Designing Access Controls

Comprehensive Security Policy

No matter what format you use, your security policy should include the following information:

Goals—Clearly state your overarching goals for writing a comprehensive security policy. These goals should align with your company’s business strategy. Having clear goals will help you determine if your security policy is successful. Over time, you can measure your company’s progress in reaching these goals.

Audience—List the people who will be using this policy. When listing employees, you may want to list upper management (such as the chief executive officer [CEO], the board of directors, and vice presidents) separately.

Roles and responsibilities—Outline who is responsible for implementing the individual security policies.

Management approval—Provide a statement from management that endorses the security policies and asks each employee to adhere to them.

Business needs—Explain why each security policy is needed from a business perspective. Describe how it will help users do their jobs and protect the company and its assets.

Individual security policies—Clearly define each security policy, explaining why it is needed, how it is implemented, and what the employees must do to comply with it.

Consequences for non-compliance—Explain what actions will be taken if an employee or an endpoint does not comply with a security policy.

Evaluation of security policies—Schedule a formal evaluation to determine how well the security policies have been implemented. Provide the criteria for success or failure. How will you measure whether or not the company is meeting the goals for the security policy?

Updates—Determine when the security policies should be reviewed and possibly updated. For example, you may want to update the policies after you complete the evaluation. This may occur annually or every six months.

You should begin by writing the goals for your company’s comprehensive security policy. Before writing individual security policies, however, you must go through the process of designing your access control security. For example, the first step in designing access control security is to choose the access control methods you will use. After completing this step, you can determine how many security policies you need for access control and which policy applies to each group and each network zone.