You have joined a small but growing company, Great Catalogs, Inc. (GCI). The company has decided to offer its catalog online, beginning its first venture into e-business. You are the newly hired network security engineer. It will be your job to build a secure network. The CEO knows nothing about networks but is the sponsor and champion of this project.
It will also be your job to educate the CEO and the board of directors on networks, security, and the risks of doing business online. You will be in charge of designing and implementing the network security policy and training program. The CEO and the board of directors want to have this network and catalog online within the next 2 years. A LAN and WAN are currently in place, but security has not been seriously addressed.
A security policy is essentially a plan that identifies the company’s critical assets and states in writing how those assets must and will be protected. Its main purpose is to give staff a brief overview of the acceptable use of the company’s information assets and to explain in detail what is and is not allowed. By doing this, you engage the staff in securing the company’s critical systems.
The security policy document acts as a mandatory source of information for everyone using the systems and resources that have been defined as potential targets. A well-developed policy should address the following elements:
- How will sensitive information be handled?
- How will IDs and passwords be properly maintained?
- How will the company respond to a potential security incident, such as intrusion attempts, spam, and so on?
- How will the workstations and Internet connectivity be used in a secure manner?
- How will proper use of corporate e-mail be defined and enforced?