
4/23/2021 What Is a Security Policy? - Definition, Examples & Framework - Video & Lesson Transcript | Study.com

What Is a Security Policy? - Definition, Examples & Framework

In the IT world, we protect an organization by having a strong, well-defined security policy. In this lesson, we'll
examine how to create an effective policy that protects assets, employees, and data.

What Is a Security Policy?


Without guidelines, where would society be? We've seen films and video games that depict a post-
apocalyptic world where there are no rules. Rules and laws are necessary to keep the peace and
protect the public, or else anarchy will reign. In business, policies are needed to keep a business
productive and to protect its resources. A strong IT security policy can protect both the employees
and the bottom line.

An organization needs a security policy that is defined, appropriate and flexible: a living
document that can adapt to ever-evolving technology. This security policy covers how
employees can use the company's technology and how an IT department works with employees to
leverage and secure that technology. Best practice for IT security is a defense in depth strategy,
which involves multiple layers of protection ranging from antivirus software and password
protections to physical locks and hardware and software firewalls. Defense in depth is also called
the castle approach because a castle similarly has multiple layers of protection (a moat,
portcullis, catapults, and so on). The security policy needs to take into account several aspects of
the organization; it must protect the employees, the assets (hardware and software), and the
company's data.

Protecting the Employees


The employees require both physical and virtual protection: they need to know evacuation plans in
case of a fire or environmental disaster, but they should also have basic IT protections. Each
employee who uses a computer should have an individual user account to ensure accountability,
with a password policy that is clearly defined and followed by the employee. An acceptable use
policy (including user acknowledgment that they understand the policy) protects the user and the
organization by defining what a user can and cannot do with computer equipment, reducing the
threat of a breach. Mobile device guidelines should be in place for the event of loss or theft,
ranging from encryption to remote management. Some remote management applications can
activate the camera and GPS on the device, stealthily take a photo of the surroundings, and send
the information back to an administrator to be forwarded to management and law enforcement.

https://study.com/academy/lesson/what-is-a-security-policy-definition-examples-framework.html

Protecting the Assets


Physical security of assets is important as well. This can be as simple as locking the front door of a
small office at night, or as complicated as having a biometric device on a server room door. If an
area is left unattended with a desktop computer sitting in the open without cable locks, it could
easily go missing. Software installation disks and files should also be secured to prevent
unauthorized use and license violations. Card access systems can track ID badges; IP cameras can
record footage to digital video recorders; and computer asset management software can
record and track the locations of company resources. It is important to document not only an
organization's inventory, but also the policies regarding management of company resources.

Protecting the Data


The data that a company stores should be classified and protected, based on that classification,
from potential external and internal threats: the malicious hacker, the disgruntled employee, and
mistakes by untrained employees. Using firewalls to fend off the external threats and access
control lists (ACLs) to enforce the concept of least privilege for internal users are foundations for
keeping the data secure, but they are only preliminary steps in the defense in depth model of
information technology. Backing up and securing data are both important to a secure environment,
and disaster recovery policies and procedures are vital in the event of a breach or hardware loss.

Creating an Effective Policy


A security policy must be fully documented and available to all users. It must be enforceable and
include specific repercussions when violated. For example, if an acceptable use policy is violated by
a user downloading a pirated copy of the latest movie, that user may be reprimanded, sanctioned,
or terminated, depending on the policy. A first-time offense may require that user to attend (or re-
attend) training, while multiple violations could lead to more serious sanctions.

Lesson Summary
A well-written and regularly updated IT security policy creates a solid foundation on which to build a
strong IT department. It offers protection for the organization's assets through the use of the
defense in depth strategy, for employees through use of an acceptable use policy, and for data using
firewalls and least privilege. It can act as a blueprint for where an IT department currently is, a
codex for how it operates, and a roadmap for where it aspires to be.
