Computer Security Policy Categories and Types
Once you have determined the value of your data, you need to develop a set of policies to help protect it. These policies are called security policies and may apply to users, the IT department, and the organization in general. When writing your policies, consider:
- What data may a user take home?
- If a user works from home or remote offices and uses the internet to transmit data, how secure must the data be when in transmission across the internet?
- What policies, network structure, and levels of defenses are required to secure your data depending on its importance, value and the cost of defending it?
The first items that should be defined are the policies related to the use and handling of your data. This will help you determine defensive measures and procedures. I have categorized policies into three different areas listed below:
- User Policies - Define what users can do when using your network or data and also define security settings that affect users such as password policies.
- IT Policies - Define the policies of the IT department used to govern the network for maximum security and stability.
- General Policies - High level policies defining who is responsible for the policies along with business continuity planning and policies.
User policies define what users can and must do to use your network and organization's computer equipment. They define what limitations are put on users to keep the network secure, such as whether they can install programs on their workstations, the types of programs they can use, and how they can access data. Some policies include:
- Password Policies - This policy is to help keep user accounts secure. It defines how often users must change their passwords, how long they must be, complexity rules (types of characters used such as lower case letters, upper case letters, numbers, and special characters), and other items.
- Proprietary Information Use - Acceptable use of any proprietary information owned by the company. Defines where it can be stored and where it may be taken, how and where it can be transmitted.
- Internet Usage - Use of internet mail; use of programs that send passwords or unencrypted data over the internet.
- System Use - Program installation, no instant messaging, no file sharing such as Kazaa or Morpheus. Restrictions on use of your account or password (not to be given away).
- VPN and remote user system use (remote access) - Remote systems must be checked for viruses/trojans/backdoors, must have a firewall, and must have antivirus software.
- Acceptable use of hardware such as modems - No use of modems to connect to the internet without a personal firewall.
IT policies are general policies for the IT department which are intended to keep the network secure and stable.
- Virus incident and security incident - Intrusion detection, containment, and removal, following these steps:
  1. Prepare (policies, checklists/procedures)
  2. Identify (get evidence)
  3. Contain (pull off network, modify passwords)
  4. Eradicate (fix, determine cause, improve defenses, test for vulnerabilities)
  5. Recover (validate the system, monitor for re-infection)
  6. Lessons learned (make recommendations to prevent a similar incident)
- Backup policy - Define what to back up, who backs it up, where it is stored, how long it is stored, how to test backups, what program is used to do backups.
- Client update policies - Update clients how often and using what means or tools.
- Server configuration, patch update, and modification policies (security) - Remove unneeded services (harden the server). Which servers should have IDS. How is it determined when an update is needed? What is done when someone works on the server?
- Firewall policies - What ports to block or allow, how to interface to it or manage it, who has access to the control console.
- Wireless, VPN, router and switch security, DMZ policy, email retention, auto-forwarded email policy, the ability for IT to audit and do risk assessment, and acceptable encryption algorithms.
- High level program policy - Defines who owns other policies, who is responsible for them, scope and purpose of policies, any policy exceptions, related documents or policies.
- Business continuity plan - Includes the following plans:
  - Crisis Management - What to do during any crisis which may threaten the organization.
  - Disaster Recovery - Subfunctions:
    - Server recovery
    - Data recovery
    - End-user recovery
    - Phone system recovery
    - Emergency response plan
    - Workplace recovery
Policies can exist on many levels of the organization, from a group or team level to department level, plant level, or global organizational level. Some policies may only be effective on a local level, while others may be enterprise-wide throughout the organization.