www.networkbulls.com
A security policy is a crucial element in providing secure network services with the proper levels of security and increased network availability. In addition, it is important to understand that network security is built around a security policy that is part of a system life cycle.
In terms of network security in the system life cycle, business needs are a key area to consider. Business needs define what the business wants to do with the network.
Risk assessment is another part of the system life cycle. It explains the risks and their costs. Business needs and risk assessment feed information into the security policy.
The security policy describes the organization's processes, procedures, guidelines, and standards. Furthermore, industry and security best practices are leveraged to provide well-known processes and procedures.
Finally, an organization's security operations team needs to have processes and procedures defined. This information helps explain what needs to happen for incident response, security monitoring, system maintenance, and managing compliance.
Figure 13-3 shows the flow of the network security life cycle.
Security Policy Defined
RFC 2196 says, "A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." When developing security policies for an organization, RFC 2196 can serve as a guide for developing security processes and procedures. This RFC lists issues and factors that an organization must consider when setting its policies. Organizations need to make many decisions and come to agreement when creating their security policy.
Basic Approach of a Security Policy
| Step 1. | Identify what you are trying to protect. |
| Step 2. | Determine what you are trying to protect it from. |
| Step 3. | Determine how likely the threats are. |
| Step 4. | Implement measures that protect your assets in a cost-effective manner. |
| Step 5. |
Purpose of Security Policies
One of the main purposes of a security policy is to describe the roles and requirements for securing technology and information assets. The policy defines the ways in which these requirements will be met.
- It provides the framework for the security implementation:
  - Identifies assets and how to use them
  - Defines and communicates roles and responsibilities
  - Describes tools and procedures
  - Clarifies incident handling of security events
- It creates a security baseline of the current security posture:
  - Describes permitted and nonpermitted behaviors
  - Defines consequences of asset misuse
  - Provides cost and risk analysis
- How will the latest attacks impact your network and security systems?
Security Policy Components
A security policy is divided into smaller parts that help describe the overall risk management policy, identification of assets, and where security should be applied. Other components of the security policy explain how responsibilities related to risk management are handled throughout the enterprise.
- Security management policy explains how to manage the security infrastructure.
Several other documents supplement these; they vary depending on the organization. The security policy requires the acceptance and support of all employees to make it successful. All the key stakeholders, including members of senior management, should have input into the development of the security policy. In addition, they should continue to participate in the updates to the security policy.
Risk Assessment
Within network security, proper risk management is a technique used to lower risks to within acceptable levels. A well-thought-out plan for network security design implements the components included in the security policy. The security policies that an organization employs use risk assessments and cost-benefit analysis to reduce security risks.
Figure 13-4 shows the three major components of risk assessment. Control refers to how you use the security policy to minimize potential risks. Severity describes the level of the risk to the organization, and probability is the likelihood that an attack against the assets will occur.
Risk assessments should explain the following:
- What assets to secure
- The monetary value of the assets
- The actual loss that would result from an attack
Generally, network systems are built with just enough security to reduce potential losses to a reasonable level. However, some organizations have higher security requirements, such as complying with SOX or HIPAA regulations, so they need to employ stronger security mechanisms.
A risk index is used to consider the risks of potential threats. The risk index is based on risk assessment components (factors):
- Severity of loss if the asset is compromised
- Probability of the risk actually occurring
- Ability to control and manage the risk
One approach to determining a risk index is to give each risk factor a value from 1 (lowest) to 3 (highest). For example, a high-severity risk would have a substantial impact on the user base and/or the entire organization. Medium-severity risks would have an effect on a single department or site. Low-severity risks would have limited impact and would be relatively straightforward to mitigate.
The risk index is calculated by multiplying the severity and probability factors and then dividing the result by the control factor:

Risk index = (Severity × Probability) / Control
Table 13-2 shows a sample risk index calculation for a typical large corporation facing a couple of typical risks. A high risk index means more risk and thus more impact to the organization. A lower index means less risk and less impact to the organization.
| Risk | Severity (S), range 1 to 3 | Probability (P), range 1 to 3 | Control (C), range 1 to 3 | Risk Index (S * P)/C, range .3 to 9 |
|---|---|---|---|---|
| DoS attack lasting for 1.5 hours on the e-mail server | 2 | 2 | 1 | 4 |
| Breach of confidential customer lists | 3 | 1 | 2 | 1.5 |
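The risk index calculation described above can be applied to a whole risk register to rank risks for treatment. The following is an added example, not part of the original text; the CSV layout and the function names are assumptions, and the two sample rows are the risks from Table 13-2.

```python
import csv
import io

# Constructed risk register; the two rows are the risks from Table 13-2.
REGISTER_CSV = """risk,severity,probability,control
DoS attack lasting for 1.5 hours on the e-mail server,2,2,1
Breach of confidential customer lists,3,1,2
"""

FACTOR_MIN, FACTOR_MAX = 1, 3  # each factor is scored 1 (lowest) to 3 (highest)


def parse_factor(name, raw):
    """Return the factor as an int, rejecting non-integers and values outside 1..3."""
    try:
        value = int(str(raw).strip())
    except ValueError:
        raise ValueError(f"{name} must be an integer, got {raw!r}")
    if not FACTOR_MIN <= value <= FACTOR_MAX:
        raise ValueError(f"{name} must be in {FACTOR_MIN}..{FACTOR_MAX}, got {value}")
    return value


def risk_index(severity, probability, control):
    """Risk index = (S * P) / C, so it always lies between 1/3 and 9."""
    s = parse_factor("severity", severity)
    p = parse_factor("probability", probability)
    c = parse_factor("control", control)
    return (s * p) / c


def rank_register(csv_text):
    """Score every row and return (risk, index) pairs, highest index first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    scored = [
        (row["risk"], risk_index(row["severity"], row["probability"], row["control"]))
        for row in rows
    ]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for risk, index in rank_register(REGISTER_CSV):
        print(f"{index:4.1f}  {risk}")
```

Because a missing or zero control value would otherwise cause a division error or an inflated score, out-of-range factors are rejected before the division rather than silently defaulted.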
Continuous Security
As requirements change and new technology is developed, the network security policy should be updated to reflect the changes. Four steps are used to facilitate continuing efforts in maintaining security policies:
| Step 1. | Secure— Identification, authentication, ACLs, stateful packet inspection (SPI), encryption, and VPNs |
| Step 2. | Monitor— Intrusion and content-based detection and response |
| Step 3. | Test— Assessments, vulnerability scanning, and security auditing |
| Step 4. | Improve— Security data analysis, reporting, and intelligent network security |
Figure 13-5 shows the four-step process that updates and continues the development of security policies.
Integrating Security Mechanisms into Network Design
Today's network designs demonstrate an increased use of security mechanisms and have become more tightly integrated with network design. Many security services such as IDS/IPS, firewalls, and IPsec VPN concentrators now reside within the internal network infrastructure. It is recommended that you incorporate network security during the network design planning process. This requires close coordination between the various engineering and operation teams.