Policies represent the corporate philosophy of
an organization. They provide staff the
direction and support needed to perform their
day-to-day duties. In the case of information
security, an information security policy helps
provide direction in accordance with business
requirements, standards, laws, and regulations.
Policies should be established in line with
business objectives. For example, management
demonstrates support for and commitment to
information security through the issuance and
maintenance of an information security policy.
Leading organizations use an information
security policy to define information security
and establish the framework for setting control
objectives within the organization. Security
controls help protect the organization's
sensitive information and intellectual property.
Unfortunately, many businesses use an ad hoc
approach to securing information, installing
firewalls, anti-virus software, and other
controls without a top-down, planned approach to
managing risks.
Security controls include administrative,
technical, and physical mechanisms to manage
risks. Security policies are essential to an
effective security system and express
management’s direction and guidance for
implementing, maintaining, and improving an
information security management system. Security
policies cover access control, password
management, patch management, system monitoring,
business continuity, compliance, and many other
areas.
Security controls often consist of the
following:
- Policy – the rules and requirements for
risk management and continuing business
operations.
- Standards – detailed networking and
security technologies for protecting
information systems.
- Guidelines – system- or topic-related
recommendations and best practices.
- Procedures – details to implement
standards and guidelines, guides for
installing software, securing facilities,
documenting security breaches, etc.
In some instances, policies can conflict with
each other. In these circumstances, a steering
committee can address policy conflicts and
identify appropriate compromises and alternative
solutions.
If your organization lacks policies, security
policy templates provide a jump start and help
you manage your risks.