security polic
...
This handbook is a guide to setting computer security policies and
procedures for sites that have systems on the Internet (however, the
information provided should also be useful to sites not yet connected
...
...
This guide is only a framework for setting security policies and
procedures. In order to have an effective set of policies and
procedures, a site will have to make many decisions, gain agreement ...
... Internet community. However, this document should be useful to any
site that allows communication with other sites. As a general guide
to security policies, this document may also be useful to sites with
isolated systems.
...
...
One of the most important reasons for creating a computer security
policy is to ensure that efforts spent on security yield cost
effective benefits. Although this may seem obvious, it is possible
...
... Security Policies ...
... What is a Security Policy and Why Have One? ...
... Your goals should be communicated to all users, operations staff, and
managers through a set of security rules, called a "security policy."
We are using this term, rather than the narrower "computer security
policy" since the scope includes all types of information technology
and the information stored and manipulated by the technology.
...
... Definition of a Security Policy ...
...
A security policy is a formal statement of the rules by which people
who are given access to an organization's technology and information
assets must abide.
...
... Purposes of a Security Policy ...
...
The main purpose of a security policy is to inform users, staff and
managers of their obligatory requirements for protecting technology
...
...
An Appropriate Use Policy (AUP) may also be part of a security
policy. It should spell out what users shall and shall not do on the
various components of the system, including the type of traffic
...
...
In order for a security policy to be appropriate and effective, it
needs to have the acceptance and support of all levels of employees
within the organization. It is especially important that corporate
management fully support the security policy process otherwise there
is little chance that they will have the intended impact. The
following is a list of individuals who should be involved in the
creation and review of security policy documents:
...
... representatives of the user groups affected by the security
policy ...
... What Makes a Good Security Policy? ...
...
The characteristics of a good security policy are:
...
...
The components of a good security policy include:
...
... There may be regulatory requirements that affect some aspects of your
security policy (e.g., line monitoring). The creators of the
security policy should consider seeking legal assistance in the
creation of the policy. At a minimum, the policy should be reviewed
by legal counsel.
...
...
Once your security policy has been established it should be clearly
communicated to users, staff, and management. Having all personnel
...
...
In order for a security policy to be viable for the long term, it
requires a lot of flexibility based upon an architectural security
concept. A security policy should be (largely) independent from
specific hardware and software situations (as specific systems tend
...
... the quest for system security. They provide a certain level of
protection and are, in general, a way of implementing security policy
at the network level. The level of security ...
... addresses and fax numbers) be included
in the site security policy. The names and contact information of
all individuals who will be directly involved in the handling of an
incident should be placed at the top of this list.
...
...
When a security incident involves a user, the site's security policy
should describe what action is to be taken. The transgression should
be taken seriously, but it is very important to be sure of the role ...
...
At this point in time, your site has hopefully developed a complete
security policy and has developed procedures to assist in the
configuration and management of your technology in support of those
...
... Review all security policies and procedures annually (at a minimum).
...
