A computer security policy is the document that states in writing how an organization should protect its Information Technology (IT) assets. It primarily defines the goals and the elements of the organization’s computer systems that are to be protected. The policy is considered a ‘living document’, meaning it is never marked as complete; it is updated as technologies improve and as employee requirements change.
After the organization identifies the need for a computer security policy, the following things have to be taken into account:
Once the computer security policy has been planned and outlined, it should be published and communicated to all employees of the organization. Many employees, especially newcomers, would be unaware of the risks the company faces when the security policy is violated, so communicating the defined policy to everyone makes them aware of the importance of the company’s IT assets and of their own role in preventing a security breach.
Complying with the established security policy is one of the most important aspects of maintaining the organization’s computer security. Providing proper training on the security policy to employees helps ensure compliance.
Testing the setup of the computer security policy is meant to ensure that the policy is set to high standards and is resilient to security attacks such as brute force intrusion or outsider penetration.
Some examples of computer security policy approaches followed in most IT organizations are given below.
Email Security Policies
Email is one of the major modes of communication between an organization and its clients or the outside world. Hence it is important to have a stringent and foolproof email security policy in place. Some approaches are as follows:
Use email scanning software that detects spam and inappropriate messages and holds them for review by an administrator.
Require user authentication before email can be sent.
Use an email signing (non-repudiation) mechanism, such as the cryptographic signatures provided by PGP.
Data Security Policies
Data stored in the organization is vital to its business, so the data security policy should be strong enough to protect company data from any security breach. Some approaches are:
Use of PDAs or flash drives should be authorized by the company’s security personnel, who record the serial numbers of the devices so that they can be signed out.
Smartphone usage should be secured by having proper software in place and by using safe protocols such as SSL, to prevent outsider interception of any transaction made from a smartphone. (Christian Cawley)
Setting up the computer security policy
For developing an efficient computer security policy there is a generally accepted approach that includes the following steps:
1. Identifying the assets or entities that the organization is trying to protect
2. Deciding what the company’s IT assets are to be protected from
3. Analyzing the intensity of the threats
4. Implementing the protection measures that will protect the company’s assets in a cost-effective manner
5. Last but not least, reviewing the process continuously and making the necessary improvements to the policies whenever a weakness or the need for a change is found
As we have already seen, the computer security policy is a living document.
For any organization to implement an effective computer security policy, it must have a proper grasp of risk assessment and risk analysis.
Risk analysis involves examining all the risks that can be faced by an organization and then ranking those risks by level of severity.
Main Elements of risk analysis
1. Identification of assets:
This means identifying everything in the organization that needs to be protected.
A sample list of assets is as follows:
Hardware – CPUs, keyboards, workstations, printers
Software – diagnostic programs, operating systems, source code
Data – data stored in servers, databases
Documentation – design diagrams, admin procedures, etc.
2. Identification of threats:
Threats are the potential dangers to the company’s IT assets that could cause heavy loss to the organization. Major threats that an IT organization would face are:
Unauthorized access to the company’s confidential information
Unintended exposure of confidential data to outsiders
Virus attacks on computer servers or workstations causing Denial of Service (DOS) (B.Fraser, IETF article)
Importance of computer security policy
An efficient and effective computer security policy is the key for any organization to determine its security goals; without it, the company would never know what risks are involved or how to safeguard its assets if a threat materializes.
The goal of the security policy would be decided based on the following key points,
Variety of services offered versus the security provided
Every service that an organization provides carries its own level of risk. For some services the impact of the risks outweighs the benefits of the service itself, and such services may be eliminated rather than secured.
Risk of loss versus the cost of security measures.
Implementing security measures obviously involves different costs, such as monetary costs and performance costs. For example, the company would need to buy a set of security hardware and software such as firewalls and encryption software.
Similarly, there are many levels of risk with a varying range of severity, for example loss of privacy, loss of service, and denial of network access (critical).
Hence each risk of loss should be weighed against each type of cost.
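The ranking of risks by severity described under risk analysis, and the weighing of each risk of loss against the cost of the security measure just described, can be carried out with a simple risk register. The following is an added example and is not from the original essay or from any cited source; the five register entries, the 1 to 5 likelihood and impact ratings, and the loss and cost figures are constructed for illustration, and the annual-loss estimate (loss per incident multiplied by expected incidents per year) is a common but assumed method of weighing.

```python
from dataclasses import dataclass
from typing import List

# Added example: a small risk register that ranks risks by severity and compares
# the estimated annual loss of each risk with the annual cost of the measure
# that would reduce it. Ratings and figures below are constructed, not real data.


@dataclass
class Risk:
    asset: str                 # what is being protected (hardware, software, data, docs)
    threat: str                # potential danger to the asset
    likelihood: int            # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale: 1 (minor) .. 5 (critical)
    est_loss: float            # estimated loss per incident, in currency units
    incidents_per_year: float  # expected frequency of the incident
    control: str               # proposed protection measure
    control_cost: float        # annual cost of that measure

    def severity(self) -> int:
        # Qualitative severity used for ranking: likelihood times impact.
        return self.likelihood * self.impact

    def annual_loss(self) -> float:
        # Expected loss per year from this risk if nothing is done.
        return self.est_loss * self.incidents_per_year


# Constructed sample register covering the asset and threat types named above.
SAMPLE_RISKS: List[Risk] = [
    Risk("Customer database", "Unauthorized access to confidential information",
         4, 5, 50_000.0, 0.5, "Access control and two-factor authentication", 8_000.0),
    Risk("File servers", "Virus attack causing denial of service",
         3, 4, 10_000.0, 2.0, "Antivirus and patch management", 6_000.0),
    Risk("Workstation data", "Unintended exposure via unregistered flash drive",
         3, 3, 5_000.0, 1.0, "Device registration and sign-out procedure", 1_500.0),
    Risk("Email gateway", "Spam and inappropriate messages reaching staff",
         5, 1, 200.0, 50.0, "Email scanning software with admin review", 3_000.0),
    Risk("Legacy public FTP service", "Outsider penetration",
         2, 3, 3_000.0, 0.2, "Harden and monitor the FTP host", 4_000.0),
]


def rank_by_severity(risks: List[Risk]) -> List[Risk]:
    # Highest severity first; annual loss breaks ties between equal severities.
    return sorted(risks, key=lambda r: (r.severity(), r.annual_loss()), reverse=True)


def recommend(risk: Risk) -> str:
    # Weigh the risk of loss against the cost of the measure: a control that
    # costs more per year than the loss it prevents is not cost-effective, so
    # the risk is either accepted or the service is eliminated.
    if risk.control_cost <= risk.annual_loss():
        return "implement control"
    return "accept risk or eliminate the service"


def report(risks: List[Risk]) -> List[str]:
    # One line per risk, ordered from most to least severe.
    lines = []
    for r in rank_by_severity(risks):
        lines.append(
            f"severity {r.severity():>2}  {r.asset:<26} "
            f"loss/yr {r.annual_loss():>8.0f}  control {r.control_cost:>7.0f}  -> {recommend(r)}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RISKS)))
```

In the sample register the legacy FTP service is the only entry whose control costs more than the loss it prevents, which is the situation the text describes where eliminating a service can be the better choice than securing it.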
Systems usability versus security
Systems that allow any user in without restrictions are very easy to use but have no security and are vulnerable at any time. Therefore the proper level of secure restrictions will make them secure at the cost of a little convenience.
The level of security to be implemented should be decided based on the criticality of the system in the organization. (B.Fraser, IETF article)
Persons to be involved in conception of the security policy
In order to have an efficient and appropriate policy in place, it is better to involve key personnel from all levels of the organization. The following individuals are common to any organization:
Site security administrator
Security incident response team
Representative of user groups who may be affected by security policy
Implementing the security policy
Once the security policy has been outlined and defined, it needs to be implemented in the organization. Implementation generally has 3 steps, as below:
1. Communicate the policy
For successful implementation of the security policy, all levels of employees in the organization have to be made aware of it. This can be achieved through meetings, presentations, email messages and posters.
2. Enforce the policy
Bringing the defined policy into effect in the organization is what enforcing the policy means. For enforcement, the organization might need to allocate additional resources to maintain compliance with the policy across the organization, and additional security tools (such as authentication tools and firewalls) may be installed to strictly monitor compliance.
3. Reassess the policy
The implemented security policy has to be revisited and revamped in a timely manner. As the organization’s business grows, its services increase and so do the security threats. Hence it is important to keep the security policy updated in a timely manner. (RSA Security)
Thus we can conclude that the security policy is the baseline for an organization to protect its technology and information assets. The sole purpose of the policy is to communicate to users, staff and managers their obligatory requirements for protecting technology and information assets.
The best security policy would have the characteristics given below.
Implementable through administrative procedures, by publishing acceptable methods or other appropriate means.
Always enforceable, with proper security tools in place.
Clear information on every individual’s responsibilities for protecting the assets, covering all levels of employees in the organization.