compliance with industry standards from organizations such as ISO, as well as with the law and government regulations.
- Issue specific policy: These policies are intended to address specific needs within an organization, such as password procedures and Internet usage guidelines.
- System specific policy: For a given organization there may be several systems that perform different functions, and the use of one policy governing all of them may not be appropriate. It may be necessary to develop a policy directed toward each system specifically.
- A policy typically includes the following titles:
  - Purpose: reason for the policy
  - Related Documents: lists any other documents that affect the contents of the policy
  - Background: provides information on the need for the policy
  - Scope: states the range of coverage of the policy (to whom and to what does the policy apply)
  - Policy Statement: actual guiding principles or what is to be done
  - Action: specifies what actions are necessary and when they are to be accomplished
  - Responsibility: states who is responsible
  - Ownership: identifies who sponsors the policy and from whom it derives its authority, as well as defines who may change the policy.
Factors that contribute to the success of a security policy include management commitment, technological support for enforcing the policy, effective dissemination of the policy and the security awareness of all users. Management assigns responsibility for security, provides training for security personnel and allocates funds to security. Technological support for the security policy moves some responsibility for enforcement from individuals to technology. The result is an automatic and consistent enforcement of policies, such as those for access and authentication. Technical options that support policy include (but are not limited to):
- challenge/response systems for authentication
- auditing systems for accountability and event reconstruction
- encryption systems for the confidential storage and transmission of data
- network tools such as firewalls and proxy servers

There are many topics and papers devoted to site security policies, including requests for comments RFC 1244 (6) and RFC 1281 (7), guidelines written by the Internet Engineering Task Force.
3.1 Security-Related Procedures

Procedures are specific steps to follow that are based on computer security policy. Procedures address such topics as retrieving programmes from the network, connecting to the site's system from home or while travelling, using encryption, authentication for issuing accounts, configuration and monitoring.