10 Essential Security Polices

Thursday, July 08, 2010

Global Knowledge


Writing a corporate security policy might seem complex, but ultimately it is a collection of many small policies. By writing each of the essential sub-policies from this list, you are well on your way to creating (updating or revising) a corporate security policy.

From firewalls, to backup, to personnel management, these are 10 common essential security policies your organization needs yesterday.

There are hundreds of sub-policies that a company eventually needs to construct in order to fully address and manage the security concerns of the organization. The focus on these ten does not imply that other policies are any less essential.

This is an article not an exhaustive treatise, and the goal is to spur action toward writing or improving security guidelines. These ten security policies (or sub-policies) are essential to every organization, regardless of size, location, age, mission, or the product or service produced, and are presented here (in no particular order).

1. Acceptable Use Policy

The Acceptable Use Policy (AUP) defines what are and are not an allowed activities on company premises, with company equipment, and when using company resources.

It often defines actions that are specifically prohibited, such as accessing pornography, pirated content, or running a side-business. These prohibitions are enforced with consequences in the event an employee is found in violation.

The AUP can also define activities that are allowed within reason or within specific boundaries. For example, it may be acceptable to surf the Internet, participate in chat and e-mail conversations, and even play games up to 10 minutes per hour, as long as it does not interfere with accomplishing work tasks.

The goal of the AUP is to guide employees toward working productively without burning out or putting the organization at risk due to risky or non-business behaviors. Employees should focus on work tasks while at work. Some downtime and distraction is expected, even necessary, but abusing Internet access to the detriment of work assignments is a choice and has consequences.

2. Privacy Policy

The privacy policy clearly defines what is and is not private when working on company equipment or when on company property. There are a variety of laws and regulations that address privacy.

When privacy protection is legally mandated, a company must enforce and protect privacy in compliance with the regulations. Some organizations choose to grant additional privacy beyond that mandated by law.

The privacy policy should include issues such as the use of security cameras, logging of user activity, recording of keystrokes, monitoring of Internet usage, etc.

This policy defines what information is collected, what information is not collected, what can or cannot be disclosed, to whom information may be disclosed, and for what purposes the data was collected.

3. Password Policy

The password policy is directed toward improving the security of passwords. If the policy addresses topics beyond just passwords, it could be re-branded as an authentication policy.

A password policy defines the minimum length of a password, the types of characters allowed or required in the password, minimum and maximum age of the password, and the prevention of password re-use.

The password policy might also include account lockout parameters that define the number of unsuccessful logon attempts granted before an account is temporarily or permanently disabled.

The password policy might also prescribe that password auditing or cracking be performed as a security assessment in order to discover weak passwords. Users should be trained on how to select more secure passwords.

This would include selecting longer passwords and focusing on passphrases rather than individual words.

4. Disposal and Destruction Policy

The disposal and destruction policy defines when and how to get rid of stuff. There is always waste to be disposed of in every organization. Whether coffee grounds, sensitive printed documentation, or old storage devices, there needs to be a plan other than just tossing it in the bin.

Dumpster diving is a serious threat to security. Anything thrown away can be collected and examined by outsiders. Assume everything thrown out is obtained by your competitors, your enemies, and the government. With this in mind, define a procedure to properly dispose, destroy, and/or recycle everything.

Shredding and incineration are often solutions for both printed materials and storage devices. However, in today's green culture, companies seek to "zeroize" and re-use or recycle equipment whenever possible. (Note: to zeroize is to low-level format a storage device so that every single bit is reset to a zero value. This prevents all known concepts of data remnant recovery.)

Download the rest of this White Paper Here

Global Knowledge is the worldwide leader in IT and business skills training. We deliver via training centers, private facilities, and the Internet, enabling our customers to choose when, where, and how they want to receive training programs and learning services.


Possibly Related Articles:
Enterprise Security Content Security Policy
Post Rating I Like this!
Ray Tan Although those are basic requirements for security, it is useful and great athat when someones need reference, there it is.
Katie Weaver-Johnson This is a great list to build off of!

It is critical for organizations to not only have these policies, but to actually implement the policies and ensure they have been communicated, understood and acknowledged by all appropriate personnel (employees, staff, third-parties, vendors, contractors, etc.).
Kelly Monroe Using media sites puts a company’s network security and privacy at risk. Some of the threats include Malware, brand hijacking, lack of control over content and identity theft among others. It is therefore necessary to have a social media policy in place. ecision-makers and IT managers should check out To Block or Not. Is that the question?” here: http://bit.ly/d2NZRp and know the issues surrounding social media in the workplace. This white paper will help them to make informed decisions about whether or not to block social media sites, and to create a sound social media policy for their companies.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.