
Security policy design

Information Security Policy design
Strategic Planning
Schools of strategy
Strategy development
Integrated technology strategy
From goals to an integrated strategy, balancing strategic imperatives
Information security theories
Integrating Risk management and susceptibility mapping
Policy framework
Addressing external-insider risks
Top-down policy process
Data-centric Security Approach
Modular Policy approach
Example modules (via SANS)
  Acceptable Encryption Policy
  Anti-virus Guidelines
  Clean Desk Policy
  Disaster Recovery Plan Policy
  Email Policy
  End-user Encryption-key Protection Policy
  Ethics Policy
  Internet-usage Policy
  Password-construction Policy
  Remote-access Policy
  Removable-media Policy
  Risk-assessment Policy
  Router and Switch security Policy
  Security Response Policy
  Social-engineering Awareness Policy
  Server-audit Policy
  Web-application Security Policy
Acceptable Use Policy
  1. Overview
  2. Purpose
  3. Scope
  4. Policy
    4.1 General Use and Ownership
      4.1.1 Proprietary information
      4.1.2 Responsibility
    4.2 Security and Proprietary Information
    4.3 Unacceptable Use
      4.3.2 Email and Communications
  5. Policy Compliance
  6. Related Standards, Policies and Processes
  7. Definitions and Terms
  8. Revision History
Document control
  Revision history


Information Security Policy design


Figure 1. Drivers influencing Information Security policies, processes and practices

Strategic Planning


Figure 2. Strategic planning reflected in policies; strategy and policy sometimes used interchangeably

Schools of strategy


Figure 3. Strategic planning views unfold into several schools of strategy

Strategy development


Figure 4. Strategic development

Integrated technology strategy


Figure 5. Gaston's approach

From goals to an integrated strategy, balancing strategic imperatives


Figure 6. Gaston's approach

Information security theories


Figure 7. Hong et al. (2003): Pick and combine theories to produce an integrated strategy for information security

Integrating Risk management and susceptibility mapping


Figure 8. Adapting risk management/susceptibility mapping into an integrated strategy

Policy framework


Figure 9. Policy Framework for Information Security: broader than a strategy involving policy-based security enforcement, with the aim of learning from existing organisational policy processes to adapt and improve them

Addressing external-insider risks


Figure 10. External-insider risks. Organisation model for alignment through liaison

Top-down policy process


Figure 11. Top-down security-setting process

Data-centric Security Approach



Figure 12. Data-centric architecture

Modular Policy approach



Figure 13. Modular security-setting process

Example modules (via SANS)

Acceptable Encryption Policy

Anti-virus Guidelines

Clean Desk Policy

Disaster Recovery Plan Policy

Email Policy

End-user Encryption-key Protection Policy

Ethics Policy

Internet-usage Policy

Password-construction Policy

Remote-access Policy

Removable-media Policy

Risk-assessment Policy

Router and Switch security Policy

Security Response Policy

Social-engineering Awareness Policy

Server-audit Policy

Web-application Security Policy

Acceptable Use Policy[1]

1. Overview

Infosec’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to the firm’s established culture of openness, trust and integrity. Infosec is committed to protecting the firm's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of the firm. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details.

It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2. Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at the firm. These rules are in place to protect the employee and the firm. Inappropriate use exposes the firm to risks including virus attacks, compromise of network systems and services, and legal issues.

3. Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct the firm's business or interact with internal networks and business systems, whether owned or leased by the firm, the employee, or a third party.

All employees, contractors, consultants, temporary, and other workers at the firm and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with the firm's policies and standards, and local laws and regulation.

4. Policy

4.1 General Use and Ownership

4.1.1 Proprietary information

The firm's proprietary information stored on electronic and computing devices whether owned or leased by the firm, the employee or a third party, remains the sole property of the firm.

4.1.2 Responsibility

You have a responsibility to promptly report the theft, loss or unauthorized disclosure of the firm's proprietary information.

4.2 Security and Proprietary Information

4.3 Unacceptable Use

4.3.2 Email and Communications

5. Policy Compliance

6. Related Standards, Policies and Processes

  • Data Classification Policy
  • Data Protection Standard
  • Social Media Policy
  • Minimum Access Policy
  • Password Policy

7. Definitions and Terms


[1] SANS Consensus Policy Resource Community, Acceptable Use Policy, last updated June 2014.
