Before you start on the security policy document, you need to perform a risk assessment to help all parties understand the cost of losing something, what it actually is they have to lose, and how they can lose it. For example, what is the risk should your building experience a total power failure? How much will it cost the company if it is effectively shut down for an extended period of time? This is what your risk assessment helps to flush out. What if your ISP cuts off your service because of spamming and hacking attacks coming from your IP address? How long can you be without Internet access as a company, and how much will it cost?

Following are three main points you should always be thinking about when creating your policy:

- What are the assets that need protection?
- What threats do they face?
- What is the cost of protecting them?

Assets

The first part of your risk assessment is to identify the assets that need protection. Assets are anything from physical computers, digital information, and building security to intellectual property. All of these require some form of protection. Whether it is from a fire burning down the building or information being placed in the wrong hands, a loss could cost the company a substantial amount of money or embarrassment. Table A-1 lists basic items about which you should gather information as it pertains to your category of security policy.

Table A-1. Basic Asset Information for a Security Policy

Asset Category | Description
---|---
Hardware | Computers/laptops; servers, routers, switches; printers, copiers
Software | Operating systems; source code
Data | Databases; archive tapes; transmitted information on the network; intellectual property
People | Administrators; users

Threats

The second part of the risk assessment details the possible threats to these assets. To be realistic, this list will never be totally complete, but listing as much as possible can only help when planning for costs. Table A-2 lists some possible threats to your business.

Table A-2. Possible Security Threats

Threat Category | Description
---|---
Human | Cracker; hacker; disgruntled worker; untrained employee; terrorist; denial of service
Equipment | Power failure; hardware failure
Natural | Storm; fire; flood; earthquake; lightning; meteor strike

Cost

Last but not least is calculating the cost of protecting your assets. Business decisions always weigh heavily on costs. If it costs more to protect something than it is actually worth, you should seek an alternative method or solution, or simply not protect it. Table A-3 lists some different costs associated with company assets.

Table A-3. Asset Protection Costs

Asset | Cost
---|---
Computer | Hardware; software; installation and configuration
Data | Database data
Power failure | UPS; generator
Building | Replacement and repair
Personnel | Downtime; recruitment; training time; employee benefits

Getting Acceptance

After you have gathered all the risk assessment information, the next step is to present that data to the appropriate department heads. Getting managers from several different areas, such as help desk, accounting, research, engineering, and human resources, to place their input into the policy and sign off on it is critical to the successful implementation of the policy. People usually overlook this basic step, and the result is a new security policy that no one had input into. When this happens, managers do not rightfully enforce the policy within their own departments. To prevent that from happening, get managers involved, get them excited about security, and let them know that their opinion is important. Security is their friend, not their enemy. Help people understand that having and following documented policies and procedures makes their jobs easier. They will no longer be out on a limb when refusing a request from a senior member of staff to reuse a password, because they can refer to the policy in support of their argument. When a company adopts this method of community policy building, everyone feels they have helped to contribute to the new security policy, which facilitates department acceptance and enforcement.