Ask the Expert

How to create an enterprise-wide portal policy

I need to create a portal policy that I can roll out across my organization. Before I begin this process, are there any standards or guidelines that I should abide by?


You can use a couple of policy types with internal intranet portals and external portals facing the Internet. The most common policy is a privacy policy for Internet-facing portals. This policy outlines the types of data an organization collects from its site visitors and reviews what is done with this data. It is not necessarily something the security group or any department should write or post without the approval of management and corporate legal counsel. Now you may be asking yourself why this should be. The answer is simple: this policy is more than just a tool to inform your site's visitors that you collect data from them; it can be a legal tool as well. For example, say your organization posted an inaccurate policy stating that user information is never disclosed or shared in any way, but your organization passes potential sales leads or customer information to other partners. This is a violation of your policy. Having an inaccurate security policy could help someone who is suing your company, or it could help the prosecution if your company violated any federal or state privacy laws.

This commonly occurs when someone within a company writes their own policy terminology, posts it on a Web page or at the bottom of their email signature, and doesn't communicate with the organization's legal counsel on the matter. A company should also have a privacy statement on its site that is validated by its lawyers to ensure that a misstatement is not used, because it could be detrimental to the company down the road.

NIST has developed the following standard pertaining to privacy policies:

  • http://www.nist.gov/public_affairs/privacy.htm

Privacy portal policy examples:

  • http://www.ftc.gov/ftc/privacy.htm
  • http://www.aging.state.ca.us/CDA_Privacy_Policy.html
  • http://about.aol.com/aolnetwork/aol_pp

You may be referring to another type of policy that outlines what can be posted on a portal, who is allowed to submit items to it, how the submissions should be supplied and approved, and what types of items management will not allow on the portal, etc.

I am not familiar with any specific standard on this type of policy. It would just be an issue-specific policy with the focus of what can and cannot be done to the company portal, who can do it and what the ramifications for non-compliance are. I have listed some issue-specific policy resources below.

If you are looking for a good example on a portal policy, please review the following site: http://security.sdsc.edu/policy/PortalPolicy.html. This may encompass what you are trying to accomplish with this type of policy.

Issue-specific policy resources:

  • http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter5-printable.html
  • http://www.ncisse.org/publications/cissecd/Papers/S2P02.pdf
  • http://www.windowsecurity.com/whitepaper/Computer_and_Information_Security_Policy_.html
  • http://www.infosecwriters.com/text_resources/policies/Issue_Specific_antivirus1.doc
  • http://www.sans.org/y2k/sec_policy.htm#6

This was first published in June 2006