Problem solve Get help with specific problems with your technologies, process and projects.

Planning considerations for an effective security policy

This tips lists what to ask when you're developing a security policy.

Planning considerations for an effective security policy
E. Eugene Schultz

Although volumes have been written about securing information resources, many companies don't have effective data security. The way to get that security is to have an effective security policy, one that's tailored for your particular situation. This tip, excerpted from Windows NT/2000 Network Security, by E. Eugene Schultz, lists questions to ask when you're developing your policy.


An effective information security policy addresses many critical issues, including the following (at a minimum):

  • Who owns the systems, networks, applications, and data accessible to users?
  • What ongoing programs (for example, training and awareness) must be in place and what are their objectives?
  • What constitutes "acceptable use" of computing resources and data?
  • What is the relationship between job function and privileges that users receive? Most privileges be limited, and, if so, how?
  • What are the responsibilities of management, resource owners, and users?
  • What is the baseline of security controls to be implemented within systems and networks?
  • What muse be done to secure connections from third parties?
  • What level of monitoring and user accountability must be in place?
  • What level of privacy can users expect and how should privacy expectations be communicated to users?
  • What are the consequences of violating the policy?
  • When, why, and how must the policy be updated?

One of the most effective ways to "bring the policy down to the level of users" is to create a user accountability statement. A user accountability statement provides an encapsulation of the information security policy in wording that users can understand. In many organizations with an effective information security program, users are required to read and sign a user accountability statement once, or sometimes even twice, a year (often during particular security training and awareness activity).


Related book

Windows NT/2000 Network Security
Author : E. Schultz
Publisher : Macmillan Technical Publishing
ISBN/CODE : 1578702534
Cover Type : Hard Cover
Pages : 375
Published : July 2000
This book is intended primarily for LAN administrators, system programmers, information security staff and advanced users. Although the main focus of the book will be technical, many facets of Windows NT security involve practicing sound control procedures. As such, much of the book's discussion will be pertinent to all three groups. Windows NT/2000 Network Security will also thoroughly cover security-relevant technical issues such as controlling services protocols like Web-services and SMB. The book will be carefully sequenced to delve into technical issues increasingly with each chapter, so that the last half of the book will be more relevant to LAN administrators and system programmers than anyone else -- whereas the first half will be equally pertinent to all groups.

This was last published in January 2001

Dig Deeper on Information security policies, procedures and guidelines