In a software development company, the security policy is the essential
foundation for an effective and comprehensive security program. A good security
policy should be a high-level, brief, formalized statement of the security
practices that management expects employees and other stakeholders to follow.
A security policy should be concise and easy to understand so that
everyone can follow the guidance set forth in it.
In its basic form, a
security policy is a document that describes an organization’s security
requirements. A security policy specifies what should be done, not how; nor
does it specify technologies or specific solutions. The security policy defines
a specific set of intentions and conditions that will help protect an
organization’s assets and its ability to conduct business. It is important to
plan an approach to policy development that is consistent, repeatable, and
straightforward.
A top-down approach to
security policy development provides the security practitioner with a roadmap
for successful, consistent policy production. The policy developer must take
the time to understand the organization’s regulatory landscape, business
objectives, and risk management concerns, including the corporation’s general
policy statements. As a precursor to policy development, a requirements mapping
effort may be required in order to incorporate industry-specific regulation.
Chapter 3 covered several of the various regulations as well as best practice
frameworks that security policy developers may need to incorporate into their
policies.
A security policy lays
down specific expectations for management, technical staff, and employees in IT companies. A
clear and well-documented security policy will determine what action an
organization takes when a security violation is encountered. In the absence of
clear policy, organizations put themselves at risk and often flounder in
responding to a violation.
For managers, a security
policy identifies the expectations of senior management about roles,
responsibilities, and actions that should be taken by management with regard to
security controls.
For technical staff, a
security policy clarifies which security controls should be used on the
network, in the physical facilities, and on computer systems.
For all employees, a security
policy describes how they should conduct themselves when using the computer
systems, e-mail, phones, and voice mail.
A security policy is
effectively a contract between the business and the users of its information
systems. A common approach to ensuring that all parties are aware of the
organization’s security policy is to require employees to sign an
acknowledgement document. Human Resources should keep a copy of the security
policy documentation on file in a place where every employee can easily find
it.
Security Policy Development
When developing a
security policy for the first time, one useful approach is to focus on the why,
who, where, and what during the policy development process:
1. Why should the policy address these particular concerns? (Purpose)
2. Who should the policy address? (Responsibilities)
3. Where should the policy be applied? (Scope)
4. What should the policy contain? (Content)
Phased Approach
If you
approach security policy development in the following phases, depicted in
Figure 5-1, the work will be more manageable:
1. Requirements gathering
   - Regulatory requirements (industry specific)
   - Advisory requirements (best practices)
   - Informative requirements (organization specific)
2. Project definition and proposal based on requirements
3. Policy development
4. Review and approval
5. Publication and distribution
6. Ongoing maintenance (and revision)
After the security
policy is approved, standards and procedures must be developed in order to
ensure a smooth implementation in software development companies. This will require the policy developer to work
closely with the technical staff to develop standards and procedures relating
to computers, applications, and networks.