Implementing a Security Policy

  1. Planning Your Security Policy
    1. Identify what you need to protect
    2. Determine who may do harm to any of the items listed in step 1
    3. Determine what types of threats exist
    4. Determine your priorities
  2. Implementing Your Security Policy
    1. Automate the Security Process
      1. Identification and authentication
      2. Access control
      3. Accountability
      4. Audit trails
      5. Object reuse
      6. Accuracy
      7. Reliability
      8. Data Exchange
    2. Limit User Access
      1. Level 1: Systems administrator/network supervisor
      2. Level 2: Network administrators
      3. Level 3: Power Users
      4. Level 4: Task-oriented users
    3. Publish Your Policy
      1. The user will follow all established password practices set forth in the policy statement
      2. The user agrees not to allow any unauthorized personnel to access systems or data
      3. The user agrees not to gain access or attempt to gain access to any systems or data to which he or she does not have authority to access
      4. The user agrees not to introduce any foreign programs into the system without authorization
      5. The user agrees that the company has the right to monitor use of the system
    4. Avoid Danger
    5. Schedule Security Drills
  3. Performing Background Checks
  4. Striking a Balance Between Security and Privacy
  5. Responding to Violations
    1. Is it a Real Threat?
    2. Set Up an Action Plan
    3. Establish Policies for Different Types of Violators
    4. Non-Technology Security Policies
      1. Dumpster Diving
      2. Photocopy Regulations
      3. Phony Workmen
      4. The Secretary's Desk
      5. Meetings and Tradeshows
  6. Survivable Systems
