Enhanced security, as a field of business, is still relatively young. Security audit firms are burgeoning, swiftly heeding the call of urgency in many organizations. The auditing process can reveal many evils, not the least of which is an insufficient security policy framework. Given the threats that exist today, organizations would be well served with security policies that take the corporation's unique structure into account and create procedures that work to increase its business flexibility.
Making the business case for network security requires acute awareness of process flow. The course of business must not only be protected, but business processes should also be improved upon with every policy formulated.
Corporations are beginning to place greater emphasis in this area, recognizing that security policies are the backbone in substantiating a well-formed business case. The widest possible array of security equipment might still struggle to protect a system if its employees are not versed in preventive safety techniques. A policy should reflect the needs of an organization and encourage those elements that could help to grow its business. In essence, security, and its policies, should act as business enablers.
This chapter is the precursor to formal policy formulation (which is covered in detail in Chapter 10, "Essential Elements of Security Policy Development"). It explores key areas that policies should address, from equipment utilization and employee awareness programs to querying senior management on internal best practices. Most importantly, it can serve as a benchmark for ascertaining an organization's current security posture.
This chapter covers the following topics:
Securing the organization: equipment and access
Managing the availability and integrity of operations
Implementing new software and privacy concerns
Regulating interactivity through information and equipment control
Mobilizing the human element: creating a secure culture
Creating guidelines through the establishment of procedural requirements
Determining rules and defining compliance
Securing the future: business continuity planning
Ensuring a successful security policy approach
Securing the Organization: Equipment and Access
After equipment is installed and personnel are trained, spotting vulnerabilities demands the incessant task of analyzing minutiae. Whether it is log analysis, password control, physical building access, or strict rules governing departing employees, to name only a few, concentrating on details can help to ensure that security cracks are revealed and handily rectified.
The discussion in this section centers on the following topics:
Many organizations use job categories to determine the scope of system access to grant individual users. A field salesperson with remote access might need to regularly check e-mail and search for marketing tools, but she should not necessarily be able to generate finance reports from the accounting department. Defining access by job category can help to preserve data integrity and ensure that unauthorized users, whether internal or external, cannot make unlawful contact with applications, operating systems, and networks.
Recently departed employees can pose a risk if their access is not summarily terminated. In the flurry of activity that can surround a departure, laptops, keys, credit cards, and other physical property are collected, and the local manager might arrange to change the front door lock and forward the company credit card to the finance department. But a long-distance calling card might struggle to find its way back to the communications division. Similarly, advising the IT department to sever access privileges is not always high on a manager's alert list. Given the potential for damage that a recently departed employee could inflict, IT notification of user de-access should be prioritized appropriately. Outlining a procedure for departing employees, even those transferring departments, ensures that unlawful, yet still authorized, access does not occur.
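The two preceding paragraphs describe access granted by job category and the need to revoke it promptly on departure or transfer. The following is an added example written for this chapter, not code from the book or from any product it discusses; the job categories, resources, user names and dates are constructed for illustration. It shows that a field salesperson can read e-mail but cannot generate finance reports, that a transfer drops the old role rather than accumulating rights, and that a departed user retains no access at all, with each change recorded for later audit.

```python
"""Role-based access with an explicit transfer and offboarding step.

Added example, not code from the chapter. Job categories, resources and
names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed job categories mapped to the permissions each one needs.
# A permission is a (resource, action) pair.
ROLE_PERMISSIONS = {
    "field_sales": {("email", "read"), ("email", "send"), ("marketing_tools", "read")},
    "accounting": {("email", "read"), ("email", "send"), ("finance_reports", "generate")},
    "it_admin": {("email", "read"), ("directory", "manage")},
}


@dataclass
class User:
    name: str
    role: str
    active: bool = True
    audit: list = field(default_factory=list)  # (date, event) entries


class AccessControl:
    """Grants access only through a job category; departed users keep nothing."""

    def __init__(self):
        self.users = {}

    def add_user(self, name, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown job category: {role}")
        self.users[name] = User(name, role)

    def is_allowed(self, name, resource, action):
        user = self.users.get(name)
        if user is None or not user.active:
            return False  # unknown or departed users are denied everything
        return (resource, action) in ROLE_PERMISSIONS[user.role]

    def transfer(self, name, new_role, when):
        """Internal transfer: the old role is replaced, so old rights do not linger."""
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown job category: {new_role}")
        user = self.users[name]
        user.audit.append((when, f"transfer {user.role} -> {new_role}"))
        user.role = new_role

    def offboard(self, name, when):
        """Departure: disable the account immediately and record the revocation."""
        user = self.users[name]
        user.active = False
        user.audit.append((when, "access revoked"))


def demo():
    """Walk through the scenarios in the text and return each access decision."""
    ac = AccessControl()
    ac.add_user("alice", "field_sales")
    ac.add_user("bob", "accounting")
    results = {
        "sales reads email": ac.is_allowed("alice", "email", "read"),
        "sales generates finance report": ac.is_allowed("alice", "finance_reports", "generate"),
        "accounting generates finance report": ac.is_allowed("bob", "finance_reports", "generate"),
    }
    ac.transfer("bob", "field_sales", date(2024, 1, 15))
    results["transferred user keeps old finance right"] = ac.is_allowed("bob", "finance_reports", "generate")
    ac.offboard("alice", date(2024, 1, 31))
    results["departed user reads email"] = ac.is_allowed("alice", "email", "read")
    results["audit entries for alice"] = len(ac.users["alice"].audit)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The important design choice is that `offboard` is a single call that denies everything, independent of how many resources the role covered; the manager's checklist only has to trigger that one step, and the audit entry shows when it happened.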
The process of disseminating user passwords needs to be securely controlled. Users should be instructed, if not required, to change passwords on a regular basis and to choose words or characters that are not easily identifiable. Equally important, users should extend the same respect to passwords as they do to their personal bank card PINs. The sanctity of passwords is of paramount importance; mishandled, they can represent the weakest link in a once-formidable chain.
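A policy such as the one described above is only useful if it is enforced at the point where a password is chosen. The following is an added example, not code from the chapter: a small checker that flags passwords built on easily identifiable words (including the usual letter-for-symbol substitutions), passwords containing the user name, reuse of a previous password, and passwords older than the rotation interval. The 90-day maximum age, the 12-character minimum and the short blocklist are assumed values chosen for illustration, not figures from the text.

```python
"""Password policy checks for the handling rules described above.

Added example, not code from the chapter. The limits (MAX_AGE_DAYS,
MIN_LENGTH) and the blocklist are assumed values for illustration.
"""
from datetime import date, timedelta

MAX_AGE_DAYS = 90   # assumed rotation interval
MIN_LENGTH = 12     # assumed minimum length

# Constructed blocklist standing in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}

# Letter-for-symbol substitutions that users commonly apply to a dictionary word.
_SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i"})


def _normalize(password):
    """Lower-case and undo substitutions so that 'P@ssw0rd' is still recognised as 'password'."""
    return password.lower().translate(_SUBSTITUTIONS)


def check_password(candidate, username, previous=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    norm = _normalize(candidate)
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username.lower() in norm:
        problems.append("contains the user name")
    for word in sorted(COMMON_WORDS):
        if word in norm:
            problems.append(f"built on an easily guessed word ({word!r})")
            break
    if candidate.isdigit():
        problems.append("digits only")
    if candidate in previous:
        problems.append("reuses a previous password")
    return problems


def rotation_due(last_changed, today=None):
    """True when the password is older than MAX_AGE_DAYS and must be changed."""
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for pw in ("P@ssw0rd2024", "alice2024!", "correct-horse-battery"):
        verdict = check_password(pw, "alice") or ["acceptable"]
        print(f"{pw!r}: {', '.join(verdict)}")
    print("rotation due:", rotation_due(date(2024, 1, 1), today=date(2024, 4, 15)))
```

In practice the blocklist would be loaded from a full dictionary or breached-password corpus rather than a handful of words, and `previous` would hold salted hashes compared after hashing the candidate; the structure of the checks stays the same.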
Physical access continues to play a significant role in network security. Installing floor-to-ceiling barriers might be deemed appropriate to protect a server room and, depending on the organization, securing air ducts leading to the room might also need to be considered. Certain organizations might find it appropriate to institute a clean-desk policy, ensuring that employees remove all paper and books from their desktops before they leave work for the day. Similarly, a closed-blind policy can ensure that wandering eyes outside a building cannot view its interior.
Sensitive areas must be defined and access appropriately restricted, and visitors or noncompany persons must never be left to wander a building alone. A branch office of a large enterprise, the former workplace of one of the authors, was visited late on a Friday afternoon by a photocopier service technician. He approached the receptionist and informed her that he needed to perform regular maintenance on the office copier. Not wanting to disturb her any more than necessary, he asked her to point him in the direction of the copier. She gratefully complied and returned to planning her weekend, and the technician wandered down the hall to service the equipment. Moments later, the receptionist attempted to place an outgoing call, but she could not get a dial tone. She walked over to a nearby phone, but still no dial tone was available. She consulted a manager, and together they walked to the telephone equipment room. The photocopier was located in the same room, but the technician was nowhere to be seen. They immediately noticed that the rack holding the PBX telephone switching equipment was empty. The technician had made quick work of snatching the PBX and had apparently exited through a rear door. Maintaining a strict visitor policy through the use of badges, visitor accompaniment, and employee vigilance can help to better ensure a secure environment.
Security issues can vary markedly by organization, ranging from the handling of hazardous materials to ensuring that IT equipment is protected against widespread power disruptions. Planning sessions that fully consider an organization's unique requirements can aid in forming the foundation of a well-constructed security policy.