Don’t go breaking my rules

--Originally published at Don't Trust Humans, Trust Computers

Imagine a world without rules, with no one telling you what to do, how to do it, why you should do it and so on. You could make your own rules, like “no rules allowed” or some other nonsense like that. Even though this idea seems pretty cool, it isn’t at all. A world without rules would be pure chaos and madness, with everyone doing what they want no matter what. So we can say that rules are very important, no matter what people may think. Rules are what help us keep control (sometimes) of our nonsensical actions. We can find rules everywhere nowadays: in parks, schools, buses, malls, states, countries, households, the internet and so many other places. Today I am going to focus on a very specific type of rule set: security policies.

Security policies are a set of rules and procedures a company implements to ensure the functionality of the various systems it may have. All these rules and behaviors are written in an extended document that a company makes according to its needs. This document is always being modified because of the various new technologies that emerge and also because of situations that the company may have faced. Security policies differ between companies; they can share some of them, but in the end, there are going to be different policies for different companies. Even though they have different policies, they share some common goals, like creating a baseline for what a given person related to the company can do, or defining some security mechanisms.


When writing a policy, it is very important to keep some factors in mind, like:

  • the objectives of writing a policy.
  • the scope.
  • who enforces the policy.
  • the consequences of not following the policy.

When a well-defined security policy is made, it does the following:

  • it protects the information and the people.
  • it sets an expected behavior.

The people who are affected by the policies are usually called the audience. The audience is anyone who might have access to the company’s network, like employees, users, contractors, etc. When making the policies, a company needs to take into consideration all the different types of audience it might have and make specific policies for each one.

Some of the most common policies you might find in security policies are:

  • Password Policy.
    • This policy may include:
      • ways to protect a password.
      • the requirements to create an effective password.
      • how often a password needs to be changed.
  • Internet Connection Policy.
    • This policy may include:
      • defining the use of the internet.
      • controlling which websites a user can access.
      • defining connectivity.
  • Approved Application Policy.
    • This policy may include:
      • applications that can be used.
      • some exceptions.
  • System Update Policy.
    • This policy may include:
      • which systems need to be updated.
      • how often a system needs to be updated.
      • information about the update.
  • Server Monitoring Policy.
    • This policy may include:
      • which servers need monitoring.
      • how often to monitor the servers.
      • how they should be checked and what to check.

And there are even more policies that can be written, all depending on the company’s needs.

These security policies are a fundamental part of any company. They are the basis for how a company should work and what to do in some cases.

Stay safe.

A.C.

