Establishing a Complete Security Policy Management Process
The security policy management process is part of the organization's information security policy. It is a management method that keeps the firewall's rule base aligned with the services it protects. Initially, the policy set on each firewall is simple. As new services and devices are deployed, the number of security policies grows, and configuration changes and day-to-day management become harder. An organization needs to establish and strictly follow a policy management process through which every security policy application is reviewed. The process can be adjusted dynamically as service requirements change. To ensure that security policies are added and modified for a justified reason and in a traceable way, the policy management process should cover the following aspects:
- The applicant in the service team submits an application for a new security policy and specifies the policy to be added. The business director evaluates whether the policy is necessary and forwards the application to the security team. Generally, the service team needs to provide the following information:
  - Access destination (service, port, or application)
  - Access source, which is generally a subnet. If the access is initiated from a single server, the IP address of that server must be specified rather than the subnet.
  - Function and purpose of the security policy to be added
  - Validity period of the security policy to be added. If no validity period is specified, the policy is treated as a long-term policy. Temporary policies should always carry an end date so that they can be removed when the need expires.
  Any network change must likewise be submitted to the security team in advance so that the security team can evaluate its impact and plan the required security policy adjustments before the change is made.
- The security team evaluates the risks of the application submitted by the service team and determines how the security policy will be implemented. If necessary, the security team discusses the application with the business director or applicant to confirm that the new policy meets the service requirement, and informs them of the complexity and risk the policy introduces (for example, how broad the permitted access is and for how long).
- The security team deploys and verifies the security policy. The key roles, including the service team and the data owner (the owner of the service or application being accessed), must take part in the verification. Full verification, rather than a check by the security team alone, helps find problems such as an overly broad or an insufficient policy before they affect services.
- All security policies must be recorded. Some industry specifications, such as the Payment Card Industry Data Security Standard (PCI DSS), require that every application and approval document be retained and that the firewall rule set be reviewed periodically (PCI DSS requires a review at least every six months). Recording each security policy adds overhead up front, but it pays off in the long run: anyone in the security team can consult the records to understand the intent of each policy and to link the policy to the application that justified it, which simplifies auditing and problem locating. It is recommended that the following information be recorded for each security policy:
  - Content of the security policy application provided by the service team
  - Applicant and approver in the service team
  - Application date and time
  - Handler in the security team
If the organization has a mature IT service management system, the preceding information is usually already captured in the service request process, which greatly reduces the recording workload for the security team. Combining the IT process with the firewall configuration makes policy management easy: for example, the creation time, the operator, or the IT process (service request) number can be written into the description field of the security policy, so that the policy and the application that justified it are linked in the firewall itself. An auditor can then start from either side, from the rule base or from the request records, and trace to the other.
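The following is an added example, not code from the original page or from any firewall vendor, showing what the description-field convention buys you once it is in place. It assumes a hypothetical convention for the description field (service request number, security-team handler, application date, and validity end date, separated by semicolons) and a constructed rule export; the field names are assumed, not any product's actual export format. Given those, it performs the periodic audit the text calls for: flagging rules that cannot be traced to an application, rules whose validity period has ended, rules about to expire, and any/any rules that need an explicit justification, and it indexes the rule base by service request so that an auditor can move from a request to the rules it produced.

```python
import re
from datetime import date, timedelta

# Assumed description-field convention (not from the original page):
#   <service request number>;<handler in security team>;<application date>;exp=<end date|none>
DESC_RE = re.compile(
    r"^(?P<ticket>SR-\d{8}-\d{4});(?P<handler>[\w.-]+);"
    r"(?P<applied>\d{4}-\d{2}-\d{2});exp=(?P<expires>\d{4}-\d{2}-\d{2}|none)$"
)

# Constructed sample rule export; the field names are assumed, not a vendor format.
SAMPLE_RULES = [
    {"name": "crm_to_mysql", "src": "10.10.20.0/24", "dst": "10.30.1.15",
     "service": "tcp/3306", "description": "SR-20240115-0042;bob;2024-01-15;exp=none"},
    {"name": "vendor_vpn_temp", "src": "203.0.113.40", "dst": "10.30.2.0/24",
     "service": "tcp/22", "description": "SR-20240301-0007;carol;2024-03-01;exp=2024-03-31"},
    {"name": "legacy_any_any", "src": "any", "dst": "any",
     "service": "any", "description": "temporary, ask ops"},
    {"name": "patch_mirror", "src": "10.10.0.0/16", "dst": "10.30.5.9",
     "service": "tcp/443", "description": "SR-20240420-0110;bob;2024-04-20;exp=2024-12-31"},
]


def parse_description(text):
    """Return the recorded metadata as a dict, or None if the convention is not followed."""
    m = DESC_RE.match(text.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["applied"] = date.fromisoformat(rec["applied"])
    rec["expires"] = None if rec["expires"] == "none" else date.fromisoformat(rec["expires"])
    return rec


def audit_rules(rules, today, warn_days=30):
    """Check each rule against the recording requirements; return (rule name, issue) pairs.

    untraceable   description does not reference an application record
    expired       validity period has ended; the rule should have been removed
    expiring      validity ends within warn_days; renewal or removal is due
    overly-broad  any/any/any rule, which needs an explicit documented justification
    """
    findings = []
    for rule in rules:
        rec = parse_description(rule.get("description", ""))
        if rec is None:
            findings.append((rule["name"], "untraceable"))
        elif rec["expires"] is not None:
            if rec["expires"] < today:
                findings.append((rule["name"], "expired"))
            elif rec["expires"] - today <= timedelta(days=warn_days):
                findings.append((rule["name"], "expiring"))
        if rule["src"] == "any" and rule["dst"] == "any" and rule["service"] == "any":
            findings.append((rule["name"], "overly-broad"))
    return findings


def rules_by_ticket(rules):
    """Index traceable rules by service request number: the lookup an auditor performs."""
    index = {}
    for rule in rules:
        rec = parse_description(rule.get("description", ""))
        if rec:
            index.setdefault(rec["ticket"], []).append(rule["name"])
    return index


if __name__ == "__main__":
    for name, issue in audit_rules(SAMPLE_RULES, date(2024, 12, 10)):
        print(f"{name:18} {issue}")
    print(rules_by_ticket(SAMPLE_RULES))
```

Run against a real export, the audit date would be the review date, and each "expired" or "untraceable" finding becomes a change request back through the same process: either the service team re-applies with a justification and a new validity period, or the security team removes the rule. The strict regular expression is deliberate; a description that almost follows the convention is treated as untraceable rather than guessed at, so drift in how people fill in the field shows up in the audit instead of silently weakening it.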