
Enterprise Security Policy

By David.K

A security policy is a formal statement of the rules by which people who are given access to an
organization's technology and information must abide.
A security policy should not determine how an enterprise operates; instead, the business of the
enterprise should dictate how a security policy is written. Business opportunities are what drive
the need for security in the first place. The main purpose of a security policy is to inform anyone
that uses the enterprise's network of the requirements for protecting the enterprise's technology
and information assets.
The policy should specify the mechanisms through which these requirements can be met. Of all
the documents an organization develops, the security policy is one of the most important.

Risk assessment
Prior to developing the security policy, you should conduct a risk assessment to determine the
appropriate corporate security measures. The assessment helps to determine areas in which
security needs to be addressed, how the security needs to be addressed, and the overall level
of security that needs to be applied in order to implement adequate security controls. A risk
assessment is a process whereby critical assets are identified and values are placed on the
assets.
You determine how much each asset is at risk of being compromised and how much you need
to upgrade or add to it to meet your business needs.
To develop a security policy that is not overly restrictive for users, that balances ease of use
with a certain level of security, and that is enforceable both technically and organizationally, the
policy should contain, at a minimum, some of the topics in the following list:

Acceptable use policy: Spells out what users are allowed and not allowed to do on the
various components within the network; this includes the type of traffic allowed on the
network. The policy should be as explicit as possible to avoid any ambiguity or
misunderstanding.

Remote access policy: Spells out to users acceptable or unacceptable behavior when they
have connected to the enterprise via the Internet, a dial-up connection, a virtual private
network (VPN), or any other method of remote connectivity.

Incident handling policy: Addresses planning and developing procedures to handle
incidents before they occur. This document also creates a centralized group to be the
primary focus when an incident happens. The incident handling policy can be contained
within the actual security policy, but due to corporate structure, this document often actually
exists as a subdocument to the security policy.

Internet access policy: Defines what the enterprise considers to be ethical, proper use of its
Internet connection.

Email policy: Defines the acceptable use of the enterprise's email systems, including
personal emails and Web-based email.

Physical security policy: Defines controls that pertain to physical device security and
access.

Audits
After you've completed the enterprise security policy, the last step is to perform regular audits.
Audits not only give you a baseline by which to judge what is deemed normal activity or
network behavior; in many cases they also produce the results that will be the first alert in the
detection of a security breach. Noticing unusual events within the network can help you catch
intruders before they can cause any further damage.
