IT Security

An effective network security policy is the foundation of an adequate information security environment. A network security policy is the basic document that defines the expectations for network security and guides administrators and network users. A good network security policy should support the organization's overall goals and mission, set standards for acceptable behavior on the network, identify assets that need to be protected, and hopefully reduce the number of security incidents. Security policies can be written at a high level to allow for broad interpretation, or at a low level to provide specific guidance. A good security policy has a mixture of both, allowing for innovation in appropriate areas and providing numerous details in critical areas. A network security policy should be easy for all users to understand and adaptable to the needs of the organization, especially as security and vulnerability assessments reveal weaknesses that need to be corrected. To be effective, a policy must be communicated to all network users, consistently enforced, and strongly supported by the organization's leadership. Although every organization's security needs are unique, these 10 elements should be evaluated when creating or revising a network security policy.


Overview:

The policy should state the goals and the scope for its use. The policy should relate how it supports the organization's overall goals and mission and how it complements existing policies and local laws for network security. The overview section should indicate where common technical terms are defined in the document to ensure all users are on the same page.


Physical Security and Access:

Unauthorized physical access to hardware and facilities can easily undermine more advanced technical defenses. The policy should be clear on who has physical access to sensitive areas that contain servers and other network equipment. There must also be clear procedures in place to ensure network users only have access to the systems they need to use to complete their work. Internal attacks and human errors often present a serious risk to many organizations, and controlling user access helps maintain the reliability and confidentiality of information. The physical security of organizational assets, such as laptop computers, should also be covered in this section.


Network Security and Configuration:

This section should give system administrators and the leaders of the organization a clear picture of how different security tools (like Virus Detection Programs, Firewalls, Network Scanners, Intrusion Detection Devices) and strategies (like data sandboxing, demilitarized zones, and pluralism) will be used to protect the network. This section should define the individual responsibility of users to protect the network and prohibit unauthorized tampering with the network. It should spell out user responsibilities for remote access and other network features.


Authentication and Encryption Infrastructure:

Authentication is how users identify themselves to the network. This section will detail the authentication and verification tools the organization uses and the users' responsibilities for them. It should provide guidance on the need to change passwords, how to protect encryption keys, and when to use digital signatures, certificates, or biometric devices. This section of the policy is critical to ensuring the confidentiality of data.


Incident Response & Disaster Contingency Plan:

An organization's ability to recover from a disaster or respond to a security incident is extremely important. This section should provide clear roles and responsibilities that include the reporting of security incidents and recovery procedures. Responsibilities for updates to anti-virus software and code patches should also be covered in this section. How well an organization functions when faced with a security incident or a disaster can have a significant effect on the confidence of network users. This section should include security measures for backing up servers and data and contain contact information for members of an emergency or incident response team.


Acceptable Use of the Network:

This section should cover the rights and wrongs of using the network. It should provide detailed guidance on how to use e-mail, the Internet, and the organizational intranet. This section might also address the use of computer games, whether or not an individual can use e-mail and Internet access for personal purposes, and what type of material is allowed. This is often a sensitive area for employees, and the rules in this area will be more readily accepted if the organization provides justification for its decisions. This is a good place to state what expectation of privacy network users should have.


Acceptable Use of Software/Hardware:

This section will detail what changes to software and hardware are allowed and who can add or delete software. It should set acceptable behavior for the personal use of company software and hardware.



This section should also explain the penalties or actions that could be taken in the event of noncompliance. It might also state the methods that will be used to investigate breaches of the policy. Mandatory penalties for policy violations, whether minimums or maximums, are not recommended because they may tie the hands of the organization's leadership.


Security Awareness:

Employees must manage passwords properly and be aware of "social engineering" attacks. To be effective, a network security policy needs to be communicated to everyone who uses the systems, whether they are internal or external users, administrators, or contractors. Users should receive awareness training and should acknowledge the security policy before being given access to the network. The security policy should also be clearly posted, preferably on the organization's home page on both the Internet and the intranet.


Evaluation and Revision:

The policy should provide for periodic reviews of the network's security and for revisions of the policy itself. Internal security assessments should be done frequently, but outside assessments by a trusted third party are also recommended. The policy should be revised frequently because new threats and vulnerabilities constantly emerge in this dynamic field, especially as the functionality of the network evolves and new services are added. New tools for hacking and protecting the network force network administrators to constantly review their procedures to avoid the complacency that leaves a network vulnerable.