Developing An Effective Network Security Policy Essay.

Why You Need an IT Security Policy

A network security policy is implemented for addressing the different issues of ACME that consists of 120 employees in its workplace located on a multistoried building. The two buildings are required to be connected with the primary and secondary data centers that are leased by the company. The potential section identified for the basic network infrastructure of the organization is the security of the network [8]. The redundancy of the server is also analyzed for identification of the potential sections of the network. During the development of an IT security policy the model ‘defense in depth’ should be applied and the necessary components that are vulnerable in the network should be identified [5]. The process and methodologies involved for the development of the IT security policy should be evaluated and the security program should be developed for creation of multiple layer protection in the network.

The rules and the procedures should be integrated for maintaining confidentiality, availability and integrity of data with the resources available in the network. Responsibility should be given to the security professionals for the management of the IT security policy and identification of the incidents procedures and the processes. A good IT security policy comprises of clear communication with brief information that are realistic in nature. The scope and the application of the security policy are also defined for making the enforcement possible [2]. The security policy should be able to identify the roles and responsibility of the administrator, user or management and provide guidance to develop the specific procedures. The protection of the resources should be balanced with the productivity and the incidents should be identified for handling them easily.

The main key point that is considered for the development of a flexible and adaptable IT security policy is to update the technology for the establishment of the goals and objectives of the organization [9]. The potential section that is to be included in the IT security policy should be a living document and it should be updated frequently for offering new technologies based on the technology and the size of the organization.

The security policy created for the organization should be well defined and the vision and mission statement should be aligned for the development of the security policy. The security policy should have a clear and concise statement for making the readers to understand the policy [12]. The confidentiality and the security of the organization should be maintained and the availability of the data should be maintained for the authorized users of the network. The definition of the security should be documented for the improvement of the security policy and bringing new changes in the policy [1]. The document would act as a backup for the identification of the risk associated with the security policy of the organization.

Key Components of a Good IT Security Policy

It is found that several problems are faced during the enforcement of the IT security policy in the organization. Different stakeholders should be assigned for ensuring that any security breach or network misconduct can be handled [4]. A hierarchy should be maintained between the experts for the embracement of the policy in the organization and the exception policy created should be reviewed by the security manager for providing approval and denial. The overrule permission should not be given to the management team for handling the exceptions of the It security policy created for the organization.

The roles and responsibility of the users should be identified for the management of the persons to access the resources of the network and levels should be created for the employees. Providing training to the members is also important for the enforcement of the security policy in the network [7]. A standard guideline should be created for the improvement of the current standards of the network and an awareness program should be conducted for increasing the security of the network solution. The computer resources of the organizational network should be protected against illegal access to avoid the loss of data and hacking of the network solution. 

The assets and the hardware used for the configuration of the network solution should be listed and the access rights provided to the users should be listed for the management of the information and increasing the accuracy of the network security policy enforcement [8]. The threats and the vulnerability associated with the system should be identified and the network should be exploited for production of a report identification of the vulnerability associated with the development of the network security policy of the organizational network.

A good baseline is needed to be established for the network. Next another scan is needed to be run depending on the complexity, stability and size of the network. Then the results are needed to be compared. As the discrepancies are learned the rogue devices should be tracked down. This must be combined with the vulnerability scan and the old and new devices are to be listed that never conforms to the security policies. These devices are needed to be brought under compliance with the security policies [14]. Then it must be put through the access approval processes and then removed from the network. Different information should be gathered regarding the network of the organization and the policy should be accepted by the different group of users for ensuring that the policy does not affect the organizational policy negatively.

Enforcing Your IT Security Policy

While defining the policies and living with them regularly the causes for the policies must be reminded. The policies must never replace the thinking. The cause behind the potential threats and polices of all the actions must be taken into consideration irrespective of the policy [16]. The implementation of the standards like ISO 1799 ISO 9000 etc. is required for the controlling the best practice in the organization and implementation of the security checklist for the definition.

