A security policy is a critical document that outlines how an organization will protect its assets from various security threats, both internal and external. It provides guidelines for managing risks, defining user behavior, establishing penalties for violations, and ensuring compliance with legal standards. Developing an effective security policy involves risk assessment, employee engagement, and ongoing training to adapt to evolving threats.

1. 1
Question 8: What is security policy? Why do you need a security policy? How to develop a
security policy?
Introduction
A security policy should outline the key items in an organization that need to be protected. This
might include the company's network, its physical building, and more. It also needs to outline the
potential threats to those items. If the document focuses on cyber security, threats could include
those from the inside, such as possibility that disgruntled employees will steal important
information or launch an internal virus on the company's network.
Security policy
A security policy is a written document in an organization outlining how to protect the
organization from threats, including computer security threats, and how to handle situations
when they do occur.
A security policy is an overall statement of intent that dictates what role security plays within the
organization. Security policies can be organizational policies, issue-specific policies, or system-
specific policies, or a combination of all of these.
[https://www.sciencedirect.com/topics/computer-science/security-policy]
A security policy is a document that states in writing how a company plans to protect the
company's physical and information technology (IT) assets.
Why do you need a security policy?
A security policy contains pre-approved organizational procedures that tell you exactly what you
need to do in order to prevent security problems and next steps if you are ever faced with a data
breach. Security problems can include:
 Confidentiality – people obtaining or disclosing information inappropriately
 Data Integrity – information being altered or erroneously validated, whether deliberate or
accidental
 Availability – information not being available when it is required or being available to
more users than is appropriate
At the very least, having a security policy will ensure everyone in the IT department is on the
same page on security processes and procedures.
https://www.varonis.com/blog/how-to-create-a-good-security-policy/
Policies and Procedures are two of the words that most employees dread to hear, especially when
it comes to IT Security. The obvious question is why do we need to have IT Security policies

2. 2
and procedures? Well, there are many reasons and here are the top 5 reasons, in no particular
order:
They address threats – Threats are everywhere, especially when it comes to IT Security and the
explosion of Ransom ware these days. The goal behind IT Security Policies and Procedures is to
address those threats, implement strategies on how to mitigate those threats, and how to recover
from threats that have exposed a portion of your organization.
They engage employees – I know that this might sound a little crazy but bear with me on this
one. Think about a time when you worked for an organization that forced a bunch of policies and
procedures down your throat. What were some of the thoughts that you had? Where did these
come from? Who created them? Why are we doing this? These are all valid questions and ones
that can be avoided when you engage employees in the process of developing and implementing
IT Security policies and procedures.
Who does what, when, and why? – IT Security policies and procedures provide a roadmap to
employees of what to do and when to do it. Think about those annoying password management
policies that every company has. You know the ones where you have to change your password
every 47 minutes and can’t use the last 56 passwords that you previously entered. If that policy
and procedure didn’t exist in organizations, how common would it be for people to use simple,
easy to guess passwords that ultimately open the organization to increased risk of data theft
and/or data loss.
Who gets access to what – Think about the days when you were back in college and you would
go to a nightclub. Do you remember when you would venture towards the back of the nightclub
and there was the VIP section with a very large, angry person guarding who got in and who
didn’t get in? Policies and procedures play the role of bouncer in a nightclub. They dictate who
has access to what information, why, and reasons for accessing it. Without policies and
procedures in place, everyone would be allowed into the VIP section and that wouldn’t be good
for business.
What’s the penalty – IT Security policies and procedures outline the consequences for failing to
abide by the organizations rules when it comes to IT Security. We all have choices to make as to
whether we are going to comply with the policy that has been outlined, that's just human nature.
But, people like to know, and need to know, what the consequence is for failing to follow a
policy. Policies and procedures provide what the expectation is, how to achieve that expectation,
and what the consequence is for failure to adhere to that expectation.
https://www.compassitc.com/blog/it-security-policies-and-procedures-why-you-need-them
There are some others reasons that are why security policy is need. These are in the following:
 Protects organization through proactive policy stance.

3. 3
 Establishes the rules for user behavior and any other IT personnel.
 Define and authorize consequences of violation.
 Establish baseline stance on security to minimize risk for the organization.
 Ensure proper compliance with regulations and legislation.
https://www.slideshare.net/charlesgarrett/importance-of-a-security-policy-11380022
Develop a security policy
Tenable security policy must be based on the results of a risk assessment as described
in Chapter 2. Findings from a risk assessment provide policy-makers with an accurate picture of
the security needs specific to their organization. This information is imperative because proper
policy development requires decision-makers to:
 Identify sensitive information and critical systems
 Incorporate local, state, and federal laws, as well as relevant ethical standards
 Define institutional security goals and objectives
 Set a course for accomplishing those goals and objectives
 Ensure that necessary mechanisms for accomplishing the goals and objectives are in
place
https://nces.ed.gov/pubs98/safetech/chapter3.asp
There are two parts to any security policy. One deals with preventing external threats to maintain
the integrity of the network. The second deals with reducing internal risks by defining
appropriate use of network resources.
Addressing external threats is technology-oriented. While there are plenty of technologies
available to reduce external network threats -- firewalls, antivirus software, intrusion-detection
systems, e-mail filters and others -- these resources are mostly implemented by IT staff and are
undetected by the user.
However, appropriate use of the network inside a company is a management issue. Implementing
an acceptable use policy (AUP), which by definition regulates employee behavior, requires tact
and diplomacy.
At the very least, having such a policy can protect you and your company from liability if you
can show that any inappropriate activities were undertaken in violation of that policy. More
likely, however, a logical and well-defined policy will reduce bandwidth consumption, maximize
staff productivity and reduce the prospect of any legal issues in the future.

