| Lesson 7 | Creating a Security Policy |
| --- | --- |
| Objective | Define acceptable and unacceptable activities at the resource level to build a comprehensive security policy. |
Creating a Security Policy: Defining Acceptable and Unacceptable Activities
A strong security policy defines what is permitted and what is prohibited across your organization’s information systems. This policy acts as a blueprint for your operational security architecture, ensuring consistent protection at all system levels according to data classification and business needs.
Setting Permissions and Access Control
A well-structured policy identifies who can perform specific actions on which resources. The table below illustrates an example of acceptable activities for a corporate website:
| Group | Permissions |
| --- | --- |
| User | May browse only publicly accessible HTML pages; may not modify or publish website content (only the Webmaster may). |
| System Administrators | Have full access to all directories for maintenance and security oversight. |
| Webmaster | Authorized to edit, upload, and maintain all public-facing content. |
Acceptable activities may vary across organizations. For instance, internal (intranet) systems may permit broader access than public (internet) systems.
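The website permissions table above, encoded as a default-deny authorization check. This is an added example, not code from the lesson; the group names, the `/public/` subtree and the read/write/publish actions are constructed assumptions. The check normalizes the requested path before matching, so a request that uses `..` to leave the public tree is judged against the directory it actually reaches.

```python
"""Default-deny authorization check encoding the corporate-website permissions
table from this lesson (added example; the rule set is constructed here)."""
import posixpath
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    group: str                                  # group the grant applies to
    prefix: str                                 # subtree covered (trailing slash)
    actions: frozenset                          # actions permitted in that subtree
    suffixes: Optional[Tuple[str, ...]] = None  # restrict to these file types if set

# Constructed rule set mirroring the lesson's table: users browse public HTML,
# the webmaster maintains all public-facing content, sysadmins reach everything.
RULES = (
    Rule("user", "/public/", frozenset({"read"}), (".html", ".htm")),
    Rule("webmaster", "/public/", frozenset({"read", "write", "publish"})),
    Rule("sysadmin", "/", frozenset({"read", "write", "publish"})),
)

def normalize(path: str) -> str:
    """Resolve '.' and '..' before matching, so '/public/../admin/x.html'
    is judged as '/admin/x.html' rather than as public content."""
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)

def covers(rule: Rule, path: str) -> bool:
    """True if the normalized path lies inside the rule's subtree."""
    return path == rule.prefix.rstrip("/") or path.startswith(rule.prefix)

def decide(group: str, action: str, path: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly granted is denied;
    the reason string is what an audit log would record."""
    norm = normalize(path)
    for rule in RULES:
        if rule.group != group or not covers(rule, norm):
            continue
        if action not in rule.actions:
            continue
        if rule.suffixes and not norm.endswith(rule.suffixes):
            continue
        return True, f"allow {group} {action} {norm} (grant on {rule.prefix})"
    return False, f"deny {group} {action} {norm}: no matching grant"

if __name__ == "__main__":
    print(decide("user", "read", "/public/index.html")[1])
    print(decide("user", "read", "/public/../admin/config.html")[1])
```

Because an unknown group or an unmatched path falls through to the final `deny`, adding a new resource never silently widens access; it has to be granted explicitly in `RULES`.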
When drafting or reviewing your organization’s policies, consult reputable cybersecurity resources such as SC Media for current best practices and case studies.
Defining Unacceptable Activity
Clearly listing prohibited actions is essential for effective enforcement. These should be reviewed and updated regularly to reflect changes in technology and threat landscapes.
Defining unacceptable behavior helps ensure that system protections, user education, and monitoring tools address specific organizational risks.
Core Policy Requirements
A complete security policy should include:
- Inventory of hardware, software, and related security requirements
- Physical and environmental protection measures
- Procedures for handling system failures and incident recovery
- Steps for reporting and responding to security breaches
- Defined roles and responsibilities for users and administrators
- Audit and compliance requirements
- Ownership and accountability for protecting each resource
Implementing Security Policy
To ensure consistency, implement your security policy using the following steps:
- Classify and document all organizational resources
- Publish and communicate the policy organization-wide
- Apply appropriate security controls to each resource
- Log, test, and validate all systems periodically
- Review and update your policy as technologies evolve
Creating and Maintaining a Security Policy
When drafting your policy, include clear information about:
- Who is authorized to use the system and under what conditions
- Access control procedures and revocation processes
- Guidelines for remote and privileged access
- Training requirements for users, administrators, and executives
- Acceptable use of corporate assets and network resources
- Incident response protocols and reporting structure
- Baseline server configuration and maintenance requirements
Technology Considerations
Technology acquisition and deployment should align with your policy’s protection objectives. A well-governed acquisition framework includes:
- A clearly documented organizational security policy
- Information assurance architecture and standards
- Guiding principles for secure system design
- Procurement criteria emphasizing validated, trusted components
- Configuration and hardening recommendations
- Vendor risk assessment and continuous evaluation
Creating a comprehensive, adaptable security policy is the foundation of an effective cybersecurity strategy. By establishing clear permissions, defining boundaries, and maintaining accountability, organizations can minimize risk and build a resilient security posture.
