Creating Security Policies in the Real World
Novell Cool Solutions: Tip
Posted: 10 Oct 2002
Current Version: Novell BorderManager 3.7
Share the best ideas from your Security Policy, and you could win one of three Palm Pilot VIIx handhelds.
We've been watching with great interest the growing problem of web security breaches and potential breaches, since it falls directly into your laps, as security professionals. A recent survey found that hacker attacks increased by 32% during the first half of this year. Eighty-five percent of companies have reported security breaches, and estimate having lost about $120 million last year due to attacks.
According to IDC, billions are currently being spent on network security, but Web sites and applications continue to be penetrated by hackers and crackers, meaning corporations are still vulnerable. "Web presence for businesses today is essential, but just as it is essential, it is also the center of security problems," said Charles Kolodgy, research manager for IDC's Internet Security Software service. "Securing Web sites and the corresponding applications and databases is a difficult problem as Web sites exist to be accessible and firewall ports need to be left open for communication."
Protecting your company against hackers requires constant vigilance and a rock-solid security policy that takes advantage of Novell BorderManager. We thought it would be a great idea to have you share interesting tidbits from your security policies, and we can build a library of good examples to help others construct policies that will work for them.
We are aware that many of these policies are, in themselves, secure and highly confidential documents. We are not asking you to share entire policies. We'd just like excerpts that might point up aspects people usually don't consider in crafting a policy.
For example, a good security policy will consider external threats as well as internal threats, and will include plans for dealing with hackers and saboteurs, as well as your own employees who set inadequate passwords and never log out at the end of the day. We've even heard of companies protecting themselves against insiders stealing computer memory by installing hacksaw-proof cords to keep computers from being opened. Others make storage of fixed assets a priority in their security policy, specifying that servers and archived data must be stored in an access-controlled room rather than leaving them distributed around the premises.
Another big risk that a surprisingly high number of companies don't consider is that of mismanaged accounts of people who have left the company but are still able to access the network. (One study shows that 20% of user accounts belong to employees who haven't worked for the organization for five years or longer.)
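One way to turn the "mismanaged accounts" risk above into a routine check is to compare the directory's list of accounts against HR status and last-login dates. The following is an added example written for this page, not code from Novell or BorderManager; the account records are constructed for the example, and the 90-day idle threshold is an assumed policy value.

```python
from datetime import date

# Constructed sample export of user accounts (username, last login, HR status).
# These records are made up for this example and do not describe any real system.
ACCOUNTS = [
    {"user": "jsmith", "last_login": "2002-09-30", "hr_status": "active"},
    {"user": "mjones", "last_login": "1997-03-12", "hr_status": "terminated"},
    {"user": "contractor1", "last_login": "2002-01-15", "hr_status": "terminated"},
    {"user": "svc_backup", "last_login": "2002-10-01", "hr_status": "active"},
    {"user": "never_used", "last_login": None, "hr_status": "active"},
]


def find_stale_accounts(accounts, today, max_idle_days=90):
    """Return (username, reasons) pairs for accounts that should be disabled or reviewed.

    An account is flagged when HR no longer lists its owner as active, when it
    has never logged in, or when it has been idle longer than max_idle_days
    (an assumed policy threshold).
    """
    flagged = []
    for acct in accounts:
        reasons = []
        if acct["hr_status"] != "active":
            reasons.append("owner no longer active in HR")
        if acct["last_login"] is None:
            reasons.append("never logged in")
        else:
            last = date.fromisoformat(acct["last_login"])
            idle = (today - last).days
            if idle > max_idle_days:
                reasons.append(f"idle for {idle} days")
        if reasons:
            flagged.append((acct["user"], reasons))
    return flagged


if __name__ == "__main__":
    # Review date fixed to the posting date so the run is reproducible offline.
    for user, reasons in find_stale_accounts(ACCOUNTS, date(2002, 10, 10)):
        print(f"{user}: {'; '.join(reasons)}")
```

The HR check is deliberately separate from the idle check: a terminated employee's account is a problem even if it logged in yesterday, and an account that is merely idle may belong to someone on leave, so the two conditions call for different follow-up.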
You'll also want to consider the growing use of Instant Messengers in your organization, and find methods of controlling the transfer of unencrypted information over this insecure avenue.
A good security policy will also address risks associated with natural disasters (fires, floods, accidents), and the new threat of terrorist attack. (We'd particularly like to hear any ideas in this area.)
Computer virus management forms another important part of most security policies. Making sure you do not lose data to a virus means constant reviews, patches and vulnerability signature updates. Solid policies and procedures, as much as technology, are the key to success in fighting viruses. Employees must have rigorous instructions concerning suspicious e-mails and what to do in the event of infection.
Thwarting hackers will be high on the list for most companies that store confidential data about their customers. The Federal Bureau of Investigation (FBI) lists the following as the most common mistakes companies and their employees make which leave their data vulnerable:
- Default installation of operating systems and applications
- Weak passwords - some 40 percent of us use "password"
- Incomplete back-up of data
- Unneeded ports left open
- Data packets not filtered for correct incoming and outgoing addresses
Your security policy may need to provide precautions such as:
- Use password management software to help employees choose strong passwords. Have passwords expire.
- Create stronger authentication by combining passwords with biometrics.
Share Your Security Policy Excerpts and Tips
As we've learned so often before, the very best ideas are out there in your heads. You are on the front lines, and have undoubtedly come up with policies containing creative, elegant, ingenious ideas full of foresight and imagination. Take a minute to share your best ideas, and we'll enter you in a drawing for three Palm Pilot VIIx handhelds.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com