Security Solutions
3-6
Designing Access Controls
Comprehensive Security Policy
ness interests, and it is a complex process, encompassing many factors. The
more careful you are in addressing each factor, the more effective your
security controls will be.
You can also enlist help from the people who will be most affected by your
security policy—the users. As described in Chapter 3: “Designing Access
Controls,” one option for conducting a needs assessment is to create a
committee, with each member representing one group or several groups of
users. If you set up such a committee, it should include some members who
are managers and some who have no management responsibilities. These
committee members can explain their business needs for network access so
that your technical solution supports these needs. They can also advise you
on what to include in the security policy and how to phrase particular security
policies. Finally, they can review the first draft of the comprehensive security
policy and make suggestions before you submit it for a more general review.
Several other groups should review the comprehensive security policy. For
example, you should ask your company’s legal and human resources departments
to review it. You should also ask upper management to approve your
security policy. These reviews will ensure that you have covered any legal
issues and that your security policies match the company’s guidelines for
employees and are incorporated into the instructions new employees receive
during training. The endorsement of upper management will have the added
benefit of encouraging employees to take the security policy seriously.
When you submit the comprehensive security policy for review, you should
set a reasonable deadline for reviewers to return their comments to you. A
couple of days before the review is due, send a friendly reminder, informing
reviewers of the impending deadline.
You may need two sets of reviews if you receive a lot of review comments.
Implement the comments from the first review and send an updated copy to
reviewers.
The Components
There is no set format or template for writing a comprehensive security policy.
You can use the format that meets the needs of your company. To view some
examples, search for security policies in your favorite Internet search engine.
Some organizations, such as universities, publish their security policies
online. You might also find it helpful to review the SANS Institute’s guidelines
for writing a comprehensive security policy
(http://www.sans.org/resources/policies/).