Importance Of A Security Policy

10,315 views
9,540 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
10,315
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
207
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Importance Of A Security Policy

  1. 1. IMPORTANCE OFA SECURITYPOLICYCharles Garrett
  2. 2. WHAT IS A SECURITY POLICY? A formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for information security. Policies exhibit the following attributes:1. Require compliance2. What are the consequences of not following policies?3. Identifies what is desired now how it will be implemented.4. Desired results are derived from standards and guidelines.
  3. 3. 5 STEPS TO A SECURITY POLICY Identify Issues Conduct Analysis Draft Language Legal Review Policy Deployment
  4. 4. NEED FOR A SECURITY POLICY? Protects organization through proactive policy stance. Establishes the rules for user behavior and any other IT personnel. Define and authorize consequences of violation. Establish baseline stance on security to minimize risk for the organization. Ensure proper compliance with regulations and legislation.
  5. 5. SECURITY POLICY BENEFITS Minimizes risk of data leak or loss. Protects the organization from “malicious” external and internal users. Sets guidelines, best practices of use, and ensures proper compliance. Announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction. Promotes proactive stance for the organization when legal issues arise.
  6. 6. WHO USES A SECURITY POLICY? Administration Club Staff Computer Users
  7. 7. POLICY DOCUMENT OUTLINE Introduction Purpose Scope Roles and Responsibilities Sanctions and Violations Revisions and Updating Schedule Contact Information Definitions/Glossary/Acronyms
  8. 8. COMPONENTS OF SECURITYPOLICY Governing Policy Technical Policy Guidelines/Job Aids/Procedures
  9. 9. GOVERNING POLICY Discusses high level information security concepts. Defines what these information security concepts are, their importance, and the organizational stance on these security concepts. Read by management and end users. Aligns with other company policies. Supports the rest of the components of the security policy.
  10. 10. TECHNICAL POLICIES Covers some of the topics within the Governing Policy. Technical policies are used for more specific technical topics. Types of policies include: Operating Systems, Application, Network, and Mobile Devices.
  11. 11. JOB AIDS AND GUIDELINES Job aids are documentation that outline step by step on how to implement a specific security measure. This serves as a backup if a staff member leaves and ensures security is still maintained. An example of this is how to properly install DeepFreeze on a PC or how secure passwords will be constructed. Both guidelines and job aides help to maintain security of the organization and help to explain how policies.
  12. 12. SECURITY POLICY TOPICSPhysical Security Acceptable UsePrivacy Account ManagementSecurity Training Admin/Special AccessSoftware Licensing Change ManagementVirus Protection Incident ManagementPassword
  13. 13. POLICY DEVELOPMENT PROCESS Start small and then build upon the policy overtime with revisions. Develop a set of policies that are critical and build the framework of the security policy. Delicately balance the development of the policy with the bottom-up and top- down approach. Work to develop a policy that balances between both current practices and what practices the organization would like to see in the future. Most Importantly, make sure to develop the policy so that it provides mechanisms to protect the organization against the multiple types of threats.
  14. 14. RESOURCES Diver, S. Information security policy – a development guide for large and small companies http://www.sans.org/reading_room/whitepapers/policyissues/infor mation-security-policy-development-guide-large-small- companies_1331

×