Organizational Security Policies
A key element of any organization's security planning is an effective security policy. A security policy must answer three questions: who can access which resources in what manner?
A security policy is a high-level management document to inform all users of the goals of and constraints on using a system. A policy document is written in broad enough terms that it does not change frequently. The information security policy is the foundation upon which all protection efforts are built. It should be a visible representation of the priorities of the entire organization, definitively stating the underlying assumptions that drive security activities. The policy should articulate senior management's decisions regarding security as well as assert management's commitment to security. To be effective, the policy must be understood by everyone as the product of a directive from an authoritative and influential person at the top of the organization.
People sometimes issue other documents, called procedures or guidelines, to define how the policy translates into specific actions and controls. In this section, we examine how to write a useful and effective security policy.
Purpose
Security policies are used for several purposes, including the following:
recognizing sensitive information assets
clarifying security responsibilities
promoting awareness for existing employees
guiding new employees
Audience
A security policy addresses several different audiences with different expectations. That is, each group (users, owners, and beneficiaries) uses the security policy in important but different ways.
Users
Users legitimately expect a certain degree of confidentiality, integrity, and continuous availability in the computing resources provided to them. Although the degree varies with the situation, a security policy should reaffirm a commitment to this requirement for service.
Users also need to know and appreciate what is considered acceptable use of their computers, data, and programs. For users, a security policy should define acceptable use.
Owners
Each piece of computing equipment is owned by someone, and the owner may not be a system user. An owner provides the equipment to users for a purpose, such as to further education, support commerce, or enhance productivity. A security policy should also reflect the expectations and needs of owners.
Beneficiaries
A business has paying customers or clients; they are beneficiaries of the products and services offered by that business. At the same time, the general public may benefit in several ways: as a source of employment or by provision of infrastructure. For example, you may not be a client of BellSouth, but when you place a telephone call from London to Atlanta, you benefit from BellSouth's telecommunications infrastructure. In the same way, the government has customers: the citizens of its country, and "guests" who have visas enabling entry for various purposes and times. A university's customers include its students and faculty; other beneficiaries include the immediate community (which can take advantage of lectures and concerts on campus) and often the world population (enriched by the results of research and service).
To varying degrees, these beneficiaries depend, directly or indirectly, on the existence of or access to computers, their data and programs, and their computational power. For this set of beneficiaries, continuity and integrity of computing are very important. In addition, beneficiaries value confidentiality and correctness of the data involved. Thus, the interests of beneficiaries of a system must be reflected in the system's security policy.
Balance Among All Parties
A security policy must relate to the needs of users, owners, and beneficiaries. Unfortunately, the needs of these groups may conflict. A beneficiary might require immediate access to data, but owners or users might not want to bear the expense or inconvenience of providing access at all hours. Continuous availability may be a goal for users, but that goal is inconsistent with a need to perform preventive or emergency maintenance. Thus, the security policy must balance the priorities of all affected communities.
Contents
A security policy must identify its audiences: the beneficiaries, users, and owners. The policy should describe the nature of each audience and their security goals. Several other sections are required, including the purpose of the computing system, the resources needing protection, and the nature of the protection to be supplied. We discuss each one in turn.
Purpose
The policy should state the purpose of the organization's security functions, reflecting the requirements of beneficiaries, users, and owners. For example, the policy may state that the system will "protect customers' confidentiality or preserve a trust relationship," "ensure continual usability," or "maintain profitability."
There are typically three to five goals, such as:
Promote efficient business operation.
Facilitate sharing of information throughout the organization.
Safeguard business and personal information.
Ensure that accurate information is available to support business processes.
Ensure a safe and productive place to work.
Comply with applicable laws and regulations.
The security goals should be related to the overall goal or nature of the organization. It is important that the system's purpose be stated clearly and completely because subsequent sections of the policy will relate back to these goals, making the policy a goal-driven product.
Protected Resources
A risk analysis will have identified the assets that are to be protected. These assets should be listed in the policy, in the sense that the policy lays out which items it addresses. For example, will the policy apply to all computers or only to those on the network? Will it apply to all data or only to client or management data? Will security be provided to all programs or only the ones that interact with customers? If the degree of protection varies from one service, product, or data type to another, the policy should state the differences. For example, data that uniquely identify clients may be protected more carefully than the names of cities in which clients reside.
Nature of the Protection
The asset list tells us what should be protected. The policy should also indicate who should have access to the protected items. It may also indicate how that access will be ensured and how unauthorized people will be denied access. All the mechanisms described in this book are at your disposal in deciding which controls should protect which objects. In particular, the security policy should state what degree of protection should be provided to which kinds of resources.