DEVELOPING AN EFFECTIVE NETWORK SECURITY POLICY

DEVELOPING AN EFFECTIVE NETWORK SECURITY POLICY

A study reported by the U.S. General Accounting Office (GAO) (1996) found that the U.S. Department of Defense network computers are extremely vulnerable. A series of security attacks conducted by the Defense Information System Agency (DISA) revealed that of 38,000 attacks DISA could penetrate the protection and gain access to the network computers 65% of time. Of those successful attacks only 4% (988 attacks) were detected by the target organization. Furthermore, of those detected, only 27% (267 attacks) were actually reported to the appropriate security authority. Given the sophisticated computer network at the Department of Defense and the number of computer personnel involved, the statistics are alarming. The goal of network security is to provide maximum security with minimum impact on the user accessibility and productivity. The network



Security policy developed must con-form to the existing organization policies, rules, and regulations. Security policies should reflect constant organization changes in its new business directions, technological changes, and resource allocations. When developing an effective network security policy, the following 11 areas should be addressed (Cisco Systems, 1997):

1. Identify the Network Assets to Protect

The first step is to understand and identify the organization’s network assets and determine the degree to which each of these assets must be protected. Items to be considered include hardware, software data, procedures, personnel and users, documentation and supplies.

2. Determine Points of Risk

Risk analysis includes what you need to protect, what you need to protect it from, and how to protect it. You must understand how and where potential intruders can enter your organization’s network or sabotage network operations.

3. Determine the Cost of Security Measures

Security measures invariably cause inconvenience, particularly to certain personnel or users. They can consume significant computing resources and require dedicated hardware. Another cost of security measures is that they can also delay work and create expensive administrative and educational overhead. If the cost of implementing security measures outweighs its potential benefits and the actual

A danger, then it is a disservice to the organization to implement them.

4. Limit the Scope of Access 

Too much security can be as counterproductive as too little security. Organization can provide higher levels of security to the more sensitive areas of the network. Create multiple barriers within networks such that any authorized access to a part of the system does not automatically grant access to the entire infrastructure.

5. Identify Assumptions

Every network security system has underlying assumptions. For instance, an organization might assume that its network is fairly secure, that its network is not tapped, that intruders are not knowledgeable, that attackers use standard software, or that a locked room is safe. It is essential to identify, examine, and justify your assumptions. NY unmassaged or hidden assumption ay turns out to be a big security hole.

6. Consider Human Factors

It is optimal that a network security policy strikes a balance between productivity and protection. If security erasures interfere with the essential se of the system and the users are not fully informed, the users almost always exist the change. These measures then re either ignored or even circum-vented

All users should be educated n the proper use of their account or workstation, the proper procedure of his security, the detection of unauthorized access, and the accidental release r revelation of passwords or other erects over unsecured telephone lines.

7. Control the Number of Secrets

A properly designed network security policy relies only on a limited umber of secrets. The more secrets

There are, the more difficult it becomes o keep them all.

8. Limit Your Trust

You should know which network evinces you can trust and which software you can rely on. Under no

Circumstances should an assumption be made that all software are bug-free.

9. Understand Typical Network Functions

Understanding how a network system normally functions, being aware of what is expected and unexpected, and knowing how network devices are usually utilized will help you detect any Security problems. System software auditing tools can help detect, log, and track any unusual events.

10. Realize Physical Security

Often times, the most obvious element of security is the one moszeasily overlooked, such as security guards, closed-circuit television, and card-key entry systems. It is essential that physical security, such as the server room or the network administration station be taken into consideration because they are the controlling center to the most sensitive, confidential information.

11. Implement Pervasive and Scalable Security

All personnel and users need to realize the security implications of every change they make. The goal of a network security policy is to create an environment that is not susceptible to every minor change.

if u like the post just say thank u in comment box.