Next: Slide 20
Up: Network Security
Previous: Slide 18
Components of a good security policy
- Computer Technology Purchasing Guidelines which specify required, or preferred, security features. These should supplement existing purchasing policies and guidelines.
- A Privacy Policy which defines reasonable expectations of privacy regarding such issues as monitoring of electronic mail, logging of keystrokes, and access to users' files.
- An Access Policy which defines access rights and privileges to protect assets from loss or disclosure by specifying acceptable use guidelines for users, operations staff, and management.
- An Accountability Policy which defines the responsibilities of users, operations staff, and management. It should specify an audit capability, and provide incident handling guidelines (i.e., what to do and who to contact if a possible intrusion is detected).
- An Authentication Policy which establishes trust through an effective password policy, and by setting guidelines for remote location authentication and the use of authentication devices (e.g., one-time passwords and the devices that generate them).
- An Availability statement which sets users' expectations for the availability of resources. It should address redundancy and recovery issues, as well as specify operating hours and maintenance down-time periods. It should also include contact information for reporting system and network failures.
- An Information Technology System & Network Maintenance Policy which describes how both internal and external maintenance people are allowed to handle and access technology.
- A Violations Reporting Policy that indicates which types of violations (e.g., privacy and security, internal and external) must be reported and to whom the reports are made. A non-threatening atmosphere and the possibility of anonymous reporting will result in a greater probability that a violation will be reported if it is detected.
- Supporting Information which provides users, staff, and management with contact information for each type of policy violation; guidelines on how to handle outside queries about a security incident, or information which may be considered confidential or proprietary; and cross-references to security procedures and related information, such as company policies and governmental laws and regulations.
Sridhar Iyer
2001-01-08