Computer security is not an absolute. No sane person will tell you, “Your network is secure.” There are various levels of assurance and threats that can be mitigated, but ultimately all security is a trade-off. We decide how much time and money we want to spend to provide a given level of security, and then we determine whether the user experience will be acceptable with that security. Time, money, and user experience have nothing to do with security, but they shape the security design.

One of the most common misconceptions is that computer security should be entirely technology-based. Security must be a combination of technology and policy. The technology enables security, but only well-defined policies can ensure the security is employed, maintained, and scrutinized properly. The remainder of this chapter will discuss how these policies can be created and put in place to help ensure the ongoing security of the network. Then I’ll discuss the two most important ongoing security tasks: auditing and patching.