4.3.8 Security policy
Some people have malicious intent, while others make mistakes or follow insecure practices, putting equipment and data at risk. To protect assets, rules and regulations must be put in place to define how users should act, what actions are right or wrong, what they are allowed to do, and how they access systems and data.
A security policy defines all of the rules, regulations, and procedures that must be followed to keep an organisation, its people, and systems secure. A security policy can be divided into many different areas to address specific types of risk (Table 11).
Table 11 Types of security policies for people
| What the policy defines |
| --- |
| Who can connect, how they can connect, when they can connect, and what devices can be used to connect to a system remotely. This policy also defines the assets that are accessible to a remote user. |
| What methods are used to protect information depending on the level of sensitivity. Generally, the more sensitive the information, the greater the level of protection used to secure it. |
| The way in which users are allowed to use computers. This policy might define who can use certain computers, what programs must be used to protect a computer, or whether a certain storage medium is allowed to be used. |
| How physical assets are secured. Some assets may need to be locked away at night, kept in a locked area at all times, or specifically designated not to leave the property. |
| What password will be used to access specific resources and the complexity of the password. Often, this policy will control how often a password must be changed. |
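A written policy only protects assets if it can be checked against what users actually do. As an added example (not part of the original course text), the following Python turns the last row of Table 11, a password policy covering complexity and change frequency, into an enforceable check. The concrete thresholds (12-character minimum, four character classes, 90-day maximum age) and the small banned-word list are constructed values chosen for illustration, not figures from the page.

```python
"""Enforce a written password policy as code (illustrative example)."""
from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class PasswordPolicy:
    # Assumed thresholds for the example; a real policy sets its own.
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90                      # how often it must be changed
    banned: frozenset = frozenset({"password", "letmein", "welcome1"})


def evaluate_password(policy, password, last_changed=None, today=None):
    """Return a list of policy violations; an empty list means compliant.

    `last_changed` and `today` are dates used for the change-frequency rule;
    `today` defaults to the current date when not supplied.
    """
    violations = []

    # Complexity rules: length and required character classes.
    if len(password) < policy.min_length:
        violations.append(f"too short ({len(password)} < {policy.min_length})")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("missing uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("missing lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("missing digit")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        violations.append("missing symbol")

    # Banned-word rule: compare case-insensitively.
    if password.lower() in policy.banned:
        violations.append("password is on the banned list")

    # Change-frequency rule: reject passwords older than the maximum age.
    if last_changed is not None:
        today = today or date.today()
        age = (today - last_changed).days
        if age > policy.max_age_days:
            violations.append(f"expired ({age} days > {policy.max_age_days})")

    return violations


def is_compliant(policy, password, last_changed=None, today=None):
    """Convenience wrapper: True only when no rule is violated."""
    return not evaluate_password(policy, password, last_changed, today)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample inputs.
    for candidate in ("Tr0ub4dor&3x!", "password"):
        print(candidate, "->", evaluate_password(policy, candidate) or "compliant")
    print("age check ->", evaluate_password(policy, "Tr0ub4dor&3x!",
                                            last_changed=date(2024, 1, 1),
                                            today=date(2024, 6, 1)))
```

Each rule in the written policy maps to one `if` branch, so when the policy document changes, the corresponding branch or threshold is what gets updated; collecting every violation rather than stopping at the first gives a user the full list of what to fix.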
The most important part of a security policy is user education. The people governed by the security policy must not just be aware of this policy; they must understand and follow it to ensure the safety of people, data, and things.
To learn more about security policies, visit the.