Page 18 - DCAP516_COMPUTER_SECURITY
Computer Security
large company, developing a single policy document that speaks to all types of users within the organization and addresses all the information security issues necessary may prove impossible. A more effective concept is to develop a suite of policy documents to cover all information security bases; these can be targeted for specific audiences, making a more efficient process for everyone.
This unit examines the elements that need to be considered when developing and maintaining
information security policy and goes on to present a design for a suite of information security
policy documents and the accompanying development process.
It should be noted that there is no single method for developing a security policy or policies. Many factors must be taken into account, including the type of audience and the company's business and size. Another factor is the maturity of the policy development process currently in place. A company which currently has no information security policy, or only a very basic one, may initially use a different strategy from a company which already has a substantial policy framework in place but wants to tighten it up and start to use policy for more complex purposes, such as tracking compliance with legislation. When starting out it is a good idea to use a phased approach: begin with a basic policy framework covering the major policies that are needed, then subsequently develop a larger number of policies, revise those already in place, and add to this through the development of accompanying guidelines and job-aid documents which will help support policy. The varying levels of maturity in policy development are discussed later in this paper in more detail.
2.1 Why Do You Need Security Policy?
Basic Purpose of Policy
A security policy should fulfill many purposes. It should:
1. Protect people and information
2. Set the rules for expected behavior by users, system administrators, management, and
security personnel
3. Authorize security personnel to monitor, probe, and investigate
4. Define and authorize the consequences of violation
5. Define the company consensus baseline stance on security
6. Help minimize risk
7. Help track compliance with regulations and legislation
Information security policies provide a framework for best practice that can be followed by all
employees. They help to ensure risk is minimized and that any security incidents are effectively
responded to. Information security policies will also help turn staff into participants in the
company’s efforts to secure its information assets, and the process of developing these policies
will help to define a company’s information assets. Information security policy defines the
organization’s attitude to information, and announces internally and externally that information
is an asset, the property of the organization, and is to be protected from unauthorized access,
modification, disclosure, and destruction.
Policy and Legislative Compliance
In addition to the purposes described above, security policies can be useful in ways that go
beyond the immediate protection of assets and policing of behavior. They can be useful compliance
12 LOVELY PROFESSIONAL UNIVERSITY