Developing a Security Policy
A security policy is the essential basis on which an effective and comprehensive security program can be developed. This critical component of the overall security architecture, however, is often overlooked. A security policy is the primary way in which management's expectations for security are translated into specific, measurable, and testable goals and objectives. It is crucial to take a top down approach based on a well-stated policy in order to develop an effective security architecture. Conversely, if there isn't a security policy defining and communicating those decisions, then they will be made by the individuals building, installing, and maintaining computer systems; and this will result in a disparate and less than optimal security architecture being implemented.
This article discusses the importance of security policies for organizations that plan to use electronic commerce on the Internet; for government organizations that want to automate forms processing; and for any entity that may have external exposure of data processing environments. These organizations need some form of security architecture. This article also describes the basic steps through which security policies are developed and includes a set of recommended policy components.
In addition, this article is accompanied by a Data Security Policy - Structure and Guidelines template that was built on the recommendations made in this article. The template provides commentary; specific recommendations on all of the security topics chosen for the policy; and a detailed list of security policy principles. The template is available from:
The objectives of this article are to:
Provide an overview of the necessity and criticality of security policies.
Recommend a set of security policy principles that capture management's primary security objectives.
Describe the basic characteristics of security policies.
Describe a process for developing security policies.
The definition of security principles is an important first step in security policy development as they dictate the specific type and nature of security policies most applicable to one's environment. Security principles are used to define a foundation upon which security policies can be further defined. Organizations should evaluate and review these security principles before and after the development and elaboration of security policies. This will ensure that management's expectations for security and fundamental business requirements are satisfied during the development and management of the security policies.
The security policies developed must establish a consistent notion of what is and what is not permitted with respect to control of access to your data and processing resources. They must respond to the business, technical, legal, and regulatory environment in which your organization operates.
The principles here are based upon the following goals:
Ensure the availability of data and processing resources.
Provide assurance for the confidentiality and integrity of customer data and allow for the compartmentalization of risk for customers and your organization.
Ensure the integrity of data processing operations and protect them from unauthorized use.
Ensure the confidentiality of the customer's and your processed data, and prevent unauthorized disclosure or use.
Ensure the integrity of the customer's and your processed data, and prevent the unauthorized and undetected modification, substitution, insertion, and deletion of that data.