Designing and implementing network security policies can help protect all types of networks from potential attacks. Proper network security policies bridge the gap between an organization’s security objective and an organization’s specific security requirements for users and administrators. If an organization tries to implement a set of security tools without having at least an implied security policy, then its network security strategy is meaningless.
What is a Network Security Policy?
IT security policies are the set of rules and practices that an organization uses to manage and protect its network infrastructure. These policies must be defined, documented, implemented, reviewed and evaluated to ensure network security. Hence, the need for network security policies in any organization cannot be overlooked. It determines how policies are enforced and how to lay out some of the basic architecture of the company security/ network security environment.
Network security policies interpret, explain, and communicate the organization’s position on security as stated in advanced security principles. It is a “living document” that notifies administrators, staff, managers, and other users of their required obligations for safeguarding technology and information assets. The phrase “living document” suggests that the document is never-ending and constantly modified with employee requirements and technological changes. Therefore, a proper network security policy:
- Stipulates the rules for required behavior
- Defends users and information
- Describes the penalties of violations
- Permits the workforce to observe, probe, and investigate network security threats
Types of network security policies?
To address the objectives of network security within the organization to ensure confidentiality and service availability. The policy should Comply with existing laws, regulations, and state and federal policies by supporting organization’s mission statement and organizational structure.
To address system related issues at all levels of security from access control rules to permissions among group of employees.
Address particular security issues such as, Internet access, installation of unauthorized software or equipment, and sending/receiving e-mail and attachments. Once the issues you need to address are identified, issue specific policies are developed.
Basic rules for developing security policies
- Explain the purpose and what security goals it will address
- Define what IT resources are covered like hardware, software, data and group of professionals
- Defining Roles & Responsibilities
- Establish the support from top management to enforce the policies
- Defining the relationship between the department for identification, implementation, budgeting and analysis.
- Cover the legal, compliance and regulatory aspects to facilitate approval
- Also establish any disciplinary process for breaches of the program policy
Designing countermeasures for network security threats can be a frightening undertaking if tackled without a well-thought-out approach. EC-Council’s Certified Network Defender (CND) is a skills-based computer network security training program that gives you an understanding of all the things you need to know about designing and implementing the right network security policies.
By gaining the proper certification and essential network security training, you will be able to prepare a comprehensive network security plan.
How do you implement network security policies?
There are many ways to implement and ensure network security. The audience determines the content of the network security policy. For instance, you probably do not need to include the technical aspect of why a specific requirement is needed for a policy intended for managers. Although, these audiences may require the advanced summary or the principles backing the requirement. The end-users are more likely to comply with a network security policy that they are aware of the “why” of its implementation.
Nevertheless, the most recommended way to do this is to design a foolproof network security plan and to undergo network security training to learn and practice the different methods and techniques most commonly used.
How do you design network security policies?
To secure your network, there are three phases that your organization must go through preparation, prevention, and response. Network security policies begin with risk assessment, followed by the implementation of a security management practice, and lastly, an analysis or a review to modify the existing policies.
The preparation has its own sub-phases. Before implementing a security policy, you must do the following first: construct usage policy statements, conduct risk analysis, and establish a security team structure.
Construct Usage Policy Statements
When creating usage policy statements, it is recommendable to have a framework of the user’s roles and responsibilities in managing your network security. Having someone to be assigned as a partner is also essential. Create a partner acceptable use statement and provide them with an understanding of information that is only available strictly to them.
Furthermore, create an administrator acceptable use statement to clarify the actions for user account administration, policy enforcement, and privilege review. The administrator/s assigned should be knowledgeable about training plans and performance evaluations.
Produce a Risk Analysis Study
A risk analysis aims to identify the vulnerabilities and threats to your network, network resources, and data. The importance of having a risk analysis is to be able to apply the appropriate level of security to identified vulnerabilities to maintain a protected network. It is recommended to assign a risk level to the following devices: core network, access network, distribution network, network monitoring, network security, e-mail systems, network file servers, network application servers, data application servers, desktop computers, and other devices that may be exposed to intruders.
Form a Security Team Foundation
A security team of any organization should be led by a Security Manager. It is recommended to have representatives from each operation or department area to have a cross-functional security team. Members within this team may be enforced to undergo additional network security training. Additionally, this team has three main areas of responsibility namely: policy development, practice, and response.
The second phase, Prevention, has two sub-phases: approving security changes and monitoring the security of your network.
Approving Security Changes
The security team should identify the specific requirements for a specific network configuration. After creating the network configuration changes to further implement security policy, review them once again and check out on details that may pose a risk. A representative from the security team should monitor all the changes that are reviewed.
Monitoring Security of Your Network
Similar to network monitoring, security monitoring focuses on identifying the changes in a network that indicate a security violation. This phase is mainly dependent on the study of Risk Analysis and on the phase of approving security changes. These parameters will develop a clear vision of what the team needs to monitor.
Upon implementing the changes, a monitoring policy should be developed or updated for each area detected in the risk analysis. According to Cisco, low-risk equipment shall be monitored weekly, medium-risk equipment shall be monitored daily and high-risk equipment shall be monitored hourly. For rapid detection, monitoring should be done in a shorter time frame.
The last phase, Response, has three sub-phases: security violations, restoration, and review.
Having a good choice of the decision made ahead of time makes a response more manageable. Quick decisions can result in a good chance of protecting the network equipment, determining the extent of the intrusion, and recovering normal operations. The detection of an intrusion can be based on the notification from the security team. The level of authority varies in a security team so the access in network devices may also vary depending on the person in charge.
The final requirement of any security response is restoration. This is needed to gain back normal network operations. It is necessary to define how to conduct and make normal backups available for each system, and the procedures for backing up should be recorded as well. Security conditions should be detailed, from the requirements of the backup to the approval method for the restoration. If the backup is only accessible to specific roles, the process to obtain access should be included as well.
Reviewing is the final task required in designing and implementing network security policies. The main things that should be reviewed are the policy, the posture, and the practice. Network security training should be done often, to ensure that the support staff has a clear understanding of what to do in case of a network security threat breaks into the organization. The unannounced drill is typically recommendable and done in combination with the posture test. Document the findings in the review and identify the gaps in solving these vulnerabilities so that further actions can be done in case such incidents will happen in the future.
About EC-Council’s Certified Network Defender (CND) Program
EC-Council’s Certified Network Defender Program (CND) aims to produce Network Administrators who are adept at detecting, responding, and protecting networks from potential threats. CND certification program validates the skills that will help Network Administrators to promote resilience and business continuity during attacks.