What goes into a Security Policy Manual?
Some of the contents depend on whether you are providing a Security Policy for the company as a whole or just for Information Technology. An integrated Security Policy for the company makes sense if you can get universal support from Operations (COO), Legal and Corporate functions. Such things as document security, content and distribution can be integrated into a coherent whole when everyone agrees to work together. On the other hand, if you get push-back from territorial constituencies that see you as stepping on their toes, you might need to settle for a policy that covers IT functions alone.
Factors that determine the technical content of the Security Policy Manual include your level of exposure through the internet and the extent to which you need to integrate your systems functions with those of customers, vendors and business partners. For example, if your customers’ data are stored on systems managed by your business partners, you need a policy for vetting the security policies of those partners that ensures your customers’ data are demonstrably secure.
Let’s look at a possible outline for a Security Policy Manual:
Introduction
Objectives, motivation, definitions, scope, document organization, document development process, document update and revision schedule and process.
Security Process
Risk Assessment, Strategy, Implementation, Monitoring, Process Monitoring and Updating, Governance.
Risk Assessment
Security Controls Implementation
Access Control; Configuration Management (hardware, software); Physical and Environmental Protection / Data Center Security; Encryption; Malicious Code Prevention; Systems Development, Acquisition, and Maintenance; Software Development and Acquisition; Systems Maintenance (Hardening, Patch Management); Personnel Security (Background Checks; Confidentiality, Non-Disclosure, and Authorized Use Agreements; Training); Data Security; Business Continuity Plan.
Security Monitoring
Activity and Condition Monitoring, Security Incident Response, Independent Security Audit / Penetration Testing.
Security Process Monitoring And Updating
Monitor security policies for effectiveness and update them as necessary.
Possible Appendices:
· Remote Access Policy
· Router Security Policy
· Removable Media Policy
· Encryption Usage Policy
· Server Security Policy
· Virus/Malware Monitoring Policy
· Software Development and QA Security Policy
· ASP Security Policy
· Third Party Connection Policy
· Device Disposal/Loss/Replacement Policy
· Systems Acceptable Use Policy
· Workstation Security Policy
· Information Sensitivity Policy
· Wireless Infrastructure and Connection Policy
There is truly a lot to think about, but there are best practices and guidance available.