The enforcement policy must be connected directly to the outcomes of the inaction. This indicates that the outcomes created have not been following the policy actively. Then the unattended risks are also unacceptable. The idea o the corporate governance has been morphing [13]. The outcomes have been shifting the directors, officers and the auditing the committee members who have been held accountable for the poor things. Further the uncommunicated policies never exist. More the policies has been clearly tied to the higher likelihood and well-communicated risks, more the constituents understand and comply. It has been known that the policies have been inequitably enforced and hollow. This is the place where the top management has been selling the policy and communicating with the expectations to the employees have been the key to effectiveness [3]. Next the business case must be framed for the policy.

The motive of the policy has been assuring the appropriate use of the email-systems and make the users aware of what has deeming as the unacceptable and the acceptable usage of the email system. The policy has been outlining the minimal necessities to use the email under the Network.

This refers to the set of rules that are designed to improve the security of the computers. This is done through encouraging the users for employing the strong passwords. Then they are used properly. This policy has been generally the component of the official regulations of the company. This is taught as the part of the awareness training regarding security.

These defines the steps for securing the servers via the policy management. This includes the analyzing of the security settings of the server. It is done to assure that the applied security policy on the server has been proper for the role of the server.

The access control lists or the ACL denotes to the list of permissions that are attached to the objects with respect to the file systems of the computers. This specifies which of the system processes or users have been granted the access to the objects. This also includes what operators have been permitted on the particular objects.

Creating Specific Network Policies

The security level is analyzed for comparing the risk associated with the development of the network. The need for excessive security is eliminated because it can act as a barrier for the smooth flow of the business. Experienced staffs are provided the access of the network and new staffs are kept out of the network.

In business, the security policy is regarded as the document revealing the way in which the organizations plan to secure the physical and IT assets of the company. It is generally regarded as the living document. This indicates that the document never gets ended. However it is updated continuously since the employee and the technology needs changes [6]. The security policy of the company could include the use policy that is acceptable. This is description of the way how the company plans to make their employees aware about the protection of the resources of the company.

The password policy is created for the management of the network resources from a central point and the users of the network are encouraged to use strong password with the combination of different special character and numerical to defend against brute force attacks. Training programs are arranged for the employees for ensuring that the password policy created for the organization are maintained and implemented in the current network of the organization. 

The email policy is created such that the external email server are not used and the organizational information are not shared by the employees to the external agents. An internal email server is configured for increasing the efficiency of the communication between the employees working in the organization.

The policy needs the compliance with the least security standards for helping to protect. This must safeguard not only the individual devices but also the other devices interconnected to the network of communications. The policy must prevent the exploitation of the campus resources by the unauthorized individuals. The policy should be applicable to every device that are connected to the campus communications to create the communication. The devices includes the printers, computers or the other network appliances along with the hardware connected to the network of the campus [15]. This must be behind the NAT or Network Address Translation systems or the firewalls. The objectives should be set according to the company’s business rules and meet the objectives of the organization for inclusion of the critical database, sharing of the information within the resources of the network. The objectives becomes security policy for the organization and the different components in the network are evaluated for the management of the network traffic and reduce the congestion in the network [10]. The hardware device installed in the network should meet the guidelines of the network security policy and the compliance with the other device installed in the network should be evaluated before application in the current network of the organization.

Password Policy

The Campus Administrative Officials  assuring that the devices connected to the communication network from the department or unit is needed to be supported to the administrator or the user with capabilities of the maintaining the minimal standards of security. Proper authentication should be used for all the hardware device in the network for meeting the security requirement and secure the network solution from external agents.

The System administrator must be assuring the compliance with the minimal standards for the security has set forth in the procedures.

The Campus Security and the Privacy Committee must be providing the planning, direction and the principles regarding the information security [15]. It has been developing and reviewing the policy and procedures of information security throughout the campus. They must write the minimal security standards for the networked devices. They must write the security standards for the network devices. They must approve the exceptions to the least security standards.

