IMPORTANCE OF A SECURITY POLICY
Charles Garrett
WHAT IS A SECURITY POLICY?
- A formal, brief, and high-level statement or plan that embraces an organization's general beliefs, goals, objectives, and acceptable procedures for information security.

- Policies exhibit the following attributes:
1. They require compliance.
2. They define the consequences of not following the policy.
3. They identify what is desired, not how it will be implemented.
4. Desired results are derived from standards and guidelines.
5 STEPS TO A SECURITY POLICY
1. Identify Issues
2. Conduct Analysis
3. Draft Language
4. Legal Review
5. Policy Deployment
NEED FOR A SECURITY POLICY?
- Protects the organization through a proactive policy stance.
- Establishes the rules of behavior for users and IT personnel.
- Defines and authorizes the consequences of a violation.
- Establishes a baseline stance on security to minimize risk for the organization.
- Ensures proper compliance with regulations and legislation.
SECURITY POLICY BENEFITS
- Minimizes the risk of data leak or loss.
- Protects the organization from "malicious" external and internal users.
- Sets guidelines and best practices of use, and ensures proper compliance.
- Announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.
- Promotes a proactive stance for the organization when legal issues arise.
WHO USES A SECURITY POLICY?
- Administration
- Club Staff
- Computer Users
POLICY DOCUMENT OUTLINE
- Introduction
- Purpose
- Scope
- Roles and Responsibilities
- Sanctions and Violations
- Revisions and Updating Schedule
- Contact Information
- Definitions/Glossary/Acronyms
COMPONENTS OF A SECURITY POLICY
1. Governing Policy
2. Technical Policy
3. Guidelines/Job Aids/Procedures
GOVERNING POLICY
- Discusses high-level information security concepts.
- Defines what these information security concepts are, their importance, and the organizational stance on them.
- Read by management and end users.
- Aligns with other company policies.
- Supports the rest of the components of the security policy.
TECHNICAL POLICIES
- Cover some of the topics within the Governing Policy in more depth.
- Technical policies are used for more specific technical topics.
- Types of policies include: Operating Systems, Application, Network, and Mobile Devices.
JOB AIDS AND GUIDELINES
- Job aids are documentation that outlines, step by step, how to implement a specific security measure. This serves as a backup if a staff member leaves and ensures security is still maintained.
- Examples are how to properly install DeepFreeze on a PC, or how secure passwords will be constructed.
- Both guidelines and job aids help to maintain the security of the organization and help to explain the policies.
SECURITY POLICY TOPICS
- Physical Security
- Privacy
- Security Training
- Software Licensing
- Virus Protection
- Password
- Acceptable Use
- Account Management
- Admin/Special Access
- Change Management
- Incident Management
POLICY DEVELOPMENT PROCESS
- Start small and then build upon the policy over time with revisions.
- Develop a set of policies that are critical and build the framework of the security policy.
- Delicately balance the development of the policy between the bottom-up and top-down approaches.
- Work to develop a policy that balances both current practices and the practices the organization would like to see in the future.
- Most importantly, make sure to develop the policy so that it provides mechanisms to protect the organization against the multiple types of threats.
RESOURCES
- Diver, S. Information security policy - a development guide for large and small companies. http://www.sans.org/reading_room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies_1331
