Saturday, June 25, 2011

The Root Security Policy

The first document you’ll draft is the “Root Security Policy.” This is also the easiest to write, as it is the framework which points to the other policy documents.
As you draft a Root Security Policy, you will also enumerate the initial list of subordinate policies that you should produce next.

Your list will be specific to your organization, but will probably include the following subordinate policies:

  1. Computer Acceptable Use. A general document covering all computer use by employees and contractors, including desktop, mobile, home PCs, and servers.
  2. Password. A description of the requirements for password protecting computer systems, the rules for choosing passwords, and how the password policy is enforced.
  3. Email. This policy covers the use of email sent from any company email address and received at any company computer system.
  4. Web. A specification of what browsers may be used, how they should be configured, and any restrictions on which sites employees can visit.
  5. Mobile Computing and Portable Storage. A description of who owns the mobile computing and portable storage on your network, how they are supported, and what specific devices (if any) are authorized for use on the company network.
  6. Remote Access. A policy stating who can access what information from which locations under what circumstances.
  7. Internet. A description of your Internet-facing gateway configuration, stating what is allowed in and out, and why.
  8. Wireless. A specification stating how wireless access will be managed on your network; how access points will be plugged in, secured, and maintained; who is allowed to use them; and under what circumstances.
  9. Servers. A statement of the company standards for servers, what services are enabled or disabled by default, and important distinctions between production, test, and development environments.
  10. Incident Response Plan. No policy is complete until it also specifies what to do when defenses fail: what is considered a security incident; who gets called; who is authorized to shut things down if needed; who is responsible for enforcing applicable local laws; who speaks for the company.
