COMPLIANCE COUNSELOR
Planning considerations for an effective security policy
E. Eugene Schultz
01.09.2001
Rating: -4.36- (out of 5)
|
Planning considerations for an effective security policy
E. Eugene Schultz
Although volumes have been written about securing information resources, many companies don't have effective data security. The way to get that security is to have an effective security policy, one that's tailored for your particular situation. This tip, excerpted from Windows NT/2000 Network Security, by E. Eugene Schultz, lists questions to ask when you're developing your policy.
-----------------------------------------------------------
An effective information security policy addresses many critical issues, including the following (at a minimum):
- Who owns the systems, networks, applications, and data accessible to users?
- What ongoing programs (for example, training and awareness) must be in place and what are their objectives?
- What constitutes "acceptable use" of computing resources and data?
- What is the relationship between job function and privileges that users receive? Most privileges be limited, and, if so, how?
- What are the responsibilities of management, resource owners, and users?
- What is the baseline of security controls to be implemented within systems and networks?
- What muse be done to secure connections from third parties?
- What level of monitoring and user accountability must be in place?
- What level of privacy can users expect and how should privacy expectations be communicated to users?
- What are the consequences of violating the policy?
- When, why, and how must the policy be updated?
One of the most effective ways to "bring the policy down to the level of users" is to create a user accountability statement. A user accountability statement provides an encapsulation of the information security policy in wording that users can understand. In many organizations with an effective information security program, users are required to read and sign a user accountability statement once, or sometimes even twice, a year (often during particular security training and awareness activity).
-----------------------------------------------------------
Related book
Windows NT/2000 Network Security
Author : E. Schultz
Publisher : Macmillan Technical Publishing
ISBN/CODE : 1578702534
Cover Type : Hard Cover
Pages : 375
Published : July 2000
Summary:
This book is intended primarily for LAN administrators, system programmers, information security staff and advanced users. Although the main focus of the book will be technical, many facets of Windows NT security involve practicing sound control procedures. As such, much of the book's discussion will be pertinent to all three groups. Windows NT/2000 Network Security will also thoroughly cover security-relevant technical issues such as controlling services protocols like Web-services and SMB. The book will be carefully sequenced to delve into technical issues increasingly with each chapter, so that the last half of the book will be more relevant to LAN administrators and system programmers than anyone else -- whereas the first half will be equally pertinent to all groups.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
