Access control refers to making sure that people are exposed only to the information they are supposed to access. Making the right information accessible to the right person only is a major aim of security. A good security solution should protect all of these objectives. A good security solution needs proper planning, and this plan can be called a security policy.
What is a security policy?
A security policy defines the procedures, guidelines and practices for configuring and managing security in an organization. Every organization should have a security policy, and it should be implemented by higher-level officials. The higher the level of security we aim for, the more investment is needed to implement it. Hence an analysis is needed before formulating a security policy. Qualitative risk assessment and cost benefit analysis are the most important types of analysis.
Qualitative Risk Assessment
Because of the uncertainty associated with the risks in the IT business, it is not easy to calculate a risk level. So several techniques have been developed for estimating it, such as multiplying the threat frequency by the loss associated with that threat. All the risks are considered, such as those to assets, information etc., while calculating the overall risk.
Cost benefit analysis
Cost benefit analysis gives an estimate of the monetary losses if the data is lost. So cost benefit analysis is used for calculating a break-even point. The break-even point is the point at which the security implementation investment and the monetary losses are the same. In this analysis risk is not taken into consideration. For example, it is not a wise decision to implement security costing 10000 bucks for information worth 1000 bucks. This analysis acts as a baseline for creating a security policy. Formulation of the security policy needs higher officials from all the departments and domain experts. The following steps are to be followed while creating security policies:
1. Determining the need for the policy.
2. Discussing with department heads and determining what is to be protected, such as assets, clientele lists etc.
3. Reviewing government rules and regulations so that the policy protects the organization if any discrepancies occur, and modifying it accordingly.
4. Creating a policy satisfying the above three steps.
5. Reviewing the policy with higher officials and modifying the policy if any changes are needed.
6. Approving the policy and training all the associates.
7. Reviewing the policy quarterly or half-yearly and modifying it if needed.
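The two analyses above are easier to see on numbers. The following Python is an added example, not part of the original text: it computes each asset's expected annual loss as threat frequency times asset value (the product the qualitative risk assessment section describes), adds them into an overall risk figure, and then applies the cost benefit rule by computing the break-even point of a proposed control. The asset list, the loss figures, the control costs and the three-year planning horizon are all constructed assumptions for illustration.

```python
# Added example: per-asset expected annual loss, overall risk, and a break-even check
# for a proposed security control. All figures below are constructed, not from the text.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # monetary value at stake if the asset is compromised
    threat_frequency: float  # expected incidents per year (assumption per asset)
    exposure: float = 1.0    # fraction of the value lost per incident, 0..1


def annual_loss_expectancy(asset: Asset) -> float:
    """Threat frequency times the loss per incident: the product the text describes."""
    return asset.threat_frequency * asset.value * asset.exposure


def overall_risk(assets: list[Asset]) -> float:
    """Overall risk is the sum over every asset considered in the assessment."""
    return sum(annual_loss_expectancy(a) for a in assets)


def rank_by_risk(assets: list[Asset]) -> list[str]:
    """Names of the assets ordered from highest to lowest expected annual loss."""
    return [a.name for a in sorted(assets, key=annual_loss_expectancy, reverse=True)]


def break_even_years(control_cost: float, annual_saving: float) -> float:
    """Years until the losses avoided by a control equal its one-time cost."""
    if annual_saving <= 0:
        return float("inf")  # a control that avoids nothing never pays for itself
    return control_cost / annual_saving


def control_is_justified(control_cost: float, annual_saving: float,
                         planning_horizon_years: float) -> bool:
    """Cost benefit rule: the investment must break even inside the planning horizon."""
    return break_even_years(control_cost, annual_saving) <= planning_horizon_years


def evaluate_control(assets: list[Asset], asset_name: str, new_frequency: float,
                     control_cost: float, planning_horizon_years: float = 3.0) -> dict:
    """Model a control that lowers one asset's threat frequency and report the
    annual saving, break-even point and whether it is justified."""
    before = {a.name: a for a in assets}[asset_name]
    after = replace(before, threat_frequency=new_frequency)
    saving = annual_loss_expectancy(before) - annual_loss_expectancy(after)
    return {
        "annual_saving": saving,
        "break_even_years": break_even_years(control_cost, saving),
        "justified": control_is_justified(control_cost, saving, planning_horizon_years),
    }


# Constructed sample inventory (assumed values, for illustration only).
ASSETS = [
    Asset("customer_list", value=50_000, threat_frequency=0.2),               # ALE 10000
    Asset("public_brochure", value=1_000, threat_frequency=2.0, exposure=0.5),  # ALE 1000
    Asset("payroll_db", value=200_000, threat_frequency=0.05, exposure=0.5),   # ALE 5000
]

if __name__ == "__main__":
    print("overall risk per year:", overall_risk(ASSETS))
    print("priority order:", rank_by_risk(ASSETS))
    # A 12000 control cutting customer_list incidents from 0.2 to 0.02 per year.
    print("customer_list control:", evaluate_control(ASSETS, "customer_list", 0.02, 12_000))
    # The text's bad bargain: 10000 spent on a brochure worth 1000.
    print("brochure control:", evaluate_control(ASSETS, "public_brochure", 0.0, 10_000))
```

Running the script shows the customer list carrying most of the overall risk and its control breaking even in well under two years, while the brochure control never breaks even inside the horizon, which is the same conclusion the text reaches about spending 10000 to protect 1000.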