The Security Policy

In order to meet these challenges, an organization must create and enforce a security policy. A security policy is a set of rules that defines how and by whom sensitive information should be accessed, handled, and distributed, both within and outside of the organization. For example, a security policy may include the following rules regarding visitors who arrive at an enterprise building's lobby:

• Visitors must sign in at the entrance desk.
• Visitors must wear a visitor badge and be escorted while in the building.
• Visitors cannot use their badge to open electronic doors.

Other types of security policy rules and measures might be:

• Only the executive manager has access to financial reports.
• Visitors must open their bags for a security check.
• Surveillance cameras should be positioned in the area of the building.
• Passwords must be changed on a daily basis.
• Confidential papers must be shredded after use.

An organization's security policy is usually designed by a person who is in charge of handling all security matters for the organization. This person is called a security manager.

In order for a security policy be effective, it must be accompanied by the following measures:

• Awareness - A security policy must be accompanied by steps taken to increase the employees' awareness of security issues. If employees are unaware of a security policy rule and the reason for it, they are likely to break it.
• Enforcement - To enforce a security policy, an organization can take various measures, both human and electronic. For example:
  • Installing surveillance cameras in strategic locations throughout the organization
  • Positioning human guards who have the authority to prevent other people from entering the premises or certain areas on the premises
  • Installing alarms that are triggered upon certain conditions
  • Using magnetic identification tags to enforce and log access permissions to different areas on the premises
  • Using “red phones” to encrypt highly confidential voice phone calls
• Updating - A security policy is a living thing that must be updated from time to time according to changing situations.

Unfortunately, even when a security policy is accompanied by these measures, its effectiveness is limited against a person with malicious intent.