Policy plays an integral role in security effectiveness. Educating users on their responsibility to enhance security can have a twofold effect: It ensures that deployed equipment can perform tasks with greater effectiveness, and it creates an environment that encourages and supports individual responsibility.
The business case for network security requires that soft elements be acknowledged, considered, and ultimately weighted through adoption of an analytical process. Risk, and aversion to it, must be quantified before effective programs can be developed and put in motion. It is a fundamental step in the process of formulating concrete ROP results.
This chapter focused its discussion of policy on the following topics:
Outlining steps to secure the physical organization, both equipment and access
Understanding the importance of operations management of physical and logical equipment
Safely deploying new software and understanding privacy concerns
Promoting the need for consistent confidentiality labeling and equipment tagging
Understanding the need to mobilize the human element within an organization to create a security culture
Defining policies, detailing pertinent processes, and assigning ownership
Exploring corporate and user compliance
Developing a process to work through crises, using business continuity planning
Acknowledging common vulnerabilities in security policies
Introducing a fundamental step to quantify soft issues: surveying senior management
The next chapter advances the discussion by focusing on the board and presenting the issues inherent in security governance. Chapter 7 focuses on the IT manager, providing him with an overview of the business side of the organization and equipping him with the necessary tools to effectively lobby his senior-management colleagues on the merits of investing in security. Chapter 7 also introduces the next survey, the Infosec Operational (IO) survey, the results of which are explored in Chapter 8.