Security Policies

This document provides information about security policies. It is meant only to provide ideas and information about security policies and is not a definitive guide to computer security. The reader should use their own judgement about how to handle their own computer security, and in reading information on this site agrees not to hold the webmasters of this site responsible for security incidents.

Policies are a set of requirements or rules that set a path toward a specific objective. Security policies should balance access against security: they should minimize risk without imposing undue access restrictions on those who need access to resources.

In addition, when defining policies and when living with them from day to day, keep the reasons for each policy in mind. A policy should never replace thinking. The reasons for the policy and the potential threats of every action should always be considered regardless of policy. When the actual likelihood of a threat and the potential damage are considered, it may turn out that the policy should be changed.

When writing security policies, keep in mind that an expert's recommendation of a specific policy does not, by itself, make your network more secure when you try to follow it. Experts in the game of chess say that a player should try to control the center of the board, but following this recommendation does not guarantee that I will win the game. I must still think. It is important that those who follow security policies think about and understand the reasons for them.

Policies should define:

  1. Scope - who the policy applies to.
  2. Who performs the actions defined by the policy.
  3. When the defined actions are to be done.
  4. Where, or on what equipment, the policy applies.
  5. The organizational level the policy applies to, such as a division or the entire enterprise.
  6. Who enforces the policy.
  7. The consequences of failure to follow the policy.
  8. Which procedures the policy references. Policies may reference the procedures that are used but do not define them. For example, a policy may specify that passwords must be changed every 60 days but not provide a procedure telling how to change them.

Security policies should be concise and as brief as possible while still fulfilling their purpose.

Security Policy Scope

Some security policies may pertain to everyone in the enterprise, such as a password policy, and others may be specific to how the IT department will handle communications, such as the system update policy. Different people or organizations may break policies into different categories. The listing of security policies in this document is only one way to break security policies down, and it is not necessarily inclusive of all policies that an organization should create. SANS lists security policies at http://www.sans.org/resources/policies/

Enforcement and Auditing

Another problem with security policies is enforcement and auditing. Your organization must determine how to enforce and audit security policies, or they will be worthless. Auditing is the process of determining whether the policies are being followed. Your organization should create a complete Information Systems Security Plan (ISSP) and incorporate the security policies into it along with the auditing process that has been set. This means that resources and personnel must be set aside to perform periodic audits, and management in the departments across the organization must accept the Information Systems Security Plan (ISSP).

This document provides some security policies that are shown as generic examples and others that provide guidance and ideas about how to write them.