An organization's security policy determines how secure or
insecure the network and its intellectual resources are, what features or
functionality are included in the network, and how easy the network resources are
to access. A good security policy can evolve only after the organization clearly
understands and defines its security goals. Only then can intelligent
decisions be made about which tools to use, which technologies to allow and/or
support, and what restrictions need to be defined and communicated.
It is important to recognize that the goals of other organizations might not be the
same as yours. Even competitors within the same industry might have
different security needs based on their perception of risk, their organizational structure,
and even whether they are industry leaders or followers. Furthermore, the goals
of an organization's vendors, or would-be vendors, are not necessarily the
best to follow. Many network devices ship with default settings that allow "wide
open" operation to maximize throughput and to make adding new devices easy, with
little thought for overall network security. For example, notice how many
vendors advertise peak throughput ratings for wireless systems, knowing full well
that once security features are enabled, the numbers drop substantially.
A security policy is always the result of compromises and
balancing between the following key tradeoffs:
- Security versus ease of use
- Security versus services provided
- Security cost versus risk of loss
In the next sections, you will see each of these compromises and
the impact each one has on the resulting security.