Security Standards  «Prev  Next»

Lesson 7 Creating a security policy
Objective Defining Acceptable and Unacceptable Activities

Defining Acceptable and Unacceptable Activities

Defining acceptable and unacceptable activities at the resource level to create a security policy.
Your security infrastructure is the implementation of your security policies at the operations level. It should include multiple levels of defense and varying degrees of protection as determined by each system's classification. Your security implementation should specify both acceptable (permitted) and unacceptable (forbidden) activity at the resource level.

Setting permissions

An example of acceptable activities for a corporate Web site is shown in the table below.

Group Permissions
  1. May browse only the contents of HTML pages in the public folders
  2. It is unacceptable for anyone except your Webmaster to modify the contents of the HTML document
System administratorsHave acces to all the directories on the Website for proper administration
Webmaster Has access that allows him or her to modify the contents of the HTML documents

The above suggestions for acceptability might not apply to all companies.
Acceptable activities are best used when applying security measures to an intranet site rather than an Internet site.
The SC - Security Magazine Web site is an excellent resource when first preparing to create a security policy.

Unacceptable activity

Regularly define and list unacceptable activity. This might take some time and require frequent updates, but such repetition can also create an effective policy.
By listing specific activities, you can make sure that they are specifically accounted for in your protection mechanisms, and that your users know the policies.

Policy requirements

Your security policy should include
  1. Itemized hardware and software and security requirements
  2. Physical security
  3. Procedures for system failure
  4. Procedures for handling system breaches
  5. Policies for users and system administrators
  6. Requirements for auditing
  7. Administrative responsibilities for securing specific systems

Implementing security

Apply your security policy as consistently as possible by
  1. Categorizing and documenting resources
  2. Defining and publishing your security policy
  3. Secure each resource and service
  4. Log, test, and evaluate all systems
  5. Keep current and update your policy

Creating Security Policy Guidelines

The link below discusses the steps and guidelines involved in creating a security policy.
Creating Security Policy