A decade ago, all you heard about everywhere was, “Does your organization have a written network security policy?” Books were written and courses developed to assist managers and business owners in planning, developing, and making effective use of network security policies.
Then the world changed as the Internet became a more dangerous place and cloud computing became the focal point of IT activities for many businesses. The network security policy went out of vogue as a key part of a defense-in-depth strategy. The focus of information security shifted to more exciting things like hackathons and penetration testing exercises. Network security policies weren’t abandoned; many organizations simply stopped paying attention to them and stopped updating them.
‘Not urgent’ can also be urgent
This was a bad mistake as many of my colleagues in the IT profession have now realized. By focusing our time and energy on the “Important / Urgent” aspects of network security while ignoring the “Important / Not Urgent” corner of the Covey Time Management Matrix, we’re undercutting our efforts to secure our IT infrastructures, particularly with regard to the most dangerous threat vector: the insider threat.
Let’s start rectifying this today by dusting off our organization’s network security policy (if we can find it) and surfacing it to the front of our users’ attention to make our information systems more secure. For while developing and maintaining a comprehensive network security policy for your company isn’t very exciting compared to mock battles between red teams and blue teams, it’s still a crucial step in ensuring your IT assets and business data are protected.
To help us refocus our attention on network security policies, I recently picked the brains of Chris Brandow, an IT professional who has been working with computers since 1987 and as a network administrator since 1993. From December 1993 to December 1996, he was the network administrator for the No. 1 communications software developer in the world, Datastorm Technologies, Inc. Then in December 1996, Chris began his consulting career serving a diversity of clients. In July 2001, Chris, along with Tim Blakley and Keith Powell, created Invision, which provides IT support for smart businesses in Lenexa, Kansas. I’ve edited some of Chris’s communications with me below for clarity.
I began by asking Chris to review what exactly a network security policy is because you can’t hit a target if you don’t know what you’re aiming at. Chris explained the concept and nature of a network security policy as follows: “Generally, the network security policy is a document or set of documents that explain the accepted use of, protection of and consequences for abusing the information technology assets at the organization. This set of evolving documents should be visited periodically and updated per technology changes and employee requirements. Sub-topics in this top-level policy document might include your acceptable use policy, computer use policy, internal access policy, external access policy, mobile device policy, and so on.”
Do you really need a network security policy?
Does every business or organization regardless of their size actually need a network security policy? “Even a small company should have some guidelines of expectations for the network and resources,” Chris says. “Those expectations are in regards to the managers, employees and even outside vendors that have access to those resources. They may not all have the same guidelines, but they should all be defined for what is and what is not acceptable use. What should be protected and how. It should define the consequences for ignoring the guidelines, and what to do in case of a data breach.”
But let’s say we are a really small company. Is a network security policy still something we absolutely need to have? “Well, every company nowadays has digital assets,” Chris replied. “Defining your assets and then setting up a plan to protect those assets is always in your best interest. Even if you don’t have an internal IT department, you can still consult with your outsourced IT management company to help you develop a policy. Trust this, someone somewhere wants what you have. What are you doing to prevent them from stealing it?”
Good point! OK, you’ve convinced me, what should I do now? “Now that you realize you need an NSP,” says Chris, “where should you begin? There are many guides online that can help you with a starting place. Determining what kind(s) of policies you actually need should be your first step. For example, your AUP (Acceptable or Appropriate Use Policy) is generally a good cornerstone to start off with. This document will spell out what the users of your network can and shouldn’t do with the network resources. Note that it should be as explicit as possible to prevent misinterpreted guidelines.”
What about enforcement? How do you go about ensuring your network security policy is followed and not ignored? “Well,” says Chris, “as part of the guidelines, determining the appropriate level of disciplinary action against abusers is vital to the effectiveness of your policy. Disciplinary procedures and penalties should be spelled out and enforced when abuse happens. After all, this is your company’s data and infrastructure we are talking about. If it were gone, would your business survive? That’s serious and should be enforced as such!”
Where to find out more
I finished off by asking Chris where one could go to find more info on creating a network security policy, and he responded by pointing me to this article on ZDNet, which was written almost two decades ago but still provides a good overview of how to implement an effective security policy for your organization. He also recommended a book from Cisco Press that is now out of print, but there’s a sample chapter online here that covers basic network security policy concepts.
I also checked around for other more recent books that include helpful content on crafting network security policies and found this title I can recommend and which I think may well be worth checking out: Information Security Policies, Procedures, and Standards.