Security policies are official, authorized documents that are created in compliance with the security philosophy of an organization. These documents are an overview of the organization’s assets and the degree of protection each asset or group of assets have. Well-crafted, coherent security policies would outline a set of rules to which users in the organization should follow when connecting to network resources. This would contain a listing of permissible and impermissible activities while clarifying and outlining security responsibilities.
Security policies aren’t mandates for how the policies should be applied, rather a guideline for administrators to reference when developing a plan of action and resulting reactions. Security policies can be formulated to satisfy the following needs:
Advisory policies – in place for all employees to be aware of the consequences of their actions. Informative policies – designed to inform and educate employees about company procedures.
Regulatory policies – make certain the organization is compliant with local, state and federal laws. Because security policies contain comprehensive information, it’s helpful to break the policy down into sub-documents, with each one covering a specific topic. These documents would include:
- User Policy – reviews the appropriate use of various items such confidential filing systems or Internet access.
- Configuration Policy – clarifies what applications are to be configured on the network and should assign a particular build for each system. This is a significant item to make certain all the network systems follow a set organization to reduce troubleshooting time.
- Patch Management system – explains the testing and distribution of updates being applied. Once approved, it’s incorporated into the standard build. This validates all new systems in accordance with the approved patch.
- Infrastructure Policy – explicitly defines how the system is to be managed and maintained, and who is charged with that responsibility. It also addresses service quality checking and controlling the systems, processing and consolidating of logs, managing change, the scheme for addressing network, and the standard for naming User Account Policy (which clearly defines which users have clearance and what permissions that entails). Make certain this follows the PC configuration policy. This can be managed by limiting user permissions.
Other policies - Depending on the organization, there will be other policies covering miscellaneous items such as encryption, password requirements, remote access, emailing sensitive information, and others.
