Creating a Comprehensive and Effective Security Policy

A security policy can make or break a company that needs to keep information vital to its operations private (Taylor). A well-written security policy should reflect the values of the company as well as the values of its customers. If a company promises a secure connection for doing business or purchasing online, that promise can be kept through the security policy. If a company promises a clean, harassment-free workplace for employees, this too can be enforced through the security policy. A security policy can range from an Acceptable Terms of Use statement for employees to an in-depth treatment of the firewall, network, and anti-virus suite. With the advent of the global economy and the ease of access available to malicious persons, the need to secure data increasingly becomes a key factor in the battle for contracts, in reaching new customers, and in maintaining a competitive edge in business. Beyond protecting a company in an ever more competitive economy, security policies are essential to protecting what most people hold dearest: the safety of their home. Within any government, classified information must be securely held in order to protect its homeland and people. To do this, the government, the private sector, and the personal computer user must constantly evolve with emerging technologies and the threats to those technologies. For any organization that requires secrecy and the protection of data and information, the best means of achieving this is the defense in depth approach.

As a whole, a security policy should include multiple documents and separate policies depending on the needs of the organization (Taylor). An acceptable use policy, terms of service, and a well-developed plan for protecting the network should, at a minimum, be included. For employees, the acceptable use policy should explicitly state what constitutes acceptable use of the organization's network, hosts, and (if provided) internet access. If a service is provided, such as internet access via a wifi connection, the terms of service statement is meant to provide a minimum service guarantee for the customer. At a minimum, the security policy should also contain information regarding the network security programs and training information for the users (Taylor).

The Acceptable Use Policy (AUP) used by Starbucks serves as an ideal example of what a business should expect not only from its employees but also from its customers. As Starbucks pays AT&T for wifi as its Internet Service Provider (ISP), Starbucks is bound by the AUP set forth by AT&T. It states, “The AT&T Acceptable Use Policy is designed to help protect AT&T’s assets, the assets of its Customers, and the Internet community, from irresponsible or illegal activities of AT&T Customers and its Users.” (AT&T Intellectual Property) Any person who uses the wifi service at Starbucks is bound by this statement. This sentence neatly summarizes the purpose of any corporation's AUP. Here, AT&T releases itself from any claims and places responsibility for internet use on the user, or customer. The purpose of use is also clearly stated: no illegal activities may be conducted while connected to the ISP's network, and the intent is to protect the Internet community from users who would engage in malicious acts. By attaching this AUP to the internet service provided to Starbucks, AT&T also places the burden of prevention on the employees of Starbucks. If an employee were to witness a customer using the wifi for illegal or irresponsible activities, ranging from the illegal download of software or files to hacking to viewing or searching for child pornography, they would be expected to approach the patron and ban them from the premises or from use of the wifi service, or even to inform the proper authorities. Without this AUP, Starbucks or AT&T could be held responsible for any illegal activities, simply because they had not shifted the burden of responsibility onto the user.

This model can be seen in any organization that requires, or even merely allows, the use of computers for business or personal matters. The military, for example, has recently allowed Facebook to be accessed on unclassified computer systems (Hoover). Use of the social networking site must comply with the AUP dictated by the Department of Defense (DoD) and must be responsible: the site can be used to its fullest extent for work that furthers the mission of the command, and can be used for personal matters as long as that use does not interfere with normal operations. Allowing Facebook and other social media to be used places the burden of responsibility on the user, the military person viewing the site on the unclassified network. Unblocking such sites on the network requires a review of the current security policies, adjustments where necessary, and monitoring of the systems to ensure that all users are compliant. In the case of the DoD, the security policy and measures have to be analyzed more stringently in order to protect the most secure and valuable asset it has: information.

Most corporations and companies are entrusted with protecting information concerning their employees, maintaining the confidentiality of their clients, or protecting data that gives them an edge over their competition. The DoD is responsible for protecting the information and data that allow the United States to be protected from her enemies. The classified information held on DoD networks must be secured to the fullest extent the information warrants in order for the DoD to carry out its mission. Collected or held data and information must be protected as warranted: the value of the data should be evaluated, along with the source from which the data is collected and the social implications of the information. In an ideal world, all information would be equally protected. Because of the massive amounts of data involved, the DoD as well as the commercial community must prioritize the information they hold in order to maintain some semblance of cost-effectiveness. In the corporate world, the most valuable information held, from the perspective of customers and employees, is Privacy Act information. When Privacy Act information leaks, employees' sensitive personal information can be compromised and left openly available for exploitation in identity theft. Such a leak can wreak havoc on a person's life, and the information therefore must be protected.

Given the vast amount of information that needs to be secured, security professionals must be able to determine the value of the information and from there evaluate what type of protection is needed to secure the resources. An organization's security policy should be developed based on the value of its information and the resources available to be spent on security. The best policy is defense in depth. This approach ensures that if one security measure is breached, the information being protected is not necessarily reached. Defense in depth is the most complete means of securing data and servers; it does not always require extreme funding, but it can be quite costly.

People, networks, hosts, and applications are the four pillars of a defense in depth security policy (Hazelwood). As the human factor is always the least secure and most complicated of the four, addressing it regularly and meticulously is very important. Trusting employees is always a concern for any employer, and more so for employers with sensitive data to protect. Signing terms of service and AUP paperwork legally binds employees to keeping the secrets of the company's data and security measures, but it cannot effectively train them to avoid social engineering traps or teach them to maintain computer security. Consistent training and reminders of security policies are essential to protecting assets and keeping the edge in the world of information (Hazelwood). While teaching and training employees and users how to avoid traps and security breaches should be a top priority in any security policy, this measure is useless without a properly secured network.

The network itself should be evaluated next, before any installation or system setup. Without a broad-spectrum anti-virus system, a network intrusion detection system (NIDS), and a well-functioning topology, hardening an operating system or protecting a server from physical access is useless (Hazelwood). Vulnerabilities in any of these areas will leave the network open to cyber attack, manipulation, and possible theft. Beginning with the network topology, traffic should be routed by the most efficient means possible. If practical for the organization, traffic should move from the originating host directly to its storage location on the server or to the recipient (Hazelwood). On a larger network, this is not always cost-effective or even practical. In those cases, traffic should pass through only the routers, switches, or hubs that are absolutely necessary. A topology in which traffic passes through each host en route to the recipient is not a secure means of transmitting data, as each additional host exposes the data to a variety of security threats. Packet sniffing, man-in-the-middle attacks, and even innocently curious employees can cause major problems with the transmission and accuracy of data. To avoid this, the network topology should be configured to transmit data by the most direct means possible.

An excellent anti-virus system and NIDS are essential to keeping outsiders from stealing data from any computer system: personal, commercial, or government. Just as essential as installing these programs on day one is keeping them updated. Failing to update anti-virus software and the NIDS with the latest security patches may expose an organization to the most recently developed viruses or intrusion techniques (Hazelwood). As technology constantly evolves, so does the threat to that technology. When new viruses are discovered, or backdoors in software are found, the vendors should release a patch or service pack to update the program. These patches should contain the new code needed to close the unnecessarily open back doors, the ‘antidote’ to the virus, and any updates that allow the software to operate more effectively. The NIDS should be configured to meet the needs of the organization. The DoD, for example, would configure its NIDS to immediately alert responders to any attempt to breach the classified network. Organizations that do not hold such valuable information might limit their alerts to emailing the IT department, or, for even smaller companies, to a pop-up on the administrator's screen.

Looking at the hosts on the network, C3, auditing, and integrity are the topics to be covered. C3 is the combination of capability, capacity, and configuration (Hazelwood). Maintaining C3 is fairly simple if it is properly set up at installation. Ensuring that hardware resources match the software being used, configuring the server, and keeping up with security patches are some of the essentials when dealing with hosts (Hazelwood). As always, it is also important to maintain hard-to-crack passwords, which ties into training employees. Using a password that is easy to guess or that does not draw on multiple types of characters creates a vulnerability, because password-cracking software is then more likely to find a match quickly.
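To make the point about character types concrete, the following is an added example (not code from the essay or from Hazelwood's paper) that classifies a password by the character classes it uses, estimates the size of the search space a cracking tool would have to cover, and checks the password against a simple policy. The policy thresholds (12 characters, 3 character classes) and the guess rate of ten billion guesses per second are assumptions chosen for illustration, not figures from the page.

```python
"""Password policy check and keyspace estimate (added example, not the page's code)."""
import math
import string

# Character classes a policy typically distinguishes.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed policy thresholds for this example.
MIN_LENGTH = 12
MIN_CLASSES = 3


def classes_used(password: str) -> set:
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace_bits(password: str) -> float:
    """log2 of the number of strings with the same length over the same classes.

    This is the search space an exhaustive cracker faces if it knows which
    classes were used; fewer classes or fewer characters shrink it quickly.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    used = classes_used(password)
    if len(used) < MIN_CLASSES:
        problems.append(f"uses {len(used)} character class(es); {MIN_CLASSES} required")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for candidate in ("password", "Password1", "Correct-Horse-7"):
        print(candidate, classes_used(candidate), round(keyspace_bits(candidate), 1),
              check_policy(candidate))
```

The estimate is deliberately crude: it assumes uniform random choice over the classes used, so a dictionary word scores far better than it deserves. The useful lesson is the comparison between candidates, which shows how adding a class or a few characters multiplies the attacker's work.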

Ensuring the integrity of hosts is a little more difficult. It is important to maintain the integrity of all files and to stringently monitor the modification of files on the server (Hazelwood). This helps protect against unauthorized changes, whether by a malicious hacker or a careless employee, and can mitigate risk and maintain the integrity of the files. Conducting audits on the server will also greatly assist in mitigating risk, by allowing the system administrators to see how security measures are holding up and to make changes where and when necessary (Hazelwood). Routinely conducting audits will save servers from major problems and administrators from major headaches.
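One practical way to monitor file modification, as the paragraph above recommends, is to record a hash baseline of every file and compare a later scan against it. The following is an added example (not code from the essay or from Hazelwood's paper): it builds a SHA-256 baseline for a directory tree, stores it as JSON outside that tree, and produces an audit report of added, removed, and modified files. The directory layout and file contents in `demo()` are constructed for the demonstration.

```python
"""File integrity baseline and audit (added example, not the page's code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its digest and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = Path(dirpath) / name
            if full.is_symlink():
                continue  # only hash regular files, not links
            rel = full.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(full), "size": full.stat().st_size}
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in practice keep it read-only and off the monitored host."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def audit(baseline: dict, current: dict) -> dict:
    """Report what changed between a saved baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, and re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "srv"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "users.txt").write_text("alice\nbob\n")
        (root / "notes.txt").write_text("unchanged\n")

        # The baseline lives beside, not inside, the monitored tree.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated changes: a config edit, a deleted file, and an unexpected new file.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "etc" / "users.txt").unlink()
        (root / "etc" / "unexpected.sh").write_text("#!/bin/sh\n")

        return audit(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, the audit report is the evidence trail the paragraph describes: a modified configuration file or an unexpected executable shows up as a named entry that an administrator can investigate, rather than as a silent change. The baseline must be protected as carefully as the files it describes, since an attacker who can rewrite it can hide any change.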

Lastly, applications must be examined. First, any application used for payroll or operations must be analyzed before being installed (Hazelwood). Any application has the potential to be a security threat through bugs or poor programming. Evaluating applications for risk prior to installation is not enough to protect the network. All applications, operating systems, and software must be updated with the latest service packs and patches and, if found to be a large risk, uninstalled and wiped from the system. Unused applications included with the operating system should be disabled, and applications not essential to normal operations should never be installed on the server or on hosts that are ever connected to the network. Without this measure, backdoors unknown to the security administrators may be used to gain unauthorized access to the network, to infect the network, or to steal secured data.

Security policies in the corporate or government world maintain the integrity of data and information and keep safe those who depend upon companies or the military. The best security policies are thoughtful, detailed, and look at security as a whole, incorporating a means of protecting the company from careless users in conjunction with taking every precaution to assure customers that their private data is secured. While there are hundreds of ways to look at security, and even more means of implementing security measures, defense in depth is easily the most effective means of keeping a system secured. Ensuring that multiple layers of security and safeguards are in place is always the ideal, along with maintaining those measures consistently. A security policy that incorporates these ideas will give customers confidence in the company and keep a competitive edge in a world ever more dependent upon information security and assurance.

Works Cited

AT&T Intellectual Property. AT&T Service Terms and Acceptable Use Policy. 2010. 29 November 2010.

Hazelwood, Victor. Defense In Depth: An Information Assurance Strategy for the Enterprise. White Paper. La Jolla, CA: San Diego Supercomputer Center Security Technologies, 2006.

Hoover, J. Nicholas. “DoD Loosens Social Media Restrictions.” 26 February 2010. Information Week Government. 1 December 2010.

Taylor, Laura. “Security Policies 101.” 6 January 2003. Intranet Journal. 3 December 2010.
