How to Write a Network Security Policy

By: Derek Rogers

Keeping your network up and running is a hardware issue. Keeping your network under control is a sociological one. What used to be the purview of a select group of security professionals and their adversaries has turned into a set of recipes for breaking into, defacing, or stealing information from various computer networks. With the internet, one does not need to be a genius to be a cracker or computer criminal. One needs a certain amorality and access to Google and the wits to follow a step-by-step tutorial. Sadly, targets abound for them.

Fortunately, your network needn't be one of them. No network can be made perfectly safe, but a well-constructed network security policy can weed out the majority of threat vectors. Network security is fundamentally about tracking log files, accounting for logins and user activity and auditing anything that looks suspicious.

Like all things dealing with security, the significant trade-off is security versus ease of use. Anything that's more secure will be intrusive, and one of the most compromised vectors for network security is the human element. If your security policies are onerous, and keep people from doing their work on the network, they will be circumvented by members of your organisation who will resent the put down on their time.

Communication with your organisation's members is important. A good network security policy addresses the human factors in securing your data. It needs to explain what your organisation's policies are, regarding proper use of computer and network equipment, and what procedures must be followed. It should have a clearly listed response chain for security incidents.

Some basic tips:

1) Be very clear in explaining why certain policy decisions have been made and what their costs are. Make people understand why they have to go through strange procedures, or have computers with no optical drives.

2) Understand that one size does not fit all; one of the worst examples of a network security policy is one that presumes that everything needs the same heightened level of security. In addition to driving productivity to a standstill, it often results in worse security, as people attempt to get their work done and leave classified documents out in the open rather than check them in and check them out every time they go to the rest room.

3) Evaluate your hardware as part of the policy. Do triage - what can you live with and live without? What absolutely needs to be restricted access, what needs off site backups to maintain organizational continuity and if an asset were lost, how much would it cost to replace? Will you spend more in employee time than the replacement costs, or are the replacement costs catastrophic?

4) Next, identify possible threats. What ways can someone access or distribute your data?

Once these have been identified, consider aspects such as physical security; who has access to the computers and the facility?, network security; who is to have access to which data sets, and authentication; how do you determine the right level of access per person and that the right people are using their pass codes?