With the increasing number of connections and growth of the Internet, security has become an issue for both corporate and individual environments. Therefore, it is crucial for every organization to design not only a good security architecture but also a proper security policy that can ensure things run as they are supposed to.
When designing a security policy, it is important to remember that there is no right or wrong way to begin the process of developing one. No single policy or security strategy will work for every organization. Many factors must be taken into account, including audience type, company business and size, and the maturity of the policy development process currently in place. A company which currently has no information security policy, or only a very basic one, may initially use a different strategy from a company which already has a substantial policy framework in place but wants to tighten it up and start to use policy for more complex purposes, such as tracking compliance with legislation.
The basic idea of a security policy is to provide protection for the integrity of your company's information, allow for the confidentiality and privacy of your company's information, and provide the availability of your company's information.
A security policy is different from security processes and procedures, in that a policy will provide both high level and specific guidelines on how your company is to protect its data, but will not specify exactly how that is to be accomplished. This provides leeway to choose which security devices and methods are best for your company and budget. A security policy is technology and vendor independent: its intent is to set policy only, which you can then implement in any manner that accomplishes the specified goals.
A security policy should cover all your company's electronic systems and data. As a general rule, a security policy would not cover hard copies of company data, but some overlap is inevitable, since hard copies invariably were soft copies at some point. Where the security policy applies to hard copies of information, this must be specifically stated in the applicable policy.
It is also possible to use policies to drive forward new company initiatives, with policy acting as the catalyst for future projects which move towards better security and general practices. For example, a policy stating that a certain type of encryption is required for sensitive information sent by email may (with prior consultation with the appropriate technical experts) help to promote the need to develop such a capacity in the future. The presence of this requirement in policy has made sure the impetus to develop the email encryption project has remained strong.
There will be different stakeholders who use the policy. In general, the main audience groups are all levels of management, technical staff, and end users. All users will fall into at least one category (end user) and some will fall into two or even all three.
Unfortunately, security policies are not easy to create. The process of producing a security policy is difficult, time-consuming, and expensive. Companies typically have two choices: either hire a security professional to write a custom policy for the organization, or write their own using resources found on the Internet or purchased guides. Each option has its own benefits and disadvantages. Hiring a security professional is expensive, while writing your own policy is impractical, as it takes too much time to do the research, browse, and find the right material.
No matter how the policy is developed, in order to be effective, a security policy must be clear and consistent. As important, a security policy should fit into your existing business structure and not mandate a complete, ground-up change to how your business operates. A security policy must be written so that it can be understood by its target audience (which should be clearly identified in the document). There must be a universal understanding of the policy and consistent application of security principles across the company.
As a general guideline, a security policy must have at least a few sections: overview, purpose, scope, target audience, policies, definitions, and version. The content has to be no longer than is absolutely necessary and written in plain English to avoid misunderstanding. The policy must comply with current laws and regulations, must be reasonable, and must be enforceable.
After the security policy has been in place for some period of time – which can be anywhere from three months to a year, depending on your company – the company's information security controls should be audited against the applicable policies. Make sure that each policy is being followed as intended and is still appropriate to the situation.