Appendix A. Preparing a Security Policy


The infamous security policy! What is it, what is in it, who creates it, and who enforces it? These are just some of the questions that a junior security officer has when the term "security policy" is mentioned. Creating your first functional e-mail usage security policy can be a daunting experience. You wonder if you will get it right and if the company will believe in the need for such a document. It takes abundant information gathering and preparation to convince the company that it should expend time and effort on a policy document that states some common-sense things like, "Don't use company e-mail servers as a central spam server for your home business." In the end, however, your managers will feel confident that they have a simple written document that they can use to enforce compliance among their employees and uphold the integrity of the company.

Ultimately, any weakness found during the process of penetration testing is not a flaw in the technology. Instead, it is a problem of noncompliance with an existing security policy or a lack of coverage in a policy (or, worse yet, no policy at all!). This appendix provides an overview of what you need to create your first security policy and what you should expect to find contained within it.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    EAN: 2147483647
    Year: 2005
    Pages: 209
