A network security policy is a formal statement of the rules that people who are granted access to the organisation's resources must abide by (Temasek Polytechnic, n.d.).
Because threats keep growing and changing, a network security policy is not a one-off document but a continuous cycle. The cycle is divided into four phases, namely secure, monitor, test and improve.
In the secure stage, the organisation implements controls to prevent any possible loss of information (Temasek Polytechnic, n.d.). Examples include requiring regular password changes and deploying a firewall in the network.
In the monitoring stage, the organisation detects violations of the policy (Temasek Polytechnic, n.d.). This normally involves an Intrusion Detection System (IDS) that flags violations to the network administrator.
In the test stage, the organisation performs penetration testing or audits the network system (Temasek Polytechnic, n.d.). This checks whether the controls put in place during the secure stage actually work and whether the monitoring stage actually catches violations.
Using the information gathered in the monitoring and test stages, the organisation improves the existing policy or creates new policies to address the vulnerabilities that surfaced (Temasek Polytechnic, n.d.). This is the improve stage, after which the cycle returns to the secure stage.
Figure 1 (Security policy life cycle)
When developing a security policy, RFC 2196 (the Site Security Handbook) identifies three trade-offs the organisation has to decide. Firstly, "Services offered versus security provided": every service offered to users carries its own security risk, so the network administrator must decide whether the benefit of providing the service outweighs that risk, or whether to withhold the service and forgo the benefit (Tittel, 2003).
Secondly, "Ease of use versus security": the easiest system to use is one with no passwords or other controls, which is also the least secure, while every control that is added makes the system more secure but less convenient ("user-unfriendly"). Depending on the situation, the network administrator decides where between these two extremes the organisation should sit (Tittel, 2003).
Lastly, "Cost of security versus risk of loss": the cost of security (in terms of money, performance and ease of use) must be weighed against the losses the organisation would suffer if the control were not implemented. These losses include the loss of information, loss of privacy and loss of service (Tittel, 2003).
References:
[Information security policy]. Retrieved April 27, 2012, from http://trustedtoolkit.blogspot.com/2007/07/information-security-policy-101_03.html
Temasek Polytechnic. (n.d.). L02 - Laws and ethics. Singapore.
Temasek Polytechnic. (n.d.). Overview of internetworking security. Singapore.
Tittel, E. (2003, August). The security policy document library: Site Security Handbook. Retrieved April 27, 2012, from SearchSecurity: http://searchsecurity.techtarget.com/tip/The-security-policy-document-library-Site-Security-Handbook
Dear Kim Chye,
I have read your post on Security Policy and found it very informative. In my own post, I also wrote about the stages of secure, monitor, test and improve, and I find that your explanation of it is very clear and complete.
However, I did not write anything on the development of security policies and am very glad that you have written something about it. I think that what you have written about the development of the security policy is very useful to me. Now, I have understood both the security policy cycle and how it is developed.
Luke.
Hi Kim Chye,
I would like to thank you for your post, as I found it very descriptive and educational. It helped me improve my understanding of the fundamentals of a security policy.
Having read your post, I have learnt a lot more about security policies than I would have otherwise. What strikes me is the fact that the security policy is to be created in such a methodical manner, almost as if it were strictly but blindly adhering to a set of generic rules. Yet the development of the security policy calls for the need to carry out tests and research on each specific network system, giving security policies the ability to uniquely deal with the nuances of the systems' needs. This gave me great insight into the processes of a security policy, and thus once again I would like to thank you for your wonderful post.
Julian.
Hi Kim Chye,
I have read through your post on Security Policy and I felt it was rather concise and relatively simple to understand. In your post, you explained how having a security policy is essential. Furthermore, the security policy is actually a continuous cycle comprising different stages, each playing its own part.
Also, you've taken the time and effort to link them closely to TP's organisation, making it much easier to understand. Indeed, I've realised that having security policies in place would ensure much greater consistency in an organisation.
Once again, great job! :)
aloysiusT
Hi Kc,
I have read through your post on Security Policy. I feel that it is very informative and easy to understand. As compared to my own, yours is much more detailed and clear.
After reading through your post, I learnt more about security policy, the security policy cycle and how it is developed. For example, the security policy is actually a continuous cycle comprising different stages, each playing its own part.
Lastly, with your effort in linking them closely to TP, it is easier for me to understand, and thus I realise it is very important for any organisation.
Jun Rong
Hi Kim Chye,
After reading your post on Security Policy, I found the post to be very clear and educational. The post made me more knowledgeable regarding Security Policy.
From your post, I am able to have a deeper understanding of the term Security Policy, as you explain the 4 different stages of security policy in detail. Next, I have also learnt that a security policy can be decided in 3 ways, namely: "Services offered versus security provided", "ease of use versus security" and "cost of security versus risk of loss".
Lastly, I am very thankful that you took the time to quote the 3 different ways to decide a security policy, as those 3 quotes helped me in having a better understanding of security policy. Thank you for the great effort in making this blog.
Jun Hao
Hi Kim Chye, I have read your post about Security Policy and I found it to be quite enlightening.
At the beginning, I didn't know what the 4 phases of developing a Security Policy were. However, after reading your post, I've learnt what each of the 4 phases does and how they work together hand in hand to create an effective Security Policy.
Also, the 3 different approaches to the creation of a Security Policy were very detailed, giving me a clear insight into each of them.
Overall, I am very impressed with the time and effort you took in writing all of this. I hope to be able to see more great content such as this.
-Winston Ho
Hi Kim Chye,
I have read your post. Like many others, your post on security policies covered security policy development, which mine did not. After reading, I have learnt what the phases do and how they transition from one stage to another. I have also learnt that there are actually 3 "customised" ways to further develop the security policies, according to what the company wants or is able to afford. Overall, your post differs from mine in that yours is more concerned with how a security policy is formed, as compared to my post, which is more concerned with the definitions of security policies and what they comprise.
Dear Kim Chye,
Having read your post, I now understand that a Network Security Policy is actually a continuous cycle with 4 phases: Secure Stage, Monitor Stage, Test Stage and Improve Stage. I have understood how the cycle works with each stage. I also understood the importance of the stages while creating the Network Security Policy. Since my post did not include any of the stages in its content, I now know something more about Network Security Policy. The three different approaches to developing a Network Security Policy also helped me understand even more about the development of a Network Security Policy. Thank you for the time and effort put into the post.
Neo Kai Xiang