‘Security policies’ are yet another aspect of information security that is all around us – but we are hardly aware of it. In this post we will look at the meaning of a security policy, the reasons for having security policies, and some examples of security policies.


A security policy, in a nutshell, is a document that lays out in detail how an organization plans to safeguard its business and technological assets.


It is framed by the management of an organization keeping in mind the type of the organization. A small business with 10-15 employees will need only a limited security policy. On the other hand, an organization with 1000 employees needs a mightier and tighter security policy. This policy needs to be strictly enforced as well.

Email policy, remote access policy, Internet policy, wireless communication policy are some examples of security policies.
Let us look at some examples of real world policies:

  1. Library policy – In a ‘library policy’, all books might have a due date, and the policy might state that a book has to be returned by that date (or a fine is paid, or the loan is extended by another period of time).
  2. Email policy – The ‘email policy’ might state that corporate email accounts may not be used for personal purposes.

Reasons for having security policies:
These are some reasons for having security policies:

  1. Security policies help to protect the assets of an organization (without a ‘remote access policy’, corporate data might be leaked!)
  2. They help to bolster the security team’s responsibilities
  3. In case there is any misunderstanding, the security policy serves as a reference

It is therefore an absolute necessity to create a security policy for every organization and make sure that it is followed as well.

Types of policies:
A policy can be divided into organizational policy, issue specific policy and system specific policy.
An organizational policy is laid out by the organization keeping in mind the business objectives of the company. It assigns responsibilities to the various employees. The language of the policy is expected to be simple and easy to follow, but strict.
An issue-specific policy deals with particular issues such as email or mobile devices. An email policy, as stated earlier, might require all employees not to use corporate email for personal purposes.
A system-specific policy relates to system-level objects such as networks, applications, etc. As an example, system-specific policies cover firewalls, VPNs or IDS/IPS.

Unenforceable policy:
The unenforceable policy is one thing that has to be clearly avoided when working with policies. An unenforceable policy is one that is created “just for the purpose of creating it” but cannot be enforced at all. There is also the possibility that it was created a long time back.
It is not followed by anybody in the organization, and sometimes people might not even know it exists.

“No personal use of office computers”

is a perfect example of an unenforceable policy.

Example of a security policy:

[Image not included: a sample ‘password policy’ for a client organization. Image source: Google Images]

Rules for creating a security policy:
These are some rules for creating a security policy:

  1. Identify the risks within the organization
  2. Communicate these risks to top-level management
  3. Frame the policies, or update existing policies, in line with the current security status. Many security policy templates relating to email, mobile devices and Internet security are available at “http://www.sans.org/security-resources/policies/”
  4. Make sure all members of the organization comply with the policies
  5. Arrange for a security awareness training campaign (Stephen Northcutt)

The security policy thus has to be created keeping in mind the business goals, the size and the type of the organization. The security policy has to be written clearly and with foresight. It should be able to withstand the test of time, and if it does not, it has to be revamped immediately. A security policy, when correctly created and enforced, will secure all end points of a network perimeter.

References:

Harris, S. All-in-One CISSP.
Northcutt, S., L. Z. Inside Network Perimeter Security.
http://articles.timesofindia.indiatimes.com/2013-08-24/security/41443485_1_mobile-devices-byod-phishing-attacks
http://www.sans.org/security-resources/policies/