SlideShare a Scribd company logo

Importance Of A Security Policy

Download as PPTX, PDF
C
charlesgarrett
1 of 14
IMPORTANCE OF A SECURITY POLICY Charles Garrett
WHAT IS A SECURITY POLICY?  A formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for information security.  Policies exhibit the following attributes: 1. Require compliance 2. What are the consequences of not following policies? 3. Identifies what is desired now how it will be implemented. 4. Desired results are derived from standards and guidelines.
5 STEPS TO A SECURITY POLICY Identify Issues Conduct Analysis Draft Language Legal Review Policy Deployment
NEED FOR A SECURITY POLICY?  Protects organization through proactive policy stance.  Establishes the rules for user behavior and any other IT personnel.  Define and authorize consequences of violation.  Establish baseline stance on security to minimize risk for the organization.  Ensure proper compliance with regulations and legislation.
SECURITY POLICY BENEFITS  Minimizes risk of data leak or loss.  Protects the organization from “malicious” external and internal users.  Sets guidelines, best practices of use, and ensures proper compliance.  Announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.  Promotes proactive stance for the organization when legal issues arise.
WHO USES A SECURITY POLICY?  Administration  Club Staff  Computer Users
POLICY DOCUMENT OUTLINE  Introduction  Purpose  Scope  Roles and Responsibilities  Sanctions and Violations  Revisions and Updating Schedule  Contact Information  Definitions/Glossary/Acronyms
COMPONENTS OF SECURITY POLICY Governing Policy Technical Policy Guidelines/Job Aids/Procedures
GOVERNING POLICY  Discusses high level information security concepts.  Defines what these information security concepts are, their importance, and the organizational stance on these security concepts.  Read by management and end users.  Aligns with other company policies.  Supports the rest of the components of the security policy.
TECHNICAL POLICIES  Covers some of the topics within the Governing Policy.  Technical policies are used for more specific technical topics.  Types of policies include: Operating Systems, Application, Network, and Mobile Devices.
JOB AIDS AND GUIDELINES  Job aids are documentation that outline step by step on how to implement a specific security measure. This serves as a backup if a staff member leaves and ensures security is still maintained.  An example of this is how to properly install DeepFreeze on a PC or how secure passwords will be constructed.  Both guidelines and job aides help to maintain security of the organization and help to explain how policies.
SECURITY POLICY TOPICS Physical Security Acceptable Use Privacy Account Management Security Training Admin/Special Access Software Licensing Change Management Virus Protection Incident Management Password
POLICY DEVELOPMENT PROCESS  Start small and then build upon the policy overtime with revisions.  Develop a set of policies that are critical and build the framework of the security policy.  Delicately balance the development of the policy with the bottom-up and top- down approach.  Work to develop a policy that balances between both current practices and what practices the organization would like to see in the future.  Most Importantly, make sure to develop the policy so that it provides mechanisms to protect the organization against the multiple types of threats.
RESOURCES  Diver, S. Information security policy – a development guide for large and small companies http://www.sans.org/reading_room/whitepapers/policyissues/infor mation-security-policy-development-guide-large-small- companies_1331

Recommended

Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture NotesFellowBuddy.com
 
Security policy
Security policySecurity policy
Security policyDhani Ahmad
 
Ethics in IT Security
Ethics in IT SecurityEthics in IT Security
Ethics in IT Securitymtvvvv
 
System Security Plans 101
System Security Plans 101System Security Plans 101
System Security Plans 101Donald E. Hester
 
Information security
Information security Information security
Information security razendar79
 
Security policies
Security policiesSecurity policies
Security policiesNishant Pahad
 
Data Privacy and Protection Presentation
Data Privacy and Protection PresentationData Privacy and Protection Presentation
Data Privacy and Protection Presentationmlw32785
 
Chapter 11 laws and ethic information security
Chapter 11 laws and ethic information securityChapter 11 laws and ethic information security
Chapter 11 laws and ethic information securitySyaiful Ahdan
 

