Apr 12

Good Security Policy - 10 Critical Components to Create One



Companies have made security a key priority, especially those that rely on ICT (information and communication technology) for their business. Computers and communication infrastructure offer wide opportunities to grow a business in an easy and cost-effective way, but they also expose it to risk. A good security policy aims to protect the company from the liability and losses that follow any kind of network or information compromise, and it is the key tool for addressing those issues properly.

A good security policy must take existing explicit and implicit rules and practices into account. Business processes evolve over time, and an abrupt switch to a new policy can produce unwanted results; introducing the new policy step by step is usually more effective, because staff and end users can adjust how they work at each stage. A good security policy should emphasize the process rather than only the end result.

A security policy is not only about procedures, methods, guidelines and technical wizardry. A good and sound security policy has several specific features and must involve management, end users, administrators and the processes themselves. It is best executed through administrative procedures, suitable guidelines and appropriate methods, all in line with the company's current goals and culture. A good security policy must clearly define the role of each user, administrator and manager in every security process. On the technical side, the policy must be implemented with sanctions at hand, to correct and prevent the technical violations that may occur.

Below is a list of 10 components of an effective security policy:

No. 1

A Violations Reporting Policy that indicates which types of violations (for example privacy and security, internal and external) must be reported, and to whom the reports are made. A non-threatening atmosphere and the possibility of anonymous reporting make it more likely that a violation will be reported if it is detected.

No. 2

Computer Technology Purchasing Guidelines which specify required, or preferred, security features.


No. 3

An Accountability Policy which defines the responsibilities of users, management, and operations staff. It should specify an audit capability and provide incident handling guidelines (e.g., what to do and whom to contact if a possible intrusion is detected).

No. 4

A Privacy Policy which defines reasonable expectations of privacy regarding such issues as monitoring of e-mail, logging of keystrokes, and access to users' files.


No. 5

An Authentication Policy which establishes trust through an effective password policy, and by setting guidelines for authentication from remote locations and for the use of authentication devices (e.g., one-time passwords and the devices that generate them).

No. 6

An Access Policy which defines access rights and privileges to protect assets from loss or disclosure, by specifying acceptable use guidelines for users. It should offer guidelines for external connections, adding new software, data communications, and connecting devices to the network or to systems. It should also define any required notification messages (for example, login banners should warn about authorized use and line monitoring, and not just say "Welcome").

No. 7

An Information Technology System and Network Maintenance Policy which describes how both external and internal maintenance staff are permitted to handle and access technology. One important topic to address here is whether remote maintenance is allowed and how such access is controlled. Managing and controlling outsourced maintenance should be treated as an equally important factor.

No. 8

Security Policy Implementation, which should be enforceable with tested applications and tools to limit technical liability: firewalls, antivirus, intrusion detection and similar tools.

No. 9

Supporting Information which provides staff and management with contact information for each type of policy violation; guidelines on how to handle outside queries about a security incident, or about information which may be considered confidential or proprietary; and cross-references to security procedures and related information, such as company policies and government laws and regulations.

No. 10

An Availability Statement which sets users' expectations for the availability of resources. It should address redundancy and recovery issues, as well as specify operating hours and maintenance downtime periods. It should also include contact information for reporting system and network failures.

There may be regulatory requirements that affect some aspects of your security policy (e.g., line monitoring). The creators of the security policy should consider seeking legal help while drafting it. At a minimum, the policy should be reviewed by legal counsel.

Once your security policy has been established it should be clearly communicated to staff and management. Have all personnel sign a statement indicating that they have read, understood, and agreed to abide by the policy; this is the essential final step in creating a good security policy. Finally, the policy should be re-examined on a regular basis to check whether it is still supporting your security needs.