The ISP or the Information Security Policy should be working with the campus community to safeguard the computers and the Campus Network Infrastructure. They must block the access to the network in accordance with the procedures and guidelines to block the network access while necessary [11]. The restriction of the users to access the core components of the network should be enforced for the management of the internal traffic in the network and communicate with the other network securely. The configuration and the maintenance of the network is important for implementation of the security policy for the management of the campus network.

The departments, individuals and units must use the devices complying with the minimal standards that are set forth in the policy. He must do the activities as the system administrator when the assigned system administrator is absent. The minimum security standards for the devices are to be followed. Regarding the exceptions the individuals, departments and the units need to comply with the least security standards by need to connect to the campus communication network identifying the resources. These resources must assist then to become compliant on an ongoing basis. The devices that have not been complying with the minimum standards should be subjected to the exclusion from the network of the campus [7]. They must also trust that their devices have been needing configurations. They must not comply with the minimal standards of security. The networked devices should request the connection to the campus electronic communication networks. This must be done on an exceptional basis.

Lastly regarding the minimum security standards for the network devices there must be the software patching updates. The networked devices should run the software for which the security patches have been available in the timely fashion [2]. Then effective anti-malware software must be implemented. Along with this, there should be the host-based firewall software and the use of authentication.  

• Benson, Karen, and Shawon Rahman. "Security Risks in Mechanical Engineering Industries." arXiv preprint arXiv:1512.01730 (2015).
• Bhardwaj, Amit Kumar, and Maninder Singh. "Data mining-based integrated network traffic visualization framework for threat detection." Neural Computing and Applications 26, no. 1 (2015): 117-130.
• Chen, Zhen, Fuye Han, Junwei Cao, Xin Jiang, and Shuo Chen. "Cloud computing-based forensic analysis for collaborative network security management system." Tsinghua science and technology 18, no. 1 (2013): 40-50.
• Czyz, Jakub, Matthew J. Luckie, Mark Allman, and Michael Bailey. "Don't Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy." In NDSS. 2016.
• Dart, Eli, Lauren Rotman, Brian Tierney, Mary Hester, and Jason Zurawski. "The science dmz: A network design pattern for data-intensive science." Scientific Programming 22, no. 2 (2014): 173-185.
• Kahate, Atul. Cryptography and network security. Tata McGraw-Hill Education, 2013.
• Kim, Hyojoon, and Nick Feamster. "Improving network management with software defined networking." IEEE Communications Magazine 51, no. 2 (2013): 114-119.
• Liu, Jiaqiang, Yong Li, Huandong Wang, Depeng Jin, Li Su, Lieguang Zeng, and Thanos Vasilakos. "Leveraging software-defined networking for security policy enforcement." Information Sciences 327 (2016): 288-299.
• Olivier, Flauzac, Gonzalez Carlos, and Nolot Florent. "New security architecture for IoT network." Procedia Computer Science 52 (2015): 1028-1033.
• Patel, Aditya, Sweta Ghaghda, and Payal Nagecha. "Model for security in wired and wireless network for education." In Computing for Sustainable Global Development (INDIACom), 2014 International Conference on, pp. 699-704. IEEE, 2014.
• Pathan, Al-Sakib Khan, ed. Security of self-organizing networks: MANET, WSN, WMN, VANET. CRC press, 2016.
• Patil, Kailas, and Braun Frederik. "A Measurement Study of the Content Security Policy on Real-World Applications." IJ Network Security 18, no. 2 (2016): 383-392.
• Peltier, Thomas R. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press, 2016.
• Perlman, Radia, Charlie Kaufman, and Mike Speciner. Network security: private communication in a public world. Pearson Education India, 2016.
• Siponen, Mikko, and Anthony Vance. "Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations." European Journal of Information Systems 23, no. 3 (2014): 289-305.
• Stallings, William, and Mohit P. Tahiliani. Cryptography and network security: principles and practice. Vol. 6. London: Pearson, 2014.