Developing a security policy
Your security policy defines what you want to protect and what you expect of your system users.
Each internet service that you use or provide poses risks to your system and the network to which it is connected. A security policy is a set of rules that apply to activities for the computer and communications resources that belong to an organization. These rules include areas such as physical security, personnel security, administrative security, and network security. It provides a basis for security planning when you design new applications or expand your current network. It describes user responsibilities, such as protecting confidential information and rules for creating passwords.
Your security policy should also describe how you will monitor the effectiveness of your security measures. Such monitoring helps you to determine whether someone might be attempting to circumvent your safeguards. To develop your security policy, you must clearly define your security objectives. Once you create a security policy, you must take steps to put into effect the rules that it contains.
You might find it useful to send security guidelines to all of your employees to emphasize your security policies regarding physical and system security. In these guidelines, you should include instructions about how to protect system security, such as signing off workstations, using passwords appropriately, and protecting the network from unauthorized intruders. The security policy can also explain the procedure for training employees and installing necessary software and hardware to ensure system security.
Remember that you can always change your security policy. When you make changes in your computing environment, you should update your security policy to address any new risks that these changes impose. Most companies find they need more strict security as they grow.
Performing the following steps to develop a security policy
- Talk with other members of your organization, such as security auditors, to better determine your security needs.
- Examine the technologies that you use in your company. For example, if your system is connected to the Internet, you will want a more restrictive security environment to protect your system from outside Internet users.
- Determine your overall approach to security, as follows:
- A strict policy is a need-to-know security scheme. In a strict security environment, you give users access only to the information and functions that they need to do their jobs. All others are excluded. Many auditors recommend the strict approach.
- An average security policy gives users access to objects, based on the authorities that you have assigned them.
- In a relaxed security environment, you allow authorized users access to most objects on the system. You restrict access only to confidential information. A single department or small company might use the relaxed approach on their systems.
- Determine what information assets require protection. To assist with this
determination, consider confidentiality, competitiveness, and operations:
- Information that is not generally available to people in your company. Payroll is an example of confidential information. Another example of confidential information is new technical information that has not yet been announced to the public.
- Information that gives you an advantage over your competition, such as product specifications, formulas, and pricing guidelines.
- Information about your computer that is essential for the daily operations of your business, such as customer records and inventory balances.
- Create a statement of company policy regarding security. This is an agreement between you and the top officials in the company. Your security policy should state what your overall approach is and what assets require protection. Example of a security policy
- Create a draft of your security policy. Example: Company security memo
- As you work through the planning process, take additional notes that you will use to complete the security policy.
- Complete the security policy and distribute it to the employees in your company. Use it as you carry out and monitor the security on the system.
After you have created a security policy, you can choose your Security levels on the system.