Recommended

Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture NotesFellowBuddy.com
 
Security policy
Security policySecurity policy
Security policyDhani Ahmad
 
Ethics in IT Security
Ethics in IT SecurityEthics in IT Security
Ethics in IT Securitymtvvvv
 
System Security Plans 101
System Security Plans 101System Security Plans 101
System Security Plans 101Donald E. Hester
 
Information security
Information security Information security
Information security razendar79
 
Security policies
Security policiesSecurity policies
Security policiesNishant Pahad
 
Data Privacy and Protection Presentation
Data Privacy and Protection PresentationData Privacy and Protection Presentation
Data Privacy and Protection Presentationmlw32785
 
Chapter 11 laws and ethic information security
Chapter 11 laws and ethic information securityChapter 11 laws and ethic information security
Chapter 11 laws and ethic information securitySyaiful Ahdan
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Human resources security
Human resources securityHuman resources security
Human resources securityCAS
 
Information security
Information securityInformation security
Information securityavinashbalakrishnan2
 
Ethics in-information-security
Ethics in-information-securityEthics in-information-security
Ethics in-information-securityMilinda Wickramasinghe
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principlesDivya Tiwari
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Data Security - English
Data Security - EnglishData Security - English
Data Security - EnglishData Security
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network securityAPNIC
 
Network security
Network securityNetwork security
Network securityGichelle Amon
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2MLG College of Learning, Inc
 
IT Policy
IT PolicyIT Policy
IT PolicySensewareInfomedia
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0DallasHaselhorst
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Securitychauhankapil
 
Information Security
Information SecurityInformation Security
Information SecurityDhilsath Fathima
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Securitysappingtonkr
 
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Bonagiri Rajitha
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aMaximaSheffield592
 

More Related Content

What's hot

Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
Human resources security
Human resources securityHuman resources security
Human resources securityCAS
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principlesDivya Tiwari
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Data Security - English
Data Security - EnglishData Security - English
Data Security - EnglishData Security
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network securityAPNIC
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2MLG College of Learning, Inc
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0DallasHaselhorst
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Securitychauhankapil
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Securitysappingtonkr
 

What's hot (20)

Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
Information security
Information securityInformation security
Information security
 
Human resources security
Human resources securityHuman resources security
Human resources security
 
Information security
Information securityInformation security
Information security
 
Ethics in-information-security
Ethics in-information-securityEthics in-information-security
Ethics in-information-security
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
 
Information security management
Information security managementInformation security management
Information security management
 
Data Security - English
Data Security - EnglishData Security - English
Data Security - English
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network security
 
Network security
Network securityNetwork security
Network security
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2
 
IT Policy
IT PolicyIT Policy
IT Policy
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0Cybersecurity Awareness Training Presentation v1.0
Cybersecurity Awareness Training Presentation v1.0
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
 
Information Security
Information SecurityInformation Security
Information Security
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security
 

Similar to Importance Of A Security Policy

Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Bonagiri Rajitha
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aMaximaSheffield592
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfalokkesh
 
unit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxunit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxManushiKhatri
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docxdurantheseldine
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...IT-Toolkits.org
 
Chapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfChapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfkimangeloullero
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsFundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsIT-Toolkits.org
 
Information security policy how to writing
Information security policy how to writingInformation security policy how to writing
Information security policy how to writingPasangdolmoTamang
 
Challenges in implementing effective data security practices
Challenges in implementing effective data security practicesChallenges in implementing effective data security practices
Challenges in implementing effective data security practiceswacasr
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxamit657720
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxmccormicknadine86
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxInfosectrain3
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standardsManish Chaurasia
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 

Similar to Importance Of A Security Policy (20)

Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
Importanceofasecuritypolicy 13281642117262-phpapp01-120202003227-phpapp01 (1)
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aCHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
 
unit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxunit 3 security plans and policies.pptx
unit 3 security plans and policies.pptx
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdf
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management it-tool...
 
develop security policy
develop security policydevelop security policy
develop security policy
 
Chapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdfChapter 1-3 - Information Assurance Basics.pptx.pdf
Chapter 1-3 - Information Assurance Basics.pptx.pdf
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Fundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkitsFundamentals of data security policy in i.t. management it-toolkits
Fundamentals of data security policy in i.t. management it-toolkits
 
Information security policy how to writing
Information security policy how to writingInformation security policy how to writing
Information security policy how to writing
 
Challenges in implementing effective data security practices
Challenges in implementing effective data security practicesChallenges in implementing effective data security practices
Challenges in implementing effective data security practices
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docx
 
Operationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docxOperationaland Organizational SecurityChapter 3Princ.docx
Operationaland Organizational SecurityChapter 3Princ.docx
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standards
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Whitman_Ch04.pptx
Whitman_Ch04.pptxWhitman_Ch04.pptx
Whitman_Ch04.pptx
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 

Importance Of A Security Policy

  • 2. WHAT IS A SECURITY POLICY?  A formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for information security.  Policies exhibit the following attributes: 1. Require compliance 2. What are the consequences of not following policies? 3. Identifies what is desired now how it will be implemented. 4. Desired results are derived from standards and guidelines.
  • 3. 5 STEPS TO A SECURITY POLICY Identify Issues Conduct Analysis Draft Language Legal Review Policy Deployment
  • 4. NEED FOR A SECURITY POLICY?  Protects organization through proactive policy stance.  Establishes the rules for user behavior and any other IT personnel.  Define and authorize consequences of violation.  Establish baseline stance on security to minimize risk for the organization.  Ensure proper compliance with regulations and legislation.
  • 5. SECURITY POLICY BENEFITS  Minimizes risk of data leak or loss.  Protects the organization from “malicious” external and internal users.  Sets guidelines, best practices of use, and ensures proper compliance.  Announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.  Promotes proactive stance for the organization when legal issues arise.
  • 6. WHO USES A SECURITY POLICY?  Administration  Club Staff  Computer Users
  • 7. POLICY DOCUMENT OUTLINE  Introduction  Purpose  Scope  Roles and Responsibilities  Sanctions and Violations  Revisions and Updating Schedule  Contact Information  Definitions/Glossary/Acronyms
  • 8. COMPONENTS OF SECURITY POLICY Governing Policy Technical Policy Guidelines/Job Aids/Procedures
  • 9. GOVERNING POLICY  Discusses high level information security concepts.  Defines what these information security concepts are, their importance, and the organizational stance on these security concepts.  Read by management and end users.  Aligns with other company policies.  Supports the rest of the components of the security policy.
  • 10. TECHNICAL POLICIES  Covers some of the topics within the Governing Policy.  Technical policies are used for more specific technical topics.  Types of policies include: Operating Systems, Application, Network, and Mobile Devices.
  • 11. JOB AIDS AND GUIDELINES  Job aids are documentation that outline step by step on how to implement a specific security measure. This serves as a backup if a staff member leaves and ensures security is still maintained.  An example of this is how to properly install DeepFreeze on a PC or how secure passwords will be constructed.  Both guidelines and job aides help to maintain security of the organization and help to explain how policies.
  • 12. SECURITY POLICY TOPICS Physical Security Acceptable Use Privacy Account Management Security Training Admin/Special Access Software Licensing Change Management Virus Protection Incident Management Password
  • 13. POLICY DEVELOPMENT PROCESS  Start small and then build upon the policy overtime with revisions.  Develop a set of policies that are critical and build the framework of the security policy.  Delicately balance the development of the policy with the bottom-up and top- down approach.  Work to develop a policy that balances between both current practices and what practices the organization would like to see in the future.  Most Importantly, make sure to develop the policy so that it provides mechanisms to protect the organization against the multiple types of threats.
  • 14. RESOURCES  Diver, S. Information security policy – a development guide for large and small companies http://www.sans.org/reading_room/whitepapers/policyissues/infor mation-security-policy-development-guide-large-small- companies_1331