
Security policies should be an organisation's first line of
defence, but they often do not play as critical a role as they
should.
A security policy is a living document, and it needs to be written in a way that addresses the general employee population, third-party auditors, the IT department, and potential partners and suppliers alike.
Generalised policies should be written so that updates do not become overly burdensome, while still providing a clear call to action to prevent breaches from occurring and laying out the proper procedures to follow should a breach occur.
Most organisations opt to write their security policies themselves, using common sense and their own experience as a guide. However, software packages are also available from vendors such as Pentasafe (recently acquired by NetIQ) that automate the creation of these policies.
The other aspect of policy management is the actual configuration of security policies within an appliance, such as the firewall server. Companies need to make sure that these policies are flexible enough to allow information to flow, but not so lenient that the doors to the organisation are left completely open.
It is a fine balance that needs to be monitored closely and consistently, but often is not. The reason for today's renewed interest in security policy is the continued expansion of the organisation beyond its traditional boundaries to include partners and suppliers, as well as a closer tie-in with business continuity responses should a disaster occur.
Many external partners now demand to review security policy documents and configurations before doing business, to ensure that the transfer of information and Intellectual Property (IP) from one company to the next will be secure.
This awareness will only grow as IP is more easily shared across the Internet. Organisations need to ensure that they are no longer simply meeting the minimum requirements of the security policy document to keep the auditors content, but that they understand that maintaining policies is not only a matter of strong password protection, but one of trusted relationships and an avenue to create additional revenue.