Security Policies

Security Policies
Security policies are created based upon the security philosophy of the organization. The
policy should be a “top-down” policy that is consistent, understandable (nontechnical),
widely disseminated within the organization, and fully supported by management. The
technical team uses the security policy to design and implement the organization’s security
structure. The security policy is a formal statement that specifies a set of rules required for
gaining access to network assets. The security policy is not a technical document; it is a
business document that lays out the permitted and prohibited activities and the tasks and
responsibilities regarding security. The network security policy is the core of the network
security process. Every organization that maintains networked assets should have a written
network security policy. At a minimum, that policy should fulfill the following objectives:
■ Analyze the threat based on the type of business performed and type of network
exposure
■ Determine the organization’s security requirements
■ Document the network infrastructure and identify potential security breach points
■ Identify specific resources that require protection and develop an implementation plan
12 Chapter 1: Network Security
The security process is the implementation of the security policy. It is broken into four steps
that run continuously, as shown in Figure 1-1. It is important to emphasize that this is a
continuous process, that each step leads to the next, and that you should evaluate the results
of each step and constantly improve your security posture.