Enterprise Security Policy and Standards
An enterprise’s security policy document provides the framework for the deployment of security technology within the enterprise. It is a key responsibility of the security officer to align business and corporate objectives with security requirements in the development of the security policy document.
The security officer identifies the parts of the network and the systems that are trusted and thus do not require any security services. The enterprise security team must clearly identify restricted network segments as well as the demilitarized zone (DMZ).
The security officer identifies all security requirements for an enterprise. Careful planning and awareness of the types of threats that a system might experience are key to defining a security policy that leads to a secure environment.
An enterprise security document includes sections such as:
- Risk management and security principles
- Security-related organizational roles and responsibilities
- Planning processes and risk assessment
- Information classification
- Non-employee personnel and security
- Application communications
- Viruses and malicious code
- Physical security
- Incident reporting
Enterprise TCP/IP Security Policy
Every organization must develop its own customized TCP/IP security policy to describe corporate policy for each and every protocol and network device that communicates on the enterprise TCP/IP network. Each section of the TCP/IP security policy document must cover three areas: overview (of the protocol), recommendation (for use of the protocol on the enterprise network) and reasoning (justifying the recommendation).
An enterprise TCP/IP security policy includes the following core elements:
- Defining the security perimeter based on an organization’s network topology and security requirements.
- Developing a customized security policy based on business and application requirements.
- Deploying firewall system(s) to implement the specifications of the organizations’ security policy.
Ask the following questions when creating the TCP/IP security policy:
- What is the objective or motivation for this document in your organization?
- Who is the intended audience for this document? Will all or some parts of this document be distributed?
- How frequently will this document be revised?
- Who is responsible for updating the document?
- Are there recommendations in the document that will be enforced?
- Identify the security philosophy that best reflects the belief of the organization.
- Which firewall systems are used to secure your connection to the Internet?
- What is the firewall system and network architecture?
- What is your policy for inbound access to systems? Which specific protocols will be allowed to access nodes on your internal network?
- What is your policy on outbound access to nodes on the Internet? Which specific protocols will be allowed to establish outbound connections to nodes on the Internet?
- Do you have remote offices or branches that connect to the home office? If yes, is the remote office directly connected to the Internet, or does it access the Internet through the home office?
- Are there external networks that are not trusted? Are there external networks that need access to your internal network via the Internet?
- Where are your key servers (Web server, DNS server, FTP server) located on the network?
- What is your policy on consultants and contractors who may have privileged access to systems and networks?
- What is your policy on employees who are no longer with the organization—how do you ascertain that they have no access, privileged or unprivileged, to system resources on the network?
Each organization needs to define a security policy that is specific to its combination of systems, networks and applications. A security policy defines the highest level of a security specification and states what is and what is not authorized in the general operation of a system or network element.
Uday O. Ali Pabrai, CEO of ecfirst.com, created the CIW program and is the co-creator of the Security Certified Program (www.securitycertified.net). Pabrai is also vice-chair of CompTIA’s Security+ and i-Net+ programs and recently launched the HIPAA Academy. E-mail him at firstname.lastname@example.org.
TCP/IP Security Policy Sections
A customized enterprise TCP/IP security policy document typically includes sections.
- Internal and External Networks
- Security Philosophy
- Scope and Deployment
- How to Use the Security Policy Document
- Document Changes and Feedback
- Minimal IP Requirements
- Routing Protocols
Thin Clients Network Protocols
The International Standards Organization (ISO) 17799 is a detailed security standard published in December 2000. The British Standard (BS) 7799 and the ISO 17799 are very similar—the ISO 17799 includes two non-action sections at the start of the document. The standards are organized into 10 major sections, each covering a different topic or area:
- Security policy: The objectives of this section are to provide management direction and support for information security. The information security policy document is a written policy that must be available to all employees responsible for information security.
- Security organization: The objectives of this section are:
- Information security infrastructure: To manage information security within the organization.
- Security of third-party access: To maintain the security of organizational information-processing facilities and information assets accessed by third parties.
- Asset classification and control: The objectives of this section are:
- Accountability of assets: To maintain appropriate protection of corporate assets.
- Information classification: To ensure that information assets receive an appropriate level of protection.
- Personnel security: The objectives of this section are:
- Security in job definition and resourcing: To reduce risk of human error, theft, fraud or misuse of facilities.
- User training: To ensure that users are aware of information security threats and concerns and are equipped to support the corporate security policy in the course of their normal work.
- Responding to incidents: To minimize the damage caused by security incidents and malfunctions and to learn from such incidents.
- Physical and environmental security: The objectives of this section are:
- Secure areas: To prevent unauthorized access, damage and interference to business premises and information.
- Equipment inventory: To prevent loss, damage or compromise of assets and interruption to business activities.
- Computer and network management: The objectives of this section include:
- Operational procedures and responsibilities: To ensure the correct and secure operation of information processing facilities.
- System planning and acceptance: To minimize the risk of systems failures.
- Protection from malicious soft