Tip

Planning considerations for an effective security policy

Planning considerations for an effective security policy
E. Eugene Schultz

Although volumes have been written about securing information resources, many companies don't have effective data security. The way to get that security is to have an effective security policy, one that's tailored for your particular situation. This tip, excerpted from

    Requires Free Membership to View

Windows NT/2000 Network Security, by E. Eugene Schultz, lists questions to ask when you're developing your policy.

-----------------------------------------------------------

An effective information security policy addresses many critical issues, including the following (at a minimum):

  • Who owns the systems, networks, applications, and data accessible to users?
  • What ongoing programs (for example, training and awareness) must be in place and what are their objectives?
  • What constitutes "acceptable use" of computing resources and data?
  • What is the relationship between job function and privileges that users receive? Most privileges be limited, and, if so, how?
  • What are the responsibilities of management, resource owners, and users?
  • What is the baseline of security controls to be implemented within systems and networks?
  • What muse be done to secure connections from third parties?
  • What level of monitoring and user accountability must be in place?
  • What level of privacy can users expect and how should privacy expectations be communicated to users?
  • What are the consequences of violating the policy?
  • When, why, and how must the policy be updated?

One of the most effective ways to "bring the policy down to the level of users" is to create a user accountability statement. A user accountability statement provides an encapsulation of the information security policy in wording that users can understand. In many organizations with an effective information security program, users are required to read and sign a user accountability statement once, or sometimes even twice, a year (often during particular security training and awareness activity).

-----------------------------------------------------------

Related book

Windows NT/2000 Network Security
Author : E. Schultz
Publisher : Macmillan Technical Publishing
ISBN/CODE : 1578702534
Cover Type : Hard Cover
Pages : 375
Published : July 2000
Summary:
This book is intended primarily for LAN administrators, system programmers, information security staff and advanced users. Although the main focus of the book will be technical, many facets of Windows NT security involve practicing sound control procedures. As such, much of the book's discussion will be pertinent to all three groups. Windows NT/2000 Network Security will also thoroughly cover security-relevant technical issues such as controlling services protocols like Web-services and SMB. The book will be carefully sequenced to delve into technical issues increasingly with each chapter, so that the last half of the book will be more relevant to LAN administrators and system programmers than anyone else -- whereas the first half will be equally pertinent to all groups.


This was first published in January 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.