Security Standards

Lesson 5: Planning a Security Policy
Objective: Develop and implement a business-wide security policy based on risk and system priorities.

Planning a Security Policy for Your Business

A security policy serves as the cornerstone of every organization’s security framework. It defines the rules, responsibilities, and standards that protect systems and data. An effective policy reflects core values, identifies risk levels, and provides employees with clear direction on acceptable behavior and operational safeguards.

1. Conduct a Comprehensive Risk Assessment

Before developing or revising a security policy, you must understand the level of risk facing each resource. Internal workstations, for example, are less exposed than Internet-facing web servers. A structured risk assessment enables prioritization of controls and budget allocation.

2. Define System Privileges and Access Levels

After determining risk levels, decide how much access is appropriate for each user or system role. Implement the principle of least privilege—grant users only the access required to perform their duties. This minimizes the potential damage if an account is compromised.

3. Manage Internet-Facing Services Responsibly

Internet-connected systems require careful configuration. Only necessary services should be exposed, and all data that could assist an attacker must remain private. Avoid insecure legacy protocols such as FTP (use FTPS or SFTP instead) and disable TELNET entirely in favor of SSH.

Necessary Information (may be exposed):
  • InterNIC registration details
  • TCP-based services such as web, FTPS, and email servers

Unnecessary Information (must remain private):
  • Complete DNS zone files or internal host mappings
  • Routing tables and network topology details
  • Usernames, account names, or banner information

4. Document and Enforce the Policy

Every system should have documented security requirements. For example:

Documentation provides a baseline for audits and helps ensure accountability across departments.
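The following is an added example, not part of the original lesson, showing how the documented requirements from step 4 can be turned into a machine-checkable baseline for the service rules in step 3. The hostnames, port lists, the `SystemPolicy` record format and the scan inventory are all constructed for illustration; real policy documents and scan output will differ.

```python
"""Audit observed listening services against each system's documented policy.

Added example (not from the lesson). Hostnames, ports, the policy record
format and the scan inventory below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Legacy protocols the lesson says should not be exposed at all:
# port -> (protocol name, recommended replacement). Constructed mapping.
LEGACY_PROTOCOLS = {
    21: ("FTP", "FTPS or SFTP"),
    23: ("TELNET", "SSH"),
}

# Order used when prioritising findings for remediation.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class SystemPolicy:
    """Documented security requirements for one system (hypothetical format)."""
    hostname: str
    exposure: str            # "internet" or "internal"
    allowed_ports: frozenset  # services the policy says may listen


@dataclass(frozen=True)
class Finding:
    hostname: str
    port: int                # 0 when the finding is about the host as a whole
    severity: str
    message: str


# Constructed policy documents, one per system.
POLICIES = {
    "www.example.test": SystemPolicy("www.example.test", "internet", frozenset({80, 443})),
    "mail.example.test": SystemPolicy("mail.example.test", "internet", frozenset({25, 587, 993})),
    "ws-042.corp.test": SystemPolicy("ws-042.corp.test", "internal", frozenset({22})),
}

# Constructed scan inventory: "hostname port service", one listener per line.
SCAN_INVENTORY = """\
www.example.test 80 http
www.example.test 443 https
www.example.test 21 ftp
mail.example.test 25 smtp
mail.example.test 587 submission
mail.example.test 993 imaps
mail.example.test 23 telnet
ws-042.corp.test 22 ssh
ws-042.corp.test 3389 rdp
db-01.corp.test 5432 postgresql
"""


def parse_inventory(text: str) -> dict[str, dict[int, str]]:
    """Return {hostname: {port: service}} from the inventory text."""
    observed: dict[str, dict[int, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, service = line.split()
        observed.setdefault(host, {})[int(port)] = service
    return observed


def audit(observed: dict[str, dict[int, str]],
          policies: dict[str, SystemPolicy]) -> list[Finding]:
    """Compare observed listeners with the documented policy for each host.

    Flags hosts with no documented requirements, legacy protocols on any host,
    and services outside the allowed list. Internet-facing systems are rated
    higher than internal ones, matching the lesson's risk ordering.
    """
    findings: list[Finding] = []
    for host, ports in observed.items():
        policy = policies.get(host)
        if policy is None:
            findings.append(Finding(host, 0, "high",
                                    "no documented security requirements"))
            continue
        for port, service in ports.items():
            if port in LEGACY_PROTOCOLS:
                proto, replacement = LEGACY_PROTOCOLS[port]
                findings.append(Finding(host, port, "high",
                                        f"legacy {proto} exposed; use {replacement}"))
            elif port not in policy.allowed_ports:
                severity = "high" if policy.exposure == "internet" else "medium"
                findings.append(Finding(host, port, severity,
                                        f"{service} not in documented allowed services"))
    # Highest severity first, then by host and port for stable reporting.
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.hostname, f.port))
    return findings


if __name__ == "__main__":
    for f in audit(parse_inventory(SCAN_INVENTORY), POLICIES):
        print(f"[{f.severity:6}] {f.hostname}:{f.port} {f.message}")
```

Run against the constructed inventory, the audit reports the FTP and TELNET listeners on the two Internet-facing hosts, the undocumented database server, and RDP on the workstation, in that priority order; in practice the inventory would come from a scan of your own systems and the policy records from the documentation step above.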

5. Publish and Communicate the Policy

Distribute relevant sections of your security policy to employees and stakeholders. Use internal documentation portals or training modules to reinforce awareness. Each policy revision should be version-controlled and signed off by management to maintain authority and traceability.

Summary

Developing a well-structured security policy requires understanding risk, defining clear access levels, documenting system protections, and communicating expectations organization-wide. The result is a living document that aligns business goals with secure, compliant operations.

Planning Security Policy - Exercise

Click the Exercise link below to locate more information on developing a security policy.
