A security policy is the most important component of any security architecture. For example, before you plug in a firewall and start using the Internet, a few steps need to be followed; the security policy lists these steps.
Although each organisation’s security needs are unique, most security policies address a handful of common elements. These are:
- Objectives: outline the reasons for drafting the security policy.
- Scope: identifies the people and systems that are affected by the security policy.
- Protected Assets: identifies the assets, such as mail servers, databases, and websites, that the policy protects.
- Responsibilities: identifies the groups or individuals responsible for implementing the conditions of the policy.
- Enforcement: discusses the consequences of violating the policy. Some authorities recommend referring to the appropriate section of the employee handbook rather than stating enforcement directly in the security policy, to avoid legal issues.
- Remote Access Policy: outlines acceptable methods for remotely connecting to the internal network, such as whether employees may connect from their home computers.
- Information Protection Policy: provides guidelines to users on the processing, storage, and transmission of sensitive information.
- Virus Protection Policy: provides baseline requirements for the use of anti-virus software, as well as guidelines for reporting and containing virus infections.
- Password Policy: provides guidelines for managing and changing user-level and system-level passwords.
- Firewall Security Policy: describes how firewalls are configured and maintained, and by whom.
Create a Security Plan
You need a plan. Security is not a one-off task but an overlapping mesh of technology, people, policies, and processes.
A plan coordinates the whole security effort to match your company’s security policy and make sure there are no gaps.
There are four steps to creating a good security plan: assess, plan, execute, and monitor. Before you begin these steps, though, your organisation needs to develop a simple security policy.
A good plan today is better than a perfect plan tomorrow. Planning for security is a cyclical and repetitive process, so it makes sense to execute a quick plan now and refine it later.
Assess
Before you implement, assess your business.
- Review your own skills and knowledge. Decide whether outside help or training is required. If so, engage a consultant.
- Analyze your current state of security. Check the network for common system misconfigurations and missing security updates. Identify assets that need to be protected, such as hardware, software, data, documentation, and people. Also identify account information, administrative procedures, and legal compliance requirements.
- Categorise your information according to its sensitivity. Use the following scale: public (website data), internal (marketing data), confidential (payroll), and secret (patents).
- Identify required services, such as remote access and e-mail.
- Predict threats, such as spoofing, tampering, repudiation, information disclosure, DoS, and elevation of privilege. Consider using trusted third parties to test exposure.
- Calculate exposure for each asset and service against each threat. Use the formula Probability x Impact = Exposure to generate an ordered list of security priorities.
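The exposure calculation above, carried through for a small asset-versus-threat matrix, as an added example that is not part of the original article. The 1-to-5 scoring scale, the asset names and every rating are constructed assumptions; the threat categories are the six the Assess step lists.

```python
"""Exposure ranking with the formula from the Assess step:
Probability x Impact = Exposure. Scores are rated 1 (low) to 5 (high);
that scale and every rating below are constructed assumptions."""
from typing import Dict, List, Tuple

# The six threat categories the page lists.
THREATS = ("spoofing", "tampering", "repudiation", "information disclosure",
           "denial of service", "elevation of privilege")
SCALE = range(1, 6)  # assumed 1..5 scoring scale for probability and impact

# Constructed sample ratings {asset: {threat: (probability, impact)}}, not real data.
SAMPLE: Dict[str, Dict[str, Tuple[int, int]]] = {
    "mail server": {"spoofing": (4, 3), "tampering": (2, 3), "repudiation": (2, 2),
                    "information disclosure": (3, 4), "denial of service": (3, 3),
                    "elevation of privilege": (2, 5)},
    "payroll database": {"spoofing": (2, 5), "tampering": (2, 5), "repudiation": (1, 3),
                         "information disclosure": (3, 5), "denial of service": (1, 3),
                         "elevation of privilege": (2, 5)},
    "public website": {"spoofing": (3, 2), "tampering": (3, 3), "repudiation": (1, 1),
                       "information disclosure": (1, 1), "denial of service": (4, 3),
                       "elevation of privilege": (2, 4)},
}

def exposure(probability: int, impact: int) -> int:
    """Probability x Impact = Exposure; out-of-range scores are rejected, not clamped."""
    if probability not in SCALE or impact not in SCALE:
        raise ValueError(f"scores must be in {SCALE.start}..{SCALE.stop - 1}")
    return probability * impact

def rank_exposure(ratings) -> List[Tuple[int, str, str]]:
    """Score every asset against every threat and return (exposure, asset, threat)
    rows, highest exposure first; ties are broken by asset and threat name."""
    rows = []
    for asset, per_threat in ratings.items():
        missing = [t for t in THREATS if t not in per_threat]
        if missing:  # every cell of the matrix must be rated before ranking
            raise KeyError(f"{asset!r} is not rated against {missing}")
        for threat in THREATS:
            prob, imp = per_threat[threat]
            rows.append((exposure(prob, imp), asset, threat))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

def asset_totals(rows) -> List[Tuple[int, str]]:
    """Aggregate exposure per asset, to see where effort concentrates overall."""
    totals: Dict[str, int] = {}
    for exp, asset, _ in rows:
        totals[asset] = totals.get(asset, 0) + exp
    return sorted(((v, k) for k, v in totals.items()), reverse=True)
```

With the constructed ratings the single worst cell is the payroll database against information disclosure, while the mail server carries the largest aggregate exposure, which is why both views are worth producing.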
Plan
Remember not to rush into implementation.
- Remember that the objective is not to eliminate all risk regardless of the cost, but to reduce risk as far as is reasonable. There are three main tradeoffs:
  - Functionality versus security required
  - Ease of use versus security
  - Cost of security versus risk of loss
- For each risk, plan how to transfer, avoid, mitigate, or live with it.
- Create a plan that:
  - includes a policy defining the organization's security requirements and acceptable use
  - has procedures for preventing, detecting, and responding to security incidents
  - provides a framework for enforcing compliance
  - reflects the culture of the organization and the resources available for implementation
- Create a plan for dealing with a security breach (for example, a virus attack):
  - What are the goals and objectives in handling an incident?
  - Who should be notified in case of an incident?
  - How will you identify an incident and determine how serious it is?
  - What should happen when an incident occurs?
- Create a project team. Include management and staff. Give everyone clearly defined roles and responsibilities.
- Create a project timeline.
- Write it all up, and make sure everyone agrees to it.
Execute
Though quite a time-consuming task, it needs to be done.
- Communicate with the staff and provide regular training whenever necessary.
- Test measures for technical adequacy and obtain participant feedback.
- Modify the plan, if necessary.
- Carry out the plan.
Monitor
You want all your efforts to bear fruit. So, monitor.
- Research new threats, and include new risks as you become aware of them. Subscribe to security bulletins and train users.
- Modify the plan when changes occur in personnel, the organization, hardware, or software.
- Conduct ongoing maintenance, such as virus updates, new user training, and backups.