--Originally published at The shield of the world
So…I have a business, but how do I protect it? This is where the security policy plays its part. A security policy is a document that states in writing how a company plans to protect its physical and information technology assets. It defines the goals and elements of an organization’s computer systems. The definition can be highly formal or informal. Security policies are enforced through organizational policies or security mechanisms. The technical implementation determines whether a computer system is actually secure or insecure. The policies can be categorized according to the three security principles.
A security policy is often considered a “living document”, meaning that the document is never finished, but is continuously updated as technology and employee requirements change. A company security policy may include a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measures will be carried out and enforced, and a procedure for evaluating the effectiveness of the policy to ensure that necessary corrections are made.
The National Research Council has specifications that every company policy should address:
- Specific goals
- Responsibilities for compliance and actions to be taken in the event of noncompliance.
Every IT security policy has sections dedicated to adherence to the regulations that govern the organization’s industry. An organization’s security policy will play a large role in its decisions and direction, but it should not alter its strategy or mission. Therefore, it is important to write a policy that is drawn from the organization’s existing cultural and structural framework. The policy should not be generic; it should be tailored so that the company can achieve its mission and goals.
The policies may include:
- Password policy
- Network login policy
- Remote access policy
- Internet connection policy
- Approved application policy
- Asset control policy
- Equipment media disposal policy
- Media use and re-use policy
- Mobile computer policy
- Computer training policy
- IT Resource acceptable use policy
- Wireless use policy
- Anti-virus and malware policy
- System update policy
- User privilege policy
- Application implementation policy
- System lockdown policy
- Server monitoring policy
- IT Equipment purchase and failure prevention policy
- Incident response plan
- Intrusion detection policy
As you can see, the security policy is truly a living document, and you can fully tailor it to your own company so that it runs in the same direction as your mission and goals. Every day there are new possible attacks and new methods of defense, so the policy should be updated frequently by the IT admin or whoever is in charge of security in the company.
That’s all folks!!