Simplistic Overview of a Security Policy
A security policy is used to build an effective security infrastructure.
Without an effective security policy, a firewall implementation is ineffective.
An infrastructure with an effective security policy:
–> Secures resources, including information and systems
–> Improves employee performance
–> Determines what traffic your firewall will allow or deny.
A security policy is the first line of defense in establishing a secure
systems infrastructure. It must be effective in providing guidelines for the
To reduce risk, the following steps should be followed:
–> Classify your systems (If a system were breached, what effect would this have
on the network? Example: An exposed server poses a much greater risk than an
exposed user desktop.)
–> Determine security policies for each system.
–> Assign risk factors.
–> Define acceptable and unacceptable activities.
–> Educate employees about security.
–> Determine who administers the policy.
After a determination is made as to the risks and priorities of all resources,
the security policy should be documented on a resource-by-resource basis, with
the most critical resources requiring the most detailed and stringent
Level I: Systems that are central to the business's operation. Ex: email
server, web server, employee database, user account database.
Level II: Systems that are needed but not critical to daily operation. A system
that could be offline for a day or two without crippling the company is an
example of Level II classification.
Level III: A local desktop is an example of this, as long as this computer does
not affect Level I or Level II systems.
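The caveat above (a desktop belongs in the lowest tier only if it cannot affect Level I or Level II systems) can be checked mechanically by letting each system inherit the classification of everything it can affect, directly or transitively. The following is an added example, not part of the original page; the sample inventory, the "affects" links and the name Level III for the lowest tier are constructed assumptions.

```python
"""Classification propagation for the three-tier scheme described above.

Added example, not from the original page. Sample inventory, dependency
links and the name "Level III" for the lowest tier are constructed.
"""
from enum import IntEnum


class Level(IntEnum):
    """Higher value = more critical."""
    III = 1  # local desktop that affects nothing above it (assumed name)
    II = 2   # needed, but can be offline a day or two
    I = 3    # central to operations (email, web, user-account DB)


def effective_level(system, declared, affects):
    """Return the classification a system must actually be given.

    A system inherits the level of every system it can affect, directly or
    transitively: a desktop that can reach the user-account database must
    be treated as Level I, per the caveat in the text.
    """
    seen = set()
    stack = [system]
    best = declared[system]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        best = max(best, declared[cur])
        stack.extend(affects.get(cur, ()))
    return best


# Constructed sample inventory: declared tier per system.
DECLARED = {
    "email-server": Level.I,
    "user-account-db": Level.I,
    "print-server": Level.II,
    "admin-desktop": Level.III,  # declared III, but see its links below
    "kiosk-desktop": Level.III,
}

# Constructed dependency links: "X affects Y" (X can disrupt or control Y).
AFFECTS = {
    "admin-desktop": ["print-server"],
    "print-server": ["user-account-db"],  # shares an admin credential (assumed)
}


def classify_all(declared=DECLARED, affects=AFFECTS):
    """Map every system to its effective level, exposing under-classified ones."""
    return {name: effective_level(name, declared, affects) for name in declared}
```

Any system whose effective level exceeds its declared level is under-classified and needs the stricter policy of the tier it inherits.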