comp.org.uk


Understanding Security Policies

A security policy for an organisation can be defined as a set of rules, formed to secure a company's intellectual property. A security policy describes data flow limitations and restrictions on access by external sources, such as malicious programs, code files, and data. A security policy applies to the company's staff, IT users, administrators, and so on. A security policy must be enforced on an organisation's network so that it helps protect the network from potential attacks and threats.

The following should be considered before creating a security policy:

Also, the policies created should define the following:

Need for a security policy

A security policy plays a vital role in the deployment of a network topology. A security policy helps network administrators to prioritise their administration role. A proactive security policy protects the intellectual property of a company from several potential attacks and threats. It also helps the organisation introduce rules and regulations for users about how they should make use of their IT equipment.

A security policy helps establish baseline security terms to reduce the risk of losing an organisation's artifacts. It gives security administrators an understanding of what steps they should take if there is a security violation, and what the consequences of the violation should be.

Five Steps to a Security Policy

There are important steps to follow when implementing a security policy:

Security policy components

A security policy consists of three important components:

Governing policy

The governing policy states the concept and importance of information security at a very high level and defines the organisation's stance on security policies. Governing policies are also created in alignment with other company policies, so they support most components of the security policy. The governing policy is mostly read and signed by management users, and it is also agreed to by the end users.

Technical policy

These policies cover most technical aspects of an IT environment and also address some of the aspects and topics within the governing policy. Examples of technical policies are policies created for the use of an operating system, an application, the network, and handheld devices such as mobiles, PDAs, and tablets.

Guidelines and job aids

Guidelines and job aids are the documentation that offers a step-by-step outline for implementing a specific security policy, depending on the analysis. Job aids act as a backup when a user or member of IT leaves the company, so that the knowledge needed to maintain the organisation's intellectual property safely is not lost with them. Thus guidelines and job aids help the organisation maintain security. An example is a document that explains how to install a software application on an end user machine.

How to develop a policy

Developing a policy is an art in which multiple blocks are assembled into a framework. This takes a lot of time and several revisions. There are two different approaches used to deploy a policy: the top-down approach and the bottom-up approach. Also, make sure that the new policy balances the current practices of the organisation. Finally, the policy should be efficient, and it should contain mechanisms to protect the organisation against different types of potential attack.

Published on Fri 01 June 2012 by Mike Hamley in Security with tag(s): security policies