Handling a security policy -- literally

Learn why you need to protect your security policy document.

The security policy for an organization is not just a single document; it is an entire collection of documents including policies, standards, guidelines and procedures. These documents discuss both the big picture of security as well as the step-by-step installation details for the security of an environment. A set of documents with this much information about your organization should trigger a knee-jerk response -- it has got to be protected!

Your security policy is a roadmap for your organization on how to protect itself from intentional and accidental incidents. However, it is also a manual that instructs malicious entities exactly where your weaknesses are and what means of attack will be most effective. You must treat your security policy in the same vein as any other classified, proprietary or sensitive resource in your environment.

In addition to protecting your security policy from external entities, it is also a good idea to restrict the access that internal personnel have to it. Users, managers, administrators, etc. should have access only to the procedures and guidelines that apply specifically to their work tasks or systems. There is no need for anyone outside of the upper management and the infosec team to have access to the entire security policy.

As your environment changes and as you alter your system to protect against new threats or specific incidents, you need to update your security policy. As part of that effort, be sure that only the most up-to-date version of the security policy documents remains in circulation. If not everyone is working from the same set of security instructions, there is more potential for oversight or error, resulting in additional security incidents.

About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


For more information, visit these resources:
  • Security Policies Tip: Keeping up with security policies
  • Security Policies Tip: Security policy by example
  • Security Policies Tip: Building your policy

This was first published in May 2003.
