Security Policies   
Security policies help to create a safe computing environment for your library. This article covers such topics as Internet access, acceptable use, email, and many other critical network and physical security issues.
Copyright 2003 - The Bill & Melinda Gates Foundation

Security policies are an important element in creating a secure computing environment. A policy is a document that states an objective, defines accepted behavior, and pertains to everyone in your library. It is created by a team of interested parties and must be accepted by library management. Ideally, your technology specialists, managers, librarians, and library staff should all be involved in creating and implementing your library's security policy.

Policy development will be different for every library, but every policy should explain why it is needed, what it covers, whom it covers, and the consequences of violating it. A security policy must be practical to implement, enforceable, and maintained continuously.

A sample policy for Internet usage - one piece of the policy puzzle

An example might be to create an Internet usage policy, one part of a larger overall security policy. It is a good place to start, as there are numerous examples of such policies already in place. But be aware that an Internet usage policy is not the only security policy your library will need.

For the Internet usage policy, state the objective as providing Internet access to all library staff, and explain that guidelines and responsibilities go along with that access. Then define the parameters for staff Internet usage. Examples of prohibited actions might be downloading inappropriate material, unapproved software, or hacking tools. Required actions might include keeping virus protection enabled, choosing strong passwords, and reporting any suspicious activity on your computer to management. Lastly, define the penalties for abuse of the policy. You can have employees sign and date the policy, signifying that they understand it and will comply.

Remember that you will need to train your employees in many of these tasks if you expect the security policy to succeed. Some organizations have held "security fairs" at the end of a work week, training end-users while also serving them ice cream. This is one example of tying security policy to a positive experience that helps users understand their role in securing the network.

The process of creating a policy

There are multiple steps to creating a security policy. It is important to have discussions with as many affected parties as possible. A security policy is only effective if you have the support of management and end-users. This eases enforcement of the policy and creates an atmosphere of understanding and trust rather than defensiveness and opposition.

Here are some recommended steps:

1. Download our extensive security policy template at: http://www.techatlas.org/tools/shared/SecurityPolicyTemplate.doc

2. Assemble a security policy team from various library departments and elect a team leader. It is advisable to include a legal representative and an HR person on the team, if your library system has those functions.

3. Define security needs and select policy goals. Often security needs are very specific, but a wider ranging goal will cover these specific topics. For example, a specific desire might be: I need to have virus protection on my PC. A goal that would cover this, and more, would be: Provide trustworthy and secure computing.

4. Spell out why a policy is needed, whom it will affect, what is covered, and responses to abuse of the policy.

5. Create a list of guidelines for users to follow. Do's and Don'ts are a simple and concise way to convey your expectations.

6. Implement the policy. Users may be wary because the policy affects them most directly; explain that it protects the whole organization and that its sanctions fall only on those who violate it.

7. Enforce, audit, and revise the policy. Once the policy is written and introduced, and the users are trained and informed, it must be enforced. Regular audits verify that the policy is actually being followed and surface the violations that need a response. Policies should be revised in response to changes in users' needs, new services, or changes to the network infrastructure.

Topics to Consider

Some of the considerations that should be crafted into policies are listed below. Several are network or IT specific and some are end-user oriented. Your network and the needs of your users could result in more or fewer topics being considered, and this list should not be considered exhaustive. Understanding how your users, both internal and external, use your network is paramount to defining a properly balanced security policy.

· Access policy or acceptable use
· User education
· Data backup, restoration, and mission-critical document storage
· Anti-virus protection
· Operating system and software upgrades
· Password policy
· Remote access
· Internet access
· E-mail use
· Router policies
· Incident response
· Physical security

The policy is written - are we finished?

Not yet. Writing the policy is actually the easy part. Next comes enforcement. While this may sound daunting, if your policy is well written and sensible, enforcement should follow naturally. Responsibility for auditing, enforcing, and responding to incidents should be clearly assigned to specific roles, so that everyone knows who acts when a violation or incident occurs.

Securing your network, and writing your security policy, is an ongoing cycle. Your policy should also include provisions for a regular "check-up" in response to changes in your organization, and for setting aside the resources needed to update the security policy and its enforcement.

Links:

A Security Policy Template

http://www.techatlas.org/tools/shared/SecurityPolicyTemplate.doc

Defining a Security Policy (focused on enterprise networks)

http://www.windowsecurity.com/articles/Defining_a_Security_Policy.html

Library Security Principles - Creating a Security Policy

http://www.infopeople.org/howto/security/basics/security_policies.html

A Sample Security Policy

http://www.tsl.state.tx.us/ld/pubs/compsecurity/ptthreesecpol.html

Steps for establishing a bulletproof security policy

http://networking.earthweb.com/netsecur/article.php/10952_897881_2

Indiana University Library Security Policy

http://www.indiana.edu/~libauto/library/2001-11-08_LMT_Security_Policy.pdf

SANS Security Policy Project - Excellent resource from a leading security organization

http://www.sans.org/resources/policies/

Network Computing article - Secure to the Core - good overview explanation of asset-based security policy

http://www.nwc.com/1401/1401f1.html

Network Computing article - Tactical Security 101 - more details on how to fine-tune the topics covered in the "Secure to the Core" article

http://www.nwc.com/1401/1401f2.html

