Question 8: What is security policy? Why do you need a security policy? How to develop a
security policy?
Introduction
A security policy should outline the key items in an organization that need to be protected. This
might include the company's network, its physical building, and more. It also needs to outline the
potential threats to those items. If the document focuses on cyber security, threats could include
those from the inside, such as the possibility that disgruntled employees will steal important
information or launch an internal virus on the company's network.
Security policy
A security policy is a written document in an organization outlining how to protect the
organization from threats, including computer security threats, and how to handle situations
when they do occur.
A security policy is an overall statement of intent that dictates what role security plays within the
organization. Security policies can be organizational policies, issue-specific policies, or system-
specific policies, or a combination of all of these.
[https://www.sciencedirect.com/topics/computer-science/security-policy]
A security policy is a document that states in writing how a company plans to protect the
company's physical and information technology (IT) assets.
Why do you need a security policy?
A security policy contains pre-approved organizational procedures that tell you exactly what you
need to do in order to prevent security problems and next steps if you are ever faced with a data
breach. Security problems can include:
- Confidentiality – people obtaining or disclosing information inappropriately
- Data Integrity – information being altered or erroneously validated, whether deliberately or accidentally
- Availability – information not being available when it is required, or being available to more users than is appropriate
At the very least, having a security policy will ensure everyone in the IT department is on the
same page on security processes and procedures.
https://www.varonis.com/blog/how-to-create-a-good-security-policy/
Policies and Procedures are two of the words that most employees dread to hear, especially when
it comes to IT Security. The obvious question is why do we need to have IT Security policies
and procedures? Well, there are many reasons and here are the top 5 reasons, in no particular
order:
They address threats – Threats are everywhere, especially when it comes to IT Security and the
explosion of ransomware these days. The goal behind IT Security Policies and Procedures is to
address those threats, implement strategies on how to mitigate those threats, and how to recover
from threats that have exposed a portion of your organization.
They engage employees – I know that this might sound a little crazy but bear with me on this
one. Think about a time when you worked for an organization that forced a bunch of policies and
procedures down your throat. What were some of the thoughts that you had? Where did these
come from? Who created them? Why are we doing this? These are all valid questions and ones
that can be avoided when you engage employees in the process of developing and implementing
IT Security policies and procedures.
Who does what, when, and why? – IT Security policies and procedures provide a roadmap to
employees of what to do and when to do it. Think about those annoying password management
policies that every company has. You know the ones where you have to change your password
every 47 minutes and can’t use the last 56 passwords that you previously entered. If that policy
and procedure didn’t exist in organizations, how common would it be for people to use simple,
easy-to-guess passwords that ultimately open the organization to increased risk of data theft
and/or data loss?
Who gets access to what – Think about the days when you were back in college and you would
go to a nightclub. Do you remember when you would venture towards the back of the nightclub
and there was the VIP section with a very large, angry person guarding who got in and who
didn’t get in? Policies and procedures play the role of bouncer in a nightclub. They dictate who
has access to what information and for what reasons. Without policies and procedures in place,
everyone would be allowed into the VIP section, and that wouldn’t be good for business.
What’s the penalty – IT Security policies and procedures outline the consequences for failing to
abide by the organization's rules when it comes to IT Security. We all have choices to make as to
whether we are going to comply with the policy that has been outlined, that's just human nature.
But, people like to know, and need to know, what the consequence is for failing to follow a
policy. Policies and procedures provide what the expectation is, how to achieve that expectation,
and what the consequence is for failure to adhere to that expectation.
https://www.compassitc.com/blog/it-security-policies-and-procedures-why-you-need-them
There are other reasons why a security policy is needed:
- Protects the organization through a proactive policy stance.
- Establishes the rules for user behavior and for IT personnel.
- Defines and authorizes the consequences of violations.
- Establishes a baseline stance on security to minimize risk for the organization.
- Ensures proper compliance with regulations and legislation.
https://www.slideshare.net/charlesgarrett/importance-of-a-security-policy-11380022
Develop a security policy
A tenable security policy must be based on the results of a risk assessment as described
in Chapter 2. Findings from a risk assessment provide policy-makers with an accurate picture of
the security needs specific to their organization. This information is imperative because proper
policy development requires decision-makers to:
- Identify sensitive information and critical systems
- Incorporate local, state, and federal laws, as well as relevant ethical standards
- Define institutional security goals and objectives
- Set a course for accomplishing those goals and objectives
- Ensure that the necessary mechanisms for accomplishing the goals and objectives are in place
https://nces.ed.gov/pubs98/safetech/chapter3.asp
There are two parts to any security policy. One deals with preventing external threats to maintain
the integrity of the network. The second deals with reducing internal risks by defining
appropriate use of network resources.
Addressing external threats is technology-oriented. While there are plenty of technologies
available to reduce external network threats -- firewalls, antivirus software, intrusion-detection
systems, e-mail filters and others -- these resources are mostly implemented by IT staff and are
undetected by the user.
However, appropriate use of the network inside a company is a management issue. Implementing
an acceptable use policy (AUP), which by definition regulates employee behavior, requires tact
and diplomacy.
At the very least, having such a policy can protect you and your company from liability if you
can show that any inappropriate activities were undertaken in violation of that policy. More
likely, however, a logical and well-defined policy will reduce bandwidth consumption, maximize
staff productivity and reduce the prospect of any legal issues in the future.
These 10 points, while certainly not comprehensive, provide a common-sense approach to
developing and implementing an AUP that will be fair, clear and enforceable.
1. Identify your risks
What are your risks from inappropriate use? Do you have information that should be restricted?
Do you send or receive a lot of large attachments and files? Are potentially offensive
attachments making the rounds? It might be a nonissue. Or it could be costing you thousands of
dollars per month in lost employee productivity or computer downtime.
A good way to identify your risks can be through the use of monitoring or reporting tools. Many
vendors of firewalls and Internet security products allow evaluation periods for their products. If
those products provide reporting information, it can be helpful to use these evaluation periods to
assess your risks. However, it's important to ensure that your employees are aware that you will
be recording their activity for the purposes of risk assessment, if this is something you choose to
try. Many employees may view this as an invasion of their privacy if it's attempted without their
knowledge.
2. Learn from others
There are many types of security policies, so it's important to see what other organizations like
yours are doing. You can spend a couple of hours browsing online, or you can buy a book such
as Information Security Policies Made Easy by Charles Cresson Wood, which has more than
1,200 policies ready to customize. Also, talk to the sales reps from various security software
vendors. They are always happy to give out information.
3. Make sure the policy conforms to legal requirements
Depending on your data holdings, jurisdiction and location, you may be required to conform to
certain minimum standards to ensure the privacy and integrity of your data, especially if your
company holds personal information. Having a viable security policy documented and in place is
one way of mitigating any liabilities you might incur in the event of a security breach.
4. Level of security = level of risk
Don't be overzealous. Too much security can be as bad as too little. You might find that, apart
from keeping the bad guys out, you don't have any problems with appropriate use because you
have a mature, dedicated staff. In such cases, a written code of conduct is the most important
thing. Excessive security can be a hindrance to smooth business operations, so make sure you
don't overprotect yourself.
5. Include staff in policy development
No one wants a policy dictated from above. Involve staff in the process of defining appropriate
use. Keep staff informed as the rules are developed and tools are implemented. If people
understand the need for a responsible security policy, they will be much more inclined to
comply.
6. Train your employees
Staff training is commonly overlooked or underappreciated as part of the AUP implementation
process. But, in practice, it's probably one of the most useful phases. It not only helps you to
inform employees and help them understand the policies, but it also allows you to discuss the
practical, real-world implications of the policy. End users will often ask questions or offer
examples in a training forum, and this can be very rewarding. These questions can help you
define the policy in more detail and adjust it to be more useful.
7. Get it in writing
Make sure every member of your staff has read, signed and understood the policy. All new hires
should sign the policy when they are brought on board and should be required to reread and
reconfirm their understanding of the policy at least annually. For large organizations, use
automated tools to help electronically deliver and track signatures of the documents. Some tools
even provide quizzing mechanisms to test users' knowledge of the policy.
8. Set clear penalties and enforce them
Network security is no joke. Your security policy isn't a set of voluntary guidelines but a
condition of employment. Have a clear set of procedures in place that spell out the penalties for
breaches in the security policy. Then enforce them. A security policy with haphazard compliance
is almost as bad as no policy at all.
9. Update your staff
A security policy is a dynamic document because the network itself is always evolving. People
come and go. Databases are created and destroyed. New security threats pop up. Keeping the
security policy updated is hard enough, but keeping staffers aware of any changes that might
affect their day-to-day operations is even more difficult. Open communication is the key to
success.
10. Install the tools you need
Having a policy is one thing, enforcing it is another. Internet and e-mail content security
products with customizable rule sets can ensure that your policy, no matter how complex, is
adhered to. The investment in tools to enforce your security policy is probably one of the most
cost-effective purchases you will ever make.
https://www.computerworld.com/article/2572970/10-steps-to-a-successful-security-policy.html
Conclusion
If it is important to be secure, then it is important to be sure that every part of the security
policy is enforced by mechanisms that are strong enough to do so. Organized methodologies and
risk assessment strategies exist to assure the completeness of security policies and to assure
that they are completely enforced.

Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 

Security policy.pdf

Question 8: What is security policy? Why do you need a security policy? How to develop a security policy?

Introduction

A security policy should outline the key items in an organization that need to be protected. This might include the company's network, its physical building, and more. It also needs to outline the potential threats to those items. If the document focuses on cyber security, threats could include those from the inside, such as the possibility that disgruntled employees will steal important information or launch an internal virus on the company's network.

Security policy

A security policy is a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur.

A security policy is an overall statement of intent that dictates what role security plays within the organization. Security policies can be organizational policies, issue-specific policies, or system-specific policies, or a combination of all of these.
[https://www.sciencedirect.com/topics/computer-science/security-policy]

A security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets.

Why do you need a security policy?

A security policy contains pre-approved organizational procedures that tell you exactly what you need to do in order to prevent security problems and the next steps if you are ever faced with a data breach. Security problems can include:

- Confidentiality – people obtaining or disclosing information inappropriately
- Data Integrity – information being altered or erroneously validated, whether deliberate or accidental
- Availability – information not being available when it is required, or being available to more users than is appropriate

At the very least, having a security policy will ensure everyone in the IT department is on the same page on security processes and procedures.
https://www.varonis.com/blog/how-to-create-a-good-security-policy/

Policies and Procedures are two of the words that most employees dread to hear, especially when it comes to IT Security. The obvious question is why do we need to have IT Security policies and procedures? Well, there are many reasons and here are the top 5 reasons, in no particular order:

They address threats – Threats are everywhere, especially when it comes to IT Security and the explosion of Ransomware these days. The goal behind IT Security Policies and Procedures is to address those threats, implement strategies on how to mitigate those threats, and how to recover from threats that have exposed a portion of your organization.

They engage employees – I know that this might sound a little crazy but bear with me on this one. Think about a time when you worked for an organization that forced a bunch of policies and procedures down your throat. What were some of the thoughts that you had? Where did these come from? Who created them? Why are we doing this? These are all valid questions and ones that can be avoided when you engage employees in the process of developing and implementing IT Security policies and procedures.

Who does what, when, and why? – IT Security policies and procedures provide a roadmap to employees of what to do and when to do it. Think about those annoying password management policies that every company has. You know the ones where you have to change your password every 47 minutes and can't use the last 56 passwords that you previously entered. If that policy and procedure didn't exist in organizations, how common would it be for people to use simple, easy to guess passwords that ultimately open the organization to increased risk of data theft and/or data loss?

Who gets access to what – Think about the days when you were back in college and you would go to a nightclub. Do you remember when you would venture towards the back of the nightclub and there was the VIP section with a very large, angry person guarding who got in and who didn't get in? Policies and procedures play the role of bouncer in a nightclub. They dictate who has access to what information, why, and reasons for accessing it. Without policies and procedures in place, everyone would be allowed into the VIP section and that wouldn't be good for business.

What's the penalty – IT Security policies and procedures outline the consequences for failing to abide by the organization's rules when it comes to IT Security. We all have choices to make as to whether we are going to comply with the policy that has been outlined, that's just human nature. But, people like to know, and need to know, what the consequence is for failing to follow a policy. Policies and procedures provide what the expectation is, how to achieve that expectation, and what the consequence is for failure to adhere to that expectation.
https://www.compassitc.com/blog/it-security-policies-and-procedures-why-you-need-them

There are some other reasons why a security policy is needed. These are the following:

- Protects organization through proactive policy stance.
- Establishes the rules for user behavior and any other IT personnel.
- Define and authorize consequences of violation.
- Establish baseline stance on security to minimize risk for the organization.
- Ensure proper compliance with regulations and legislation.
https://www.slideshare.net/charlesgarrett/importance-of-a-security-policy-11380022

Develop a security policy

Tenable security policy must be based on the results of a risk assessment as described in Chapter 2. Findings from a risk assessment provide policy-makers with an accurate picture of the security needs specific to their organization. This information is imperative because proper policy development requires decision-makers to:

- Identify sensitive information and critical systems
- Incorporate local, state, and federal laws, as well as relevant ethical standards
- Define institutional security goals and objectives
- Set a course for accomplishing those goals and objectives
- Ensure that necessary mechanisms for accomplishing the goals and objectives are in place
https://nces.ed.gov/pubs98/safetech/chapter3.asp

There are two parts to any security policy. One deals with preventing external threats to maintain the integrity of the network. The second deals with reducing internal risks by defining appropriate use of network resources. Addressing external threats is technology-oriented. While there are plenty of technologies available to reduce external network threats -- firewalls, antivirus software, intrusion-detection systems, e-mail filters and others -- these resources are mostly implemented by IT staff and are undetected by the user. However, appropriate use of the network inside a company is a management issue. Implementing an acceptable use policy (AUP), which by definition regulates employee behavior, requires tact and diplomacy.
At the very least, having such a policy can protect you and your company from liability if you can show that any inappropriate activities were undertaken in violation of that policy. More likely, however, a logical and well-defined policy will reduce bandwidth consumption, maximize staff productivity and reduce the prospect of any legal issues in the future.
These 10 points, while certainly not comprehensive, provide a common-sense approach to developing and implementing an AUP that will be fair, clear and enforceable.

1. Identify your risks

What are your risks from inappropriate use? Do you have information that should be restricted? Do you send or receive a lot of large attachments and files? Are potentially offensive attachments making the rounds? It might be a nonissue. Or it could be costing you thousands of dollars per month in lost employee productivity or computer downtime.

A good way to identify your risks can be through the use of monitoring or reporting tools. Many vendors of firewalls and Internet security products allow evaluation periods for their products. If those products provide reporting information, it can be helpful to use these evaluation periods to assess your risks. However, it's important to ensure that your employees are aware that you will be recording their activity for the purposes of risk assessment, if this is something you choose to try. Many employees may view this as an invasion of their privacy if it's attempted without their knowledge.

2. Learn from others

There are many types of security policies, so it's important to see what other organizations like yours are doing. You can spend a couple of hours browsing online, or you can buy a book such as Information Security Policies Made Easy by Charles Cresson Wood, which has more than 1,200 policies ready to customize. Also, talk to the sales reps from various security software vendors. They are always happy to give out information.

3. Make sure the policy conforms to legal requirements

Depending on your data holdings, jurisdiction and location, you may be required to conform to certain minimum standards to ensure the privacy and integrity of your data, especially if your company holds personal information. Having a viable security policy documented and in place is one way of mitigating any liabilities you might incur in the event of a security breach.

4. Level of security = level of risk

Don't be overzealous. Too much security can be as bad as too little. You might find that, apart from keeping the bad guys out, you don't have any problems with appropriate use because you have a mature, dedicated staff. In such cases, a written code of conduct is the most important thing. Excessive security can be a hindrance to smooth business operations, so make sure you don't overprotect yourself.
5. Include staff in policy development

No one wants a policy dictated from above. Involve staff in the process of defining appropriate use. Keep staff informed as the rules are developed and tools are implemented. If people understand the need for a responsible security policy, they will be much more inclined to comply.

6. Train your employees

Staff training is commonly overlooked or underappreciated as part of the AUP implementation process. But, in practice, it's probably one of the most useful phases. It not only helps you to inform employees and help them understand the policies, but it also allows you to discuss the practical, real-world implications of the policy. End users will often ask questions or offer examples in a training forum, and this can be very rewarding. These questions can help you define the policy in more detail and adjust it to be more useful.

7. Get it in writing

Make sure every member of your staff has read, signed and understood the policy. All new hires should sign the policy when they are brought on board and should be required to reread and reconfirm their understanding of the policy at least annually. For large organizations, use automated tools to help electronically deliver and track signatures of the documents. Some tools even provide quizzing mechanisms to test users' knowledge of the policy.

8. Set clear penalties and enforce them

Network security is no joke. Your security policy isn't a set of voluntary guidelines but a condition of employment. Have a clear set of procedures in place that spell out the penalties for breaches in the security policy. Then enforce them. A security policy with haphazard compliance is almost as bad as no policy at all.

9. Update your staff

A security policy is a dynamic document because the network itself is always evolving. People come and go. Databases are created and destroyed. New security threats pop up. Keeping the security policy updated is hard enough, but keeping staffers aware of any changes that might affect their day-to-day operations is even more difficult. Open communication is the key to success.

10. Install the tools you need

Having a policy is one thing, enforcing it is another. Internet and e-mail content security products with customizable rule sets can ensure that your policy, no matter how complex, is adhered to. The investment in tools to enforce your security policy is probably one of the most cost-effective purchases you will ever make.
https://www.computerworld.com/article/2572970/10-steps-to-a-successful-security-policy.html

Conclusion

If it is important to be secure, then it is important to be sure all of the security policy is enforced by mechanisms that are strong enough. There are organized methodologies and risk assessment strategies to assure the completeness of security policies and assure that they are completely enforced.
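As an added illustration of the conclusion's point that a written policy needs enforcing mechanisms (this is not code from the original document or from any of the sources it cites), the password rotation and reuse rules mentioned under "Who does what, when, and why?" and the annual re-signing from step 7 are written as checks that produce findings per user. Every rule value, name, date and password below is constructed.

```python
"""Policy-as-code: the written rules discussed above expressed as checks.
Added illustration; every rule value, name, date and password is constructed."""
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Policy:
    password_max_age_days: int = 90   # rotate at least this often (constructed)
    password_history: int = 5         # the last N passwords may not be reused
    ack_interval_days: int = 365      # staff re-sign the policy at least annually

@dataclass
class UserRecord:
    name: str
    password_set_on: date
    history: list                     # (salt, digest) pairs, most recent first
    policy_signed_on: date | None = None

def hash_password(password: str, salt: bytes | None = None) -> tuple:
    """Salted PBKDF2, so the history never holds plaintext or unsalted hashes."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_reused(user: UserRecord, policy: Policy, candidate: str) -> bool:
    """True if the candidate matches any of the last N stored passwords."""
    for salt, digest in user.history[:policy.password_history]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            return True
    return False

def check_user(user: UserRecord, policy: Policy, today: date) -> list:
    """Findings for one user; an empty list means compliant."""
    findings = []
    if user.policy_signed_on is None:
        findings.append("policy never signed")
    elif (today - user.policy_signed_on).days > policy.ack_interval_days:
        findings.append("policy acknowledgement overdue")
    if (today - user.password_set_on).days > policy.password_max_age_days:
        findings.append("password past maximum age")
    return findings

def compliance_report(users, policy, today) -> dict:
    """Name -> findings; this is what an enforcement process would act on."""
    return {u.name: check_user(u, policy, today) for u in users}

# Constructed sample records for a stand-alone run.
POLICY = Policy()
TODAY = date(2024, 6, 1)
ALICE = UserRecord("alice", date(2024, 5, 1), [hash_password("Spring-2024!")], date(2024, 1, 15))
BOB = UserRecord("bob", date(2023, 12, 1), [hash_password("old-pass-1")], date(2023, 2, 1))

if __name__ == "__main__":
    for name, findings in compliance_report([ALICE, BOB], POLICY, TODAY).items():
        print(name, findings or "compliant")
```

The history check compares against the stored salted digests rather than keeping old passwords, and the report only names what is out of policy; deciding the penalty (step 8) stays with the people who own the policy.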