Security management is the process by which security controls are implemented and security managers are subject to control. Some of the elements of this architecture -- the management of passwords and accounts, authorization controls, legal issues, privacy, and so forth -- are discussed in their own chapters. The following additional elements also form part of the structure:

• Acceptable use enforcement
• Administrative security
• Accountability controls
• Activity monitoring and audit

Acceptable Use Enforcement

One of the best things that a company can do is to have an acceptable use policy (AUP) that dictates what employees can do with the computers they use and the networks and data they have access to. Many early AUPs only addressed Internet access; they either told subscribers of an ISP what was deemed acceptable or listed company policies created to reduce bandwidth demands. Now, however, AUPs are attempting to specify the entire panorama of computer use, from what subjects employees are allowed to read about on the Internet, to what's okay to say in an internal e-mail, to whether a personal music CD can be inserted in the CD-ROM drive of the office desktop.

A problem with many of these AUPs is that they do not have compliance enforcement written into them or do not evenly and fairly apply their own rules. One thing is certain: if an AUP is not enforced, it's not worth having. Before proposing potential enforcement rules, let's look at some typical enforcement statements.

Remember: this chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg and Keith Strassberg (McGraw-Hill/Osborne, ISBN 0-072-22697-8, 2003). Buy this book now