Handling a security policy -- literally

Learn why you need to protect your security policy document.

The security policy for an organization is not just a single document; it is an entire collection of documents...

including policies, standards, guidelines and procedures. These documents discuss both the big picture of security as well as the step-by-step installation details for the security of an environment. A set of documents with this much information about your organization should trigger a knee-jerk response -- it has got to be protected!

Your security policy is a roadmap for your organization on how to protect itself from intentional and accidental incidents. However, it is also a manual that instructs malicious entities exactly where your weaknesses are and what means of attack will be most effective. You must treat your security policy in the same vein as any other classified, proprietary or sensitive resource in your environment.

In addition to protecting your security policy from external entities, it is also a good idea to restrict access to internal personnel as well. Users, managers, administrators, etc. should have access only to the procedures and guidelines that apply specifically to their work tasks or systems. There is no need for anyone outside of the upper management and the infosec team to have access to the entire security policy.

As your environment changes and as you alter your system to protect against new threats or specific incidents, you need to update your security policy. As part of that effort, be sure that only the latest and most up-to-date version of the security policy documents remains in circulation. If everyone is not working from the same set of security instructions, then there is more potential for oversight or error resulting in additional security incidents.

About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

For more information, visit these resources:
  • Security Policies Tip: Keeping up with security policies
  • Security Policies Tip: Security policy by example
  • Security Policies Tip: Building your policy
  • This was last published in May 2003

    Dig Deeper on Information security policies, procedures and guidelines

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.