Security Policy Overview

A Simple Overview of a Security Policy

A security policy is the foundation on which an effective security infrastructure is built.
Without one, a firewall cannot be configured meaningfully: there is no agreed basis for
deciding which traffic should be allowed and which should be denied.

An infrastructure with an effective security policy:
–> Secures resources, including information and systems
–> Gives employees clear rules about acceptable use, so they know what is expected of them
–> Determines what traffic your firewall will allow or deny

A security policy is the first line of defense in establishing a secure
systems infrastructure. It must provide clear guidelines that apply to the
entire organization, not just to the IT department.

To reduce risk, the following steps should be followed:
–> Classify your systems (if a system were breached, what effect would this have
on the network? Example: an exposed server poses a much greater risk than an
exposed user desktop)
–> Determine security policies for each system.
–> Assign risk factors.
–> Define acceptable and unacceptable activities.
–> Educate employees about security.
–> Determine who owns and administers the policy, including who approves exceptions.

After the risks and priorities of all resources have been determined, the
security policy should be documented on a resource-by-resource basis, with
the most critical resources receiving the most detailed and stringent
protections.

Systems Classifications

Level I:
Systems that are central to the business's operation. Ex: email
server, web server, employee database, user account database.

Level II:
Systems that are needed but not critical to daily operation. A system
that could be offline for a day or two without crippling the company is an
example of Level II Classification.

Level III:
A local desktop is an example of this, as long as a compromise of that
computer does not affect Level I or Level II systems. A desktop used to
administer a Level I or Level II system should be classified at that higher level.
