The organization's security policy, like the vacation policy or the
family leave policy, is an official company document that lays out the
expectations of the organization, the processes to be implemented, and the
sanctions for those who fail to comply. Without a well-defined and accepted
security policy, security becomes an ad hoc process governed by whoever is in
charge at the moment; at best it provides no real benefit to the
organization, and at worst it can lead to significant losses of resources and/or
opportunities.

Security policies are covered in detail in the “Site Security
Handbook” (RFC 2196). The handbook document defines a security policy as “A
formal statement of the rules by which people who are given access to an
organization’s technology and information assets must abide.” It goes on to say
that “the main purpose of a security policy is to inform users, staff, and
managers of their obligatory requirements for protecting technology and
information assets. The policy should specify the mechanisms through which these
requirements can be met. Another purpose is to provide a baseline from which to
acquire, configure, and audit computer systems and networks for compliance with
the policy. Therefore, an attempt to use a set of security tools in the absence
of at least an implied security policy is meaningless.”