Security Policy: Topics to Cover

Security Policy: Topics to Cover

• needs to address:
• scope and purpose including relation of objectives to business, legal, regulatory requirements
• IT security requirements
• assignment of responsibilities
• risk management approach
• security awareness and training
• general personnel issues and any legal sanctions
• integration of security into systems development
• information classification scheme
• contingency and business continuity planning
• incident detection and handling processes
• how when policy reviewed, and change control to it

Management Support

• IT security policy must be supported by senior management
• need IT security officer
• to provide consistent overall supervision
• manage process
• handle incidents
• large organizations needs IT security officers on major projects/teams
• manage process within their areas

Security Risk Assessment

• critical component of process
• else may have vulnerabilities or waste money
• ideally examine every asset vs risk
• not feasible in practice
• choose one of possible alternatives based on organization’s resources and risk profile
• baseline
• informal
• formal
• combined

Baseline Approach

• use “industry best practice”
• easy, cheap, can be replicated
• but gives no special consideration to org
• may give too much or too little security
• implement safeguards against most common threats
• baseline recommendations and checklist documents available from various bodies
• alone only suitable for small organizations

Informal Approach

• conduct informal, pragmatic risk analysis on organization’s IT systems
• exploits knowledge and expertise of analyst
• fairly quick and cheap
• does address some org specific issues
• some risks may be incorrectly assessed
• skewed by analysts views, varies over time
• suitable for small to medium sized orgs