What is a security policy? A security policy is an official statement or plan of the organization that includes goals, objectives and eligible actions. The security policy describes how and why a certain action is needed. When implementing security in an information system, the first step is to establish a security policy. This is usually followed by selecting a standard on which to base the security policy, and finally by finding guidelines that will enable efficient management and policy implementation. This includes the following requirements:
· The need to respect the rules that define the security policy.
· Disregarding the rules established by a security policy may result in sanctions or penalties.
· The staff needs to focus on achieving results, not on implementing a security policy.
· Defining a security policy is based on pre-defined standards and guidelines.
Unlike security policies, standards are a set of mandatory procedures or rules that aim to make security policies meaningful and effective, and must include one or more technical descriptions of the components of computers, programs, and their handling.
A security policy is a very important element of information security management.
When the organization does not have all the resources needed to establish a full information security management system, it is recommended to create at least a basic security policy.
Such a policy relates to:
- rules for passwords,
- policy on the use of computers for private purposes,
- rules for computer use outside the organization's physical premises,
- rules for data backup.