Security Policy
Prof. Vidyavati H. R
Learning Objectives
Policies, Standards, Guidelines and Procedures
• A policy is something that is mandatory.
• A standard is something you follow for best-practice reasons. It could be an industry standard, an internal standard, or a personal standard.
• A guideline is something that is discretionary.
• A procedure is a set of step-by-step instructions.
Why policy?
• A quality information security program begins and ends with
policy.
• A security policy is a document that states in writing how a
company plans to protect the company's physical and information
technology (IT) assets. A security policy is often considered to be a
"living document", meaning that the document is never finished,
but is continuously updated as technology and employee
requirements change.
• Properly developed and implemented policies enable the
information security program to function almost seamlessly within
the workplace.
• Although information security policies are the least expensive
means of control to execute, they are often the most difficult to
implement.
• Policies require constant modification and maintenance.
• Develop policies that you plan to enforce.
• Explain the purpose of the policy.
• Develop security policies that do not require updates too frequently.
• Don’t develop your policies in a vacuum.
• Make your security policies available to everyone.
• Make sure your policies stay current.
• Make sure your policies are understood.
• Require acknowledgement of your policies.
• Include your policies as part of your security awareness training.
Types of policies
• Senior Management Statement of policy
• Regulatory policy
• Advisory policy
• Informative policy
Write policies for
1. Employee hire policy
2. Employee termination policy
3. Anti-virus policy
4. Security awareness training
5. Back-up policy
6. Data classification policy
7. Access Control policy
8. Change management policy
9. Physical security policy
10. Encryption policy
11. Media disposal policy
12. Data retention policy
13. Acceptable use policy
14. Password policy
15. Email policy