This article has discussed the most important, and often least understood, aspect of security: the security policy. A security policy establishes the expectations of the customer or user, including what their requirements are for confidentiality, integrity, and appropriate management of their data, and the conditions under which they can trust that their expectations are met.
A security policy does not, in itself, establish the requirements of a customer on specific information systems. It is instead the bridge between the customer's expectations and the stated requirements that can be applied to develop an information system.
A security policy should clearly state the customer's expectations, and should be based on an evaluation of the risk to a customer should the customer's expectations not be met. This risk-based evaluation helps avoid an infeasible, intractable, or excessively restrictive security policy.
To ensure that the policy correctly describes the expectations of all stakeholders, this article is accompanied by a template available from the Sun BluePrints Web site (http://sun.com/blueprints/tools/samp_sec_pol.pdf), which describes an outline business process for developing a security policy.
Additionally, to simplify the statement of a complete and effective security policy, the template accompanying this article also includes an outline of the necessary components of a security policy, and discusses the appropriate contents for each component. If applied with care and thought, this template should allow a well-documented security policy to be developed.
The security policy is the foundation on which effective security is built. As with any foundation, it must be well designed and well constructed; it can then be trusted to support the customer's needs effectively and enduringly.