Thursday, June 29, 2006

The Security Policy, your best friend!

Most employees see the need for policies and procedures, but their support commonly wanes as soon as these mechanisms seem to hinder them from accomplishing their task.

It is a well-documented fact that having a security policy is the underpinning of any company's overall security strategy. The high-level policy should be technologically abstract, concentrating on statements that reflect senior management's vision for the enterprise security architecture.
The security policy is a very individual thing: financial institutions, for example, will have different objectives than government facilities or small independent companies.
Often the security policy will sit underneath the general organizational policy. You can learn a lot about a company's appetite for risk by reading the organizational policy and the security policy together.

Beneath the security policy sit standards, which turn the policy's statements into concrete, mandatory requirements.
For example, the policy may state "All internal information shall be protected by physical or logical controls." The corresponding standard may state "All internal information shall be protected with native Windows encryption (EFS), with the Data Recovery Agent key exported to the security operations team." Note how the policy statement is technology-neutral while the standard names a specific control and who holds the recovery capability.

Procedures give a consistent, repeatable approach to configuring devices so that they comply with the standards. A procedure can be technical in nature (the exact steps to configure a control) or a workflow for accomplishing a task, such as provisioning a server into a production environment in a controlled and audited manner.

Guidelines can be viewed as "best practices" (or "better practices", for those who dislike the term). They describe a default behaviour that gives the best results under a standard set of circumstances; unlike standards, they are recommendations rather than mandatory requirements.

Looking at this document hierarchy, it becomes clear that writing a clear and concise security policy is the first key step in information security. The policy should have the full approval and backing of senior management; without this, the policy will be very hard to enforce.

If you are tasked with a security function within a small firm that has no security policy, writing one is the first task on your agenda.
