Documenting the Security Policy

Figure 10-5 illustrates a sample security policy and how it can be divided into multiple documents that are applicable to the network segments.

Figure 10-5 Network Security Policy Documents

[Figure 10-5 content: a Corporate Information Security Policy (Identify Assets; Assess Risk; Identify Areas of Protection; Define Responsibilities) at the top, branching into four subordinate documents: Network Access Control Policy, Acceptable Use of Network, Security Management Policy, and Incident Handling Policy (Identify Legal Options; Define Responsibilities; Define Response Procedures).]

A general document describes the overall risk-management policy, identifies the corporation's assets, and identifies where protection must be applied. It also documents how risk management responsibility is distributed throughout the enterprise. Other documents, such as the following, might address more specific areas of risk management:

■ A general Network Access Control Policy documents how data is categorized (such as confidential, internal, and top-secret) and what general access control principles are implemented in the networks.

■ An Acceptable Use of Network document is usually written in easy-to-understand language and distributed to end users. This document informs users about their risk-management roles and responsibilities and should be as explicit as possible to avoid ambiguity or misunderstanding.

■ A Security Management Policy defines how the computing and network infrastructure is to be managed securely.

■ An Incident Handling Policy documents the procedures used to ensure reliable and acceptable handling of emergency situations. As Figure 10-5 shows, it identifies the available legal options, defines responsibilities, and defines the response procedures.

Numerous other areas can be covered in separate documents, depending on the organization's requirements. The security policy should have the acceptance and support of all levels of employees in the organization. Therefore, representatives of all key stakeholders and affected management should be involved in creating and revising the security policy.
