Once you have a good understanding of how your organization's users and systems need to integrate with resources and services on the Internet, you can start writing your network security policy. The best way to develop a policy is to work from a template or an example policy. Many organizations on the Internet specialize in policy development or overall security issues. The SANS Institute offers numerous templates and examples of security policies. The Internet DMZ Equipment Policy, the Router Security Policy, and the Server Security Policy are particularly useful; each provides an excellent example of a security policy that can be used to define the goals, purpose, and mission of network security within an organization.

Tip: Even if you are just setting a security policy for a small practice with a small staff, it's a good idea to review these sample documents so you know what kind of issues you need to address. While you may not have formal processes and procedures in place, you should have a plan for how you want to regulate traffic using your firewall.
To build your own network security policy, start with one or more templates or example policies and customize them to fit your organization's security needs. Although each organization's policy is unique, most security policies address a handful of common elements, such as:
• Purpose: A clear statement of the reason(s) the security policy exists. For example: This document discusses the security configuration baseline with which all firewalls deployed at a Clinic should comply.
• Scope: Identifies which sections, divisions, or departments of your organization are subject to the policy. The scope can also define or indicate those sections that are exempt from the policy. For example: This document applies to staff employed at a Clinic. The Finance department is exempt from this document if their department-specific policy defines a contradictory requirement.
• Policy: Clearly defines exactly what requirements, conditions, configurations, and standards must be adhered to, followed, or implemented. Items in this section of the policy might include the conditions under which VPN connections are enabled, which Internet services are allowed to pass through the firewall, and what content is filtered.
• Responsibilities: Identifies the individual or group responsible for implementing the conditions of the policy.
• Enforcement: Discusses the consequences of violating the policy.
• Definitions: Defines terms and acronyms to ensure that everyone reading the policy will clearly understand exactly what is being discussed.
• Revision History: Documents and dates all changes to the firewall policy after its initial creation and deployment. This essential part of any policy ensures that only the latest and most up-to-date version is actually used.
A security policy, even for a specific issue or area such as firewalls, can become a complex and detailed document. It is important to expend sufficient time and effort to properly research and develop any security policy. Statistics have shown that most security breaches occurred not because of deficiencies in hardware or software security controls, but because of blatant oversights or errors in the guiding security policy documentation.
Remember that a security policy is a strategic document that helps you carefully define how you want to implement a particular element of security for your office, such as network security. After you develop the document, you can turn to hardware and software systems to implement the rules it defines.