Creating Security Policy

Definition of a Policy

By definition, security policy refers to clear, comprehensive, and well-defined plans, rules, and practices that regulate access to an organization’s system and the information included in it. Good policy protects not only information and systems, but also individual employees and the organization as a whole.

A policy generally has these characteristics:

• Communicates a consensus of judgment
• Defines appropriate behavior for users
• Identifies what tools and procedures are needed
• Provides directives for Human Resources action in response to inappropriate behavior
• May be helpful if it is necessary to prosecute violators

Purpose. The purpose of this project is to ensure that appropriate measures are put in place to protect “Your Company’s” information and the Information Technology Services (ITS) systems, and equipment of the infrastructure.

Requirements:

1. Students are required to select a company of their choice. It could be an existing company or your own creation. This is an individual project; not a group project!
2. For the company/organization you selected or made up, create a comprehensive Security Policy you deem appropriate to address all aspects of their infrastructure. Please bear in mind that the purpose of this document is to ensure that appropriate measures are put in place to protect corporate information and the Information Technology Services (ITS) systems, services, and equipment of “Your Company” and associated  This means that the policy aspects you select should address all the functional areas of the organization. First, conduct a brief research of the company you intend to use for this project to learn more about their security functional areas. This will help you to determine the policy aspects you should use.

   Policy Templates designed for this purpose are available for use by the public from the SANS website at no cost (pages 4 – 5). A minimum of TWELVE aspects must be selected from all the FOUR major functional security areas (General Security, Network Security, Server Security, Application Security). Many of the Aspects listed in each main Security Functional area also have sub-categories, so you may have to dig further down to download those specific policy documents.  Don’t use any policy that is not applicable to “Your Company”.  For example, there is no need to use the Lab Security Policy if your company doesn’t have a lab.

   Your duty is to search and replace all generic company names in the template documents with your chosen “Company Name”.  You also have to customize the templates to match the needs of your company. Each template comes in pdf or Word format. For easy editing, it is recommended that you download the Word format.  Your document should be formatted in sections by each Security Policy Aspect. For example, if “Acceptable Use Policy” ends in the middle of page 20, start the next policy aspect on page 21.

3. Table of Content (ToC) – Create ToC listing all the policy and sub policy aspects used in your document.
4. Abstract – Create an Abstract describing the company’s functional security areas and explaining the need of this document by your company. In simple terms, describe/state how the company will benefit from this Security Policy document.
5. Formatting – Since this is a formal document, it must be formatted appropriately. Page number the document, create Header/Footer, insert company logo at appropriate page location, spell-check the entire document. You may use APA style for this project. Abstact and ToC pages should be numbered in Roman Numerals (not counted towards total page-count).  Apply regular page-numbering to the remaining document (Page 1 and up)
6. Definition of Terms – Use this section to help non-technical readers understand the technical jargons used in the document. The Templates provide that so use them.
7. References – Make sure to cite all used documents, graphics, etc., that were not your own creation.
8. Cover page – Create appropriate title for the cover page, stating phrases like: “Security Policy for Company Name”, Prepared by Your Name”, “Date/Semester”, etc. Simply, be creative!
9. Submit a hard copy to your professor and upload a digital copy to Blackboard Dropbox as instructed by your professor. Store your copy in a safe place for future reference. You never know when…!

   Words of Encouragement:

Don’t see this as a tedious task. Enjoy doing it and learn useful lessons from it.  Read this email statement from a former student who completed this project years ago:

“I wish to thank you for assigning the Security Policy project and guiding us through the process. On my new job, one of the first tasks I was assigned to do along with two other coworkers was to create a Security Policy for the company. The other two individuals had no clue as to how to start the project. Our job became much easier when I showed them my Monroe Project.”

Note: See next two pages for the SANS website address (URL) and other pertinent information.

https://www.sans.org/security-resources/policies

Find the Policy Template You Need! Below are links to the Policy Documents.

General

• Acceptable Encryption Policy
• Acceptable Use Policy
• Clean Desk Policy
• Data Breach Response Policy
• Disaster Recovery Plan Policy
• Digital Signature Acceptance Policy
• Email Policy
• Ethics Policy
• Pandemic Response Planning Policy
• Password Construction Guidelines
• Password Protection Policy
• Security Response Plan Policy
• End User Encryption Key Protection Policy

Network Security

• Acquisition Assessment Policy
• Bluetooth Baseline Requirements Policy
• Remote Access Policy
• Remote Access Tools Policy
• Router and Switch Security Policy
• Wireless Communication Policy
• Wireless Communication Standard

Server Security

• Database Credentials Policy
• Technology Equipment Disposal Policy
• Information Logging Standard
• Lab Security Policy
• Server Security Policy
• Software Installation Policy
• Workstation Security (For HIPAA) Policy

Application Security

• Web Application Security Policy

CAUTION: Policy, Standard, Guideline are terms often confused by many students.

The following definitions of Security Policy, Standard, and Guidelines, by SANS will be helpful as you plan your research project

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows 8.1 workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows 8.1 workstation on an external network segment. In addition, a standard can be a technology selection, e.g. Company Name uses Tenable SecurityCenter for continuous monitoring, and supporting policies and procedures define how it is used.

A guideline is typically a collection of system specific or procedural specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.