The American Heritage Dictionary defines security policies as a “plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters”. Information that must be kept confidential as a matter of law includes federal records, medical records, student and employment records, attorney-client communications, research records, and records relating to intellectual property.
Confidentiality means that systems allow access only to authorized personnel, protecting private, proprietary and other sensitive information. Under the authentication principle, policies for passwords and for other authentication mechanisms such as biometrics need to be established.
Integrity means protecting the system from unauthorized modification, including data modification, destruction or subversion. All users need to be accountable and responsible when handling sensitive information.
Availability must guarantee that all information and information systems are functional and available to support critical business processing. It establishes the hours of resource availability, system redundancy and recovery, and defines the periods of maintenance downtime.
Security policies have to be applied to different areas of security to protect all sensitive data:
- Operational Security includes environmental controls, power equipment and operational activities.
- Procedural Security gives guidelines to information technology staff, business partners, employees, management, and individual users.
- Physical Security needs to ensure that the IT personnel and equipment are prepared to handle all security issues under standard conditions as well as in threat situations.
- Computer System/Applications Security and Network Security define security requirements of central and peripheral operating systems, data, communications equipment, transmission paths and network protection software.
Today, questions around physical and internet security are the biggest concerns of risk management. Proper risk management starts with best practices for creating secure password policies, virus protection, software installation policies, removable-media use policies, and rules for encryption, system backups and maintenance, and continues with incident handling and report creation. Internet threat prevention defines the rules for web browsing, the use of email and instant messaging software, and safe downloading.
Creating a security policy requires innovation and refinement when defining the rules. A final version of the security policy must be available for educating all personnel on each of the core elements of security policy rules and requirements. Each security policy, however, is never really finished, but needs constant updates as technology and staff requirements change.