Security policies and procedures
Security policies protect your company against external or internal threats to important data. If you create password policies, install a firewall and limit access to data, but forget to create security policies and establish a procedure to implement them, you’re locking all your doors but leaving a window open. All your safety measures are useless if you do not establish good security practices to protect your company's data.
An information security policy is a set of rules and practices that define how a company's sensitive information should be managed, protected and distributed within the company. The different aspects of an information security policy include information labeling, information about changes, responsibility and proprietary information.
Each company has an organizational structure, and employees at different levels access different types of data. Information classification and data distribution policies are therefore important for a company, since employees at lower levels should not be allowed to access data held for employees at upper levels.
In addition, not all the information a company stores is equal, so it does not all require the same level of protection. Classifying information by security level and identifying a high-level manager as the owner of the information are therefore important.
Remember that for each type of information, a company must develop policies about what information is available and for what purpose it will be disseminated. The main objectives of information security policy are:
- Confidentiality – property that limits access to information solely to legitimate entities, or those authorized by the owner of the information.
- Integrity – property that ensures that information being handled keeps all the original characteristics established by the owner of the information, including change control and a guaranteed life cycle (birth, maintenance and destruction).
- Availability – property that ensures that information is always available for legitimate use, that is, for those users authorized by the owner of the information.
- Authenticity – property that ensures that the information comes from the stated source and has not been altered during a process.
Another important part of a security policy is defining authority and the delegation of authority for the policy. A system can define four types of users involved in security processes. These types are:
A policy should define the roles and responsibilities of each type of user involved in security processes. If the security system supports groups, the policy should define whether a user can belong to more than one group and how to resolve conflicts between the demands of provisioning individual accounts within a group, individual user privileges and group privileges.