and complete policies and procedures from an organization that does not perform risk
management periodically. As stated previously, information technology security is a
real-time risk management process, and it is that real-time risk management that keeps
policies and procedures up to date.
3. THE SECURITY POLICY
A policy is a documented, high-level plan for organization-wide computer and
information security. It provides a framework for making specific decisions, such as
which defensive mechanisms to use and how to configure services, and it is the basis for
developing secure programming guidelines and for the procedures that users and system
administrators are expected to follow. Because a security policy is a long-term document,
its contents avoid technology-specific issues, which belong in the procedures and
standards that implement it.
A security policy covers the following (among other topics appropriate to the
organization):
- a high-level description of the technical environment of the site, the legal
environment (governing laws), the authority of the policy, and the basic
philosophy to be used when interpreting the policy
- a risk analysis that identifies the site's assets, the threats that exist against those
assets, and the cost of losing each asset
- guidelines for system administrators on how to manage systems
- a definition of acceptable use for users
- guidelines for reacting to a site compromise (e.g., how to deal with the media and
law enforcement, and whether to trace the intruder or shut down and rebuild the
system)
The minimal set of documents that should exist in the security policy is:
- Anti-virus and Worm Incidents policy
- Password assessment policy
- Backup policy
- Incident Handling policy
A security policy protects both people and information. It sets the ground rules for the
expected behaviour of employees, system administrators, management and security
personnel. It also authorizes security personnel to monitor, probe and investigate in ways
that, without the policy, would be indistinguishable from the activity of an attacker.
A security policy establishes what must be done to protect information stored on
computers. A well-written policy defines the "what" precisely enough that the "how"
can be identified, implemented and measured.
It is critical to write down clearly what is expected of everyone in the organization
when it comes to security. It is equally helpful to tell people what is expected of them,
what the organization itself is going to do, and what others in the various roles within
the organization are going to do.
There are three types of policies:
- Programme policy: This high-level policy sets the overall tone of the
organization's security approach. It is usually brief, just long enough to establish
direction. Typically it is accompanied by guidance on enacting the other types of
policy and on who is responsible for them. This policy may provide direction for