Defining the policy
Use this topic to help you gather the information you need to define an effective security policy.
When you define a policy, consider the following elements:
- Objectives, or what you want to accomplish with your security policy.
- Scope, or who and what your security policy should cover. Your policy should state who can perform an action, not who cannot perform it.
- Data, or what needs to be secured.
- Before defining your security policy, assemble all of the people who are
stakeholders in the security of your business. These people will want to contribute
to the definition of your security policy. These can include the following
types of people:
- Business leaders
- Data owners
- System administrators
- Legal analysts
- Internal auditors
- Identify the regulations and practices that influence your security needs.
This information can come from the following types of sources:
- Government or industry regulations or standards.
- Requirements of the stakeholders in the security of your business.
- Possible threats to your security.
- Identify the assets your security policy must control. The following types
of sources can help you identify your assets:
- The regulations that need to be followed.
- The types of data you use in your business, such as sales data or shipping data.
- The points at which data is created, accessed, or deleted.
- Identify the various roles individuals play as they interact
with the data protected by your security policy. To help identify these roles,
determine the following:
- The types of individuals who are interacting with the data assets.
- The nature of the interactions between the individuals and the assets.