Electronic Bulletin / Number 23 - May, 2006


Information security policies

Definition

Information security policies are standards or rules governing how organizations anticipate, guard against, and manage risks of damage to data, computer and communications equipment, and software, and injury to persons. Such policies set out and document an organization’s position in the security area.

In its policies, an organization defines what security means within it and indicates how such policies are to be implemented through the use of processes, procedures, and documentation manuals.

It is important to note that although policies set out a company's position in the security area, they are written at a general enough level to encompass the company's overall approach. Such positions are not expected to change constantly. However, policies are expected to be dynamic in the sense that they are reviewed and evaluated on an ongoing basis to determine whether they remain relevant and, if appropriate, policies are added, modified, or eliminated to reflect new needs or changes in the environment in which the organization operates.

In defining their security policies, organizations have the following objectives:

  • To inform users (of all levels) of the provisions they must observe to protect information technology (IT) resources
  • To serve as guidance for audits
  • To establish the hierarchy of IT resources
  • To provide guidance for implementation of security tools

Physical security policies

Physical security policies are the company’s guidelines for all aspects of access, safety, and management of tangible resources within the organization. These should take account, inter alia, of:

  • Equipment access
  • Blocking of equipment access
  • Fire detection and protection
  • Regulated current
  • Power supply
  • Network cabling layout
  • Equipment maintenance
  • Food, beverages, smoking
  • Appropriate environmental conditions
  • Equipment identification
  • Access to hardware and software storage areas
  • Document protection
  • Contingencies and backups
  • Persons

Software security policies

The objective of software security policies is to ensure that all network equipment, applications, and data can be accessed and, more generally, used only by authorized personnel.

Aspects such as the following must be taken into account:

  • User accounts
  • Passwords
  • User profiles
  • Backups
  • Access to applications and databases
  • Systems being developed or maintained
  • Operating systems
  • System updates
  • Implementation of new applications
  • Security tests for operating systems, applications, and databases
  • Logbooks
  • System files
  • Continuity planning

In defining policies, the following must be identified: the elements to be protected (persons, hardware, software, information, documents), the threats to them, the individuals who have access to information and their responsibilities, the required protection levels, and the sites from which access takes place.

In defining policies, the following must be borne in mind:

  • Clarity: It is highly important for policies to be clearly stated, so that they are not “impossible to follow” or “impossible to implement.”
  • Legal provisions in force: Security policies defined within a company cannot contravene national legislation. For example, a policy that allows the company to view all information contained in employees’ e-mail may violate their right to privacy.
  • Date and version: This information must always be included in the policy document because, as mentioned above, policies are dynamic. It must be possible to tell which document contains the policies currently governing security, so that employees do not follow instructions from an out-of-date document or from a draft that is still being written.

Claudia Patricia Santiago Cely
Julio Garavito Colombian School of Engineering

Additional Information: This document is part of the material of the distance course “Security of Information Networks” that will be held in 2006 by the Regional Training Center and Node of the ITU Center of Excellence: Julio Garavito Colombian School of Engineering (Escuela Colombiana de Ingeniería “Julio Garavito”). CITEL/OAS offers 15 full fellowships covering the registration fee of US$ 200. Please download the announcement here. These fellowships are subject to the availability of funds in the 2006 OAS Regular Budget.

© Copyright 2006. Inter-American Telecommunication Commission
Organization of American States.
1889 F St., N.W., Washington, D.C. 20006 - United States
Tel. (202)458-3004 | Fax. (202) 458-6854 | citel@oas.org | http://citel.oas.org