Primary Elements of a Security Policy
Minimally, the security policy or document of security objectives can address the following areas:
- Objectives or premises that establish the need for security in your environment.
- Scope of security: What is to be protected (data, software, and hardware, etc.)?
- Ownership of resources: Who owns the data processing resources such as data, facilities, and hardware?
- Responsibility for the integrity of the resources: Who is responsible for ensuring that resources are accessed, used, or modified only in a secure manner?
- Requirements to access the resources: Who “needs” access? Requirements may also specify those job functions authorized to determine when an individual requires access to a resource.
- Statement of intent as to how violations are logged and reported.
- Accountability: What action is taken when security is breached?
- Account protection requirements: In password-based security systems, this may include password change intervals, one account per employee, and rules for assigning accounts to remote users. These requirements assume that:
  - Access to data processing facilities and data is company property, granted to an employee to perform a specific job function.
  - Each employee is responsible for all use of their own account.
- Responsibility for the support and enforcement of the direction statement by functional area, including that of the security administration area.
Many policies elaborate on this last point since it states specifically what is expected of each functional area in the support and enforcement of the policy. Each user of the data processing resources must understand that they have a role to play in the security scheme, and must understand what that role is.
What follows is a discussion of the typical functional areas in a normal environment, and what their responsibilities include.
Copyright © 2014 CA Technologies.
All rights reserved.