Deploying a network security policy

an article added by: Gustaf Grube at 11202007




Deploying a network security policy is a significant and serious undertaking. Making good decisions in this matter will save a great deal of money and prevent many future security issues on your network, while making incorrect or hasty decisions will lay the foundation for an insecure network infrastructure. Creating a network security policy will affect your organization in a number of ways, including (but not limited to):

  

- Financial: A new network security policy may require you to purchase new equipment and software, such as firewalls, IPS (intrusion protection/prevention system), anti-virus software, new routers, and more. You’ll likely also incur additional salary costs for security personnel trained to manage the new hardware and software.

- Network availability: You may have to install new hardware and software on your network to comply with a new network security policy, which may impact your overall network availability as you install and configure this infrastructure. Therefore, the process needs to be well planned to reduce risks, costs, and downtime for your clients and internal users.

- Usability: In almost every case, the security of a computer system is inversely related to its usability. As a result of your network security policy, you may reach a state where the usability of the network is drastically reduced. Your network security policy needs to balance security against usability, so that your security policy does not become so rigid that your users cannot perform their job functions.

- Legal: Depending on your country and the activity of your business, you may be required to comply with legislative measures such as HIPAA or Gramm-Leach-Bliley. You need to consider these regulations when designing your network security policy.

Before you can begin to implement a new network security policy, you need to perform extensive planning and preparation before writing documents and configuring new hardware or software. It is important to know your network, to understand the reasons for every network device, to know the vulnerabilities of every technology in use, the strength of each device, and the way devices are connected to each other. It’s also crucial to understand how your network is going to be used, to know the requirements of your business, and to know how many and what kind of users will have access to the network. You should also understand why the network was installed (or is going to be installed) and whether you have sufficiently trained staff and budget to manage the network.

In any case, every network has its own requirements and objectives. Every network is different, and not many countermeasures applied in one network to reduce the risks to it will be directly applicable to another network. It is easy to find the differences between a campus network in a large university and the network of a small office, the network of a big enterprise or that of a small home network. They are all networks, and they will perform the same basic operations; however, the security requirements may vary greatly.

As with most matters relating to Information Technology, the budget available to you to enforce network security is a real issue when designing and implementing your policies and procedures. Your requirements need to be sufficiently affordable for your company or client. Sometimes, it is better to generate a procedure that every user will need to know and follow, rather than try to implement a complex and expensive technical control.

Many organizations now realize the need to have an articulated information security policy, to be more effective in their preventative, detective, and responsive security measures. Moreover, because of government regulations, organizations in certain vertical industries are required to have formally documented information security policies. In addition, an information security policy is also extremely beneficial to the security manager because it provides, at an executive level, a mandated framework for ensuring the confidentiality, integrity, and availability of an organization’s information assets. What this means is that the security manager has some weight in his or her corner for budget requests when he or she has an approved information security policy.

Finally, for the security administrator, having a written and approved policy can ensure that you are able to deploy different technologies in a way that minimizes disruption to business. Think of the written policy as a recipe to ensure you configure everything correctly. Moreover, a policy is the best way to ensure you will keep your job, should something happen.

When tackling this issue, it’s also critical to keep in mind the differences between a security policy and a security procedure. Your network security policy needs to be a high-level and fairly stable document that can withstand a certain amount of change to the operating systems your clients and servers are running, so you are not issuing changes to the policy every time Microsoft releases a new service pack. You can implement network security procedures to support the security policy; these procedures will discuss specific operational or procedural details that will allow you to comply with the high-level security policy. “All Internet-connected computers must be secured against malicious intrusion” is an example of an edict you might find in a network security policy, whereas “all Windows XP computers must have Service Pack 2 installed and the Windows Firewall enabled” is an example of a specific procedure you might put in place.

Defining Your Organization

You just received the task to define a network security policy for your network. A good way to start is to think about your organization. How well do you know your organization’s business processes, both as an individual company and the needs and requirements of its industry as a whole? Sometimes, when an information security engineer or a consultant is asked to design a network security policy, he or she realizes that it is imperative to develop a better understanding of the organization before beginning. To be able to design a useful network security policy, you need to know what the network is designed for. You need to design and deploy a network security policy that secures a company’s resources, while still allowing people to do their jobs. Therefore, think about the department, the business, what the company produces or sells, whether the business is seasonal or cyclical, or if its activity remains roughly the same year round. Does the company have any business with foreign customers, vendors, or business partners? Are any governments involved in the operations of the business, and does the business require any kind of government security accreditation or clearance?

For example, imagine an organization that uses a remote access server that’s based on passwords. Does the network security policy reference the proper procedures in case of a forgotten password, or do users know whether they should call their boss, the IT department, or even the Information Security office for a new password? In an organization with a well-defined network security policy, users will have a procedure to follow to get a new password. That procedure needs to be secure enough to guarantee the password is being given to the right person and not to an intruder!

NOTE

A password recovery procedure needs to be secure, but sufficiently flexible to allow your users to recover a password and continue working even if they are away from the office or working remotely. Consider using telephone security checks or other offline methods for password resets.

It is nearly impossible to define a “typical” organization, as all are different. As such, you need to develop a way to define your own organization. You can choose several criteria, such as the size of the company, its geographical location, the different activities it performs, and so forth. Regardless of any idiosyncrasies that make your organization different from one down the street or across the country, you should always develop your network security policy as a means to protect your company’s assets while allowing it to perform its needed tasks, not simply to focus on closing ports, denying Internet access, and the like.

Before you can begin to create a network security policy, you should perform a security assessment of your organization and its assets. There are two distinct parts to this process: audit and assessment. An assessment is intended to look for issues and vulnerabilities that can be mitigated, remediated, or eliminated prior to a security breach. An audit is normally conducted after an assessment with the goal of measuring compliance with policies and procedures. Typically, someone is held accountable for audit results. Some people don’t like the term auditing; perhaps it’s too reminiscent of ol’ Uncle Sam scouring through your tax return from three years ago when you claimed that one vacation as a business trip because you talked to your boss on your cell phone while waiting for the shuttle to your beachfront hotel.

Although the terms assessment and audit are often used interchangeably, in this article we focus on assessments. Throughout the audit and assessment phase, remember that there are three primary components of IT security: people, process, and technology. A balanced approach addresses all three areas; focusing on one area to the exclusion of others creates security holes. People, including senior management, must buy into the importance of security, and must understand and participate in maintaining it. The process includes all the practices and procedures that occur and reoccur to keep the network secure. Technology obviously includes all hardware and software that comprises the network infrastructure. Part of the technology assessment required to assess and harden infrastructure security includes deploying the right technological solutions for your firm and not the “one size fits all” or the “it was all we could afford” solution. In IT, we often focus a disproportionate amount of time and energy on securing the technology and overlook the importance of people and process to the overall security environment.

To secure your infrastructure, you need to understand its building blocks. These include:

- Network perimeter protection

- Internal network protection

- Intrusion monitoring and prevention

- Host and server configuration

- Protection against malicious code

- Incident response capabilities

- Security policies and procedures

- Employee awareness and training

- Physical security and monitoring

Security assessments should begin by looking at the overall environment in which security must be implemented. Looking at the relative importance of your company’s information is a good starting point, because you need to find the right balance between security and information criticality. As part of that analysis, you also need to look at the impact of a network infrastructure intrusion and what it would cost to defend and repair. You need to define the various systems you have in place and look at how information flows through your organization to understand the infrastructure you’re trying to protect. Finally, you need to create an initial assessment of scope to define what is and is not included in your project.
