What to do in case of…

--Originally published at Computer and Information Security

Some security issues cannot be stopped by technology. For example, an antivirus program cannot prevent a user from opening a link and releasing a virus, and corporate networks are vulnerable if former employees have working passwords. Technology alone is not enough, so policies are used to guide the implementation and management of security.

A security policy is a document that defines how an organization will deal with some aspect of security. Security policies can also address regulatory requirements, or they can simply be advisory.

There is one rule to follow when defining policies: there should be a policy for every possible situation. If there is no policy for a given problem, the problem may be aggravated. A policy needs to be very clear and specific to be effective.

Policies can be divided into user and administration policies.

The areas covered by the user policies are:

  • Passwords
  • Internet use
  • Email attachments
  • Installing/uninstalling software
  • Instant messaging
  • Desktop configuration

The administration policies should be a guide for the following scenarios:

  • New employees
  • Departing employees
  • Change requests
  • Security breaches
  • Virus infections
  • Denial of service attacks

This post was created with the collaboration of Salvador.