Let’s begin by looking at the meaning of the word “policy”. Walt, C. (2001a) defines a policy in practical security terms as “a published document (or set of documents) in which the organization’s philosophy, strategy, policies, and practices with regard to confidentiality, integrity and availability of information.”

In other words, a policy is management’s statement of how the various stakeholders, especially employees, are expected to uphold the required security standards while carrying out the company’s activities.

Policies should:

  • state reasons why the policy is needed
  • describe what is covered by the policy – whom, what, and where
  • define contacts and responsibilities to outside agencies
  • discuss how violations will be handled

A journal article by James and Coldwell (2007) states that corporate policies should address both security and ethics issues. Management should include explicit statements about the following:

  • An organization’s method of handling the security of its system and information;
  • Privacy and security issues of information;
  • Informational assets complying with the impact of ethical behavior and conflict.

Users should be educated to recognize the value of assets, risks, and costs of compromise, as the human being is always the weakest link in security management. Therefore, when designing a security policy, human factors should be closely examined and reviewed. This view is supported by a white paper from British Telecommunication plc (BT White Paper 2004).

If you take a look at most security life cycle models, you will notice that a security policy is at the center of security processes, as shown in some typical models below:

http://www.sans.org/reading_room/whitepapers/testing/260.php (SANS Institute)

http://www.bradreese.com/andrew-r-reese.htm (BradReese.com)

http://www.audisec.com/html/philosophy.html

You should not overlook this important security tool in your organization, should you?

Reference:

BT White Paper (2004), ‘Why Security Policies Fail’, http://www.mis.uwec.edu/keys/Teaching/is365/208770-BT%20Why%20Security%20Policies%20Fail%20-20000718.pdf Accessed 08/08/08

James, H. and Coldwell, R.A. (1993), ‘Corporate Security: An Australian Ostrich’, Information Management & Computer Security, Vol 1, (Issue 4), 10-12

Walt, C. (2001a), ‘Introduction to Security Policies, Part One: An Overview of Policies’, SecurityFocus, August 27, 2001, http://www.securityfocus.com/print/infocus/1193 Accessed 08/08/08

Walt, C. (2001b), ‘Introduction to Security Policies, Part Three: Structuring Security Policies’, SecurityFocus, October 9, 2001, http://www.securityfocus.com/infocus/1487 Accessed 08/08/08

Weil, S. (2004), ‘How ITIL Can Improve Information Security’, SecurityFocus, December 22, 2004, http://www.securityfocus.com/infocus/1815 Accessed 08/08/08
