Development of network security plan which protects your whole complex network is a very important task. Designing security plan is complex process because of extranet connection used for business partners, public networks for ecommerce and remote-access services for users accessing network from home. Many security strategies have been developed so far but failed in protecting your assets over internet. I’m going to discuss a top-down approach for planning your network’s security strategy.
Network assets are internetworking devices, network hosts and network data that are transmitted over network. Network assets include trade secrets, intellectual property and company’s reputation. Defining network assets is the important task in designing security policy.
Risks increases because of untrained internet users who download applications having viruses. Denial-of-service attacks have now become common on network. Hostile intruders on internet can change data and steal data.
Analyzing Security Requirements
Security requirements for different types of data are different. Security requirement is needed for these assets.
Data Confidentiality: only authorized persons should be allowed to access sensitive data.
Data Integrity: only authorized persons should be allowed to make changes to sensitive data.
Data Availability: users should be given uninterrupted services.
Security features slows down performance of system as they consume CPU power and memory. These features normally utilize 15% of CPU power.
Developing Security Plan
Initial step in security design is security plan. Security plan is the high level document prepared by the higher authorities that contains the necessary steps to be taken to increase security. Plan consists of the steps, resources and expertise required to implement security. Network designer of company plays the major role in designing and implementing security plan as he has the technical expertise. The plan should contain the list of services provided and to be secured. The list consists of the services, users of services and who administers services. Complex security strategies should be avoided as they could be self-defeating. One of the most important tasks of security policy is the selection of persons who will be involved in implementing security policy.
- Is expert administrator for security is required to hire?
- How end users will be involved?
- How will technical staff, managers and end users be trained for security policy?
To make a security plan successful, the support of all level employees of the organization is required. Corporate management support to security plan is very important. Technical staff and end users should be into the plan.
Components of Security Policy
Following items should be included in security policy:
Accountability Policy: It defines the responsibilities of management, operations staff and end users. It should specify and provide guideline to what to do and whom to contact when intrusion is detected.
Access Policy: It provides guidelines for connecting devices to a network, connecting to external network and adding new software to system.
Authentication Policy: It establishes a password policy and guidelines for remote locations authentications.
Computer-technology buying guidelines: It defines requirements for the networking products and computers required for implementing security plan.
Developing Security Procedures
Security policies are implemented through security procedures. Procedures define login, audit, configurations and maintenance processes. It is a good practice to write security procedures for security administrators, network administrators and for end users. Security procedures should clearly describe how to handle incidents when any intrusion is detected.
Risks change over time, so security policies should be changed and maintained. Following steps should be taken regularly for maintaining security policy properly.
- Schedule independent audits
- Reviewing logs
- Reading Audits
- Responding to incidents
- Updates about security policy
- Training security administrator with latest updates
- Security testing
- Updating security policies
A term Security wheel is used for maintaining security which states that testing, implementing, monitoring and improving security is never ending process.