Computer Security Policy Requirements

Security policies are an excellent way to complement the hardware and software security measures of your organization. Security policies can determine the method that both hardware and software are used. The policies will enable everyone in the organization to be on the same track.

Every organization should have a stated security policy. It should be carefully written and checked by an attorney to be sure it does not create unnecessary liability.

Requirements of the Policy

The policy must be consistant to be effective. There must be similar levels of security in multiple areas such as physical security, remote access, internal password policy policies, and other policies.
The policy statement should be assessable.
Issues should be clearly defined and when they apply to the policy. Define services affected such as email.
Clearly define goals of the policy.
Staff and management must find the policy acceptable. This is why it is important to justify each policy.
Define roles of the staff with respect to the policies and security issues.
The policy must be enforceable from the network and system controls. Policies must be set on servers to be sure domain passwords are reasonably complex, not repeated, changed periodically, etc.
Define consequences of security policy violation.
Define expected privacy for users.
Provide contact information for those interested in more information about the policy.

Policy Definitions

Policies may define procedures to be used or limitations to what can and can not be done in the organization. Items that policies should define may include:

Why the policy exists or why a procedure is done and what it is.
Who enforces the policy or performs the procedure and why.
Where is the policy effective or where is the procedure done.
When is the policy in effect or when is the procedure used.

The where and the when items define the policy scope.

Policy Wording Suggestions

If security policy is worded incorrectly, it can be ineffective or become a source of trouble. Be careful not to imply guarantees over items you cannot fully control. For example, you cannot guarantee that employees will be unable to view pornographic web sites from their workplace. It may also be worth considering a disclaimer to the policy indicating that the policy is not created to guarantee safety or circumvent accidental exposure of employees to objectional material, but the policy is intended to protect the organizational network from abuses from within and without. It should be noted that the policy cannot guarantee that abuses cannot occur.

It is worth making policy abuse statements at logon screens to indicate that anyone logging on to a particular machine or domain who is not authorized may be prosecuted. This wording should be done in a legal manner and those who create the policies should consider consulting with their attorneys about the proper wording of these statements.

Access Control Policy

An access control policy can be part ot the security policy document, or it may be separate. Access control policy will define how access to the network is allowed and how it can be done. It should also define how access to external resources such as the internet should be done. This access policy should define how access to other business resources (places that your organization may regularly do business with or exchange data with) is done. For example, this access may be done over the internet using some form of Virtual Private Networking (VPN), or it may be done by modem. In any case, it should be covered in the policy to be sure these external accesses, whether incoming or outgoing are secure.

One suggestion for this policy is to forbid employee access from inside the network to the internet through any source other than the firewall. At the least, any access to the internet should be through an approved secure interface.

This policy should state:

Allowed access across the network both inside and outside.
How services are to be routed both in and out, and whether they are accepted in specific directions. Some services of concern include HTTP, FTP, and mail.
Acceptable traffic should be specified and all other traffic should be blocked at the firewall and at other possible locations in the network. Include: