Security Policy and Procedures

A well-defined Security Policy, and the procedures that follow from it, will ensure the security of your organization. It should cover every area pertaining to security: physical, social, and network/computer. When designing the policy, a risk assessment must be drawn up. Risk is composed of three components: the threat, meaning the likelihood that a vulnerability is exploited; the vulnerability itself, a weakness in any system, whether hardware, processes, methodology, etc.; and the resulting cost if the weakness is exploited.

This document needs to incorporate how the business conducts itself, whether it is a five-person operation or a 25,000-person operation. How information and work flow within the organization is critical to the development of the policy. By examining the business processes and methodology, lapses in security are easier to spot (redundancy or duplication of work has also been known to become evident). The commitment of senior-level executives is required to ensure adherence to the policy and that the subsequent procedures are followed. It does not make sense to state that passwords must not be divulged and must be changed every six weeks, only to have an employee write passwords on the bottom of their keyboard and rotate between two passwords. It is also recommended that the policy and procedures be reviewed throughout the year. Businesses and the internet are not static; they are constantly evolving, and your policy and procedures need to reflect those changes.