The security policy for an organization is not just a single document; it is an entire collection of documents including policies, standards, guidelines and procedures. These documents discuss both the big picture of security as well as the step-by-step installation details for the security of an environment. A set of documents with this much information about your organization should trigger a knee-jerk response -- it has got to be protected!
Your security policy is a roadmap for your organization on how to protect itself from intentional and accidental incidents. However, it is also a manual that instructs malicious entities exactly where your weaknesses are and what means of attack will be most effective. You must treat your security policy in the same vein as any other classified, proprietary or sensitive resource in your environment.
In addition to protecting your security policy from external entities, it is also a good idea to restrict access to internal personnel as well. Users, managers, administrators, etc. should have access only to the procedures and guidelines that apply specifically to their work tasks or systems. There is no need for anyone outside of the upper management and the infosec team to have access to the entire security policy.
As your environment changes and as you alter your system to protect against new threats or specific incidents, you need to update your security policy. As part of that effort, be sure that only the latest
About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in May 2003