4. 4
These 10 points, while certainly not comprehensive, provide a common-sense approach to
developing and implementing an AUP that will be fair, clear and enforceable.
1. Identify your risks
What are your risks from inappropriate use? Do you have information that should be restricted?
Do you send or receive a lot of large attachments and files? Are potentially offensive
attachments making the rounds? It might be a nonissue. Or it could be costing you thousands of
dollars per month in lost employee productivity or computer downtime.
A good way to identify your risks can be through the use of monitoring or reporting tools. Many
vendors of firewalls and Internet security products allow evaluation periods for their products. If
those products provide reporting information, it can be helpful to use these evaluation periods to
assess your risks. However, it's important to ensure that your employees are aware that you will
be recording their activity for the purposes of risk assessment, if this is something you choose to
try. Many employees may view this as an invasion of their privacy if it's attempted without their
knowledge.
2. Learn from others
There are many types of security policies, so it's important to see what other organizations like
yours are doing. You can spend a couple of hours browsing online, or you can buy a book such
as Information Security Policies Made Easy by Charles Cresson Wood, which has more than
1,200 policies ready to customize. Also, talk to the sales reps from various security software
vendors. They are always happy to give out information.
3. Make sure the policy conforms to legal requirements
Depending on your data holdings, jurisdiction and location, you may be required to conform to
certain minimum standards to ensure the privacy and integrity of your data, especially if your
company holds personal information. Having a viable security policy documented and in place is
one way of mitigating any liabilities you might incur in the event of a security breach.
4. Level of security = level of risk
Don't be overzealous. Too much security can be as bad as too little. You might find that, apart
from keeping the bad guys out, you don't have any problems with appropriate use because you
have a mature, dedicated staff. In such cases, a written code of conduct is the most important
thing. Excessive security can be a hindrance to smooth business operations, so make sure you
don't overprotect yourself.

5. 5
5. Include staff in policy development
No one wants a policy dictated from above. Involve staff in the process of defining appropriate
use. Keep staff informed as the rules are developed and tools are implemented. If people
understand the need for a responsible security policy, they will be much more inclined to
comply.
6. Train your employees
Staff training is commonly overlooked or underappreciated as part of the AUP implementation
process. But, in practice, it's probably one of the most useful phases. It not only helps you to
inform employees and help them understand the policies, but it also allows you to discuss the
practical, real-world implications of the policy. End users will often ask questions or offer
examples in a training forum, and this can be very rewarding. These questions can help you
define the policy in more detail and adjust it to be more useful.
7. Get it in writing
Make sure every member of your staff has read, signed and understood the policy. All new hires
should sign the policy when they are brought on board and should be required to reread and
reconfirm their understanding of the policy at least annually. For large organizations, use
automated tools to help electronically deliver and track signatures of the documents. Some tools
even provide quizzing mechanisms to test user's knowledge of the policy.
8. Set clear penalties and enforce them
Network security is no joke. Your security policy isn't a set of voluntary guidelines but a
condition of employment. Have a clear set of procedures in place that spell out the penalties for
breaches in the security policy. Then enforce them. A security policy with haphazard compliance
is almost as bad as no policy at all.
9. Update your staff

6. 6
A security policy is a dynamic document because the network itself is always evolving. People
come and go. Databases are created and destroyed. New security threats pop up. Keeping the
security policy updated is hard enough, but keeping staffers aware of any changes that might
affect their day-to-day operations is even more difficult. Open communication is the key to
success.
10. Install the tools you need
Having a policy is one thing, enforcing it is another. Internet and e-mail content security
products with customizable rule sets can ensure that your policy, no matter how complex, is
adhered to. The investment in tools to enforce your security policy is probably one of the most
cost-effective purchases you will ever make.
https://www.computerworld.com/article/2572970/10-steps-to-a-successful-security-policy.html
Conclusion
If it is important to be secure, then it is important to be sure all of the security policy is enforced
by mechanisms that are strong enough. There are organized methodologies and risk assessment
strategies to assure completeness of security policies and assure that they are completely
enforced.