Security Policies (Basic)

How secure is "secure"?

According to Fenzi, no computing system can be completely secure. The only thing that can be done is to make it difficult for someone to compromise a system. To protect a system it is necessary to determine the threat level one wants to be protected from, which risks should and should not be accepted, and how vulnerable the system is as a result.

Security Policies

To be able to provide security to a system, one should begin by developing a security policy. Security policies should be able to be read, understood and followed by users. They should protect the system, the data and the privacy of the users. In a security policy, the following points should be considered:

  • Who develops the policies?

The policy creation has to be an effort of all the technical personnel; however, because those policies affect the whole organization, it is important that they are accepted by the board of the organization.

  • Responsibilities

One important element is to make sure that all personnel know that maintaining security is their responsibility. This ensures that everyone knows the problems that can result from the non-compliance of their responsibilities. Of course, there are different levels of responsibility, related to the kind of permissions and accesses that a person has been assigned.

Hardware assets:

CPU
Keyboards
Terminals
Workstations
Printers
Disk Drives
Communication Lines
Dedicated Servers

Software assets:

Source Code
Utilities
Diagnostic Software
Operating Systems

Data assets:

Data repositories
Audit Records (Logs)
Databases

Security policies also cover both physical and logical aspects. These policies can normally be established in the form "Whatever is not allowed is forbidden", that is, nobody can have access to a service unless previously authorized.

Physical Security
+ Controlled access to the servers.
+ Who has access to the server physically.
+ Who has the administrator passwords.

Logical Security
+ Who has access to the system.
+ Who has permissions to install software.
+ Who is the owner of the data.
+ Disaster Recovery.
+ Proper use of the systems.
+ Who is authorized to grant privileges.
+ How to protect sensitive data.

Of course, education and training are related to the security policies, because it is important that everyone in the organization knows what to do at a specific moment; that is, rules and procedures must be established for the use of equipment and information, including what to do to report problems.

By: Carlos Castillo.