Security Standards  «Prev  Next»

Lesson 5 Planning a security policy
Objective Plan Security Policy for Business

Plan Security Policy for Business

A security policy is the foundation upon which all security decisions are made.
A security policy defines each rule to be followed and includes clear explanations of its purpose.
It should convey the core security values, roles, and responsibilities to the organization.

Create Security Policy
Click the above lit to read about prioritizing your system resources when developing a security policy.

Risk assessment

To determine exactly how much protection a resource requires, you must also decide how much risk it is exposed to. For example, an internal user workstation is at significantly less risk than a Web server because the latter is directly exposed to the Internet. To reduce risk, you should take the following steps:
  1. Classify your systems
  2. Assign risk factors
  3. Determine security priorities for each system
  4. Define acceptable and unacceptable activities
  5. Decide how you will educate all your employees about security
  6. Determine who will administer your policy

System privileges

Once you have determined the risks and priority of your resources, you can determine what measures you will apply to each resource. The table below shows information that is and is not necessary for users to connect with the system.

Internet Security :

Necessary and Unnecessary Information for users to Connect to their system.
Necessary information Unnecessary information
  1. InterNIC registration
  2. TCP Services
(Web, FTP and email servers)
  1. Contents of a Domain Name System (DNS) Server
  2. Routing tables
  3. User and account names
  4. Banner information


Document your security policy on a resource-by-resource basis. For instance, specify that all standard users' workstations must run the latest anti-virus software, and that your external router will filter Telnet at the exterior port. Your most critical resources, such as your email server, require the most detailed and stringent protections.

Publishing Security Policy

Define and publish the portions of your security policy that relate to your employees and their jobs.

Planning Security Policy - Exercise

Click the Exercise link below to locate more information on developing a security policy.
Planning Security Policy - Exercise