WHAT IS A SECURITY POLICY? A formal, brief, high-level statement or plan that expresses an organization's general beliefs, goals, objectives, and acceptable procedures for information security. Policies exhibit the following attributes:
1. Require compliance.
2. Specify the consequences of not following the policy.
3. Identify what is desired, not how it will be implemented.
4. Leave the details of how the desired results are achieved to standards and guidelines.
5 STEPS TO A SECURITY POLICY
1. Identify Issues
2. Conduct Analysis
3. Draft Language
4. Legal Review
5. Policy Deployment
NEED FOR A SECURITY POLICY? Protects the organization through a proactive policy stance. Establishes the rules of behavior for users and IT personnel. Defines and authorizes the consequences of violations. Establishes a baseline security stance that minimizes risk to the organization. Ensures compliance with applicable regulations and legislation.
SECURITY POLICY BENEFITS Minimizes the risk of data leakage or loss. Protects the organization from malicious external and internal users. Sets guidelines and best practices for acceptable use, and ensures proper compliance. Announces internally and externally that information is an asset and the property of the organization, to be protected from unauthorized access, modification, disclosure, and destruction. Gives the organization a proactive stance when legal issues arise.
WHO USES A SECURITY POLICY?
Administration
Club Staff
Computer Users
POLICY DOCUMENT OUTLINE
Introduction
Purpose
Scope
Roles and Responsibilities
Sanctions and Violations
Revisions and Updating Schedule
Contact Information
Definitions/Glossary/Acronyms
COMPONENTS OF A SECURITY POLICY
Governing Policy
Technical Policies
Guidelines/Job Aids/Procedures
GOVERNING POLICY Discusses high-level information security concepts. Defines what these concepts are, why they matter, and the organization's stance on them. Read by management and end users. Aligns with other company policies. Supports the remaining components of the security policy.
TECHNICAL POLICIES Cover specific topics within the Governing Policy in greater technical detail. Technical policies address particular technologies or platforms; examples include operating system, application, network, and mobile device policies.
JOB AIDS AND GUIDELINES Job aids are documents that outline, step by step, how to implement a specific security measure. They serve as a backup if a staff member leaves, ensuring that security is still maintained. Examples include how to properly install DeepFreeze on a PC, or how secure passwords are to be constructed. Both guidelines and job aids help maintain the security of the organization and explain how policies are put into practice.
POLICY DEVELOPMENT PROCESS Start small and build upon the policy over time through revisions. Develop the set of policies that are critical first; these form the framework of the security policy. Carefully balance bottom-up and top-down approaches to policy development. Develop a policy that balances current practices with the practices the organization would like to see in the future. Most importantly, make sure the policy provides mechanisms to protect the organization against multiple types of threats.