Developing an effective security policy is the first and perhaps most critical step to safeguarding your network against intruders and gaining the trust of online consumers. But because building a security policy from scratch can be such a daunting and laborious process, many companies attempt to protect their networks without the solid foundation a security policy can offer.
What considerations should you include in your policy? How do your current processes compare with best practices? How can you translate your policy into practical measures that will protect your systems?
As tricky as creating and implementing policies can be, it is nonetheless crucial. Security policies provide the framework for implementing practical protective measures such as firewalls, access control and intrusion-detection systems. Without an inclusive and easily translatable policy, many companies are forced to take a hit-or-miss approach to securing their networks, which can leave data vulnerable and business-critical systems open to attack.
Businesses looking to create useful policies without breaking the bank should consider e-business technology's PoliVec Builder, an application that creates custom security policies and implementation guidelines. PoliVec Builder allows IT managers to avoid pouring a lot of time into creating policies from scratch and, at $US1495, it represents a substantial cost saving over hiring an outside company to help develop your policy. Most consulting firms will charge you at least $10,000 to build a policy that might not even be sufficiently tailored to fit your company's needs.
In our testing, we found PoliVec Builder to be remarkably easy to use. More important, the software provided effective policies for securing information systems, as well as useful guidelines for putting policies in place. However, PoliVec made it difficult to customise policies to match specific organisational requirements, and so earned our score of Consider.
The best policy
To build an effective security policy with PoliVec, users need only follow the program through four simple tabs: Policy Configuration, Policy Categories, Policy Settings and Policy Details. These tabs collect general company information and allow users to highlight specific areas of concern, such as virus management, remote access security and file backup. Users can also define specific parameters for their policies, such as how often security procedures must be reviewed and how often network passwords must be changed.
PoliVec then takes this information and creates a formal document that serves as a corporate security policy. This document can be saved as a PDF or HTML file to allow for printing and distribution.
Unfortunately, the product offers only one template to build these policies, which means that PoliVec generates basically the same document with minor variations for every company that uses it. But because this template is based on best practices, it is sufficient for most businesses and will cover all standard security measures.
In addition, e-business technology plans to include two new policy templates for financial institutions in the forthcoming Version 1.1. We would like to see an additional healthcare template that follows the government's best practices guidelines.
It took about five minutes to install PoliVec on a system running Windows 2000 Professional, and less than an hour to create our corporate security policy.
PoliVec automatically generates implementation guidelines based on your newly created security policy, saving you the burden of analysing the finished document to work out how to put it into practice.
For example, if your policy states that user passwords must be at least seven characters long and changed every 60 days, the guidelines will instruct you as to which network configurations to change and how to implement this password plan. The guidelines are so helpful in translating your policy into action that they are perhaps the product's strongest feature.
The weakest feature, on the other hand, is probably the limited conceptual database, which does not always allow users to shape their policies according to specific company methods or organisational idiosyncrasies. Instead, users must modify the PDF file or the HTML file to make any changes to the policy document.
Of course, this rigidity is inherent to any out-of-the-box product of this kind and will not affect the majority of companies that use PoliVec. In any case, PoliVec Builder provides a first-rate starting point for most companies, which can then manually alter the document as needed.
With PoliVec Builder, companies can reap the benefits of a high-quality security policy without paying the traditional price of blood, sweat and tears. We recommend it without exception to any company that doesn't require extensively customised security policies.