Importance of a Security Policy
Security policies provide many benefits and are worth the time and effort needed to develop them. Security policies are important to organizations for a number of reasons, including the following:
Create a baseline of your current security posture
Set the framework for security implementation
Define allowed and disallowed behavior
Help determine necessary tools and procedures
Communicate consensus and define roles
Define how to handle security incidents
This leads directly to the next question: What should a good security policy contain? The following list is an overview of the key components or sections for a security policy:
Statement of authority and scope
Identifies the sponsors of the security policy and the topics to be covered.
Acceptable use policy
Spells out what the company allows and does not allow regarding its information infrastructure.
Identification and authentication policy
Specifies what technologies and equipment are used to ensure that only authorized individuals have access to the organization's data.
Internet access policy
Defines the ethical and proper use of the organization's Internet access capabilities.
Campus access policy
Defines how on-campus users should use the data infrastructure.
Remote access policy
Describes how remote users should access the company's data infrastructure.
Incident handling procedure
Specifies how the organization creates an incident response team and the procedures the team uses during and after an incident occurs. A security policy has no use if no appropriate actions take place after an incident has happened.
NOTE
Each company's security policy is unique and must meet the objectives of the company. Also note that the previous list is not definitive.
The main purpose of a security policy is to inform users, staff, and management of their obligation to protect the organization's technology and information assets. The policy should state the mechanisms through which these requirements can be met. An acceptable use policy (AUP) can also be part of a security policy. It can tell the users what they can and cannot do on the network. A security policy should be as explicit as possible to avoid ambiguity or misunderstanding.