The main purpose of a security policy is to inform users, staff, and managers of the requirements and their responsibilities for protecting technology and information assets. The policy specifies the mechanisms through which these requirements are met. A security policy sets the framework for the security implementation, including the following:
Defines organizational assets and how to use them
Defines and communicates roles
Helps determine the tools and procedures necessary to implement the policy
Defines how to identify and handle security incidents
Some questions you might need to ask when developing a security policy include the following:
What data and assets will be covered by the security policy?
Under what conditions is communication allowed between networked hosts?
How will implementation of the policies be verified?
How will policy violations be detected?
What is the impact of a policy violation?
What actions are required if a policy is violated?
Another purpose of a security policy is to provide a baseline of the current security situation from which to acquire, configure, and audit computer systems and networks for compliance with the policy. The policy defines behaviors that are allowed and those that are not allowed and informs users of their responsibilities and the ramifications of asset misuse. Attempting to use security tools in the absence of at least an implied security policy is meaningless.
As part of developing a security policy, you should perform a risk assessment and cost-benefit analysis, including considering the latest attack techniques. Remember that the security system must be designed to accommodate the goals of the business, not hinder them.