5.4 Policy and Procedures
A security policy (or collection of policies) can be regarded as the strategy and practices concerning the confidentiality, integrity and availability of data [426]. A policy or set of policies cannot be created or purchased until the company philosophy has been clearly defined.
Policies define what is to be protected. Once policies are defined, procedures are created to ensure that the policies decided upon are implemented. Procedures determine how that protection happens. Procedures should also provide step-by-step instructions for abnormal events. Just as virtually every public place has an EXIT sign as a guide in the event of an emergency, a procedure should be written in a step-by-step manner describing what to do and how to do it in the event of negative occurrences.
This work continues with some brief thoughts. All readers are strongly advised to refer to RFC 2196 [427]. Readers of this document who work in, or are considering employment in, the computer industry should consider careful study of RFC 2196 mandatory.
When developing policies and procedures, it's useful to have some familiarity with the current laws related to computer and network security and data privacy. An overview of key US Federal privacy laws as of 2002 can be found in Protect Your Digital Privacy: Survival Skills for the Information Age [428] by Cady and McGregor. There are more than you might think, and they are worth a look, though since Security+ is not a US-specific exam, exactly which laws apply in the US is outside the scope of the exam.
428. Cady, Glee Harrah and Pat McGregor, Protect Your Digital Privacy: Survival Skills for the Information Age, Que, December, 2001, http://www.nerdbooks.com/item.html?id=0789726041
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.