A security policy should be concise and easy to understand so that everyone can follow the guidance set forth in it. In its basic form, a security policy is a document that describes an organization’s security requirements. A security policy specifies what should be done, not how; nor does it specify technologies or specific solutions. For an application development company, the security policy defines a specific set of intentions and conditions that will help protect the organization’s assets and its ability to conduct business. It is important to plan an approach to policy development that is consistent, repeatable, and straightforward.
A top-down approach to security policy development provides the security practitioner with a roadmap for successful, consistent policy production. The policy developer must take the time to understand the organization’s regulatory landscape, business objectives, and risk management concerns, including the corporation’s general policy statements. As a precursor to policy development, a requirements mapping effort may be needed in order to incorporate industry-specific regulation. Chapter 3 covered several of the regulations and best practice frameworks that security policy developers may need to incorporate into their policies.
A security policy lays down specific expectations for management, technical staff, and employees. A clear and well-documented security policy will determine what action an application development company takes when a security violation is encountered. In the absence of clear policy, organizations put themselves at risk and often flounder in responding to a violation.
- For Managers, a security policy identifies the expectations of senior management about roles, responsibilities, and actions that should be taken by management with regard to security controls.
- For Technical Staff, a security policy clarifies which security controls should be used on the network, in the physical facilities, and on computer systems.
- For All Employees, a security policy describes how they should conduct themselves when using the computer systems, e-mail, phones, and voice mail.
A security policy is effectively a contract between the business and the users of its information systems. A common approach to ensuring that all parties are aware of the organization’s security policy is to require employees to sign an acknowledgement document. Human Resources should keep a copy of the security policy documentation on file in a place where every employee can easily find it.
Security Policy Development:
When a software development company develops a security policy for the first time, one useful approach is to focus on the why, who, where, and what during the policy development process:
- Why should the policy address these particular concerns? (Purpose)
- Who should the policy address? (Responsibilities)
- Where should the policy be applied? (Scope)
- What should the policy contain? (Content)
Phased Approach:
If you approach security policy development in the following phases, the work will be more manageable:
1. Requirements gathering
   - Regulatory requirements (industry specific)
   - Advisory requirements (best practices)
   - Informative requirements (organization specific)
2. Project definition and proposal based on requirements
3. Policy development
4. Review and approval
5. Publication and distribution
6. Ongoing maintenance (and revision)
After the security policy is approved, standards and procedures must be developed in order to ensure a smooth implementation. This will require the policy developer in a software development company to work closely with the technical staff to develop standards and procedures relating to computers, applications, and networks.
Article Summary:
A security policy is the essential foundation for an effective and comprehensive security program. A good security policy should be a high-level, brief, formalized statement of the security practices that management expects employees and other stakeholders to follow.