Types of Security Policies

  • Types of Security Policies

    A lot of security policies exist, and they can sometimes be categorized into the following:

    Promiscuous Policy
    This policy usually has no restrictions on the usage of system resources.

    Permissive Policy
    This policy begins wide open, and only known dangerous services, attacks or behaviors are blocked. This type of policy has to be updated regularly to stay effective.

    Prudent Policy
    This policy provides maximum security while allowing known but necessary dangers. This type of policy blocks all services by default, and only safe or necessary services are enabled individually. Everything is logged.

    Paranoid Policy
    This policy forbids everything. No Internet connection or severely restricted Internet usage is allowed.

    Some examples of security policies could be:

    Access Control Policy
    This defines the resources being protected and the rules that control access to them.

    Remote Access Policy
    This defines who can have remote access, the access medium, and the remote access security controls.

    Firewall Management Policy
    This defines access, management and monitoring of firewalls in an organization.

    Network Connection Policy
    This defines who can install new resources on the network, who approves the installation of new devices, who documents network changes, etc.

    Password Policy
    This defines guidelines for using strong password protection on available resources.

    User Account Policy
    This defines the account creation process, and the authority, rights and responsibilities of user accounts.

    Information Protection Policy
    This defines the sensitivity levels of information, who may have access, how it is stored and transmitted, how it should be deleted from storage media, etc.

    Special Access Policy
    This defines the terms and conditions of granting special access to system resources.

    Email Security Policy
    This policy is designed to govern the proper usage of corporate email.

    Acceptable Use Policy
    This defines the acceptable use of system resources.

    When creating and updating policies within any given organization, some privacy guidelines are essential to keep in mind:
    1. Tell the employees what information you collect, why you need it, and how it will be used.
    2. Limit the collection of information to what you actually need, and collect it by fair and lawful means.
    3. Inform employees of any potential collection, use and disclosure of their personal information.
    4. Always keep personal information accurate, complete and up-to-date.
    5. Provide employees access to the personal information the organization holds about them.
    6. Keep all personal information secure, without exception.
    7. Be aware of local laws and official requirements regarding personal information.

    Always keep the steps below in mind when creating or updating policies:
    1. Perform a risk assessment to identify risks to the organization's assets.
    2. Learn from standard guidelines and other organizations.
    3. Include senior management and all other staff in policy development.
    4. Set clear penalties and enforce them.
    5. Make the final version available to all employees in the organization.
    6. Ensure every member of your staff reads, understands and signs the policy.
    7. Deploy tools and controls to enforce policies.
    8. Train your employees and educate them about the policies in place and any updates.
    9. Regularly review and update your current policies.

    A security policy team in an organization generally consists of an Information Security Team (IST), technical writers, technical personnel, legal counsel, human resources, an audit and compliance team, and users.

    HR Implications of Security Policy Enforcement
    The HR department is responsible for making employees aware of security policies and training them in the best practices defined in those policies. The HR department also works with management to monitor policy implementation and address any policy violation issues.

    Legal Implications of Security Policy Enforcement
    Enterprise information policies should be developed in consultation with legal experts and must comply with relevant local laws. Enforcement of a security policy that violates users' rights in contravention of local laws may result in lawsuits against an organization.
    Certified Security Geek