Security policies are the foundation basics of a sound and effective security implementation. Organizations usually implements technical security solutions without first creating this foundation of policies, standards, guidelines, and procedures, thus unintentionally creating unfocused and ineffective security controls. To avoid these security policies are required. Now the question is what exactly security policies are. Let discuss the same in this post. Security policy is an overall general statement produced by senior management or a selected policy board or committee of an organization that dictates what role security plays within that organization. There are certain factors that security policies should follow and some of these are:
- Very generic, non-technical and easily understood
- Provides “missions statement for security”
- Should represent business objectives
- Developed to integrate security into ALL business functions and processes
- Reviewed and modified as company changes
- Dated and version controlled
- Forward thinking
Regulatory: Regulatory policy ensures that the organization is following standards set by specific industry regulations. These policies are security policies that an organization must implement due to compliance, regulation, or other legal requirements. These companies can be financial institutions, public utilities, or some other type of organization that operates in the public interest.
Advisory: Advisory policy strongly advises employees on their types of behaviors and on activities which should and should not take place within the organization. These policies are not mandated to be followed but are strongly suggested, perhaps with serious consequences defined for failure to follow them such as termination, a job action warning. A company with such policies wants most employees to consider these policies mandatory.
Informative: Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be certain internal i.e. within the organization or external parties. These are the various types of security policies. To know more, you can explore our training courses on Certified Information Systems Security Professional exam. Simplilearn offers extensive CISSP classroom training from expert tutors.