Biometric authentication includes the use of fingerprints, speech patterns, facial features,

Overview

Managing computer and network security is easier than it may seem, especially if you establish a process of continual improvement, to keep the various requirements in perspective and to avoid forgetting about aspects of security. Security management centers on the concept of a security policy, which is a document containing a set of rules that describes how security should be configured for all systems to defend against a complete set of known threats. The security policy creates a balance between security and usability. The executive management of your organization should determine where to draw the line between security concerns and ease of use. Just think of a security policy as the security rules for your organization, along with policies for continual enforcement and improvement.

Developing a Security Policy

The first step in developing a security policy is to establish your network usability requirements by examining what things users must be able to do with the network. For example, the ability to send e-mail may be a requirement. Once you know what you are required to allow, you have a basis to determine which security measures need to be taken.

policy: A collection of rules.

requirements: A list of functions which are necessary in a system.

Tip: Physically, a security policy document is just a document, not software or software settings. I recommend creating your security policy document as an HTML web page that can be stored on your organization's intranet. This makes it easy to update and ensures that whenever someone reads it, they're reading the most recent version.

After you've got your requirements, make a list of features users may want but which are not expressly required. Add these to the list of requirements, but be sure to indicate that they can be eliminated if they conflict with a security requirement.
Finally, create a list of security requirements: things users should not be able to perform, protections that should be taken against anonymous access, and so forth. The list of all of these requirements should simply be a series of sweeping statements, like:

• Users must be able to send and receive e-mail on the Internet. (use requirement)
• Users must be able to store documents on internal servers. (use requirement)
• Hackers should have no access to the interior of the network. (security requirement)
• There should be no way that users can accidentally circumvent file system permissions. (security requirement)
• Passwords should be impossible to guess and take at least a year to discover using an automated attack with currently available technology. (security requirement)