Corporate Security Policy
All effective security measures start with a good,
comprehensive security policy. Developing a written and well-defined policy must
be the first step in addressing an organization's security needs. Indeed, all
efforts, both tactical and strategic, should flow from the policy. Furthermore,
as a company practices the methodology prescribed by the Security Wheel, the
security policy should become an integral feedback mechanism to measure success
and failure and should be updated as the need arises.
The security policy should contain a complete set of proactive and
reactive measures that an organization should take to prevent, or react to,
security events. The security policy should also address the following items:
roles and responsibilities, clear delineation of acceptable behavior, and
definition of data sensitivity classification. The repercussions of breaching
the security policy should also be documented. Other considerations within the
security policy include the delineation of:
Once a clear, balanced policy has been constructed, it must be
approved by the organization's stakeholders, such as executive managers, human
resources staff, IT and security staff, legal personnel, and others. With this
buy-in, the policy can be universally and consistently enforced rather than
being relegated to a shelf in the document library.
There are many resources regarding policy formation available
to the security administrator. Good starting points include RFC 2196 – The Site Security Handbook (www.ietf.org/rfc/rfc2196.txt) and the SANS "Design and
Implementation of the Corporate Security Policy" document (www.sans.org/resources/policies). Ample time should be dedicated
to developing a good security policy. Above all, the policy should be realistic,
flexible, and should be easily understandable by all within the organization.