Chapter 10. Introducing Security Policy Concepts

A security policy (or information security policy) is documentation that defines the operating requirements, procedures and constraints that must be adhered to before an organization can be considered secure. A policy also makes it clear to staff what is expected of them and, as adhering to the security policy should be part of the conditions of employment, provides a disciplinary framework should the policy be ignored. However, a well-written and well-executed policy is far more than simply a stick to beat employees with (although many companies, ignorant of basic operational security, consider it to be nothing else). It is a tool that augments the security of an organization at every level:

  • Defines security operating procedures (the steps that must be taken when performing background checks on staff, the minimum length of a password, and so on);

  • Ensures that staff are aware of what is expected of them (in the handling of sensitive information, in not writing down passwords, and so on);

  • Outlines the steps to be followed in the event of a security incident.

You will notice that these purposes overlap; this is both intentional and unavoidable.

This chapter focuses on the aspects one must consider when drafting security policy documentation. Because virtually every aspect of business can be regulated in some way, this chapter concentrates on the most important areas (at least from the perspective of this book) so I'm not going to be paying ...
