Organizational Security Policies

Transcript of Organizational Security Policies

  • 8/11/2019 Organizational Security Policies

    1/19

    Organizational Security Policies

    PRESENTED BY: ARTI DEEPAK SHINDE

    MSC. CS-II ROLL NO. 13521

    Organizational Security Policies

    Who can access which resources in what manner?

    This can be described as:

    Who should be allowed access?

    To which system and organizational resources should access be allowed?

    What types of access should each user be allowed for each resource?

    Organizational Security Policies

    Security policy: A high-level management document to inform users of the objectives and constraints on using a system.

    The purpose of using the policy document:

    Recognising sensitive information assets

    Clarifying security responsibilities

    Promoting awareness for existing staff

    Giving guidelines to new employees.

    Qu. Define security policy.

    Organizational Security Policies

    A security policy must address the following:

    The audience: who can access?

    Contents: which resources?

    Characteristics of a good security policy: in what way?

    Audience

    The audience can be classified into four groups:

    Users

    Owners

    Beneficiaries (e.g. customers, clients)

    Balance Among All Parties

    Each audience uses the security policy in important but different ways.

    For each group, the policy defines the degree of confidentiality, integrity, and continuous availability in the computing resources provided to them.

    Audience

    Beneficiaries: A business has paying customers or clients; they are beneficiaries of the products and services offered by that business. At the same time, the general public may benefit in several ways:

    as a source of employment or by provision of infrastructure.

    Balance Among All Parties: A security policy must relate to the needs of users, owners, and beneficiaries.

    Unfortunately, the needs of these groups may conflict. A beneficiary might require immediate access to data, but owners or users might not want to bear the expense or inconvenience of providing access at all hours.

    Security Policies: Contents

    Purpose: The policy should state the purpose of the organization's security functions, reflecting the requirements of beneficiaries, users and owners.

    o There are typically three to five goals, such as:

    Promote efficient business operation.

    Facilitate sharing of information throughout the organization.

    Safeguard business and personal information.

    Ensure that accurate information is available to support business processes.

    Ensure a safe and productive place to work.

    Comply with applicable laws and regulations.

    Security Policies: Contents

    Protected Resources: The risk analysis identified the assets (resources) that are to be protected.

    These assets should be listed in the policy document:

    The resources can be computers, networks, general data, management data,

    Nature of the Protection: The policy should also indicate

    who should have access to the protected resources,

    how that access will be ensured, and

    how unauthorised people will be denied access.

    Characteristics of a Good security policy

    A good security policy should have the following characteristics:

    Coverage: Comprehensive and general

    Durability: Survive the system's growth and expansion

    Realism: Feasible to implement

    Usefulness: The policy should be concise, clear, and direct.

    Qu. What are the characteristics of a good security policy?

    Characteristics of a Good security policy

    Coverage: A security policy must be comprehensive: it must either apply to or explicitly exclude all possible situations.

    Durability: A security policy must grow and adapt well. In large measure, it will survive the system's growth and expansion without change. If written in a flexible way, the existing policy will be applicable to new situations. However, there are times when the policy must change, so the policy must be changeable when it needs to be. An important key to durability is keeping the policy free from ties to specific data or protection mechanisms that almost certainly will change.

    Characteristics of a Good security policy

    Realism: The policy must be realistic. That is, it must be possible to implement the stated security requirements with existing technology. Moreover, the implementation must be beneficial in terms of time, cost and convenience; the policy should not recommend a control that works but prevents the system or its users from performing their activities and functions.

    Usefulness: An obscure or incomplete security policy will not be implemented properly, if at all. The policy must be written in language that can be read, understood, and followed by anyone who must implement it or is affected by it.

    Nature of security policies

    To understand the nature of security policies, we study an example.

    Data Sensitivity Policy: Our first example is from an organization that decided to classify all its data resources into four levels, based on how severe the effect might be if a resource were damaged.

    These levels are listed below.

    Example: Defined Levels of Data Sensitivity.

    Name: Sensitive

    Description: could damage competitive advantage.

    Examples:

    Audit reports

    Operating plans

    -----------------------------------------------------------------------

    Name: Personal or protected

    Description: could reveal personal, private, or protected information.

    Examples:

    Personal data: employees' salaries or performance reviews

    Private data: employee lists

    Protected data: data obligated to protect, such as those obtained under a nondisclosure agreement

    Example: Defined Levels of Data Sensitivity.

    Name: Company confidential

    Description: could damage company's public image.

    Examples:

    Audit reports

    Operating plans

    -----------------------------------------------------------------------

    Name: Open

    Description: No harm.

    Examples:

    Press releases

    White paper

    Marketing materials

    Conclusion

    An organizational security policy is a document that specifies the organization's goals regarding security.

    It lists policy elements that are statements of actions that must or must not be taken to preserve those goals.

    Policy documents often lead to implementation procedures.

    Also, user education and awareness activities ensure that users are aware of policy restrictions.
