Security Solutions
3-5
Designing Access Controls
Comprehensive Security Policy
After you carefully evaluate your company’s users, network, and risk tolerance, you can use all of the information that you have gathered to begin to create a comprehensive security policy. This written document will not only help you implement security consistently and appropriately for each user, but will also outline your security measures for the entire company, including end-users and upper management.
“Security policy” is somewhat of a misnomer because the document is actually a collection of security policies. For example, you will typically establish several security policies for access control methods: if you select 802.1X as the access control method for a zone, you will need to make provisions for the devices, such as printers and Voice over IP (VoIP) phones, that do not support this access control method. You will then create two security policies for that zone. (For more information about network zones, see Chapter 2: “Customer Needs Assessment.”) You will also create several security policies for endpoint integrity checking: you may create one endpoint integrity policy for Windows endpoints and another policy for Macintosh endpoints. Or, you may create one endpoint integrity policy for employees and another policy for guests.
In addition to describing your security policies, you should include the business needs as the foundation. You identified these business needs when you conducted your needs assessment: for example, you evaluated your company’s risk tolerance for a network attack and assessed its current vulnerability to such an attack. You also discovered the type of network access users need to complete their jobs more effectively, and you identified the guests who need network access. Now that you understand these business issues, you must explain them to your company—including upper management.
Because your comprehensive security policy will have multiple audiences,
you should try to make it as complete as possible. Keep these audiences in
mind as you write: what must upper management know to understand both
the business needs for establishing a security policy and the way you are
implementing it? What must end-users know and understand in order to fully
cooperate and comply with a security policy?
Although including the business needs and the technical instructions may make your comprehensive security policy somewhat lengthy, do not be concerned. Securing your network is critical to protecting your company’s busi-