Wireless Operational Security

The security policy life cycle, as suggested by J. Craig Lowery [1] in a recent white paper, is a model incorporating the following nine phases:
Draft. Representative committees write policies.
Adopt. Administration reviews and approves policies.
Implement. Administration defines procedures to implement the policies.
Educate. Users receive training about the new policies and procedures.
Deploy. Policies are put into effect; related technical solutions are deployed.
Monitor. Security team observes the computing environment for policy violations.
Enforce. Violators are punished as prescribed by policy.
Reevaluate. Policies are reviewed for continued relevance and accuracy.
Revise. Policies are revised as needed to keep them current, relevant, and accurate.
A very good source of sample security policies is the SANS Security Policy Resource Web page [2], which is maintained by the current policy project director, Michele D. Guel [3]. SANS policy information is provided free of charge. The folks at SANS originally compiled these security policies to assist those attending SANS training programs, but because SANS feels the security of the Internet depends on vigilance by all, they have made these resources available to the entire Internet community.
Another resource the reader can consult for security policy information is RFC 2196 [4]. This handbook is one of the early guides to developing computer security policies and procedures for sites that have systems on the Internet. Its purpose is to provide practical guidance to administrators who...