The Security Policy
In order to meet these challenges, an organization must create and enforce a security policy. A security policy is a set of rules that defines how and by whom sensitive information should be accessed, handled, and distributed, both within and outside of the organization. For example, a security policy may include the following rules regarding visitors who arrive at an enterprise building's lobby:
- Visitors must sign in at the entrance desk.
- Visitors must wear a visitor badge and be escorted while in the building.
- Visitors cannot use their badge to open electronic doors.
Other types of security policy rules and measures might be:
- Only the executive manager has access to financial reports.
- Visitors must open their bags for a security check.
- Surveillance cameras should be positioned throughout the building and its surroundings.
- Passwords must be changed on a daily basis.
- Confidential papers must be shredded after use.
An organization's security policy is usually designed by a person who is in charge of handling all security matters for the organization. This person is called a security manager.
In order for a security policy to be effective, it must be accompanied by the following measures:
- Awareness - A security policy must be accompanied by steps taken to increase the employees' awareness of security issues. If employees are unaware of a security policy rule and the reason for it, they are likely to break it.
- Enforcement - To enforce a security policy, an organization can take various measures, both human and electronic. For example:
  - Installing surveillance cameras in strategic locations throughout the organization
  - Positioning human guards who have the authority to prevent other people from entering the premises or certain areas on the premises
  - Installing alarms that are triggered upon certain conditions
  - Using magnetic identification tags to enforce and log access permissions to different areas on the premises
  - Using “red phones” to encrypt highly confidential voice phone calls
- Updating - A security policy is a living thing that must be updated from time to time according to changing situations.
Unfortunately, even when a security policy is accompanied by these measures, its effectiveness is limited against a person with malicious intent.