Security policies are documents developed and implemented by an organization to manage security-related risks, meet business requirements, and comply with regulations. Security policies specify the controls and actions to be performed (what needs to be done) and are approved by senior management to ensure the policies are in line with the organization's overall level of risk tolerance.
Purpose
The main goal of security policies is to protect data by identifying the procedures, guidelines and safeguards for configuring and managing security in the organization's environment. Security policies define the organization's philosophy and requirements for securing information systems and related assets. They also outline how controls apply to staff, processes, and environments. Consequences of non-compliance with the policies are also addressed.
Security policies provide many benefits to organizations:
- Security vulnerabilities are identified and properly treated. This ensures security-related risks are aligned with the organization's level of risk tolerance.
- A consistent approach to security reduces the likelihood and impact of a security breach.
- Efficiencies are achieved when information is safely shared within the organization, as well as with customers, partners, and vendors.
- Heightened security awareness increases the likelihood of compliance with the security policies.
Risk Assessment
The first step when preparing security policies is to fully identify assets and the threats to those assets. Important IT assets can include network infrastructure components (firewalls, servers, data, storage, applications, important peripherals, etc.), staff (employees, consultants, temporary help, etc.), facilities (buildings, data centers), and security protection mechanisms (access control systems, locking cages, etc.). Other important assets that should be identified include intellectual property and customer goodwill.
When assessing risks, consider both external and internal threats. External threats can include hackers, viruses, Denial of Service (DoS) attacks, collateral damage from terrorists, fires, and related risks. Internal threats include unauthorized use of systems, untrained staff, failure to follow procedures, lack of or insufficient security controls, etc.
Following the identification of assets and threats, the organization should perform a risk analysis that identifies the likelihood and impact of an event on the organization. Consider the impact if the asset's data, networks or systems are compromised. Also consider a security incident's impact on the organization's credibility, reputation and relationships with stakeholders, customers, and business associates.
The risk assessment and risk analysis help:
- Ensure important assets are identified
- Allocate security expenditures to the most important assets
- Minimize expenses without exposing the organization to unnecessary risk
- Ensure resources are properly allocated to the most important assets
- Provide direction and guidance when developing security policies
Effective Security Policies
Once the assets, threats, and impact on the organization have been identified, security policies are used to treat the risks. Security policies are used to:
- Eliminate risks
- Transfer risk to an outside entity
- Reduce risks to acceptable levels
- Identify monitoring controls needed to ensure the risks remain within acceptable levels
- Avoid risks
Seven key elements should be included in each security policy:
- Overview - introduction and high-level summary
- Purpose - why this policy is needed
- Scope - departments/staff required to follow this policy
- Policy - specific policy text with assigned responsibilities and actions to be performed
- Enforcement - disciplinary actions to be taken if the policy is not followed
- Distribution - distribution list for this policy
- Revision History - dates and summaries of changes made
Once security policies are in place, procedures should be developed that specify the actions to be taken (how something is to be done) to support the policies. For example, the IT department may have written procedures for hardening a Windows server.
Recommended Security Policies
Security policies address access controls, patch management, monitoring systems, business continuity, compliance, and many other areas. The following is a minimum list of recommended security policies for small organizations. Medium and large organizations face greater risks and need more extensive policies and controls.
Security protection policies
- Anti-Malware Policy
- Backup Policy
- Encryption Policy
- Personnel Security Policy
- Securing Information Systems Policy
Risk management policies
- Business Impact Analysis
- Data Classification Policy
- Data Retention Policy
- Risk Assessment Policy
Network security policies
- Change Management Policy
- Disposal Policy
- Firewall Policy
- Password Policy
- Physical Access Policy
- Remote Access Policy
- Server Hardening Policy
- Workstation Security Policy
A security policy collection includes templates that give an organization a quick, cost-effective, and easy way to manage security-related risks, meet business requirements, and comply with regulations.