| Lesson 6 | Security Policy System Classification |
| Objective | Develop Security Policy by Classifying your Systems |
Develop Security Policy by Classifying your Systems
Develop your security policy by classifying your systems and assigning risk.
Systems classification effectively allocates security resources and develops a sound security infrastructure. Identify and then classify systems and data based on their importance to the organization using the Security Classification diagram below.
Systems classification effectively allocates security resources and develops a sound security infrastructure. Identify and then classify systems and data based on their importance to the organization using the Security Classification diagram below.
A security policy is a definition of what it means to be secure for a system, organization or other entity.
For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
Because the security policy is a high level definition of secure behavior, it is meaningless to claim an entity is "secure" without knowing what "secure" means. It is also foolish to make any significant effort to address security without tracing the effort to a security policy.
For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
Because the security policy is a high level definition of secure behavior, it is meaningless to claim an entity is "secure" without knowing what "secure" means. It is also foolish to make any significant effort to address security without tracing the effort to a security policy.
System classification
- Level I systems are mission-critical systems, systems with high availability requirements, or systems that cannot tolerate more than a few hours of downtime such as certificate servers, registration and customer billing systems. These are often publicly exposed servers; usually five percent of your resources.
- Level II systems include operational systems, line-of-business level systems, and systems that can tolerate up to 48 hours of downtime. About 20 percent of your resources, Level II resources are typically comprised of internal servers that are not directly connected to the Internet.
- Level III systems have backup systems and/or can tolerate at least one week of downtime in case of emergency. These are typically end-user machines. About 75 percent of your resources will be classified as Level III.
A Level I system requires significant resources and consideration, whereas a Level III system might need only virus checking. An unrealistic policy will hurt a company's ability to protect itself, and could even damage its ability to communicate efficiently.
Determination of resource risk
Once all your network's resources have been classified and prioritized, risk factors should be determined for each resource you have defined. When determining the risk factors for a resource, use this basic rule: The more sensitive the resource, the higher the risk factor.
Click on the link below to learn more about security administration classification.
Security administration classification
Security administration classification
Create written documentation of each system
Prior to writing your security policy, create a detailed, written documentation of every system, including hardware types, current configurations, and protocols used. After you have classified all your company's resources, you should include a prioritized threat list and an action list, prioritized by system, in your security implementation plan.