Security Policy

The purpose of security policies is to secure an organization system by imposing constraints to the secured areas such as the server rooms and information in the system. Security policies of an organization could be enforced using the defense-in-depth security model.

The defense-in-depth securitymodel uses multiple computer security techniques to mitigate the risk of a single component of defense being compromised. The security model includes data, application, host, internal network, perimeter network, physical security and procedures.

Data – Securing information (or sensitive data) with encryption and configure access permission to the files using NTFS file system. Policy on how or who the data can be access.

Application – Vulnerabilities of applications running of the servers are potentially at risk from attacker executing malicious code to it. Therefore all application running on the servers should be tested before installed and only authorized personnel should be allow to install/update any application on the servers. Application should also be configure to be allowed access to only authorized users.

Host –There are risks of attackers accessing the host machine through vulnerabilities found in the operating system’s listening services. The operating system of any device connecting to the server (including the server itself) should be updated.

Internal Network – Data are being transmitted within the internal network can be intercept by an attacker connecting to the network, using a sniffing tool. Private security certificates can be configured of sensitive data within the internal network.

Perimeter Network – The perimeter network are often the demilitarize zones (DMZ) where external users will be able to gain access to certain data or application of the organization. This is where servers should as the web server, mail servers and FTP servers could be placed in. The perimeter should be carefully configured and security policy should be enforced to allow the public to access a minimal level of information. As such, the access policy on firewalls between the internal network and the DMZ should be carefully planned.

Physical security – Physical security should be seen as the highest priority of all the layers in the defense-in-depth security model and non-authorized access should be deny. Any security breach to this layer could be as severe losing the whole IT system or information in the system. The doors, gates, wall are basic physical security systems.

Procedures – Any organization should have a list of procedures list or guide people what to do during any disasters. The administrators should follow this as a security policy to complete any recovery. Trainings for staffs are also important, as this could promote the awareness on security measures in the organization’s network.


References:
http://www.techrepublic.com/blog/security/understanding-layered-security-and-defense-in-depth/703
http://www.tisn.gov.au/Documents/SIFT-Defence-in-Depth-CIO+-+15+Oct+2008.pdf
http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)
http://academy.delmar.edu/Courses/ITNW1454/Handouts/AntivirusDefenseInDepth-Chapter3_AntivirusDefense-in-Depth.htm