WHAT IS A SECURITY POLICY?
A formal, brief, and high-level statement or plan that embraces an
organization’s general beliefs, goals, objectives, and acceptable
procedures for information security.
Policies exhibit the following attributes:
1. Require compliance
2. Specify the consequences of not following policies.
3. Identify what is desired, not how it will be implemented.
4. Desired results are derived from standards and guidelines.
5 STEPS TO A SECURITY POLICY
NEED FOR A SECURITY POLICY?
Protects organization through proactive policy stance.
Establishes the rules for user behavior and any other IT
Define and authorize consequences of violation.
Establish baseline stance on security to minimize risk for the
Ensure proper compliance with regulations and legislation.
SECURITY POLICY BENEFITS
Minimizes risk of data leak or loss.
Protects the organization from “malicious” external and internal
Sets guidelines, best practices of use, and ensures proper
Announces internally and externally that information is an asset, the
property of the organization, and is to be protected from unauthorized
access, modification, disclosure, and destruction.
Promotes proactive stance for the organization when legal issues
WHO USES A SECURITY POLICY?
POLICY DOCUMENT OUTLINE
Roles and Responsibilities
Sanctions and Violations
Revisions and Updating Schedule
Discusses high level information security concepts.
Defines what these information security concepts are, their
importance, and the organizational stance on these security
Read by management and end users.
Aligns with other company policies.
Supports the rest of the components of the security policy.
Covers some of the topics within the Governing Policy.
Technical policies are used for more specific technical topics.
Types of policies include: Operating Systems, Application,
Network, and Mobile Devices.
JOB AIDS AND GUIDELINES
Job aids are documents that outline, step by step, how to
implement a specific security measure. They serve as a backup
if a staff member leaves and ensure security is still maintained.
Examples include how to properly install DeepFreeze on a PC
or how secure passwords will be constructed.
Both guidelines and job aids help to maintain the security of the
organization and help to explain how policies.
POLICY DEVELOPMENT PROCESS
Start small and then build upon the policy over time with revisions.
Develop a set of policies that are critical and build the framework of the
Delicately balance the development of the policy with the bottom-up and top-
Work to develop a policy that balances both current practices and
the practices the organization would like to see in the future.
Most importantly, make sure to develop the policy so that it provides
mechanisms to protect the organization against the multiple types of threats.
Diver, S. Information security policy – a development guide for large and small companies.