Security Policy Components
A security policy is divided into smaller parts that help describe the overall risk management policy, identification of assets, and where security should be applied. Other components of the security policy explain how responsibilities related to risk management are handled throughout the enterprise.
Further documents concentrate on specific areas of risk management:

Acceptable-use policy is a general end-user document that is written in simple language. This document defines the roles and responsibilities within risk management and should have clear explanations to avoid confusion.

Network access control policy defines general access control principles used in the network and how data is classified, such as confidential, top secret, or internal.

Security management policy explains how to manage the security infrastructure.

Incident-handling policy defines the processes and procedures for managing security incidents, including the handling of emergency scenarios.
Several other documents supplement these; they vary depending on the organization. The security policy requires the acceptance and support of all employees to make it successful. All the key stakeholders or business leaders, including members of senior management, should have input into the development of the security policy. In addition, key stakeholders should continue to participate in the ongoing maintenance and updates to the security policy in order to keep it up-to-date.

Table 12-7 summarizes additional security policy documents.
Table 12-7 Security Policy Documents

Policy Description                                                          Document Name
Defines the roles and responsibilities within risk management               Acceptable-use policy
Defines general access control principles used and how data is              Network access control policy
classified, such as confidential, top secret, or internal
Explains how to manage the security infrastructure                          Security management policy
Defines the processes and procedures for managing incidents                 Incident-handling policy
Risk Assessment

Within network security, proper risk management is a technique used to lower risks to within acceptable levels. A well-thought-out plan for network security design implements the components that are part of the security policy. The security policies that an organization employs use risk assessments and cost-benefit analysis to reduce security risks.

Figure 12-6 shows the three major components of risk assessment. Control refers to how you use the security policy to minimize potential risks. Severity