Project 8: Define Policies and Procedures

Policies are the cornerstone of a successful security program. These policies represent:

• The organization's standpoint on acceptable use of information and equipment

• Responsibilities of management, system administrators, security personnel, and users

Clearly defining roles and responsibilities is essential for success. Not only does this show everyone where they fit in the big picture, it also gets them involved in protecting the organization.

Not sure if you have the appropriate policies? Here is a quick list of policies that should exist in your organization:

• Policies, standards, guidelines and procedures

• Risk assessment and treatment

• Threat monitoring

• Security roles and responsibilities

• System logging, monitoring, updating and patching

• System configuration control, change control and life cycle management

• Asset management and protection

• Vendor management

• Personnel/human resources security

• Security training, awareness and education

• Physical and environmental security

• Access control

• Identification/Authentication, authorization

• Privilege control

• Remote access, wireless access, etc.

• Physical access

• Teleworking

• Encryption and key management

• Segregation of duties/dual controls

• Workstation/portable device security

• Acceptable use policies

• Electronic commerce/web site security

• Security incident response and management

• Business continuity/disaster recovery

• System and program testing

• Compliance

Well-defined policies and procedures aren't just nice things to have. They are essential to ensure consistency and quality of operations throughout the organization.

Already have policies? Re-evaluate them to ensure they are up to date with business needs and current technologies.
