Security Policy Life Cycle

Published Date: 02 Nov 2017

Introduction

A group of interconnection of the computer system that shares the information across wired or wireless technology is known as COMPUTER NETWORKS. NETWORK SECURITY means the specialized field of computer networking that provides security for computer network infrastructure. SECURITY POLICY is one of the domains of networking security.

Security policy life cycle:

Evaluation of security policy:

Evaluation of security policy means to be aware of the resources, needs for the users, gaining knowledge about all the security risk and measures.

B.Policy statement:

popo

C.Comparision:

Compare security policies with other companies so only have to get the clear knowledge about the security needs.

D.Implementation:

After getting the knowledge of security needs have to implement the security policy.

Elements of security policy

Source: http://www.dreamstime.com/basic-principles-of-data-security-thumb22882259.jpg

The basic elements available in security policies are as follows:

Confidentiality

Authenticity

Data integrity

Availability

Confidentiality:

Confidentiality is ensuring that the authorized persons having the full responsible for access the information or resources. No other external persons cannot access those networks

Some of the confidentiality topics are

Access control

Passwords

Biometrics

Encryption and decryptions

Privacy

Ethics

B.Authenticity:

.C.Data integrity:

Data integrity is ensuring that to thwart improper and unauthorized changes. Data integrity is essential for security, privacy and trustworthiness of company’s data. Regular back up of our data, off site secure storage, regular monitoring.

The processes involved in data integrity are

source:http://www.executivesupportsystems.com/Images/DataIntegrity.jpg

(http://www.executivesupportsystems.com/DataIntegrity.aspx)

Data entered, moved, altered, stored all are come under data integrity.

D.Availability:

The ability to use the desired information or resource. The network availability means suppose if the network is being failed, we can identify the problem and troubleshoot the network and then to use it. We have taken some time to troubleshoot the network. The time interval for network failure is representing by the term as mean time to failure. It is simply represented as MTTF. The time taken to troubleshoot the network failure is representing by the term as mean time to repair. It is simply represented as MTTR.

NETWORK AVAILABILITY=MTTF/(MTTF+MTTR)

This means to calculate the usage percentage of the network.

(http://www.network-protection.net/network-reliability-and-availability/)

COMPONENTS OF SECURITY POLICY:

Governing policy:

End user policy

Technical policy

Governing policy:

Governing policy means the high level component of security policy. It is important for manager and other technical staffs in the company. Governing policy is same as the company wide level policies. Governing policies is the only responsible for all security for the company or organization. It is broadly classified into two groups, technical and end user policy. It supports for both technical and end user policies.

End user policy

End user policy is the policy that covers all the essential information for the end user security.

Collecting detailed information from the user

Compiling

Implementation.

End-user policies answer the "what," "who," "when," and "where" security policy questions at an appropriate level of detail for an end user. End user policies is the only answerable position for the security policy questions like what, who, when and where.

Technical policy:

Technical policy is most important things in the governing policy. It is the policy that give the instruction to the security staffs member like what the security staffs members have to do, how to give the solution for the particular problems and what are the things that the security staffs members have not to maintain inside the policy statements. The number of policies which are come under the technical policy. Some of them are as follows

Network policy

Email policy

Wired and wireless data transmission policy

Remote access policy

(http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3)

SECURITY MANAGEMENT:

Network Security having lots of rules and regulations to secure the networks. Sometimes user doesn’t having any clear idea about the security policy. Users having lots of confusion about what is the basic idea for the policy, what is the purpose to create this kind policies and how to maintain this. These are question will strike the user mind so only we have to strictly maintain for the below documents policies.

Standards – necessities in our policies

Guidelines – method to carry out the policy

Procedures – best way to carry out the certain task

Standards:

Standards consists of some low level vital supervise to implement the information security policy. One of the most important security policies in standard is uniformity. Suppose if security staffs have to configure large number of router in an organization. All the router coding is more or less similar it is difficult to write code for each and every router so the security maintenance is more difficult. The result is fail in security policy. A standard is the simple thing to provide security for the policy.

