Tips for creating a security policy

Insider Threat By Michael Machado, Network World
October 08, 2007 11:57 AM ET
My company is revamping its network security plan. What tools should I use to develop up-to-date policies, and are there any tools that make this easier?

Security is an ever-moving target that must be continually managed and refined to ensure the confidentiality, integrity, and availability of the services and systems that are critical to your business, as well as of the valuable information that is often at the heart of the organizations we defend.

The stream of news stories highlighting loss of customer information and proprietary data (among other drivers) is prompting many of us to take a step back and re-evaluate the infrastructure at large, and our security tools within that infrastructure.

In your case, you're wondering how network tools can help in creating up-to-date security policies.

A flippant, and I suspect prevalent, answer to your question would be that tools aren't for developing policy, they're for helping to enforce your policy. Such a view falls short in my opinion, because while policy enforcement may be a tool's greatest contribution to your security program, our tools often log activity that we can channel into a feedback loop that informs changes to policy. In other words, knowing what the tools are uncovering positions us to use this information to evolve (or update, if you prefer) our security policies.

Your question asks for specifics though, and I'll offer what advice I can.

There are well-known, bread-and-butter tools that often aren't thought of as policy tools. However, many of them can have a role in shaping your policy if you use them that way.

Vulnerability scanners - these scanners can help you determine patching policy. Once you know which vulnerabilities are exposed, you can make decisions about what can and can't be tolerated in the environment, about timeframes and patching SLAs, and about firewall rules.

Application security scanners - these can inform your decisions about secure coding standards, and about whether to invest in code scanning technology to help automate both the implementation and the enforcement of any standards you put in place.

Flow data and network-based anomaly detection - knowing your typical network behaviors can highlight common activity that you might want to curb via policy or other tools. Both technologies provide visibility into your network traffic.

IDS - a well-tuned IDS can provide information about attacks coming into your environment. This information can inform decisions about which technologies you deploy architecturally. You might notice attacks against one operating system in particular, and require a new deployment to use a different operating system as part of your defense strategy; or perhaps you uncover worm activity trying to spread from one network to another, and use this to create a policy that segments the two networks in part or in full.
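As an added illustration of the feedback loop the column describes (scanner output informing patching policy), not code from the article or its author, the script below takes constructed vulnerability-scan findings, measures them against an assumed per-severity patching SLA, and turns the result into policy feedback: where the SLA is being missed, where it is comfortably met and could be tightened, and where it should hold. The findings, dates and SLA values are all made up for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample findings, shaped like a scanner's open-findings export:
# (host, severity, date first seen). Made-up values, not real scan data.
FINDINGS = [
    ("web-01", "critical", date(2007, 9, 1)),
    ("web-01", "high",     date(2007, 9, 20)),
    ("db-01",  "critical", date(2007, 9, 25)),
    ("db-01",  "medium",   date(2007, 8, 1)),
    ("fs-01",  "high",     date(2007, 8, 15)),
    ("fs-01",  "low",      date(2007, 9, 15)),
    ("wks-07", "medium",   date(2007, 9, 28)),
]

# Assumed current patching SLA (days allowed per severity): the policy under review.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Reference date for the report (constructed).
AS_OF = date(2007, 10, 8)

def sla_report(findings, sla, today):
    """Per severity: open findings, how many exceed the SLA, and the oldest age."""
    ages_by_sev = defaultdict(list)
    for _host, sev, first_seen in findings:
        ages_by_sev[sev].append((today - first_seen).days)
    report = {}
    for sev, limit in sla.items():
        ages = ages_by_sev.get(sev, [])
        report[sev] = {
            "open": len(ages),
            "past_sla": sum(1 for a in ages if a > limit),
            "oldest_days": max(ages, default=0),
            "sla_days": limit,
        }
    return report

def policy_actions(report):
    """Map each severity tier to policy feedback derived from the report.
    enforce: findings are exceeding the SLA, so the patch process needs attention
             or compensating controls (e.g. firewall rules) while patching catches up.
    tighten: nothing is past SLA and the oldest finding is within half the window,
             so the SLA could be shortened.
    hold:    SLA is met but not by a wide margin; leave the policy as it is."""
    actions = {}
    for sev, row in report.items():
        if row["past_sla"] > 0:
            actions[sev] = "enforce"
        elif row["oldest_days"] <= row["sla_days"] // 2:
            actions[sev] = "tighten"
        else:
            actions[sev] = "hold"
    return actions

if __name__ == "__main__":
    rep = sla_report(FINDINGS, PATCH_SLA_DAYS, AS_OF)
    for sev, action in policy_actions(rep).items():
        print(f"{sev:9s} open={rep[sev]['open']} past_sla={rep[sev]['past_sla']} "
              f"oldest={rep[sev]['oldest_days']}d sla={rep[sev]['sla_days']}d -> {action}")
```

Run against a real export, the same report shows which tiers of the patching policy are aspirational and which are actually being met, which is the information the column suggests feeding back into the policy itself.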

The above aren't the only well established technologies in the security realm, and of course the list of examples could go on.

In addition to the established tools, new tools are always being created. Some succeed and some don't, and many, though in early stages of development, are worth considering.
