Designing Access Controls

Comprehensive Security Policy

After you carefully evaluate your company’s users, network, and risk tolerance, you can use all of the information that you have gathered to begin to create a comprehensive security policy. This written document will not only help you implement security consistently and appropriately for each user, but will also outline your security measures for the entire company, including end-users and upper management.

“Security policy” is somewhat of a misnomer because the document is actually a collection of security policies. For example, you will typically establish several security policies for access control methods. If you select 802.1X as the access control method for a zone, you will need to make provisions for the devices, such as printers and Voice over IP (VoIP) phones, that do not support this access control method. You will then create two security policies for that zone: one for the 802.1X-capable endpoints and one for the endpoints that must be admitted another way. (For more information about network zones, see Chapter 2: “Customer Needs Assessment.”) You will also create several security policies for endpoint integrity checking: you may create one endpoint integrity policy for Windows endpoints and another policy for Macintosh endpoints. Or, you may create one endpoint integrity policy for employees and another policy for guests.
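The following Python example is added here to illustrate the point above; it is not part of the course material and does not model any particular switch or RADIUS product. It treats a zone’s “security policy” as the collection it really is: a primary access control method, a fallback for devices that cannot use it, and an endpoint integrity policy chosen by role or by operating system. The zone names, policy names, device records and the `voice` zone that deliberately lacks a fallback are all constructed assumptions for the example; the audit at the end shows why the “provisions” for printers and VoIP phones have to be written down before the policy is complete.

```python
"""Added example: a zone's security policy as a collection of policies.

All zones, policy names and endpoints below are hypothetical and constructed
inline for illustration; a real deployment would take them from the switch
or RADIUS configuration and from the asset inventory.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    name: str
    zone: str
    os: str              # "windows", "macos", or "embedded" (printer, VoIP phone)
    role: str            # "employee" or "guest"
    supports_8021x: bool


# Per-zone access control policies (assumed names). Where 802.1X is the primary
# method, "fallback" is the provision for devices that cannot run a supplicant.
ACCESS_POLICIES = {
    "corporate": {"primary": "802.1X", "fallback": "MAC-Auth"},
    "voice":     {"primary": "802.1X", "fallback": None},   # provision still missing
    "guest":     {"primary": "Web-Auth", "fallback": None},
}


def access_method(ep: Endpoint) -> Optional[str]:
    """Return the access control method that admits this endpoint, or None
    if the zone's policy collection has no provision for it."""
    zone = ACCESS_POLICIES.get(ep.zone)
    if zone is None:
        return None
    if zone["primary"] != "802.1X" or ep.supports_8021x:
        return zone["primary"]
    return zone["fallback"]          # None means the zone needs a second policy


def integrity_policy(ep: Endpoint) -> Optional[str]:
    """Select the endpoint integrity policy: by role first, then by OS.
    Embedded devices such as printers get no integrity check here."""
    if ep.role == "guest":
        return "integrity-guest"
    if ep.os == "windows":
        return "integrity-windows-employee"
    if ep.os == "macos":
        return "integrity-macos-employee"
    return None


def select_policies(ep: Endpoint) -> dict:
    """The pair of policies that apply to one endpoint."""
    return {"access": access_method(ep), "integrity": integrity_policy(ep)}


def uncovered(endpoints) -> list:
    """Names of endpoints that no access control policy admits. A non-empty
    result means the zone's policy collection is incomplete."""
    return [ep.name for ep in endpoints if access_method(ep) is None]


# Constructed sample inventory.
INVENTORY = [
    Endpoint("laptop-1",     "corporate", "windows",  "employee", True),
    Endpoint("printer-1",    "corporate", "embedded", "employee", False),
    Endpoint("voip-phone-2", "voice",     "embedded", "employee", False),
    Endpoint("guest-mac-3",  "guest",     "macos",    "guest",    False),
]

if __name__ == "__main__":
    for ep in INVENTORY:
        print(ep.name, select_policies(ep))
    print("uncovered:", uncovered(INVENTORY))
```

Running the block shows the corporate printer admitted by the MAC-Auth fallback, the guest Macintosh by Web-Auth, and the VoIP phone in the `voice` zone admitted by nothing, which is exactly the kind of gap the written policy must close.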

In addition to describing your security policies, you should include the business needs as the foundation. You identified these business needs when you conducted your needs assessment: for example, you evaluated your company’s risk tolerance for a network attack and assessed its current vulnerability to such an attack. You also discovered the type of network access users need to complete their jobs more effectively, and you identified the guests who need network access. Now that you understand these business issues, you must explain them to your company, including upper management.

Because your comprehensive security policy will have multiple audiences, you should try to make it as complete as possible. Keep these audiences in mind as you write: what must upper management know to understand both the business needs for establishing a security policy and the way you are implementing it? What must end-users know and understand in order to fully cooperate and comply with a security policy?

Although including the business needs and the technical instructions may make your comprehensive security policy somewhat lengthy, do not be concerned. Securing your network is critical to protecting your company’s busi-

3-5