Wednesday, September 12, 2007

Security Policy

A security policy is a formal statement that governs who gets access to an organisation's resources and what they may and may not do with them. It is therefore defined as a formal statement of the rules that govern people who are given access to an organization's technology and information assets (see Site Security Handbook [1]).

A security policy encompasses the processes and procedures (rules) an organisation requires to protect its information assets, and to take action against personnel who violate them. One significant characteristic of a security policy is that it must address the specific security issues of the organisation; that is, it must be "point-specific". For example, an 'Acceptable Use' policy would cover the rules and regulations for appropriate use of the computing facilities [2], while an 'Email Policy' would address the rules and regulations for accepted use of corporate email facilities, and a 'Cryptographic Standards' policy would state the encryption algorithms, hash algorithms, Pretty-Good-Privacy (PGP) type and key sizes that are allowed for exchanging corporate information within and outside the organisation. Most activities carried out in an organisation must be carefully stipulated in its security policy.

The practice of copying another organisation's security policy verbatim is discouraged, because security policies must be specific and must apply to the organisation in question. When organisations copy a security policy, chances are that the copied policies will never apply to them.


1: B. Fraser (1997), "The Site Security Handbook", RFC 2196, [Online]: http://www.faqs.org/rfcs/rfc2196.html [Accessed 12th Dec. 2006].
2: SANS (SysAdmin, Audit, Network and Security) Institute, [Online]: http://www.sans.org/resources/policies/ [Accessed 5th Dec. 2006].
