52 2.5 Plans and policies
The next step is to compile a list of high-level threats to the organiza-
tion. Here are a few examples.
• Management does not encourage or support security measures.
(Management must be involved in security from day one.)
• There are no security policies or procedures, or the policies and pro-
cedures have not been updated for months or years.
• There are no formal user training procedures.
• The trusted network is not defined.
• There is no DMZ (although not required in all cases).
• There is a direct connection to the Internet and no filters or firewalls.
• There are no monitoring systems in place. (This can be deadly for
public utility companies.)
• No physical security is in place for the server room; anyone can just
walk in.
2.5 Plans and policies
This is an area where many companies fall short of the mark. Check your
environment to see if you have any existing security plans, policies, and/or
procedures. These can include physical security, LAN security, Internet
access, and even disaster recovery. At this point, you have decided which
threats pose an unacceptable risk to your computing environment and what
level of action you are willing to take to defend against them. Studying the
security plans that your company has and their implementation may help
you decide which security measures are most important for your environ-
ment. One of the most important parts of this review is the identification of
policy compliance. Policies are only good if they are implemented; a thor-
ough implementation plan is required. Part of your security implementa-
tion plan should be a review of any existing policies that concern security.
• Policy goals and objectives
• Scope
• Responsibilities
• Physical security
• Network security
2.5 Plans and policies 53
2.5.1
• Data classification (data categorization)
• Access control
• Password change and enforcement policies and procedures
• Incident handling procedures
• Acceptable use policies
• Change control
• Training
• Compliance
Policy goals and objectives
Define what you are trying to accomplish with your policies. The objective
defines your approach to Internet security. These approaches could include
the use of tools, systems, and employee/user training.
2.5.2
Scope
The scope specifies the assets that will be protected by security policy. The
scope could define a specific policy or a body of policies. The scope should
include who is impacted by the policy: end-users, employees, customers,
vendors, and so on.
2.5.3 Responsibilities
The responsibilities section of the policy document describes how the indi-
viduals defined in the scope section will be responsible for the security of
your environment. Detail the security responsibilities as needed by region,
department, or groups. Depending on the company size, responsibility may
be assigned to the following personnel.
Executives
The top directors~the CxOs~are responsible for high-level security strat-
egy and must make the necessary resources available to combat security
threats to the business.
I Chapter 2
Get Internet Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
