Security policy basics defined
Solid security starts with a written document. A valid and sufficient
security policy exists only when it is documented and implemented. A written
security policy is the foundation upon which a viable real-world security
infrastructure is based.
The areas that should be included are:
- Acceptable Use Policy defines what is and is not an allowed activity on company premises, with company equipment, and when using company resources. It often defines actions that are specifically prohibited, such as accessing pornography, pirated content, or running a side business. These prohibitions are enforced with consequences in the event an employee is found in violation.
- Privacy Policy clearly defines what is and is not private when working on company equipment or when on company property. There are a variety of laws and regulations that address privacy. When privacy protection is legally mandated, a company must enforce and protect privacy in compliance with the regulations. Some organizations choose to grant additional privacy beyond that mandated by law.
- Password Policy defines the minimum length of a password, the types of characters allowed or required in the password, the minimum and maximum age of the password, and the prevention of password re-use. The password policy might also include account lockout parameters, which define the number of unsuccessful logon attempts granted before an account is temporarily or permanently disabled.
- Disposal and Destruction Policy defines when and how to get rid of things. There is always waste to be disposed of in every organization. Whether coffee grounds, sensitive printed documentation, or old storage devices, there needs to be a plan other than just tossing it in the bin.
- Storage and Retention Policy addresses data such as customer information, financial history, auditing data, etc., which must often be retained for years or indefinitely. It is important to thoroughly plan out the technology, storage location, and security of the process of backing up and storing this information.
- Incident Response Policy addresses preparation, detection, containment, eradication, recovery, and post-mortem review. The goal of this policy is to minimize downtime, reduce loss, and improve availability.
- Change Management Policy includes installation of new software, updating device drivers, application of patches, modifying configuration, and even physical reorganizations. When change is not controlled and monitored, security is at risk. A change management policy imposes a procedure to evaluate, test, and approve changes before they are allowed into the production environment.
- Firewall Policy dictates and defines how firewalls are to be implemented throughout the infrastructure.
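As an added example (not part of the original post), the Password Policy parameters listed above expressed as enforceable checks in Python: length, character classes, re-use history, maximum age, and account lockout. The concrete values (12 characters, three character classes, 90-day maximum age, a five-password history, five failures within 15 minutes) are assumptions for illustration, not taken from the text.

```python
import hashlib
import re
from dataclasses import dataclass, field

def _digest(password: str) -> str:
    # Illustrative only: a real store would use the credential DB's slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class PasswordPolicy:
    min_length: int = 12          # assumed values, not from the original post
    min_classes: int = 3          # of lower / upper / digit / symbol
    max_age_days: int = 90
    history_depth: int = 5        # previous passwords that may not be re-used
    lockout_threshold: int = 5    # failed logons before the account is locked
    lockout_window_s: int = 900   # seconds over which failures are counted

    def violations(self, password: str, history: list[str]) -> list[str]:
        """Return the rules a candidate password breaks (empty list = accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.min_classes:
            problems.append(f"fewer than {self.min_classes} character classes")
        if _digest(password) in history[-self.history_depth:]:
            problems.append(f"re-uses one of the last {self.history_depth} passwords")
        return problems

    def remember(self, password: str, history: list[str]) -> list[str]:
        """Record an accepted password's digest, keeping only the last N."""
        return (history + [_digest(password)])[-self.history_depth:]

    def is_expired(self, set_at: float, now: float) -> bool:
        """Maximum-age rule: True once the password is older than max_age_days."""
        return now - set_at > self.max_age_days * 86400

@dataclass
class LockoutTracker:
    policy: PasswordPolicy
    failures: dict = field(default_factory=dict)  # account -> failure timestamps

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed logon; True means the account is now locked."""
        window = self.policy.lockout_window_s
        recent = [t for t in self.failures.get(account, []) if now - t < window]
        recent.append(now)
        self.failures[account] = recent
        return len(recent) >= self.policy.lockout_threshold
```

Failures older than the lockout window are discarded before counting, so a slow trickle of mistakes does not lock the account while a burst does.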