitoring of systems to record security events

Page 10: Components: Access Control

Access Control policies and procedures are designed to control access to the organization’s information.

Access Control policies typically include:
- User access management
- User permission management
- Password management
- Reviews of access
- Authentication mechanisms
- Network separation and associated controls
- Telework controls and restrictions

Page 11: Components: Software Security

Software Security policies and procedures are designed to ensure security is an integral part of IT systems (both those systems provided by third parties, and those developed in-house).

Typical Software Security policies include:
- Security requirements
- Input data validation
- Output validation
- Integrity Checks
- Encryption Requirements
- Change Control
- Security Patching / Vulnerability Management

Page 12: Components: Incident Management

Incident Management policies and procedures are designed to ensure that security events are discovered, communicated and corrected in a timely manner.

Typical Incident Management policies include:
- Reporting of events
- Reporting of vulnerabilities and weaknesses
- Incident Handling and Recovery
- Reporting of lessons learned after incidents

Page 13: Components: Business Continuity Management

Business Continuity Management policies and procedures are designed to minimize the impact of system failures or disasters and to ensure timely recovery of critical systems.

Scope includes both preventative and recovery controls. The organization must understand the business impact of failures and disasters prior to formulating policies for prevention and recovery.

Typical Business Continuity Management policies include:
- Scope definition (requirements for critical business continuity)
- Continuity Plan
- Testing and maintenance of plan

Page 14: Components: Compliance

Compliance policies and procedures are designed to help the organization avoid breaches of any relevant laws or regulatory requirements.

Should also focus on avoiding contractual breaches and security requirement or policy violations.

Typical Compliance policies include:
- Documentation of applicable legislation
- Data protection (organization trade secrets, private personal information)
- Information System Audit controls

Page 15: Network Security Policy: Success Criteria

The success of a Network Security Policy is directly related to:
- Policy’s alignment with business objectives
- Support from management
- Employee awareness & acceptance of policy
- Enforceability of the policy
- Corporate dedication to treat the policy as a living document

Page 16: Network Security Policy: Common Barriers

Barriers common to unsuccessful Network Security Policies include:
- Lack of funding
- Lack of alignment with business objectives and organizational risk
- Idiots

Page 17: Importance

The risks surrounding network-based operations are increasing:
- Cyber attacks are growing both in frequency and severity
- There is a growing gap between the rate of technology adoption and the rate of controls adoption
- Convergence of technologies has led to a convergence of risk, increasing the potential impact of attacks
- The dependence on technology, particularly network operations, is similarly increasing

Page 18: Questions

?