| Lesson 3 | Security policies and plans |
|---|---|
| Objective | Identify the characteristics of a good security plan. |

Security Policies and Plans
Just as homeowners protect themselves against home invasion by investing in home security, organizations use security policies and security plans to protect their networks. However, a network security policy and a security plan are not the same thing. They differ in purpose and content as follows:
- A security policy defines the configuration, procedures, and technology necessary for effecting the level of security an organization requires.
- A security plan is the implementation of a security policy.
In a nutshell, the security policy states what you are going to do; the plan states how you are going to do it.
A good security policy addresses:
- Data confidentiality
- System integrity
- User authentication
- System access control
- User behavior
A good security policy sets organization-wide strategic direction for security issues and assigns the resources needed to implement it.
It is intended to address computer security from a general perspective, broadly identifying the areas in which protection is desired (such as worker privacy, intellectual assets, and real or intangible property) and the level of protection required against external and internal threats.
The security plan is an outcome of the policy and defines the scope, resources, and specific duties and responsibilities for all members of the organization.
When properly developed, the plan also provides clear procedures for routine behavior along with procedures for non-routine events (such as missing files, data theft, or hacker attack).
You will learn more about the major sections of a security policy in the Slideshow below.
Network Security Policy
Leading causes of computer vulnerability
At a meeting of the SANS99 and Federal Computer Security Conferences in 1999, 1,850 computer security experts and managers named the following as the seven leading causes of computer vulnerability:
- Assigning untrained people to maintain security and providing neither the training nor the time to help them do the job properly.
- Failing to understand the relationship between information security and the business need; also, understanding physical security but failing to see the consequences of poor information security.
- Failing to deal with the operational aspects of security: making a few fixes but not following through to ensure that the problems are actually resolved.
- Relying primarily on a firewall.
- Failing to realize how much money an organization's information and reputation are worth.
- Authorizing reactive, short-term fixes, with the consequence that new problems emerge rapidly.
- Pretending the problem will go away if it is ignored.
In the next lesson, you will learn about the purpose of access control.