Why do you require security policy?
Why do you require security policy?
Secure system planning and administration is the human side of computer security. Even in a highly trusted system, security isn't automatic. Administrators need a written guideline, spelled out beforehand, that clearly outlines what steps to take and what procedures to follow in the pursuit of security. The assault on trusted systems seems relentless these days, as vulnerability after vulnerability has riddled both the Windows and Linux worlds, and perfidy abounds both inside and outside an organization's walls. If there is safety in the changing world of security, it seems to lie not in what our equipment or software does for us, but in what we do for ourselves. The first step in maintaining security today is to set security policies for our organizations, and then to exercise diligence in promulgating and maintaining them. This effort cuts across all layers. Although the security administrators carry out the security policy in terms of protection, detection, and enforcement, it is the users who must keep the security and the owners and managers who must authorize and sustain it, and administer the required sanctions against those who violate it.
For example, your organization's security policy may require regular backups, but it's the administrator who must actually run the backups. Once administrators train users to copy files to areas that will be protected, managers must deal with noncompliance. Similarly, administrators may tell users to avoid writing down machine-issued passwords and laying them near their keyboards, but management must give the policy teeth.
The most critical area for all layers to come together is likely incident response what to do once a breach occurs. Decisions about evidence preservation, notifying authorities (and which ones), and what to do next must be hashed out before the fact. These should be codified in writing and distributed to all persons likely to be affected.
The security policy is a living document that must be examined and updated regularly. Training users, administrating passwords, backing up system-critical files, setting up and tuning firewalls and intrusion detection systems, and examining audit logs: these are some of the many ways that a system's abstract security policy gets translated into real world defenses. This is the role of the security administrator.
Security grows down into an organization once a written policy dictates it is required. Administratively, this means that management creates and sustains the demand for things to be done according to certain standards and levels. This requires that risks be categorized and prioritized, and the value of the asset to be protected is weighed against the cost of its protection.
Security policies require procedures. Security procedures include holding regular security audits, and implementing rules such as separation of duties and use of two-man controls. To insure people know how execute security procedures requires security training. To make sure people actually follow policies and procedures requires oversight and enforcement. For there to be enforcement, management must be involved. Management, after all, sets the policies.
Secure system planning and administration is the human side of computer security. Even in a highly trusted system, security isn't automatic. Administrators need a written guideline, spelled out beforehand, that clearly outlines what steps to take and what procedures to follow in the pursuit of security. The assault on trusted systems seems relentless these days, as vulnerability after vulnerability has riddled both the Windows and Linux worlds, and perfidy abounds both inside and outside an organization's walls. If there is safety in the changing world of security, it seems to lie not in what our equipment or software does for us, but in what we do for ourselves. The first step in maintaining security today is to set security policies for our organizations, and then to exercise diligence in promulgating and maintaining them. This effort cuts across all layers. Although the security administrators carry out the security policy in terms of protection, detection, and enforcement, it is the users who must keep the security and the owners and managers who must authorize and sustain it, and administer the required sanctions against those who violate it.
For example, your organization's security policy may require regular backups, but it's the administrator who must actually run the backups. Once administrators train users to copy files to areas that will be protected, managers must deal with noncompliance. Similarly, administrators may tell users to avoid writing down machine-issued passwords and laying them near their keyboards, but management must give the policy teeth.
The most critical area for all layers to come together is likely incident response what to do once a breach occurs. Decisions about evidence preservation, notifying authorities (and which ones), and what to do next must be hashed out before the fact. These should be codified in writing and distributed to all persons likely to be affected.
The security policy is a living document that must be examined and updated regularly. Training users, administrating passwords, backing up system-critical files, setting up and tuning firewalls and intrusion detection systems, and examining audit logs: these are some of the many ways that a system's abstract security policy gets translated into real world defenses. This is the role of the security administrator.
Security grows down into an organization once a written policy dictates it is required. Administratively, this means that management creates and sustains the demand for things to be done according to certain standards and levels. This requires that risks be categorized and prioritized, and the value of the asset to be protected is weighed against the cost of its protection.
Security policies require procedures. Security procedures include holding regular security audits, and implementing rules such as separation of duties and use of two-man controls. To insure people know how execute security procedures requires security training. To make sure people actually follow policies and procedures requires oversight and enforcement. For there to be enforcement, management must be involved. Management, after all, sets the policies.