Most organizations have some sort of high-level security policy that addresses the different types of information they hold, how that information should be handled, and who should be handling it. This security policy is essentially a set of rules and practices that control network assets and the information within the network, and that govern how this information is managed, protected, and distributed within the organization. Refining this policy is necessary to define what counts as acceptable behavior with respect to the information, which in turn mitigates risks and threats.
The process of refining an implementable security policy involves many choices and decisions, from executive-level decisions concerning organization objectives to network and computer hardware implementation choices. Through this process, there will be many representations of the policy. At the higher levels, the policy is likely to be written in a natural language, which is easy to understand in a general way. At some point, a precise formal or technical language restatement in a security policy model may be done.
The security policy cycle involves three phases: Phase One: vulnerability assessment, Phase Two: creation of the security policy, and Phase Three: compliance monitoring and evaluation.
The vulnerability assessment is the largest portion of the cycle and involves a lot of information gathering, which spans asset and threat identification, vulnerability appraisal, and risk assessment and mitigation.
Vulnerability assessments can be long and grueling, but they are very important when developing a security policy. All assets that are critical to the organization's processes must be identified. Assets include physical assets such as servers, firewalls, switches, and workstations. An asset can also be the data that travels over the network. Next, a value must be assigned to each asset, whether it is a $10,000 rack server, an office desk, or even a $5 USB flash drive.
A careful analysis of these assets and processes will help to identify threats and vulnerabilities. A security baseline tool will help analyze your systems for vulnerabilities and give you a risk probability for each specific type of attack or exploit. Having this baseline will help an organization continually improve and compare results over time to ensure that nothing has been overlooked. Threats do not exist only externally, such as hackers; they can be internal as well. A threat can be anything that could harm an organization and its assets. Resolving, or at least mitigating, the risk from the highest-ranked threats must be the top priority.
Risk assessment and mitigation are the final steps in Phase One. This step identifies the risks that would result from a threat or vulnerability being realized and determines how to remedy or minimize the resulting damage. Although most risks can never be entirely avoided, knowing what actions to take will help to improve security and processes.
Phase Two compiles the information gathered in Phase One and uses it to create the security policy. As mentioned at the beginning, a security policy is essentially a document that helps an organization securely manage its information systems. The security policy presents the organization with threat prevention actions and rules for the proper handling of sensitive data, and it sets the rules and guidelines that all employees must follow to ensure that the security requirements are met.
The final phase of the cycle involves reviewing the policy and continually improving it once it has been implemented and tested. A security policy will constantly change as new threats are identified. Having employees who are vigilant and report security issues will help the organization. Auditing can be a powerful tool for those who enforce the security policy and must ensure that everything is compliant. Constant monitoring and evaluation of the policy, and of the organization's network from a security standpoint, is a must. The security policy should also state how often it is reviewed.
In the end, it is the job of the employees to follow the security policy and the job of the IT personnel to enforce it. Along with the development and implementation of the security policy, awareness and training are essential. The security policy determines what needs protection, what threats it is being protected from, and how to protect it. Constant review of the policy will ensure that an organization is able to adapt to ever-changing threats.