Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
If it is important to be secure, then it is important to be sure all of the security policy is enforced by mechanisms that are strong enough. There are organized methodologies and risk assessment strategies to assure completeness of security policies and assure that they are completely enforced. In complex systems, such as information systems, policies can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce sub-policies. However, this practice has pitfalls. It is too easy to simply go directly to the sub-policies, which are essentially the rules of operation and dispense with the top level policy. That gives the false sense that the rules of operation address some overall definition of security when they do not. Because it is so difficult to think clearly with completeness about security, rules of operation stated as "sub-policies" with no "super-policy" usually turn out to be rambling rules that fail to enforce anything with completeness. Consequently, a top level security policy is essential to any serious security scheme and sub-policies and rules of operation are meaningless without it.
A network security policy is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment. The document itself is usually several pages long and written by a committee. A security policy goes far beyond the simple idea of "keep the bad guys out". It's a very complex document, meant to govern data access, web-browsing habits, use of passwords and encryption, email attachments and more. It specifies these rules for individuals or groups of individuals throughout the company.
Security policy should keep the malicious users out and also exert control over potential risky users within your organization. The first step in creating a policy is to understand what information and services are available (and to which users), what the potential is for damage and whether any protection is already in place to prevent misuse.
In addition, the security policy should dictate a hierarchy of access permissions; that is, grant users access only to what is necessary for the completion of their work.
The policies could be expressed as a set of instructions that could be understood by special purpose network hardware dedicated for securing the network.
A policy is a set of mechanisms by means of which your information security objectives can be defined and attained. Let's take a moment to briefly examine each of these concepts. First, we have the information security objectives:
- Confidentiality is about ensuring that only the people who are authorized to have access to information are able to do so. It's about keeping valuable information only in the hands of those people who are intended to see it.
- Integrity is about maintaining the value and the state of information, which means that it is protected from unauthorized modification. Information only has value if we know that it's correct. A major objective of information security policies is thus to ensure that information is not modified or destroyed or subverted in any way.
- Availability is about ensuring that information and information systems are available and operational when they are needed. A major objective of an information security policy must be to ensure that information is always available to support critical business processing.
These objectives are globally recognized as being characteristic of any secure system.
According to NIST, the main threat to WiMAX networks occurs when the radio links between WiMAX nodes are compromised. The systems are then susceptible to denial of service attacks, eavesdropping, message modification and resource misappropriation.
SP 800-127 recommends using built-in security features to protect the data confidentiality on the network. It also suggests that organizations using WiMAX technology should:
- Develop a robust WiMAX security policy and enforce it.
- Pay particular attention to WiMAX technical countermeasure capabilities before implementing WiMAX technology.
- Use WiMAX technology that supports Extensible Authentication Protocol methods as recommended in NIST SP 800-120.
- Implement Federal Information Processing Standards-validated encryption to protect data communications.
WiMAX is a wireless protocol with a larger reach than WiFi (IEEE 802.11x) networks, but smaller than wireless areas covered by cell phones.
The technology originally was designed to provide last-mile broadband wireless access as an alternative to cable, digital subscriber line (DSL) or T1 service. In recent years its focus has shifted to provide a more cellular-like, mobile architecture to serve a broader user base.