Network Security Policies - Should You Bother?
A network security policy, or information security policy, is a written agreement in which a company clearly sets out its network security measures; all employees of the organization agree to it and acknowledge it with their signatures. Such policies are very much in demand in both big and small companies in recent times, owing to the large volume of sensitive data they handle and the number of information security breaches that have come out into the open. In fact, signing and implementing an information security policy covering both computers and wireless devices has been made a mandatory part of employee contracts from the very outset. People who do not agree to these policies may not be given a place in the enterprise.
On the other hand, companies cannot enforce any of the network security measures unless all the existing employees agree to the clauses in the policy. That is why framing network security policies can sometimes be a subject of much debate and discussion in company conference rooms. Deciding what procedures to include, the level of security over the server, and the control it would exercise might put company employees at loggerheads. The usual way of proceeding is to prepare an original draft and then put it up for deliberation. After the modifications, if any, the network security policy is put into place and the measures begin.
Having a network security policy makes a very good impression when the information security audit comes up. An information security audit is the period when an external agency looks into the security measures that a company uses and checks for loopholes or flaws within its security system. Since information audit reports are made public, a negative mark on them can hamper the prospects and credibility of the company. But if a company has a clearly laid out network security policy in place, the information security auditors will get the impression that the company has taken some pains to put security measures into place, and hence will regard it favorably.
The following are some points that must be addressed when making a network security policy:
- The access control list must be clearly set out in a draft in advance. This is a list of the employees who will have access to the shared data of the company. The list should also mention how they will be able to access the data, and who will know the members of this access list. Such lists are called audit logs. They are essential to investigating breaches later on.
- Companies can choose a particular format for creating their passwords, and also how they will store them. The best way is of course to just remember the passwords. Hence, foolhardy methods like writing passwords down and leaving the notes where the auditors or people with criminal intent can get at them should be penalized. These penalties can also be discussed in the policy.
- Network policies should discuss what kinds of backup measures will be used by the company management, and who will be able to access them.
- There should be a discussion of the data encryption tools that will be put into use to handle and secure customer information.
Hence, a network security policy is a comprehensive, codified statement of what security measures the company will adopt and who will know of these measures. For that reason, it is very important that these policies are properly constructed and implemented. Today there is university education to prepare information technology professionals for drafting network security policies. There are even special courses for Windows systems.