Beyond trust: security policies and defence-in-depth

Abstract

An organization may well have a sound security policy to handle its internal affairs, but in many cases it flounders when dealing with the complexity of extended supply chains. While a security policy should identify critical business resources, operations and activities, this is all well and good when the enterprise is solely responsible for the management of resources. But in today's environment, organizations operate in an increasingly outsourced world. Policies must also address any third party external organization and ensure that all enterprise resources that are handled are done so with integrity and security. There are a number of key issues that must be addressed when constructing policies that work. This article will briefly outline how an effective security policy can be designed and implemented, and used as an effective layer in a defence-in-depth approach to network security. It is one of the most frequently claimed cliches in relation to setting up a secure enterprise environment that effective security policies can create a firm foundation on which to build. Although it is true that a security policy can be an excellent mechanism for improving the security posture of an enterprise, this is only the case when a number of practical implementation and management issues are addressed first. This article will briefly outline how an effective security policy can be designed and implemented, and used as an effective layer in a defence-in-depth approach to network security.