Security policies form the foundation of a security infrastructure. An information security policy defines the fundamental security needs and the rules to be implemented in order to protect and secure an organization's information systems. With such a policy in place, it is possible to protect the company from lawsuits, lost revenue, and bad publicity, not to mention the underlying security attacks themselves.
A security policy is a high-level document or set of documents that describes, in detail, the security controls to implement in order to protect the company. It preserves the confidentiality, integrity, and availability of information and the value of the organization's assets.
A security policy also protects the company from threats such as unauthorized access, theft, fraud, vandalism, fire, natural disasters, technical failures, and accidental damage. Additionally, it protects against cyber-attacks, malicious threats, international criminal activity, foreign intelligence activities, and terrorism.
Policies are not technology specific and accomplish three things:
• They reduce or eliminate the legal liability of employees and third parties.
• They protect confidential and proprietary data from theft, misuse, unauthorized disclosure, or modification.
• They prevent waste of the company's computing resources.
All security policies should be documented properly and should cover the security of every department in the company. Management should identify the areas in which security matters most and prioritize its actions accordingly, but it is important to look into every department for possible security breaches and for ways to safeguard against them.
The following information security systems in a company may need particular attention in terms of security:
• Encryption mechanisms
• Access control devices
• Authentication systems
• Firewalls
• Antivirus systems
• Web sites
• Gateways
• Routers and switches
There are two types of security policies: technical security policies and administrative security policies. Technical security policies describe how the technology is configured for convenient and safe use; administrative security policies address how all persons should behave. All employees should agree to and sign both kinds of policy.
In a company, high-level management is responsible for the implementation of the organization's security policies. High-level officers involved in implementing the policies include the following:
– Director of Information Security
– Chief Security Officer
The following are the goals of security policies:
• To maintain an outline for the management and administration of network security
• To protect an organization's computing resources
• To eliminate legal liabilities arising from employees or third parties
• To prevent waste of the company's computing resources
• To prevent unauthorized modification of data
• To reduce the risks caused by illegal use of system resources
• To differentiate users' access rights
• To protect confidential and proprietary data from theft, misuse, and unauthorized disclosure
Types of Security Policies
A security policy is a document that contains information about the way the company plans to protect its information assets from known and unknown threats. These policies help to maintain the confidentiality, availability, and integrity of data. The four major types of security policy are as follows:
Promiscuous Policy: This policy does not impose any restrictions on the usage of system resources. For example, with a promiscuous Internet policy there is no restriction on Internet access: a user can visit any website, download any application, and access a computer or the network from a remote location. While this can be convenient in businesses where people who travel or work in branch offices need to reach the organizational network, many malware, virus, and Trojan threats are present on the Internet, and with unrestricted access such malware can arrive as attachments without the user's knowledge. Network administrators should be very careful when choosing this kind of policy.
Permissive Policy: The policy begins wide open, and only known dangerous services, attacks, or behaviors are blocked. For example, under a permissive Internet policy the bulk of Internet traffic is accepted, but several known dangerous services and attacks are blocked. Because only known attacks and exploits are blocked, administrators cannot keep up with current exploits; they are perpetually playing catch-up with new attacks and exploits. This policy must be updated often to remain effective.
Prudent Policy: A prudent policy starts with all services blocked. The administrator enables safe and necessary services individually. It logs everything, such as system and network activity. It provides maximum security while permitting only known but necessary risks.
Paranoid Policy: A paranoid policy forbids everything. There is a strict restriction on all use of company computers, whether system usage or network usage. There is either no Internet connection or severely restricted Internet usage. Because of these overly severe restrictions, users often try to find ways around them.
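The practical difference between the four stances is the default action (allow or deny) and whether the rule list is a blocklist or an allowlist. The following added example, which is not part of the original article, models each stance as an ordered firewall rule set and runs the same constructed traffic through all four; the service names, ports, addresses and the "unclassified" port 4444 are made-up sample data. It shows why the permissive stance lets a service nobody has classified yet straight through while the prudent stance does not, and why only the prudent stance produces a complete log.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One inbound connection attempt (constructed sample data)."""
    src: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    port: int
    proto: str
    action: str  # "allow" or "deny"


@dataclass
class Policy:
    name: str
    default: str                    # action taken when no rule matches
    rules: tuple[Rule, ...] = ()
    log_all: bool = False           # prudent stance: log every decision, not only denies
    log: list[str] = field(default_factory=list)

    def evaluate(self, flow: Flow) -> str:
        # First matching rule wins; otherwise the stance's default applies.
        decision = next((r.action for r in self.rules
                         if r.port == flow.dst_port and r.proto == flow.proto),
                        self.default)
        if self.log_all or decision == "deny":
            self.log.append(f"{self.name}: {decision} {flow.proto}/{flow.dst_port} from {flow.src}")
        return decision


def build_policies() -> dict[str, Policy]:
    # Blocklist of services assumed to be "known dangerous" for this illustration.
    known_bad = (Rule(23, "tcp", "deny"), Rule(445, "tcp", "deny"))
    # Allowlist of services assumed to be "known but necessary".
    needed = (Rule(443, "tcp", "allow"), Rule(22, "tcp", "allow"))
    return {
        "promiscuous": Policy("promiscuous", default="allow"),
        "permissive":  Policy("permissive",  default="allow", rules=known_bad),
        "prudent":     Policy("prudent",     default="deny",  rules=needed, log_all=True),
        "paranoid":    Policy("paranoid",    default="deny"),
    }


# Constructed traffic; port 4444 stands for a service no administrator has classified yet.
SAMPLE_TRAFFIC = (
    Flow("10.0.0.5", 443),
    Flow("10.0.0.5", 22),
    Flow("198.51.100.7", 23),
    Flow("198.51.100.7", 445),
    Flow("203.0.113.9", 4444),
)


def run_all(traffic: tuple[Flow, ...] = SAMPLE_TRAFFIC) -> dict[str, dict]:
    """Return, per stance, the verdict for each destination port and the log it produced."""
    results = {}
    for name, policy in build_policies().items():
        verdicts = {f.dst_port: policy.evaluate(f) for f in traffic}
        results[name] = {"verdicts": verdicts, "log": list(policy.log)}
    return results


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:12s} {result['verdicts']}  ({len(result['log'])} log lines)")
```

Running the block prints one line per stance. The unclassified port 4444 is allowed by both default-allow stances and denied by both default-deny stances; only the prudent stance records all five decisions, which is what makes its logs usable for review.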
Examples of Security Policies
Given below are examples of security policies that organizations use worldwide to secure their assets and vital resources.
Access-Control Policy: An access-control policy outlines the procedures that help protect organizational resources and the rules that govern access to them. It allows organizations to track their assets.
Remote-Access Policy: A remote-access policy contains a set of rules that define authorized connections. It defines who may have remote access, the access medium, and the remote-access security controls. This policy is critical in larger organizations whose networks are geographically spread out, and in those whose employees work from home.
Firewall-Management Policy: A firewall-management policy defines a standard for handling application traffic, such as web or e-mail. This policy describes how to manage, monitor, protect, and update the firewalls in the organization. It identifies network applications and the vulnerabilities associated with them, and creates an application-traffic matrix showing the protection strategy for each.
Network-Connection Policy: A network-connection policy defines the set of rules for secure network connectivity, including standards for configuring and extending any part of the network, policies related to private networks, and detailed information about the devices attached to the network. It protects against unauthorized and unprotected connections that would allow attackers to enter the organization's network and compromise data integrity and system integrity. It permits only authorized persons and devices to connect to the network and defines who may install new resources on the network, approve the installation of new devices, document network changes, and so on.