What can be more important than having a secure Network? That’s right – “A Network Security Policy” or simply call it IT policy. Every organization; may it be an Enterprise or SMB; which has an IT infrastructure is bound to have a Network Security Policy which in simple terms describes acceptable computer, network and internet usage as well as steps to protect network resources and organizational assets.
Security policies have to be long, detailed and complex – says who? The point of having policies is to make the target audience aware not only about the rules and regulations that govern your organization but also make sure that end-users know the hierarchy of access permissions. In the end, it is a manual written primarily to address IT needs. I want my end-users to actually read and understand the policy/s. Though we have a fairly compressed version (4 single-sided pages) specifically related to IT/Network, it is a part of larger handbook that has set of regulations for operating policies, general security policies, standard operating procedures, safety policies and so on. I am not referring to documentations which have plans and procedures or further drill down to guidelines or processes. I have specifically mentioned the word policy as against plan or guidelines. This is because when we write network security policy, it is mostly high-level strategy for target audience who don’t need to know the technical details. For example, letting end-users know that their internet usage is controlled and monitored.
When it comes to Network Security policies, can you ever say that you have completed writing the policy? Every day there are new security risks, so as the threats evolve as does your policy over the period of time. I have been working on our policy since I have started work here at my current organization which has been 2 years now.
Coming to the components of a Network Security Policy – let’s see if I have successfully covered the basics. This is what I have as a high-level security policy – acceptable usage, access control, authentication (password), software compliance, monitoring, remote access, incident response, email and web, and last but the most important – end-user awareness. While most of this is what all of you might already have in your policies, I mentioned end-users as most important because these are those users who may or may not be IT literate but either ways, are the most serious threat to your organization’s network security – unintentionally or otherwise. Though the above mentioned components would probably best describe small and medium business, they all would be included in the policy for large businesses as well.
I am not writing this article to teach any one about what needs to be in their security policy, you already know that but I am simply trying to assess the need for one. Before thinking about the fact if your network is secure, please take a minute to evaluate if your network security policy is feasible and how far does it extend. Have you written this policy only for your internal users or have you considered contract-based employees or 3rd party vendors who provide specialized support. We have both and I needed to include them in our policy, to safeguard our data and control their access; but that becomes a part of the larger plan. Who makes decisions when it comes to writing or updating the policy? As an IT person, are you able to involve higher management in policy creation? Are you able to successfully enforce the policy – what is the reaction of the general masses? There has always been an unspoken rule about following the policy but how do we penalize those who rebel against such policies.
As a conclusion, I believe that such a policy must be regularly evaluated so as to achieve a realistic business environment and not just regulate user-driven outcome.
You can find a refined (proof-read by experts) version of this article here. This article was originally written for “Spotlight on IT” series on Spiceworks Community Forum.
techcity 