A security policy is a set of objectives, rules of behavior for users and administrators, and requirements for system and management that are collectively designed to ensure the security of computer systems in an organization.

A very good introduction to security policies and the components that should be in a security policy is available in RFC 2196, Site Security Handbook. This RFC is a guide to developing computer security policies and procedures for sites that have systems on the Internet. The purpose of the handbook is to provide practical guidance to administrators trying to secure their information and services. The subjects covered include policy content and formation, a broad range of technical system and network security topics, and security incident response. This RFC defines a security policy as "a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."

