PRODUCING YOUR NETWORK SECURITY POLICY
Criminals (thieves, terrorists, competitors, employees, etc.): Criminal scenarios include simply gathering information that would give knowledge of the buildings and how to break in, or maybe getting into the security system and having doors open. DoS attacks could be used for a variety of purposes, including making a political statement, interfering with business, etc. Terrorists could use low security on a network to shut down facility operation (as a smokescreen or disruption) that facilitates other destructive activity. When considering a US government building internetwork, this seems a very real threat.

PRODUCING YOUR NETWORK SECURITY POLICY
JULY 2007

Frederick M. Avolio, Avolio Consulting
Steve Fallin, WatchGuard Technologies, Inc.
D. Scott Pinzon, CISSP, NSA-IAM, WatchGuard Technologies, Inc.

Executive Summary

Network security experts agree that well-run corporations need a written security policy. The policy sets appropriate expectations regarding the use and administration of corporate IT assets. However, the conventional wisdom holds that composing and maintaining these documents bog down in a morass of bureaucratic inefficiency and pointless wrangling, which never ends and produces nothing useful. This paper lays out a common-sense approach to writing corporate security policies that makes them easier to draft, maintain, and enforce. Our question-and-answer approach requires no outside consultants. Instead, you can use your in-house knowledge and resources to yield a brief, usable, and (most importantly) understandable policy document in a reasonable amount of time. To help you generate such a policy, this paper clears away some misconceptions about the purpose of network security, details the process of writing the policy, then explains how to keep refining the drafted policy.

Introduction

It is the rare organization that is happy with its security policy. Many will admit to not even having one. But security policies are like noses: everyone has one. Every organization follows either a formal or an informal security policy, even if it is what we jokingly refer to as the Primordial Network Security Policy: "Allow anyone in here to get out, for anything, but keep people out there from getting in." Realistically, many security policies are ineffective. Sometimes an organization gets lucky and has a security policy that is pretty good - but not usually. To be effective, a security policy (and let's reset that right now to "security policies," because we are talking about a set of policies) should be consistent, relevant, and useable.