A security policy is a collection of rules, guidelines, and checklists. Network technicians and managers of an organization work together to develop the rules and guidelines for the security needs of computer equipment. A security policy includes the following elements:
- An acceptable computer usage statement for the organization.
- The people permitted to use the computer equipment.
- Devices that are permitted to be installed on a network, as well as the conditions of the installation. Modems and wireless access points are examples of hardware that could expose the network to attacks.
- Requirements necessary for data to remain confidential on a network.
- Process for employees to acquire access to equipment and data. This process may require the employee to sign an agreement regarding company rules. It also lists the consequences for failure to comply.

A security policy should describe how a company addresses security issues. Though local security policies may vary between organizations, there are questions all organizations should ask:
- What assets require protection?
- What are the possible threats?
- What should be done in the event of a security breach?
- What training will be in place to educate the end users?

NOTE: To be effective, a security policy must be enforced and followed by all employees.