What is a secure network? Can an Internet be made secure?[1] Although the concept of a
secure network is appealing to most users, networks cannot be classified simply as secure or not
secure because the term is not absoluteˆeach group defines the level of access that is permitted
or denied. For example, some organizations store data that is valuable. Such organizations define
a secure network to be a system prevents outsiders from accessing the organization's computers.
Other organizations need to make information available to outsiders, but prohibit outsiders from
changing the data. Such organizations may define a secure network as one that allows arbitrary
access to data, but includes mechanisms that prevent unauthorized changes. Finally, many large
organizations need a complex definition of security that allows access to selected data or services
the organization chooses to make public, while preventing access or modification of sensitive
data and services that are kept private.
Because no absolute definition of information secure exists, the first step an organization
must take to achieve a secure system is to define the organization's security policy. The policy
does not specify how to achieve protection. Instead, it states clearly and unambiguously the items
that are to be protected.

Defining an information security policy is complex. The primary complexity arises because an
information security policy cannot be separated from the security policy for computer systems
attached to the network. In particular, defining a policy for data that traverses a network does not
guarantee that data will be secure. Information security cannot prevent unauthorized users who
have accounts on the computer from obtaining a copy of the data. The policy must hold for the data
stored on disk, data communicated over a telephone line with a dialup modem, information printed
on paper, data transported on portable media such as a floppy disk, and data communicated over a
computer network.
Defining a security policy is also complicated because each organization must decide which
aspects of protection are most important, and often must compromise between security and ease
of use. For example, an organization can consider:
Data Integrity'
Data Availability'
Data Confidentiality and Privacy.

appealing