
Designing Access Controls
Comprehensive Security Policy
ness interests, and it is a complex process, encompassing many factors. The more careful you are in addressing each factor, the more effective your security controls will be.
You can also enlist help from the people who will be most affected by your security
Several other groups should review the comprehensive security policy. For example, you should ask your company’s legal and human resources departments to review it. You should also ask upper management to approve your security policy. These reviews will ensure that you have covered any legal issues and that your security policies match the company’s guidelines for employees and are incorporated into the instructions new employees receive during training. The endorsement of upper management will have the added benefit of encouraging employees to take the security policy seriously.
When you submit the comprehensive security policy for review, you should set a reasonable deadline for reviewers to return their comments to you. A couple of days before the review is due, send a friendly reminder, informing reviewers of the impending deadline.
You may need two sets of reviews if you receive a lot of review comments. Implement the comments from the first review and send an updated copy to reviewers.
The Components
There is no set format or template for writing a comprehensive security policy. You can use the format that meets the needs of your company. To view some examples, search for security policies in your favorite Internet search engine. Some organizations, such as universities, publish their security policies online. You might also find it helpful to review the SANS Institute’s guidelines for writing a comprehensive security policy (http://www.sans.org/resources/policies/).