
Network Security: Best Practices

Believe it or not, best practices in network security begin with a top-down policy. Policy begins with understanding what it is you
need to protect and what it is you need to protect against. The levels of responsibility need to be understood, and that implies
that security is everyone's job, as each employee understands how he or she contributes to the organization. Best practices in
network security are more about the what and why of securing the organization's information assets than about the how.

The security policy is a formal definition of an organization's stance on security, meaning what is allowed and what is not
allowed. IT executives and managers faced with a myriad of technology choices become quickly overwhelmed at the daunting
task of securing the enterprise. It is possible to unmuddy the waters by starting with a three-step framework that will aid in
establishing a "best practices" network security program: Prepare, organize and execute. Let's take a look at each piece of this
framework in more depth.

STEP 1: Prepare

The preparation stage is three-pronged and involves creating policy statements, conducting a risk analysis and establishing a
security team structure.

The policy statement

To create policy statements, the organization needs to assess what levels of security are appropriate and achievable by taking
into consideration the organizational structure, individual roles and responsibilities, policies already in place, service level
agreements between the IT department and other departments, and even corporate politics. For instance, is the CEO exempt
from enforcement of a strict password policy? Is it OK for a manager to request access to an employee's e-mail? Should
employees be restricted from accessing the Internet altogether or from accessing particular sites? Are system administrators
outside the law?
Policy statements, in particular "Acceptable Use" statements, define users' roles and responsibilities and can be stated as
general high-level statements that cover all network systems and data within the organization. The statements should include
acceptable use of systems and data for all categories of users including the system administrator. The intent of this policy is to
clearly define the purpose, providing guidelines and responsibilities. The policy should also identify specific actions that could
be taken in response to a violation of security policy, including disciplinary action. Put it in print and post it on the walls.
Senior management should use either an internal HR or marketing department to make sure the word gets out to all employees.
Some companies require the signature of every employee on a copy of the acceptable-use statement. Security awareness
training, sometimes included in new-hire training, can include a review of the policy and employee signatures gathered at that
point.

The risk analysis

Conducting a risk analysis is a way of baselining the organization's security posture. Many companies hire an outside network
security audit firm to provide this. The purpose of a risk analysis is to identify points of entry to the network and possible means
of attack from both an internal and external perspective. This requires identifying all network resources and assigning a risk
level. For instance, if a core router or firewall were compromised, what would the risk level be? The next step in risk analysis is to
identify who has access to those resources. There are users, power or privileged users, administrators, partners and others.
This can be a painful process for some organizations depending upon what type of authentication and authorization methods
are in place. Some risk analysis methods include running a password cracking utility on the network in privileged mode to
uncover not-so-obvious privileges.

The security team

The security team needs to be a cross-functional team with participants from every operational area. The team is responsible
for policy awareness and enforcement as well as being informed on the technical aspects of the security architecture. The team
is also responsible for responding to security breaches and reporting to senior management. The security team should also be
responsible for approving security changes, or alternatively, a security team member should sit on the change management
team. Monitoring the security of the network and creating an incident response process, which includes being part of the
restoration team when a loss occurs, are also responsibilities of the security team.

STEP 2: Organize

Once armed with policy statements, a risk analysis and a security team, it is important to define individual information assets as
either a resource or a domain. A resource is a particular computing platform, operating system, application, database or
network device. A domain is a business function. The cross-functionality of the security team ensures that priorities can be
quickly defined and levels of difficulty related to remediation understood. Breaking down the work into manageable chunks
facilitates moving forward. Go after the high-risk categories first and move down the list.

STEP 3: Execute

Once prepared and organized, executing is not as overwhelming as you might think.
Remember that it is impossible to completely secure distributed systems. The goal is to create security awareness, minimize
risk and maximize the use of technology.
Source: Computerworld
Recommended By Rick Moreno, GLOBAL INFORMATION TECHNOLOGY DIRECTOR, AT&T