What is the Purpose of a Security Policy?

Security policies are important because they help protect the organization's physical and digital assets. Alone they won't protect an organization from vulnerabilities and attacks, but they do identify all the company's assets and the threats to those assets (Lutkevich, 2021). The basic purpose of security policies is to protect people and information, to set the rules for expected behaviors by users, and to define and authorize the consequences of violations (Kemmerich & Momsen, 2015). These policies can come in the form of physical or information security policies.

As the name suggests, physical security policies help to protect all of the physical assets in the organization, including buildings, vehicles, machines, inventory, and IT equipment such as servers, computers, and hard drives. These policies identify the physically sensitive areas of an organization, who has access to these areas, and who can handle or move physical assets in and around these areas. The policy also includes rules and procedures for accessing, handling, and monitoring these assets, and the responsibilities of the individuals for the physical assets they have access to. Information security policies protect valuable assets, guard reputations, ensure legal and regulatory compliance, and dictate the role of employees (Lutkevich, 2021).

There are three types of security policies: organizational, system-specific, and issue-specific. Organizational policies are essentially a master blueprint of the entire organization's security program. System-specific policies cover the security procedures for a particular information system or network. Issue-specific policies target certain aspects of a larger organizational policy. Issue-specific security policies can include acceptable use, access control, change management, disaster recovery, and incident response policies (Lutkevich, 2021).

Simply having security policies in place does not mean that an organization is safe from threats. The proper application of and adherence to the policies is what keeps the environment safe. For this to be successful, employees must be trained on the organization's security policies (Duigan, 2003). This step is often overlooked, but it is one of the most important keys to success. It is also important to obtain the employees' agreement to these policies in writing. Every employee should read, understand, and sign the policies upon employment. This helps to set the expectation early that the security policy is not a voluntary set of guidelines but a condition of employment. If these policies are violated, employment can also be terminated (Duigan, 2003). Adherence to and enforcement of these security policies is as important as the policies themselves.


References

Duigan, A. (2003, October 8). 10 steps to a successful security policy. Computerworld. https://www.computerworld.com/article/2572970/10-steps-to-a-successful-security-policy.html

Kemmerich, T., & Momsen, C. (2015). Information security policy. The Cloud Security Ecosystem. https://www.sciencedirect.com/topics/computer-science/information-security-policy#:~:text=The%20basic%20purpose%20of%20a,violation%20(Canavan%2C%202006).

Lutkevich, B. (2021, September 17). What is a security policy? TechTarget SearchSecurity. https://www.techtarget.com/searchsecurity/definition/security-policy#:~:text=Security%20policies%20are%20important%20because,all%20threats%20to%20those%20assets.