machine off. The worst part is that it's our attitude that keeps on telling us

"Hey among those millions of computers on the Internet, surely the chances

that our network will get broken into is remote." Trust us, don't bet your life

on it.

No two organizations have similar security concerns. Thus, it makes no sense

having a common framework for comparing the policy framing scenarios among any

two corporate. For all of us, our data is precious and we will go any length to

see that redundancy is maintained in the form of daily incremental backups and

maybe restricting access to the systems containing that precious data.

Then why do numerous organizations have no strategy when it comes to drawing up

a security policy and implementing it? Maybe some do not want to go the extra

mile in framing a security policy. Maybe some system administrators is so

overworked that they find implementing and enforcing a security policy, a waste

of time. Rather than speculating on the possibilities of not having a security

policy in place, let us figure out what it takes to get one up.

Whatever the nature of the business a company is in, almost every company has an

extensive network that at some point is connected to the outside world. Probably

the only connection between the Internet and the Intranet is the proxy services

that sit between the two. The gateway may also be masquerading as a mail server

or fax server. The list of services running on the gateway is endless. But in

this whole scenario of having to provide all these services to the internal

staff, what kind of security measures have you put in place to ensure that your

internal network doesn't become a playground for any cracker? The cracker might

use your network to launch DOS attacks on a site.

Framing and implementing a security policy requires a lot of thought and

debate to be put into it. You should not wake up to its need after having been

hit.

It requires a collaborative effort by the system administrator as well as the

users. Certain rules and regulations should be strictly engraved into the

working of every employee. Alternatives and compromises have to looked at before

finalizing on major issues and freezing the whole thought process. Laying down

the framework and implementing the security measures are not the end of the

whole process. Employees must also be made to understand that following these