Develop a security policy

This topic defines a security policy and explains the process for creating a security policy.

Each internet service that you use or provide poses risks to your system and the network to which it is connected. A security policy is a set of rules that apply to activities for the computer and communications resources that belong to an organization. These rules cover areas such as physical security, personnel security, administrative security, and network security. Your security policy defines what you want to protect and what you expect of your system users. It provides a basis for security planning when you design new applications or expand your current network. It describes user responsibilities, such as protecting confidential information and creating nontrivial passwords.

Your security policy should also describe how you will monitor the effectiveness of your security measures. Such monitoring helps you to determine whether someone might be attempting to circumvent your safeguards. To develop your security policy, you must clearly define your security objectives. Once you create a security policy, you must take steps to put into effect the rules that it contains.

You might find it useful to send security guidelines to all of your employees to emphasize your security policies regarding physical and system security. In these guidelines, you should include instructions about how to protect system security, such as signing off workstations, using passwords appropriately, and protecting the network from unauthorized intruders. The security policy could also explain the procedure for training employees and installing necessary software and hardware to ensure system security.

Remember that you can always change your security policy. When you make changes in your computing environment, you should update your security policy to address any new risks that these changes impose. Most companies find they need more strict security as they grow.

Perform the following steps to develop a security policy:

  1. Talk with other members of your organization, such as security auditors, to better determine your security needs.
  2. Examine the technologies that you use in your company. For example, if your system is connected to the Internet, you will want a more restrictive security environment to protect your system from outside Internet users.
  3. Determine your overall approach to security, as follows:
    Strict
    A strict policy is a need-to-know security scheme. In a strict security environment, you give users access only to the information and functions that they need to do their jobs. All others are excluded. Many auditors recommend the strict approach.
    Average
    An average security policy gives users access to objects, based on the authorities that you have assigned them.
    Relaxed
    In a relaxed security environment, you allow authorized users access to most objects on the system. You restrict access only to confidential information. A single department or small company might use the relaxed approach on their systems.
  4. Determine what information assets require protection. To assist with this determination, consider confidentiality, competitiveness, and operations:
    Confidentiality
    Information that is not generally available to people in your company. Payroll is an example of confidential information. Another example of confidential information is new technical information that has not yet been announced to the public.
    Competitiveness
    Information that gives you an advantage over your competition, such as product specifications, formulas, and pricing guidelines.
    Operations
    Information on your computer that is essential for the daily operations of your business, such as customer records and inventory balances.
  5. Create a statement of company policy regarding security. This is an agreement between you and the top officials in the company. Your security policy should state what your overall approach is and what assets require protection. See "Example of a security policy" below.
  6. Create a draft of your security policy. See "Example: Company security memo" below.
  7. As you work through the planning process, take additional notes that you will use to complete the security policy.
  8. Complete the security policy and distribute it to the employees in your company. Use it as you implement and monitor the security on the system.

After you have created a security policy, you can choose the security level for your system.

Example of a security policy

Figure 1. Company Security Policy
Overall Approach
  • Relaxed: Most people need access to most information.
Critical Information
  • Contracts and special pricing
  • Payroll (Only Accounting can set and change credit limits for customers.)
  • Customer and inventory records
General Rules
  • Every system user has a user profile.
  • Users must change their password every 60 days.
  • Users must use the latest security patches.

Example: Company security memo

Figure 2. Company Security Memo

Security of the New System

You have all attended an information meeting about our new system. Those who will use the system have started training and will begin processing customer orders next week. Observe the following security guidelines when working on your system:
  • Everyone who needs to use the system will receive a user ID and a password. You will be required to change your password the first time you sign on the system and every 90 days after that. Passwords must be 8 characters in length and contain a combination of letters and numbers. Passwords must not contain your name, userid, or other personal information.
  • Do not share your password with anyone. If you forget your password, go to the technical support web site for instructions on resetting your password.
  • Lock your system using the screen-saver password when you are away from your desk.
  • Lock up confidential information when you go home for the day. Examples of confidential information include contract and special pricing information, and payroll records.
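The memo's password rules, expressed as an enforcement check. This is an added example written for this page, not code from the original documentation or from any product; the function names and sample data are constructed, and the "8 characters in length" rule is read as a minimum length.

```python
"""Enforce the password rules stated in the company security memo:
8 characters, letters and numbers, no name or user ID, change every 90 days."""
import re
from datetime import date, timedelta

MIN_LENGTH = 8              # memo: "Passwords must be 8 characters in length" (read as a minimum)
MAX_PASSWORD_AGE_DAYS = 90  # memo: change "every 90 days after that"


def check_password(password: str, user_id: str, full_name: str) -> list[str]:
    """Return the memo rules the password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "contain a combination of letters and numbers": both classes must be present
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        problems.append("must contain both letters and numbers")
    # "must not contain your name, userid, or other personal information":
    # compare case-insensitively against the user ID and each part of the name
    lowered = password.lower()
    personal = [user_id.lower()] + [p.lower() for p in full_name.split() if len(p) > 2]
    if any(term in lowered for term in personal):
        problems.append("contains the user's name or user ID")
    return problems


def password_expired(last_changed: date, today: date, first_signon: bool = False) -> bool:
    """True when the memo requires a change: at first sign-on, or after 90 days."""
    if first_signon:
        return True
    return today - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample user: user ID "jsmith", name "Jane Smith"
    for candidate in ("jsmith2024", "Pa55word", "abc"):
        print(candidate, check_password(candidate, "jsmith", "Jane Smith"))
    print(password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```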