Many security policies exist, and they can sometimes be categorized as follows:
Promiscuous Policy
This policy usually has no restrictions on usage of system resources.
Permissive Policy
This policy begins wide open, and only known dangerous services, attacks or behaviors are blocked. This type of policy has to be updated regularly to stay effective.
Prudent Policy
This policy provides maximum security while allowing known but necessary risks. This type of policy blocks all services by default, and only safe/necessary services are enabled individually. Everything is logged.
Paranoid Policy
This policy forbids everything. No Internet connection or severely restricted Internet usage is allowed.
Some examples of security policies could be:
Access Control Policy
This defines the resources being protected and the rules that control access to them.
Remote Access Policy
This defines who can have remote access, the access medium, and the security controls that apply to remote access.
Firewall Management Policy
This defines access, management and monitoring of firewalls in an organization.
Network Connection Policy
This defines who can install new resources on the network, who approves the installation of new devices, how network changes are documented, etc.
Password Policy
This defines guidelines for using strong password protection on available resources.
User Account Policy
This defines the account creation process, authority, rights and responsibility of user accounts.
Information Protection Policy
This defines the sensitivity levels of information, who may have access, how it is stored and transmitted, and how it should be deleted from storage media etc.
Special Access Policy
This defines the terms and conditions of granting special access to system resources.
Email Security Policy
This policy is designed to govern the proper usage of corporate email.
Acceptable Use Policy
This defines the acceptable use of system resources.
When creating and updating policies within any given organization, some privacy guidelines are essential to keep in mind. Tell the employees what information you collect, why you need the information and how the information will be utilized. Limit the collection of information to what you actually need and collect it by fair and lawful means. Also, inform employees of potential collection of information, the use of this information and disclosure of personal information. Always keep personal information accurate, complete and up-to-date. Provide employee access to their personal information the organization has in its possession. Keep any personal information secure without exception. Be aware of local laws and official requirements regarding any personal information.
Always keep the following steps in mind when creating or updating policies:
- Perform a risk assessment to identify risks to the organization's assets.
- Learn from standard guidelines and other organizations.
- Include senior management and all other staff in policy development.
- Set clear penalties and enforce them.
- Make the final version available to all employees in the organization.
- Ensure every member of your staff reads, understands and signs the policy.
- Deploy tools and controls to enforce policies.
- Train your employees and educate them about the policies in place and any updates.
- Regularly review and update your current policies.
A security policy team in an organization generally consists of an Information Security Team (IST), technical writers, technical personnel, legal counsel, human resources, an audit and compliance team, and users.
HR Implications of Security Policy Enforcement
The HR department is responsible for making employees aware of security policies and training them in the best practices defined in the policies. The HR department also works with management to monitor policy implementation and address any policy violations.
Legal Implications of Security Policy Enforcement
Enterprise information policies should be developed in consultation with legal experts and must comply with relevant local laws. Enforcement of a security policy that violates users' rights in contravention of local laws may result in lawsuits against the organization.