Network security is vital: without it, a stranger, a rival or someone with malicious intent can hack into your system and do untold damage or even steal secret information. However, just implementing network security is not enough; you need a plan, a policy that is well thought through.
All companies that employ a network need security for it, and it is rare to find a company that is 100 per cent happy with the security in place. A network security plan can take your security to another level. If you don’t have such a plan, you need to consider producing one; if you do, you may want to consider revising it. Such a plan is not just about securing a network; it is also about securing the business.
A network security policy is a document, or in some cases several documents, each focusing on different needs. The document or documents must clearly show the rules and guidelines for computer network access.
Such a document can be several pages in length. It is partly about keeping the wrong people out, but it is also about identifying people within your organisation who could pose a risk, either deliberately or by accident.
Such a document is not simple; it needs to be comprehensive and well thought through. It also needs to evolve. Security risks change, so the network security policy must be updated too.
You should start with why. Why do you have network security? What is its purpose? From this, you may want to remove functions from the network that don’t need to be on it. You can also consider who needs remote access, why they need it, and ask if it really is essential. Sometimes that isn’t easy; you can try the patience of a saint when you continually ask, “Is this necessary?” It can make IT unpopular, but it is important.
The policy must describe what needs securing and why. It can refer to firewalls, intrusion detection systems, anti-virus software, restore strategies and locked doors, and include system administration checklists.
It needs to identify the procedure for setting passwords and keeping them confidential.
It must identify criteria by which permission is granted to access the network, and it needs to set down rules by which people use the network.
A network security policy should start with an audit: what technology is there that forms part of the network, what sensitive information is on the network, and how is it vulnerable?
You may decide that certain highly confidential information should not be stored on the network at all.
Finally, the document needs to set out a hierarchy of access permissions, defining who has access to what.
A report by WatchGuard stated: “We believe the well-known security axiom, ‘Complexity and security are inversely proportional.’ Complex systems are usually less secure than simple systems. Complex policies are usually ignored; simple policies might live.”