Professional Documents
Culture Documents
SECURITY POLICIES
AND PROCEDURES
PREPARED BY : SITI KAMILA BINTI DERAMAN, JTMK
AT THE END OF THIS CHAPTER, YOU NEED TO:
Security starts with an organization determining what actions must be taken to create
and maintain a secure environment. That information is recorded in a formal security
policy.
A security policy is a document or series of documents that clearly defines the defense
mechanisms an organization will employ in order to keep information secure.
A good security policy should be a high-level, brief, formalized statement of the security
practices that management expects employees and other stakeholders to follow. It should
be concise and easy to understand so that everyone can follow the guidance set forth in
it.
Security Policy
A security policy lays down specific expectations for management, technical staff, and
employees.
A clear and well-documented security policy will determine what action an organization
takes when a security violation is encountered.
In the absence of clear policy, organizations put themselves at risk and often flounder in
responding to a violation.
Security Policy
For managers, a security policy identifies the expectations of senior management
about roles, responsibilities, and actions that should be taken by management with
regard to security controls.
For technical staff, a security policy clarifies which security controls should be used on
the network, in the physical facilities, and on computer systems.
For all employees, a security policy describes how they should conduct themselves
when using the computer systems, e-mail, phones, and voice mail.
WHY AN ORGANIZATION NEEDS
INFORMATION SECURITY POLICIES
Legal compliance with Information security regulations like HIPAA and Gramm-Leach
Bliley require information security policies and standards
MasterCard and Visa require organizations that accept their credit and debit cards to
have information security policies and standards
Every information security effective practice contains a requirement for organization-
wide information security policies and standards
1. The policy must be consistent to be effective. There must be similar levels of security in
multiple areas such as physical security, remote access, internal password policy
policies, and other policies.
3. Issues should be clearly defined and when they apply to the policy. Define services
affected such as email.
5. Staff and management must find the policy acceptable. This is why it is important to
justify each policy.
Continue..
6. Define roles of the staff with respect to the policies and security issues.
7. The policy must be enforceable from the network and system controls. Policies must be set
on servers to be sure domain passwords are reasonably complex, not repeated, changed
periodically, etc.
10. Provide contact information for those interested in more information about the policy.
7 Security Policy Requirements
_____________________________________________
_____________________________________________
_____________________________________________
Exercise 2
State 4 security policy requirements.
i. _____________________________________________
ii. _____________________________________________
iii. _____________________________________________
iv. _____________________________________________
USERNAME
AND
PASSWORDS:
Do and Don’ts
USERNAME DO AND DON’TS