Security Solutions
Designing Access Controls
Comprehensive Security Policy
No matter what format you use, your security policy should include the
following information:
■ Goals—Clearly state your overarching goals for writing a comprehensive
security policy. These goals should align with your company’s business
strategy. Having clear goals will help you determine if your security policy
is successful. Over time, you can measure your company’s progress in
reaching these goals.
■ Audience—List the people who will be using this policy. When listing
employees, you may want to list upper management (such as the chief
executive officer [CEO], the board of directors, and vice presidents)
separately.
■ Roles and responsibilities—Outline who is responsible for implementing
the individual security policies.
■ Management approval—Provide a statement from management that
endorses the security policies and asks each employee to adhere to them.
■ Business needs—Explain why each security policy is needed from a
business perspective. Describe how it will help users do their jobs and
protect the company and its assets.
■ Individual security policies—Clearly define each security policy,
explaining why it is needed, how it is implemented, and what the
employees must do to comply with it.
■ Consequences for non-compliance—Explain what actions will be
taken if an employee or an endpoint does not comply with a security
policy.
■ Evaluation of security policies—Schedule a formal evaluation to
determine how well the security policies have been implemented. Provide the
criteria for success or failure. How will you measure whether or not the
company is meeting the goals for the security policy?
■ Updates—Determine when the security policies should be reviewed and
possibly updated. For example, you may want to update the policies after
you complete the evaluation. This may occur annually or every six
months.
You should begin by writing the goals for your company’s comprehensive
security policy. Before writing individual security policies, however, you must
go through the process of designing your access control security. For example,
the first step in designing access control security is to choose the access
control methods you will use. After completing this step, you can determine
how many security policies you need for access control and which policy
applies to each group and each network zone.