Handling a security policy -- literally

The security policy for an organization is not just a single document; it is an entire collection of documents including policies, standards, guidelines and procedures. These documents discuss both the big picture of security as well as the step-by-step installation details for the security of an environment. A set of documents with this much information about your organization should trigger a knee-jerk response -- it has got to be protected!

Your security policy is a roadmap for your organization on how to protect itself from intentional and accidental incidents. However, it is also a manual that instructs malicious entities exactly where your weaknesses are and what means of attack will be most effective. You must treat your security policy in the same vein as any other classified, proprietary or sensitive resource in your environment.

In addition to protecting your security policy from external entities, it is a good idea to restrict access by internal personnel as well. Users, managers, administrators, etc. should have access only to the procedures and guidelines that apply specifically to their work tasks or systems. There is no need for anyone outside of upper management and the infosec team to have access to the entire security policy.

As your environment changes and as you alter your system to protect against new threats or specific incidents, you need to update your security policy. As part of that effort, be sure that only the latest and most up-to-date version of the security policy documents remains in circulation. If everyone is not working from the same set of security instructions, then there is more potential for oversight or error resulting in additional security incidents.

About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

For more information, visit these resources:
  • Security Policies Tip: Keeping up with security policies
  • Security Policies Tip: Security policy by example
  • Security Policies Tip: Building your policy

    This was first published in May 2003
