SlideShare a Scribd company logo
1 of 14
Download to read offline
IMPORTANCE OF
A SECURITY
POLICY
Charles Garrett
WHAT IS A SECURITY POLICY?
 A formal, brief, and high-level statement or plan that embraces an
     organization’s general beliefs, goals, objectives, and acceptable
     procedures for information security.


 Policies exhibit the following attributes:
1.    Require compliance
2.    What are the consequences of not following policies?
3.    Identifies what is desired now how it will be implemented.
4.    Desired results are derived from standards and guidelines.
5 STEPS TO A SECURITY POLICY
 Identify
  Issues

            Conduct
            Analysis

                         Draft
                       Language

                                   Legal
                                  Review

                                             Policy
                                           Deployment
NEED FOR A SECURITY POLICY?
 Protects organization through proactive policy stance.


 Establishes the rules for user behavior and any other IT
  personnel.


 Define and authorize consequences of violation.


 Establish baseline stance on security to minimize risk for the
  organization.


 Ensure proper compliance with regulations and legislation.
SECURITY POLICY BENEFITS
 Minimizes risk of data leak or loss.


 Protects the organization from “malicious” external and internal
  users.

 Sets guidelines, best practices of use, and ensures proper
  compliance.

 Announces internally and externally that information is an asset, the
  property of the organization, and is to be protected from unauthorized
  access, modification, disclosure, and destruction.

 Promotes proactive stance for the organization when legal issues
  arise.
WHO USES A SECURITY POLICY?

 Administration
 Club Staff
 Computer Users
POLICY DOCUMENT OUTLINE
 Introduction
 Purpose
 Scope
 Roles and Responsibilities
 Sanctions and Violations
 Revisions and Updating Schedule
 Contact Information
 Definitions/Glossary/Acronyms
COMPONENTS OF SECURITY
POLICY
            Governing
             Policy




          Technical Policy




           Guidelines/Job
          Aids/Procedures
GOVERNING POLICY
 Discusses high level information security concepts.


 Defines what these information security concepts are, their
  importance, and the organizational stance on these security
  concepts.

 Read by management and end users.


 Aligns with other company policies.


 Supports the rest of the components of the security policy.
TECHNICAL POLICIES
 Covers some of the topics within the Governing Policy.


 Technical policies are used for more specific technical topics.


 Types of policies include: Operating Systems, Application,
  Network, and Mobile Devices.
JOB AIDS AND GUIDELINES
 Job aids are documentation that outline step by step on how to
  implement a specific security measure. This serves as a backup
  if a staff member leaves and ensures security is still maintained.


 An example of this is how to properly install DeepFreeze on a PC
  or how secure passwords will be constructed.


 Both guidelines and job aides help to maintain security of the
  organization and help to explain how policies.
SECURITY POLICY TOPICS
Physical Security    Acceptable Use
Privacy              Account Management
Security Training    Admin/Special Access
Software Licensing   Change Management
Virus Protection     Incident Management
Password
POLICY DEVELOPMENT PROCESS
 Start small and then build upon the policy overtime with revisions.


 Develop a set of policies that are critical and build the framework of the
  security policy.

 Delicately balance the development of the policy with the bottom-up and top-
  down approach.

 Work to develop a policy that balances between both current practices and
  what practices the organization would like to see in the future.

 Most Importantly, make sure to develop the policy so that it provides
  mechanisms to protect the organization against the multiple types of threats.
RESOURCES
 Diver, S. Information security policy – a development guide for
  large and small companies
  http://www.sans.org/reading_room/whitepapers/policyissues/infor
  mation-security-policy-development-guide-large-small-
  companies_1331

More Related Content

What's hot

Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and AttacksSachin Darekar
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principlesDivya Tiwari
 
Information security
Information securityInformation security
Information securityLJ PROJECTS
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Securitybelsis
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Securitychauhankapil
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness TrainingDenis kisina
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Radar Cyber Security
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Securitysappingtonkr
 
Network security
Network securityNetwork security
Network securityfatimasaham
 

What's hot (20)

Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
Access Controls
Access ControlsAccess Controls
Access Controls
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and Attacks
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
 
Information security management
Information security managementInformation security management
Information security management
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
 
Information security
Information securityInformation security
Information security
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
 
Information Security
Information SecurityInformation Security
Information Security
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security
 
Network security
Network securityNetwork security
Network security
 

Similar to Importance Of A Security Policy

Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Bonagiri Rajitha
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER  5 Security Policies, Standards, Procedures, aCHAPTER  5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aMaximaSheffield592
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfalokkesh
 
unit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxunit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxManushiKhatri
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docxdurantheseldine
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management   it-tool...Protecting business interests with policies for it asset management   it-tool...
Protecting business interests with policies for it asset management it-tool...IT-Toolkits.org
 
Chapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfChapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfkimangeloullero
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management   it-toolkitsFundamentals of data security policy in i.t. management   it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsIT-Toolkits.org
 
Information security policy how to writing
Information security policy how to writingInformation security policy how to writing
Information security policy how to writingPasangdolmoTamang
 
Challenges in implementing effective data security practices
Challenges in implementing effective data security practicesChallenges in implementing effective data security practices
Challenges in implementing effective data security practiceswacasr
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxamit657720
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxmccormicknadine86
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxInfosectrain3
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standardsManish Chaurasia
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 

Similar to Importance Of A Security Policy (20)

Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER  5 Security Policies, Standards, Procedures, aCHAPTER  5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
 
unit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxunit 3 security plans and policies.pptx
unit 3 security plans and policies.pptx
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdf
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management   it-tool...Protecting business interests with policies for it asset management   it-tool...
Protecting business interests with policies for it asset management it-tool...
 
develop security policy
develop security policydevelop security policy
develop security policy
 
Chapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfChapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdf
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management   it-toolkitsFundamentals of data security policy in i.t. management   it-toolkits
Fundamentals of data security policy in i.t. management it-toolkits
 
Information security policy how to writing
Information security policy how to writingInformation security policy how to writing
Information security policy how to writing
 
Challenges in implementing effective data security practices
Challenges in implementing effective data security practicesChallenges in implementing effective data security practices
Challenges in implementing effective data security practices
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docx
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docx
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standards
 
Whitman_Ch04.pptx
Whitman_Ch04.pptxWhitman_Ch04.pptx
Whitman_Ch04.pptx
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 

Importance Of A Security Policy

  • 2. WHAT IS A SECURITY POLICY?  A formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for information security.  Policies exhibit the following attributes: 1. Require compliance 2. What are the consequences of not following policies? 3. Identifies what is desired now how it will be implemented. 4. Desired results are derived from standards and guidelines.
  • 3. 5 STEPS TO A SECURITY POLICY Identify Issues Conduct Analysis Draft Language Legal Review Policy Deployment
  • 4. NEED FOR A SECURITY POLICY?  Protects organization through proactive policy stance.  Establishes the rules for user behavior and any other IT personnel.  Define and authorize consequences of violation.  Establish baseline stance on security to minimize risk for the organization.  Ensure proper compliance with regulations and legislation.
  • 5. SECURITY POLICY BENEFITS  Minimizes risk of data leak or loss.  Protects the organization from “malicious” external and internal users.  Sets guidelines, best practices of use, and ensures proper compliance.  Announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.  Promotes proactive stance for the organization when legal issues arise.
  • 6. WHO USES A SECURITY POLICY?  Administration  Club Staff  Computer Users
  • 7. POLICY DOCUMENT OUTLINE  Introduction  Purpose  Scope  Roles and Responsibilities  Sanctions and Violations  Revisions and Updating Schedule  Contact Information  Definitions/Glossary/Acronyms
  • 8. COMPONENTS OF SECURITY POLICY Governing Policy Technical Policy Guidelines/Job Aids/Procedures
  • 9. GOVERNING POLICY  Discusses high level information security concepts.  Defines what these information security concepts are, their importance, and the organizational stance on these security concepts.  Read by management and end users.  Aligns with other company policies.  Supports the rest of the components of the security policy.
  • 10. TECHNICAL POLICIES  Covers some of the topics within the Governing Policy.  Technical policies are used for more specific technical topics.  Types of policies include: Operating Systems, Application, Network, and Mobile Devices.
  • 11. JOB AIDS AND GUIDELINES  Job aids are documentation that outline step by step on how to implement a specific security measure. This serves as a backup if a staff member leaves and ensures security is still maintained.  An example of this is how to properly install DeepFreeze on a PC or how secure passwords will be constructed.  Both guidelines and job aides help to maintain security of the organization and help to explain how policies.
  • 12. SECURITY POLICY TOPICS Physical Security Acceptable Use Privacy Account Management Security Training Admin/Special Access Software Licensing Change Management Virus Protection Incident Management Password
  • 13. POLICY DEVELOPMENT PROCESS  Start small and then build upon the policy overtime with revisions.  Develop a set of policies that are critical and build the framework of the security policy.  Delicately balance the development of the policy with the bottom-up and top- down approach.  Work to develop a policy that balances between both current practices and what practices the organization would like to see in the future.  Most Importantly, make sure to develop the policy so that it provides mechanisms to protect the organization against the multiple types of threats.
  • 14. RESOURCES  Diver, S. Information security policy – a development guide for large and small companies http://www.sans.org/reading_room/whitepapers/policyissues/infor mation-security-policy-development-guide-large-small- companies_1331