| Lesson 7
| Creating a security policy
|Defining Acceptable and Unacceptable Activities
Defining Acceptable and Unacceptable Activities
Defining acceptable and unacceptable activities at the resource level to create a security policy.
Your security infrastructure is the implementation of your security policies at the operations level. It should include multiple levels of defense and varying degrees of protection as determined by each system's classification. Your security implementation should specify both acceptable (permitted) and unacceptable (forbidden) activity at the resource level.
An example of acceptable activities for a corporate Web site is shown in the table below.
- May browse only the contents of HTML pages in the public folders
- It is unacceptable for anyone except your Webmaster to modify the contents of the HTML document
|Have acces to all the directories on the Website for proper administration
|Has access that allows him or her to modify the contents of the HTML documents
The above suggestions for acceptability might not apply to all companies.
Acceptable activities are best used when applying security measures to an intranet site rather than an Internet site.
The SC - Security Magazine
Web site is an excellent resource
when first preparing to create a security policy.
Regularly define and list unacceptable activity. This might take some time and require frequent updates, but such repetition can also create an effective policy.
By listing specific activities, you can make sure that they are specifically accounted for in your protection mechanisms, and
that your users know the policies.
Your security policy should include
- Itemized hardware and software and security requirements
- Physical security
- Procedures for system failure
- Procedures for handling system breaches
- Policies for users and system administrators
- Requirements for auditing
- Administrative responsibilities for securing specific systems
Apply your security policy as consistently as possible by
- Categorizing and documenting resources
- Defining and publishing your security policy
- Secure each resource and service
- Log, test, and evaluate all systems
- Keep current and update your policy
Creating Security Policy Guidelines