The organization’s security policies define how security is to be implemented within the organization. Once a policy is defined, most employees are expected to follow it. With that said, you should also understand that full compliance with policy will not occur. Sometimes policy will not be followed because of business requirements; in other cases it will be ignored because of the perceived difficulty of following it.
Even though policy will not always be followed, it forms a key component of a strong security program and therefore must be included in any set of recommended practices. Without policy, employees will not know how the organization expects them to protect its information and systems.
At a minimum, the following policies are recommended as best practices:
- **Information policy** Defines the sensitivity of information within an organization, and the proper storage, transmission, marking, and disposal requirements for that information.
- **Security policy** Defines the technical controls and security configurations that users and administrators are required to implement on all computer systems.
- **Use policy** Identifies the approved uses of organization computer systems, and the penalties employees will incur for misusing such systems. It also identifies the approved method for installing software on company computers. This policy is also known as the acceptable use policy.
- **Backup policy** Defines the frequency of information backups, and the requirements for moving the backups to off-site storage. Backup policies may also identify the length of time backups should be stored prior to reuse.
Policies alone do not provide sufficient guidance for an organization’s security program. Procedures must also be defined to guide employees in performing specific duties and to identify the expected steps for different security-relevant situations.
This article is an excerpt from Network Security: A Beginner’s Guide, Third Edition, published by McGraw Hill. Visit Amazon to purchase the book.
All information in this article is copyrighted by McGraw Hill and is reprinted here by express permission of the publisher.