Standards personality:

Improve the effectiveness of the policy.

Consistency.

All the organization must use this.

Some of the examples for the standards are as follows:

Password must contain the minimum of nine characters.

Mixed of uppercase letters, lowercase letters, numeric and special character.

Must to change the password at least once in a month.

Clear the cache, cookies as well.

Don’t use the repeated password.

Guidelines:

A guideline is the optional one. It’s just to support the standards security. It is more flexible one and it is just to vision about how to make better security policies.

Guidelines personality:

More flexible

Additional security for the network.

Some of the examples for the guidelines are as follows:

Consider "yesterday today and tomorrow at 8’o clock morning" as a password. Instead of this password we have written as "sturdy 2day & 2morrow @ 8am".

More complex to find our passwords.

Procedures:

Procedures documents is the most important thing compare to standards and guidelines. It consists of most detailed information about the implementation of the process in step by step and the graphics format. It is most essential documents for all the organization for the execution of the process.

Procedures personality:

Give detailed information for the process

Provide steps to execute the standards, policies and guidelines

Some of the examples for the procedures are as follows:

Suppose if user have to create the social network account first to fill the some documents. In this document contains some security questions like mother maiden name, first mobile number you used, favorite pet animal name, etc. once the user forget the password for that particular network means how the particular user to access the account. Some of the question will arise whether user have to create the new account or use the existing account. No worry user has to use the existing one. First to open the particular site and click the forget password button. Some of the confidential question will ask like mother maiden name, first mobile number you used, favorite pet animal name, etc. Give the correct answer to this question and to get the new password for the existing account.

(http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3)

STEPS TO DEVELOP SECURITY POLICY:

Six main steps are available to create the security policy

Scope:

The scope is the useful skill to protect the network security policy. The security will provide for all the branches of the organization from topmost level to bottommost level. The scope is not only fulfilling the needs of the developer or staffs and also fulfills the needs of the customer also.

Management permission:

Without the knowledge of superior authority software developer can’t do anything. It gives lots of problem to the developer. So getting permission from the superior authority first and will go for the next process.

Comparison:

Before developing the network policy lots of doubt will arise. How to create it, what are the necessary things needs to prepare a policy and how it will secure the network like this. Only solution to solve this problem is getting knowledge from others policies or to refer some others policies.

Risk assessment:

Before starting to develop a policy, full research of risk assessment must be done. The risk assessment is the one and only valuable tools to shaping of the security policy.

Policy statement:

Security policy will fully dependent on the risk assessment report. The aim of the policy statement is to show all the risk in the risk assessment report. It will be more useful for developing network security.

Implementation:

Before implementing the policy has to check whether the policy has to fulfill the basic needs or not. Some of the basic needs of the policies are as follows

i) Does your policy comply with law and with duties to third parties?

ii) Does your policy compromise the interest of your employees, your organization or third parties?

iii) Is your policy practical, workable and likely to be enforced?

iv) Does your policy address all the different forms of communication and record keeping within your organization?

v) Has your policy been properly presented and agreed to by all concerned parties?

(http://www.windowsecurity.com/whitepapers/policy_and_standards/How_to_develop_a_Network_Security_Policy_.html)

RUDIMENTARY STEPS:

The ground works steps for developing the security policies are:

Form a security squad

Widen the strategy testimonial

Go through the security procedures from other institutions

Assessment of risk

Before we have to develop the security policy we have to appoint the fully knowledge persons for field. The one and only responsible for the security measures of our institution is security squad.

CONCLUSION:

Network security policy development is not a simple thing. The achievement of the security policy will fulfill the needs of the superior management and wakefulness of the organizational staff members. After implementing the security policy the repeatedly re-evaluated must be do periodically because lots of wanted and unwanted things should be happens like coercion change, business requirement change and the countermeasures change and exposed change. These kinds of changes will be done periodically so only the network will be more secure.