Page 20 - DCAP516_COMPUTER_SECURITY

Computer Security




                                   2.2 What is a Security Policy?

                                   Security policies complement the hardware and software security measures of an organization.
                                   A policy determines how that hardware and software may be used, and it puts everyone in the
                                   organization on the same track.

                                   Did You Know? Every organization should have a stated security policy. It should be carefully
                                   written and reviewed by an attorney to be sure it does not create unnecessary liability.

                                   2.2.1 Requirements of the Policy

                                   1.  The policy must be consistent to be effective. There must be similar levels of security in
                                       all the areas it covers, such as physical security, remote access, internal password
                                       policies, and other policies.
                                   2.  The policy statement should be assessable: it must be possible to check whether it is
                                       being followed.

                                   3.  Issues should be clearly defined, along with when they apply to the policy. Define the
                                       services affected, such as email.
                                   4.  Clearly define goals of the policy.

                                   5.  Staff and management must find the policy acceptable. This is why it is important to
                                       justify each policy.
                                   6.  Define roles of the staff with respect to the policies and security issues.

                                   7.  The policy must be enforceable through network and system controls. For example, settings
                                       must be applied on the servers to ensure that domain passwords are reasonably complex,
                                       are not reused, are changed periodically, and so on.
                                   8.  Define consequences of security policy violation.
                                   9.  Define expected privacy for users.
                                   10.  Provide contact information for those interested in more information about the policy.
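Requirement 7 is the item on this list that turns into a technical control. The following Python example is added here to illustrate that point and is not code from the textbook: it checks a candidate password against the three rules the text names (reasonably complex, not repeated, changed periodically). The concrete limits (12 characters, 3 character classes, 5 remembered passwords, 90 days), the `PasswordPolicy` and `Account` names and the sample passwords are assumptions chosen for illustration, not figures from the page.

```python
"""Enforcing a written password policy with a system control.

Added example (not from the textbook): checks a candidate password against
the three rules named in requirement 7 -- reasonably complex, not repeated,
changed periodically. The concrete limits below are assumed values chosen
for illustration, not figures from the page.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import secrets


@dataclass
class PasswordPolicy:
    min_length: int = 12            # assumed value
    min_character_classes: int = 3  # of lower, upper, digit, symbol (assumed)
    history_depth: int = 5          # previous passwords that may not be reused (assumed)
    max_age_days: int = 90          # force a change after this many days (assumed)


@dataclass
class Account:
    username: str
    # Previous passwords are kept only as (salt, PBKDF2 digest) pairs, so the
    # history never stores a reusable secret.
    history: list = field(default_factory=list)
    last_changed: date = date(2000, 1, 1)


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash used for the history comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def complexity_violations(password: str, policy: PasswordPolicy) -> list:
    """Return the complexity rules the password breaks (empty list if none)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(password) < policy.min_character_classes:
        problems.append(f"fewer than {policy.min_character_classes} character classes")
    return problems


def is_reused(password: str, account: Account, policy: PasswordPolicy) -> bool:
    """True if the password matches one of the last `history_depth` passwords."""
    recent = account.history[-policy.history_depth:]
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in recent)


def is_expired(account: Account, policy: PasswordPolicy, today: date) -> bool:
    """True if the current password is older than the maximum age."""
    return today - account.last_changed > timedelta(days=policy.max_age_days)


def change_password(account: Account, new_password: str,
                    policy: PasswordPolicy, today: date) -> list:
    """Apply a password change; return the list of violations (empty on success)."""
    problems = complexity_violations(new_password, policy)
    if is_reused(new_password, account, policy):
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    if problems:
        return problems
    salt = secrets.token_bytes(16)
    account.history.append((salt, _digest(new_password, salt)))
    account.last_changed = today
    return []


if __name__ == "__main__":
    policy = PasswordPolicy()
    alice = Account("alice")  # constructed sample account
    print(change_password(alice, "Tr0ub4dor&3xyz", policy, date(2024, 1, 1)))  # []
    print(change_password(alice, "Tr0ub4dor&3xyz", policy, date(2024, 2, 1)))  # ['matches one of the last 5 passwords']
    print(is_expired(alice, policy, date(2024, 6, 1)))  # True
```

The point of the example is the mapping: each sentence of the written rule corresponds to one function, and a policy that cannot be expressed this way (or in the equivalent directory-server setting) is one the system cannot enforce. Storing the history as salted PBKDF2 digests rather than plaintext keeps the "not repeated" rule from creating a new exposure of its own.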

                                   2.2.2 Policy Definitions

                                   Policies may define procedures to be used or limitations on what can and cannot be done in the
                                   organization. Items that policies should define may include:
                                       -  Why the policy exists, or why a procedure is done and what it is.
                                       -  Who enforces the policy or performs the procedure, and why.
                                       -  Where the policy is effective, or where the procedure is done.
                                       -  When the policy is in effect, or when the procedure is used.
                                   The where and the when items define the policy scope.

                                   2.2.3 Policy Wording Suggestions


                                   If a security policy is worded incorrectly, it can be ineffective or become a source of trouble.
                                   Be careful not to imply guarantees about things you cannot fully control. For example, you
                                   cannot guarantee that employees will be unable to view pornographic web sites from their
                                   workplace. It may also be worth adding a disclaimer stating that the policy is not created to
                                   guarantee safety or to prevent the accidental exposure of employees to objectionable material,





          14                                LOVELY PROFESSIONAL UNIVERSITY