Every enterprise needs a written security policy that prepares it for the growing demands on its network and for attackers whose skills and tooling improve every year.
At one time we could come home from work and keep our working and private lives separate. Those days are long gone: in the digital age the line between work and play is increasingly blurred, and so is the line between corporate and personal devices and accounts.
As technology evolves, so do attackers' methods. In the 1980s the main threats were password guessing, password cracking and self-replicating code, and an attacker had to know exactly what they were doing to cause any real damage.
Today so many ready-made tools are available on the internet that even a would-be attacker with little skill can craft malicious packets and run pre-built exploits against a network, so defenders cannot rely on attacker inexperience as a safeguard.
While we cannot know exactly what is coming next, we can anticipate the most likely threats and respond to new ones as they emerge.
Most attacks can be mitigated, not only through sophisticated configurations and devices but through educating employees, and that education is a big part of your enterprise security policy.
A security policy is made up of many different parts, and the first thing to do is work out exactly what needs to be protected.
Identify the assets, the threats against them, and the safeguards that need to be put in place to protect them.
Once you have done this, you can then write the policy so that it addresses each separate audience: the users, the management, and external parties such as partners and contractors.
Your security policy has to tell each of these audiences what the rules are, what is expected of them, and which behaviors are allowed and which are not.
It must also state the company's policy on monitoring users and on investigating anyone who violates the security policy, so that nobody can claim they were unaware that monitoring and enforcement take place.
There are several separate categories that have to be addressed under the security policy:
- Technical – this policy defines the responsibilities of the security staff and should cover all forms of electronic communication, network policies, remote access, and rules regarding telephony.
- End-User – this policy has to be written in plain language so that everyone understands what is expected of them and what the consequences of a violation are. Don't assume that every employee is familiar with the technical jargon.
- Physical Security – this policy covers all forms of physical security, from hardware that protects the network to measures that physically protect the building, servers, and employees from attack, theft, natural disaster, and similar hazards.
The best enterprise security policy is brought out with comprehensive guidance on the standards and procedures that implement it. Every part of the enterprise, whether physical, network, technical, or end-user, must be covered by the policy, and nothing should be left out: one gap in security is enough for an attacker to get through and wreak havoc.