What is a Security Policy?
An Information Security Policy is an important part of the overall operating strategy of any business.
Objective of a Security Policy
A Security Policy provides clearly defined statements on how security is to be carried out within the business.
Contents of a Security Policy
A Security Policy can be structured in two ways:
• A high level policy statement supported by a number of separate supporting policies covering the different areas of security.
• A single policy containing all areas of security.
The following are some of the areas that you should consider when writing a security policy:
• Physical and Environmental Security
• Organisational and Personnel Security
• Information Classification and Handling
• IT Security (Including Access Controls)
• Communications and Operations Management
• Systems Development and Maintenance
• Business Continuity and Incident Management
• Audit and Compliance
Writing a Security Policy
When writing a Security Policy it is important that you involve those who need to implement the policy. This can be achieved by having them review the policy or having them write their part of the policy.
Many people use BS7799/ISO17799 as a reference when writing their Security Policy. This is a Security Management standard that contains security measures and requirements for compliance with the standard.
Implementing a Security Policy
As stated previously, the people who need to implement the policy should ideally be involved in the review and/or development of the policy.
For successful implementation, you must make all of those implementing the policy aware of what they need to do. You can do this by providing employees with access to the policy in a manual or on your intranet. You can also have a security awareness campaign.
It is also important to note that the implementation road can be made smoother if company management support the Security Policy.
Keeping a Security Policy Up to Date
Business practices can change and the policy needs to be reviewed once or twice a year to ensure it does not become out of date.
It is also important that you carry out audits against the policy once or twice a year to make sure it is being implemented. It is amazing how many Security Policies get written and then stored on the shelf gathering dust.