Constitution of security

--Originally published at Allow Yourself to fail and learn… and hack

Have you ever wondered what we should expect, as users or as members of a company, from the technology we use or the information we acquire and manipulate? There is a document for that, and it is called a security policy.

When we talk about security policies, we are talking about the document a company uses to declare, on paper, how it protects its technology and information. Like the technology it covers, this document is continually updated, adding to or changing what it states.

A policy should define the following:

  • Scope: who the policy applies to.
  • Who performs the actions the policy defines.
  • When the defined actions are to be done.
  • Where, or on what equipment, the policy applies.
  • The organizational level the policy applies to, such as a single division or the entire enterprise.
  • Who enforces the policy.
  • The consequences of failing to follow the policy.
  • Policies may reference the procedures that are used, but they do not define those procedures. For example, a policy may state that passwords must be changed every 60 days without providing a procedure that explains how to change them.


So, in simple words, it is a sort of agreement that we, as users, acknowledge, and that, as members of a company, guides us in applying security solutions to the problems that may arise. It is a sort of constitution, but with step-by-step guidance for each problem that could occur.

Extra: the voice acting here is horrible, but it is a clear example of a security policy in a company, in this case a secure password policy.

Useful reference:

http://www.comptechdoc.org/independent/security/policies/