A security policy is documentation that spells out and enforces a specific set of rules and regulations. A policy is the foundation for ensuring a security program can be developed. A policy can be put in place to hold people accountable for their actions. It is a living document that allows an organization to define very clear objectives, goals, formal procedures, and rules that aid in defining the overall security posture and design of an organization.

Before getting into specifics, there are a few characteristics that all policies should have:
· The policy must be understandable
· The policy must be realistic
· The policy must be consistent
· The policy must be enforceable
· The policy must be documented, distributed, and communicated correctly
· The policy must be flexible
· The policy must be reviewed
A policy should spell out the following:
· Roles and responsibilities of those affected by the policy
· Which actions, processes, and activities are and are not allowed
· What the consequences are for non-compliance
The following list is what I feel are the most important policies and procedures:
· Password security policy - defines rules for passwords: complexity, length, expiration, etc.
· Physical access policy - guidelines for physical access and control
· Encryption policy - guidelines for encrypting data
· Remote access policy - defines what actions are and are not allowed when remotely entering the system
· Internal information access policy - covers who has access to what, on a 'need-to-know' basis
· Social media policy - covers what employees shouldn't post on social media sites
· Data classification policy - guidelines for data classification
· Acceptable use policy - covers Internet, local network, software installation, e-mail use, etc. for all users
· Privacy policy - guidelines on private data usage and control
· Disposal and destruction policy - guidelines on when/how data is disposed of or destroyed, and by whom
· Storage and retention policy - guidelines for storage and retention of data
· Incident response policy - guidelines for incident response, including roles and responsibilities
· HR policy - guidelines for HR
· Change management policy - guidelines for change management
· Firewall policy - guidelines for firewalls
· Personal electronic device policy - guidelines for mobile electronic devices, USB drives, and DVDs: what is and is not allowed in the facility