Security Policy IT Security Policy

Last reviewed: June 20, 2013
Abstract

IT security policies are critical for organizations to align their security systems and strategies to the overarching strategic plans and objectives of a company. In creating an IT security plan it is essential that the core areas of authentication, managing certification and role-based access be planned and implemented.

IT Security Policy

The following security policy defines how strategic IT resources and technologies are aligned to support organizational objectives and goals. Implicit in this security policy is the need for accountability, transparency and intensive use of reporting and analytics to track performance against objectives, in addition to compliance with industry and regulatory standards. Best practices in IT security policy management require the integration of analytics, compliance and reporting requirements within an IT security policy and its supporting framework (Hone, Eloff, 2002). The intent of this security policy document is to provide prescriptive guidance to attain and surpass best practices in the areas of network, operational, organizational security, access control, cryptography, and compliance with laws and regulations.

Network Security Policy

Ensuring protection of all intellectual property and critical information assets, including servers and mission-critical systems, is the objective of the network security policy. The strategic IT security plan of an enterprise must align to the strategic plan, supporting and accelerating key business functions and strategies to ensure their profitable attainment (Banks, 1990). At the center of the network security policy is the need for aligning auditing, analytics, reporting and compliance to specific requirements at the federal, regional and state level (Eloff, 1988). The intent of the network security policy is to combine the best practices in network management, reporting and analytics, and compliance needs into a single, unified strategy that also propels the organization to its objectives with the minimum level of disruption.

Taking a network security policy from planning and integration to analytics, reporting and compliance to implementation requires the use of advanced technologies that can quickly interpret, classify and block potential threats while streamlining secured traffic. The proposed network security policy seeks to rely on state-of-the-art constraint-based programming techniques and rules engines to ensure the highest levels of reliability and fidelity to organization standards (Hegyi, Maliosz, Ladanyi, Cinkler, 2005). The evolving set of technologies that can be used throughout a network security configuration are increasingly able to "learn" through artificial intelligence which types of activity are valid and which are fraudulent (Burgess, Canright, Engo-Monsen, 2004). The intent of this network security policy is to attain this level of intelligence in the entire network security platform and systems.

Operational Security Policy

With the majority of employees being highly mobile and often at customer locations or traveling to potential prospect accounts, the operational security policy has set mobile access as the highest priority. The benefits of creating a secured Virtual Private Network (VPN) security policy also have multiplicative effects throughout the entire enterprise.

The variation between Secure Sockets Layer (SSL) and IPSec-based protocols has been evaluated as part of this operational security plan, and the determination has been made to standardize on SSL. This will provide our organization with far greater agility and speed of network connectivity without sacrificing security (Cisco Tutorial, 2013). IPSec, while highly secured and targeted to the specific IP address level, is impractical given the speed and transient nature of device usage in our organization. Figure 1 compares IPSec and SSL VPN configurations.

Figure 1: Comparing IPSec and SSL VPN Configurations

Sources: (Cisco Tutorial, 2013)

(Opus One, 2013)

Organizational Security

The most critical success factor in the development and deployment of an enterprise-wide IT security policy is ensuring that role-based access to mission-critical information assets is not impeded by security policies unable to keep up with the pace of change in an enterprise. Organizational security strategies must be designed for agility and speed through the use of state-of-the-art systems that can quickly be reconfigured to match changing roles in an organization. Organizational security will be defined through role-based access, configurable through authenticated, clearly delineated processes that can be administered at the administrator level (Hone, Eloff, 2002).

The organizational security strategy will also be designed on the empirically validated Confidentiality, Integrity and Availability (CIA) triad model that successfully balances the need for data accuracy, security and access. Metrics and analytics will also be used for tracking the effectiveness of this strategy, as CIA-based implementations can be quantified from a reconciliation network performance standpoint (Gymnopoulos, Tsoumas, Soupionis, et al., 2005).

Access Control and Cryptography Security

The IT security policy will require the use of a proxy server-based approach to defining access control, authentication and cryptography. As there are a myriad of new technologies being released in this area, it is imperative that a Certificate Server-based authentication workflow be designed to ensure the goals of the organization can be achieved while information assets and systems are protected (Cisco Tutorial, 2013). Figure 2 illustrates the recommended configuration for the authentication and cryptography server (Hegyi, Maliosz, Ladanyi, Cinkler, 2005).

References
  • Amsel, E. (1988). Network security and access controls. Computers & Security, 7(1), 53.
  • Banks, S. (1990). Security policy. Computers & Security, 9(7), 605.
  • Burgess, M., Canright, G., & Engø-Monsen, K. (2004). A graph-theoretical model of computer security. International Journal of Information Security, 3(2), 70-85.
  • Eloff, J. H. P. (1988). Computer security policy: Important issues. Computers & Security, 7(6), 559.
  • Gymnopoulos, L., Tsoumas, V., Soupionis, I., & Gritzalis, S. (2005). A generic grid security policy reconciliation framework. Internet Research, 15(5), 508-517.
  • Hegyi, P., Maliosz, M., Ladányi, Á., & Cinkler, T. (2005). Virtual Private/Overlay network design with traffic concentration and shared protection. Journal of Network and Systems Management, 13(1), 119-138.
  • Hone, K., & Eloff, J. H. P. (2002). Information security policy - what do international information security standards say? Computers & Security, 21(5), 402-409.
  • Lee, S., Wong, T., & Kim, H. S. (2012). Improving manageability through reorganization of routing-policy configurations. Computer Networks, 56(14), 3192.