SECURITY POLICY REQUIREMENTS - Coggle Diagram
SECURITY POLICY REQUIREMENTS
IDENTIFICATION AND AUTHENTICATION
How users will be identified should be specified in the security policy.
The main method of system users' and administrators' authentication should be specified in the security policy.
As an illustration, a company uses username and password authentication to provide staff members access to their workstations. Each employee has a specific login that they use to log in, and they are required to use a secure password.
ACCESS CONTROL
Two requirements should be defined: the mechanism that is required and the default requirement for new files.
The mechanism may note that some form of user-defined access control must be available for each file on a computer system.
The default configuration for a new file should specify how the permissions will be established when a new file is created.
A university library, for instance, uses access control systems to only allow authorised students and staff members to enter. Entry into the library is restricted to those having access cards, guaranteeing that only those with valid identification can use its resources.
AUDIT
The security policy should specify which events are to be audited. At a minimum, the following events should be recorded:
- Logins (successful and failed)
- Logouts
- Failed access to files or system objects
- Remote access (successful and failed)
- Privileged actions (those performed by administrators, both successes and failures)
- System events (such as shutdowns and reboots)
As an illustration, an e-commerce platform keeps thorough audit logs of consumer transactions. To help in auditing and troubleshooting, these logs keep track of the date, time, items purchased, and payment information.
NETWORK CONNECTIVITY
The security policy should specify the rules for connection and the protection mechanisms to be employed.
Dial-in Connections: The requirements for dial-in connections should specify the technical authentication requirements for such connections.
Permanent Connections: Permanent network connections are those that come into the organization over some type of permanent communication line.
Remote Access of Internal Systems: Often, organizations allow employees to access internal systems from external locations. The security policy should specify the mechanisms to use when this type of access is to be granted.
Example: To ensure secure remote access for staff working from home, a corporate network makes use of a Virtual Private Network (VPN). VPN connections protect critical corporate information by encrypting data delivery.
MALICIOUS CODE
The security policy should specify where security programmes that scan for malicious code (such as viruses and Trojan horse programmes) are to be installed.
File servers, desktop computers, and email servers are all appropriate locations.
This could involve mandating that these security programmes scan particular file types and check files when they are opened or on a regular schedule.
Example: To check for and eliminate dangerous code such as viruses and malware, antivirus software is installed on all company computers. Protection against new threats is ensured by routine upgrades.
ENCRYPTION
The information policy should be referenced in the security policy to indicate the suitable encryption algorithms to secure sensitive data. The security policy should also identify permissible encryption algorithms for use within the organisation.
Example: To protect email communications, an email service provider employs end-to-end encryption. Even if the communications are intercepted during transmission, only the sender and recipient may decode and read them.
APPENDICES
Appendices or independent setup procedures should contain the specific security configurations for each operating system. This enables the modification of these comprehensive papers as needed without altering the company's security policy.
An illustration of a security policy's appendix is the list of permitted encryption techniques and key lengths for data security. This gives employees clear instructions on encryption requirements.
WAIVERS
At times, a business need will be more critical than bringing a system into compliance with the security policy.
When this occurs, the security policy should provide a mechanism to assess the risk to the organization and to develop a contingency plan. The waiver procedure is used in this situation.
For illustration, a healthcare facility mandates ongoing security training for staff members who handle patient records. A medical professional with substantial expertise in the field who can show an equivalent level of security awareness, however, may be given a waiver.