A security policy for an organisation can be defined as the set of rules that governs how the organisation protects its intellectual property and other information assets. A security policy describes how data may flow within and out of the organisation, and restricts access by external sources such as malicious programs, untrusted code, and data of unknown origin. A security policy is used by the organisation's staff, its IT users, its administrators, and so on. It must be enforced on the organisation's network, since that is what protects the network from potential attacks and threats.
The following should be considered before creating a security policy:
- A security policy should balance access against security, and minimise risk
- A security policy supports, but does not replace, the judgement of the people who follow it
- A security policy must be written so that it can be revised when a new potential threat is identified
Also, the policies created should define the following:
- Aims of the policy
- Actions the policy requires or prohibits
- The devices on which the policy is configured and enforced
- Consequences when the policy is violated or fails
Need for a security policy
A security policy plays a vital role in the deployment of a network topology. It helps network administrators prioritise their administrative tasks. A proactive security policy protects the intellectual property of a company from a range of potential attacks and threats. It also gives the organisation a means of setting out rules for users on how they may use their IT equipment.
A security policy establishes a security baseline that reduces the risk of losing an organisation's assets. It tells security administrators what steps to take when a security violation occurs, and what the consequences of that violation should be.
Five Steps to a Security Policy
These are the steps to follow when implementing a security policy:
Identifying the risk: Identifying issues in the current environment starts with understanding how legitimate, authorised users use the organisation's resources; deviations from that normal use are what reveal risk. Risks in the network are identified with good monitoring and reporting tools.
Conducting an analysis: A thorough analysis should be conducted of the hardware and software in use in the organisation and of how securely they are used. Bear in mind that "too much is too bad": administrators should check that a high level of security does not disrupt the smooth running of the business.
Drafting the wording: Draft the rules, and make sure the policies are read and agreed to by every user in the organisation. In enterprise companies, administrators can use manual or automated tools to have users sign the policy. Tools are also available that test users' knowledge of the policy.
Performing a legal review: A legal review should be carried out to confirm that the policy is sound and that it clearly states the consequences a user faces for violating it.
Deploying the policy: Finally, deploy a policy that addresses the factors identified in the preceding steps.
Security policy components
A security policy consists of three important components:
- Governing Policy
- Technical Policy
- Guidelines and Job Aids
The governing policy describes the concept and importance of information security at a very high level and defines the organisation's stance on security. Governing policies are created in alignment with other company policies, so they support most components of the security policy. The governing policy is read and signed mainly by management, and it is also agreed to by end users.
Technical policies cover most technical aspects of an IT environment and elaborate on topics introduced in the governing policy. Examples of technical policies are those written for the use of operating systems, applications, the network, and handheld devices such as mobile phones, PDAs, and tablets.
Guidelines and job aids
Guidelines and job aids are the documentation that gives a step-by-step outline of how to implement a specific security policy, based on the analysis carried out earlier. Job aids also act as a backup when a user or member of IT staff leaves the company, so that operational knowledge, which is intellectual property in its own right, is not lost with them. In this way guidelines and job aids help the organisation maintain its security. An example is a document that explains how to install a software application on an end user's machine.
How to develop a policy
Developing a policy is an art in which multiple building blocks are assembled into a framework. This takes a lot of time and several revisions. Two different approaches are used to develop and deploy a policy: the top-down approach and the bottom-up approach. Also make sure that the new policy takes account of the organisation's current practices. Finally, the policy should be efficient, and it should contain mechanisms that protect the organisation against the different types of potential attack.
Published on Fri 01 June 2012 by Mike Hamley in Security with tag(s): security policies