Enterprise Security Policy and Standards 

An enterprise’s security policy document provides the framework for the deployment of security technology within the enterprise.  It is a key responsibility of the security officer to align business and corporate objectives with security requirements in the development of the security policy document.

The security officer identifies the parts of the network and the systems that are trusted and thus do not require any security services. The enterprise security team must clearly identify restricted network segments as well as the demilitarized zone (DMZ).

The security officer identifies all security requirements for an enterprise.  Careful planning and awareness of the types of threats that a system might experience are key to defining a security policy that leads to a secure environment.

An enterprise security document includes sections such as:

  • Introduction

  • Risk management and security principles

  • Security-related organizational roles and responsibilities

  • Planning processes and risk assessment

  • Information classification

  • Encryption

  • Non-employee personnel and security

  • Application communications

  • Viruses and malicious code

  • Physical security

  • Incident reporting

Enterprise TCP/IP Security Policy
Every organization must develop its own customized TCP/IP security policy to describe corporate policy for each and every protocol and network device that communicates on the enterprise TCP/IP network.  Each section of the TCP/IP security policy document must cover three areas: overview (of the protocol), recommendation (for use of the protocol on the enterprise network) and reasoning (justifying the recommendation).
 
An enterprise TCP/IP security policy includes the following core elements:

  • Defining the security perimeter based on an organization’s network topology and security requirements.

  • Developing a customized security policy based on business and application requirements.

  • Deploying firewall system(s) to implement the specifications of the organizations’ security policy.

Ask the following questions when creating the TCP/IP security policy:

  • What is the objective or motivation for this document in your organization?

  • Who is the intended audience for this document?  Will all or some parts of this document be distributed?

  • How frequently will this document be revised?

  • Who is responsible for updating the document?

  • Are there recommendations in the document that will be enforced?

  • Identify the security philosophy that best reflects the belief of the organization.

  • Which firewall systems are used to secure your connection to the Internet?

  • What is the firewall system and network architecture?

  • What is your policy for inbound access to systems?  Which specific protocols will be allowed to access nodes on your internal network?

  • What is your policy on outbound access to nodes on the Internet?  Which specific protocols will be allowed to establish outbound connections to nodes on the Internet?

  • Do you have remote offices or branches that connect to the home office?  If yes, is the remote office directly connected to the Internet, or does it access the Internet through the home office?

  • Are there external networks that are not trusted? Are there external networks that need access to your internal network via the Internet?

  • Where are your key servers (Web server, DNS server, FTP server) located on the network?

  • What is your policy on consultants and contractors who may have privileged access to systems and networks?

  • What is your policy on employees who are no longer with the organization—how do you ascertain that they have no access, privileged or unprivileged, to system resources on the network?

Summary
Each organization needs to define a security policy that is specific to its combination of systems, networks and applications.  A security policy defines the highest level of a security specification and states what is and what is not authorized in the general operation of a system or network element.


TCP/IP Security Policy Sections
A customized enterprise TCP/IP security policy document typically includes sections.
Executive Summary

Overview
Internal and External Networks
Security Philosophy
Scope and Deployment
Audience
Compliance
How to Use the Security Policy Document
Document Changes and Feedback

Network Services

Minimal IP Requirements
Routing Protocols
ICMP

Transport Layer
Thin Clients Network Protocols
IPSec Security
Firewalls
Intrusion Detection


Security Standards
The International Standards Organization (ISO) 27000 is a detailed security standard published in December 2000.  The British Standard (BS) 7799 and the ISO 27000 are very similar—the ISO 27000 includes two non-action sections at the start of the document. The standards are organized into 10 major sections, each covering a different topic or area:

  1. Security policy: The objectives of this section are to provide management direction and support for information security.  The information security policy document is a written policy that must be available to all employees responsible for information security.
     

  2. Security organization: The objectives of this section are:

    1. Information security infrastructure: To manage information security within the organization.

    2. Security of third-party access: To maintain the security of organizational information-processing facilities and information assets accessed by third parties.
       

  3. Asset classification and control: The objectives of this section are:

    1. Accountability of assets: To maintain appropriate protection of corporate assets.

    2. Information classification: To ensure that information assets receive an appropriate level of protection.
       

  4. Personnel security: The objectives of this section are:

    1. Security in job definition and resourcing: To reduce risk of human error, theft, fraud or misuse of facilities.

    2. User training: To ensure that users are aware of information security threats and concerns and are equipped to support the corporate security policy in the course of their normal work.

    3. Responding to incidents: To minimize the damage caused by security incidents and malfunctions and to learn from such incidents.
       

  5. Physical and environmental security: The objectives of this section are: Secure areas: To prevent unauthorized access, damage and interference to business premises and information.

    1. Equipment inventory: To prevent loss, damage or compromise of assets and interruption to business activities.
       

  6. Computer and network management: The objectives of this section include:

    1. Operational procedures and responsibilities: To ensure the correct and secure operation of information processing facilities.

    2. System planning and acceptance: To minimize the risk of systems failures.

    3. Protection from malicious software: To protect the integrity of software and information.

    4. Housekeeping: To maintain the integrity and availability of information processing and communication.

    5. Network management: To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

    6. Media handling and security: To prevent damage to assets and interruptions to business activities.

    7. Data and software exchange: To prevent loss, modification or misuse of information exchanged between organizations.
       

  7. System access control: The objectives of this section are:

    1. Business requirements for system access: To control access to business information.

    2. User access management: To prevent unauthorized access to information systems.

    3. User responsibilities: To prevent unauthorized user access.

    4. Network access control: To ensure the protection of networked services.

    5. Computer access control: To prevent unauthorized computer access.

    6. Application access control: To prevent unauthorized access to information held in computer systems.

    7. Monitoring system access and use: To detect unauthorized activities.
       

  8. System Development and Maintenance: The objectives of this section are:

    1. Security requirements of systems: To ensure security is built into operational systems.

    2. Security in application systems: To prevent loss, modification or misuse of user data in application systems.

    3. Security of application system files: To ensure IT projects and support activities are conducted in a secure manner.

    4. Security in development and support environments: To maintain the security of application system software and data.
       

  9. Business Continuity Planning: The objectives of this section are to counteract interruptions to business activities and to support critical business processes from the effects of major failures or disasters. This includes business continuity planning process, business continuity planning framework, testing business continuity plans and updating business continuity plans.
     

  10. Compliance: The objectives of this section are:

    1. Compliance with legal requirements: To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements.

    2. Security review of IT systems: To ensure compliance of systems with organizational security policies and standards.

    3. System audit considerations: To maximize the effectiveness of and to minimize interference to/from the system audit process.