 |
 |
|
|
|
|
|
|
|
|
|
|
|
|
|
 |
|
|
Most computer security policies are documents that are usually filed away and never referenced. These policy documents can not keep pace with the rapid growth of computer technology.
The first step in an effective defense is to identify what you are protecting and the strength and weakness of every asset.
The industry is starting to address computer network security policy. In November of 2000 the National Institute of Standards and Technology (NIST) published the Federal Information Technology Security Assessment Framework. This publication aids organizations in establishing the policies and methods needed to create and maintain an effective security program.
What tools do you need in place to really build, manage, and enforce an effective network security policy?
|
|
|
There are several options. You can download scanning freeware (e.g. nmap, stobe, fping, etc.). You will need somebody within your organization with not only the understanding of networks but also the time to run such software. You will probably have to compile the software with the hope that the code it is relatively bug free, since freeware usually comes with little to no customer support.
Now you will need a workstation to run the software. Then you will have to correlate all the data into a understandable and presentable format. Now that takes time and money!
Here a some question you should ask yourself before undertaking such a task.
- Does the policy management system store my network baseline information?
- Does it store the results of my scans in a logical and effective format?
- Can I easily compare the scan results to my network baseline?
- Does it flag non-compliance?
- How does the policy system notify me of network changes?
- Is it easy to perform forensics on a particular host?
- How many users can effectively use my network security policy system?
- Is my network adhering to my policy?
- If the engineer who built this leaves is the project doomed?
These are just some of the important issues you may want to consider before implementing/developing a network security policy.
|
|
|
|
|
|
|
