Network Security Policy Anna Nash MBA 737
Agenda Overview Goals Components Success Factors Common Barriers Importance Questions
Overview A Network Security Policy: Provides rules for access to and proper use of computer and network resources Defines procedures to prevent and respond to improper use of network components, including associated data and systems
Goals The goal of Network Security Policy is to: Strategically align network controls with enterprise business objectives in a value added fashion Provide the appropriate mechanisms for effectively managing risk related to the network infrastructure and network-accessible assets Provide the metrics needed to ensure that network security risks are appropriately mitigated and access policies effectively followed
Components Network security policies are subjective, developed to meet the specific goals and risks of each individual organization However, there are components common to all successful network security policies, including: Asset Management HR Security Physical Security Communications/Operations Management Access Control Software Security Incident Management Business Continuity Management Compliance
Components: Asset Management Asset Management is the set of policies and procedures designed to protect organizational assets Assets include information, software assets, physical assets, people and intangibles such as reputation Typical Asset Management Policies include: Inventory Ownership Assignment Defined Acceptable Use
Components: HR Security HR Security is the set of policies and procedures designed to ensure employees, contractors and third party users understand their responsibilities and are an appropriate fit for their role(s) within the organization. HR policies can be targeted to different timeframes Prior to employment During employment Termination / Change of employment Typical HR Security Policies include: Screening / Background Checks Security Awareness Training Disciplinary Processes Termination Responsibilities Removal of Access Rights
Components: Physical Security Physical Security is the set of policies and procedures designed to prevent unauthorized physical access, damage and interference to the organization’s physical premises and information Should also prevent loss or theft of physical assets Typical Physical Security Policies include: Physical entry policies Security of offices, rooms and facilities Equipment maintenance procedures Security of equipment off-premises Disposal or removal of property
Components: Communications/Operations Mgt. Communications and Operations Management policies and procedures are designed to ensure the correct and secure operation of IT facilities This encompasses a broad set of controls including: Malicious code protection Back-Ups Network Controls Handling and Disposal of removable media Protection of information exchange including Protection of on-line transactions Logging and Monitoring of systems to record security events
Components: Access Control Access Control policies and procedures are designed to control access to the organization’s information Access Control policies typically include: User access management User permission management Password management Reviews of access Authentication mechanisms Network separation and associated controls Telework controls and restrictions
Components: Software Security Software security policies and procedures are designed to ensure security is an integral part of IT systems (both those systems provided by third parties, and those developed in-house) Typical Software Security policies include: Security requirements Input data validation Output validation Integrity Checks Encryption Requirements Change Control Security Patching / Vulnerability Management
Components: Incident Management Incident Management policies and procedures are designed to ensure that security events are discovered, communicated and corrected in a timely manner Typical Incident Management policies include: Reporting of events Reporting of vulnerabilities and weaknesses Incident Handling and Recovery Reporting of lessons learned after incidents
Components: Business Continuity Management Business Continuity Management policies and procedures are designed to minimize the impact of system failures or disasters and to ensure timely recovery of critical systems Scope includes both preventative and recovery controls Organization must understand the business impact of failures and disasters prior to formulating policies for prevention and recovery Typical Business Continuity Management policies include: Scope definition (requirements for critical business continuity) Continuity Plan Testing and maintenance of plan
Components: Compliance Compliance policies and procedures are designed to help the organization avoid breaches of any relevant laws or regulatory requirements. Should also focus on avoiding contractual breaches and security requirements or policy violations Typical Compliance policies include: Documentation of applicable legislation Data protection (organization trade secrets, private personal information) Information System Audit controls
Network Security Policy: Success Criteria The success of a Network Security Policy is directly related to: Policy’s alignment with business objectives Support from management Employee awareness & acceptance of policy Enforceability of the policy Corporate dedication to treat the policy as a living document
Network Security Policy: Common Barriers Barriers common to unsuccessful Network Security Policies include: Lack of funding Lack of alignment with business objectives and organizational risk Idiots
Importance The risks surrounding network based operations are increasing: Cyber attacks are growing both in frequency and severity There is a growing gap between the rate of technology adoption and the rate of controls adoption Convergence of technologies has led to a convergence of risk, increasing the potential impact of attaches The dependence on technology, particularly network operations, is similarly increasing
Questions ?