A common phrase I've heard is that "a security policy is only as good as the paper it is written on". What is a good security policy? How do you measure its impact and evolve the policy as needs change? I could ask many more rhetorical questions here, but I think you get the point.
Before we start with what a good security policy may look like, let's level-set on the fact that change is the norm in today's IT and business environment. Any policy, security or otherwise, that is not enforced, evaluated and refined over time will most likely become outdated. Because, as the great Bob Dylan said, The Times They Are A-Changin'. And with change (whether in the policy itself, in staff turnover, etc.) you had better have good documentation, or else good luck to ya. Good documentation records the reason for each change, who requested it, who approved it, and a date/time stamp. Without that, you will have too many people spending too much time troubleshooting something that one person could have resolved in a matter of minutes. In the meantime, business is disrupted and/or critical systems and information are put at risk.
Ok so back to "what is a good security policy?" The answer to this will vary by organization in terms of the details, but conceptually a good policy must:
- Have buy-in from key stakeholders – business and IT management and end users
- Be enforceable – go back to the first line of this post. If it's not enforceable, it's worthless. Don't waste your time.
- Be monitored over its lifecycle. To be clear, when talking about enforcing, managing and monitoring security policies I'm including all of the pertinent underlying info (e.g. rules and objects in a firewall, user or application permissions for accessing databases or files, etc.)
All of the above is very easy to say (these are common "best practices"), but how can we make it a reality? Speaking more specifically about network security policies, look no further than the many industry surveys showing that most firewall breaches trace back to misconfiguration rather than to flaws in the firewall itself, and that gaps in change management processes create what I'd call unforced errors. We're just hitting the ball into the net. It's our own fault!
Enter the world of network security policy automation. Instead of manually going through hundreds, if not thousands, of firewall rules, many of which are outdated, shadowed by earlier rules, far too permissive, or missing any record of who asked for them and why, you can reduce the complexity of firewall policy management through automation that flags those rules for you. Then you can get back to asking "what is the purpose of this policy?" to ensure the security, compliance and productivity of your business.
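To make "automation" concrete, here is an added example (my own illustration, not code from the original post or from any vendor's product) of the kind of rule hygiene checks a policy automation tool runs. It takes a small, constructed rule set with hit dates and change records, in an assumed field layout rather than any real firewall's export format, and reports four things a reviewer would otherwise hunt for by hand: any/any allow rules, rules shadowed by an earlier rule (they can never match), rules with no recent hits, and rules with no documented requester, approver, reason or date.

```python
"""Firewall rule hygiene checks. Added example, not part of the original post.
Rule fields, hit dates and change records below are constructed for
illustration; the layout is an assumption, not a real vendor's format."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Rule:
    name: str
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    ports: object             # set of ints, or "any"
    action: str               # "allow" or "deny"
    last_hit: date | None     # None means the rule has never matched
    change: dict = field(default_factory=dict)  # change-management record


# Constructed sample rule set, evaluated top to bottom (first match wins).
TODAY = date(2024, 6, 1)
RULES = [
    Rule("web-in", "any", "10.0.1.0/24", {80, 443}, "allow", date(2024, 5, 31),
         {"reason": "public web tier", "requested_by": "web-team",
          "approved_by": "sec-ops", "date": "2023-01-10"}),
    Rule("legacy-ftp", "10.0.0.0/8", "10.0.1.10/32", {21}, "allow", date(2023, 11, 2),
         {"reason": "vendor file drop", "requested_by": "finance",
          "approved_by": "sec-ops", "date": "2019-04-02"}),
    Rule("db-in", "10.0.1.0/24", "10.0.2.0/24", {5432}, "allow", date(2024, 5, 30),
         {"reason": "app tier to postgres", "requested_by": "app-team",
          "approved_by": "sec-ops", "date": "2023-03-15"}),
    # Fully covered by db-in above, so it can never match.
    Rule("db-in-dup", "10.0.1.0/24", "10.0.2.5/32", {5432}, "allow", None,
         {"reason": "db access", "requested_by": "app-team",
          "approved_by": "sec-ops", "date": "2023-09-01"}),
    # Added during troubleshooting and never cleaned up or documented.
    Rule("temp-any", "any", "any", "any", "allow", date(2024, 5, 31),
         {"reason": "troubleshooting"}),
]

REQUIRED_CHANGE_FIELDS = ("reason", "requested_by", "approved_by", "date")


def _net(spec: str):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _covers_net(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    a, b = _net(outer), _net(inner)
    if a is None:
        return True
    if b is None:
        return False
    return b.subnet_of(a)


def _covers_ports(outer, inner) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return set(inner) <= set(outer)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if `outer` matches all traffic that `inner` would match."""
    return (_covers_net(outer.src, inner.src)
            and _covers_net(outer.dst, inner.dst)
            and _covers_ports(outer.ports, inner.ports))


def find_any_any(rules: list[Rule]) -> list[str]:
    """Allow rules with no restriction on source, destination or port."""
    return [r.name for r in rules
            if r.action == "allow" and r.src == "any" and r.dst == "any" and r.ports == "any"]


def find_shadowed(rules: list[Rule]) -> list[tuple[str, str]]:
    """(rule, shadowing rule) pairs: an earlier rule covers all of the later rule's traffic."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found


def find_stale(rules: list[Rule], today: date, max_idle_days: int = 90) -> list[str]:
    """Rules that never matched, or last matched more than max_idle_days ago."""
    return [r.name for r in rules
            if r.last_hit is None or (today - r.last_hit).days > max_idle_days]


def find_undocumented(rules: list[Rule]) -> list[tuple[str, list[str]]]:
    """Rules whose change record is missing required fields."""
    return [(r.name, sorted(f for f in REQUIRED_CHANGE_FIELDS if f not in r.change))
            for r in rules if any(f not in r.change for f in REQUIRED_CHANGE_FIELDS)]


if __name__ == "__main__":
    print("any/any allow:", find_any_any(RULES))
    print("shadowed:", find_shadowed(RULES))
    print("stale:", find_stale(RULES, TODAY))
    print("undocumented:", find_undocumented(RULES))
```

Each finding maps back to the policy questions above: a shadowed or stale rule has no current purpose and should be removed, an any/any rule is unenforceable as policy because it permits everything, and a rule without a requester, approver, reason and date is exactly the change-management gap that turns a minor outage into a multi-person investigation. Real rule bases also carry zones, protocols, service objects and deny rules that interleave with allows; the shadowing logic here is deliberately limited to the address and port cover check so the idea stays visible.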
Please share any of your tips for ensuring good security policies or horror stories about policies gone bad.