10 steps to a successful security policy
Computerworld - There are two parts to any security policy. One deals with preventing external threats to maintain the integrity of the network. The second deals with reducing internal risks by defining appropriate use of network resources.
Addressing external threats is technology-oriented. While there are plenty of technologies available to reduce external network threats -- firewalls, antivirus software, intrusion-detection systems, e-mail filters and others -- these resources are mostly implemented by IT staff and are undetected by the user.
However, appropriate use of the network inside a company is a management issue. Implementing an acceptable use policy (AUP), which by definition regulates employee behavior, requires tact and diplomacy.
At the very least, having such a policy can protect you and your company from liability if you can show that any inappropriate activities were undertaken in violation of that policy. More likely, however, a logical and well-defined policy will reduce bandwidth consumption, maximize staff productivity and reduce the prospect of any legal issues in the future.
These 10 points, while certainly not comprehensive, provide a common-sense approach to developing and implementing an AUP that will be fair, clear and enforceable.
1. Identify your risks
What are your risks from inappropriate use? Do you have information that should be restricted? Do you send or receive a lot of large attachments and files? Are potentially offensive attachments making the rounds? It might be a nonissue. Or it could be costing you thousands of dollars per month in lost employee productivity or computer downtime.
A good way to identify your risks can be through the use of monitoring or reporting tools. Many vendors of firewalls and Internet security products allow evaluation periods for their products. If those products provide reporting information, it can be helpful to use these evaluation periods to assess your risks. However, it's important to ensure that your employees are aware that you will be recording their activity for the purposes of risk assessment, if this is something you choose to try. Many employees may view this as an invasion of their privacy if it's attempted without their knowledge.
2. Learn from others
There are many types of security policies, so it's important to see what other organizations like yours are doing. You can spend a couple of hours browsing online, or you can buy a book such as Information Security Policies Made Easy by Charles Cresson Wood, which has more than 1,200 policies ready to customize. Also, talk to the sales reps from various security software vendors. They are always happy to give out information.
3. Make sure the policy conforms to legal requirements
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!