2. WHAT IS A SECURITY POLICY?
A formal, brief, and high-level statement or plan that embraces an
organization’s general beliefs, goals, objectives, and acceptable
procedures for information security.
Policies exhibit the following attributes:
1. They require compliance.
2. They state the consequences of not following the policy.
3. They identify what is desired, not how it will be implemented.
4. The desired results are derived from standards and guidelines.
3. 5 STEPS TO A SECURITY POLICY
1. Identify Issues
2. Conduct Analysis
3. Draft Language
4. Legal Review
5. Policy Deployment
4. NEED FOR A SECURITY POLICY?
Protects the organization through a proactive policy stance.
Establishes the rules of behavior for users and IT personnel.
Defines and authorizes the consequences of a violation.
Establishes a baseline stance on security to minimize risk to the
organization.
Ensures proper compliance with regulations and legislation.
5. SECURITY POLICY BENEFITS
Minimizes the risk of data leakage or loss.
Protects the organization from “malicious” external and internal
users.
Sets guidelines and best practices for use, and ensures proper
compliance.
Announces internally and externally that information is an asset, the
property of the organization, and is to be protected from unauthorized
access, modification, disclosure, and destruction.
Promotes a proactive stance for the organization when legal issues
arise.
6. WHO USES A SECURITY POLICY?
Administration
Club Staff
Computer Users
7. POLICY DOCUMENT OUTLINE
Introduction
Purpose
Scope
Roles and Responsibilities
Sanctions and Violations
Revisions and Updating Schedule
Contact Information
Definitions/Glossary/Acronyms
9. GOVERNING POLICY
Discusses high-level information security concepts.
Defines what these information security concepts are, their
importance, and the organizational stance on them.
Read by management and end users.
Aligns with other company policies.
Supports the rest of the components of the security policy.
10. TECHNICAL POLICIES
Covers some of the topics within the Governing Policy in more detail.
Technical policies address more specific technical topics.
Types of technical policies include: Operating Systems, Applications,
Network, and Mobile Devices.
11. JOB AIDS AND GUIDELINES
Job aids are documents that give step-by-step instructions on how to
implement a specific security measure. They serve as a backup
if a staff member leaves, ensuring that security is still maintained.
Examples are how to properly install DeepFreeze on a PC
or how secure passwords will be constructed.
Both guidelines and job aids help to maintain the security of the
organization and help to explain how policies.
13. POLICY DEVELOPMENT PROCESS
Start small and then build upon the policy over time with revisions.
Develop a set of critical policies first; these build the framework of the
security policy.
Carefully balance bottom-up and top-down approaches when developing
the policy.
Work to develop a policy that balances current practices with the
practices the organization would like to see in the future.
Most importantly, make sure to develop the policy so that it provides
mechanisms to protect the organization against multiple types of threats.
14. RESOURCES
Diver, S. Information security policy – a development guide for
large and small companies.
http://www.sans.org/reading_room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies_1331