Definition of a Policy
By definition, security policy refers to clear, comprehensive, and well-defined plans, rules, and practices that regulate access to an organization’s system and the information included in it. Good policy protects not only information and systems, but also individual employees and the organization as a whole.
A policy generally has these characteristics:
• Communicates a consensus of judgment
• Defines appropriate behavior for users
• Identifies what tools and procedures are needed
• Provides directives for Human Resources action in response to inappropriate behavior
• May be helpful if it is necessary to prosecute violators
Purpose. The purpose of this project is to ensure that appropriate measures are put in place to protect “Your Company’s” information and the Information Technology Services (ITS) systems, and equipment of the infrastructure.
a. Students are required to select a company of their choice. It could be an existing company or your own creation. It would be nice if it’s not a gaming company but I’m not against it. This is an individual project.
b. For the company/organization you selected or made up, create a comprehensive Security Policy you deem appropriate to address all aspects of their infrastructure. Please bear in mind that the purpose of this document is to ensure that appropriate measures are put in place to protect corporate information and the Information Technology Services (ITS) systems, services, and equipment of “Your Company” and associated infrastructure. This means that the policy aspects you select should address all the functional areas of the organization. First, conduct a brief research of the company you intend to use for this project to learn more about their security functional areas. This will help you to determine the policy aspects you should use.
Policy Templates designed for this purpose are available for use by the public from the SANS website at no cost (pages 4 – 5). A minimum of TWELVE aspects must be selected from all the FOUR major functional security areas (General Security, Network Security, Server Security, Application Security). Many of the Aspects listed in each main Security Functional area also have sub-categories, so you may have to dig further down to download those specific policy documents. Don’t use any policy that is not applicable to “Your Company”. For example, there is no need to use the Lab Security Policy if your company doesn’t have a lab.
Your duty is to search and replace all generic company names in the template documents with your chosen “Company Name”. You also have to customize the templates to match the needs of your company. Each template comes in pdf or Word format. For easy editing, it is recommended that you download the Word format. Your document should be formatted in sections by each Security Policy Aspect. For example, if “Acceptable Use Policy” ends in the middle of page 20, start the next policy aspect on page 21.
c. Table of Content (ToC) – Create ToC listing all the policy and sub policy aspects used in your document.
d. Abstract – Create an Abstract describing the company’s functional security areas and explaining the need of this document by your company. In simple terms, describe/state how the company will benefit from this Security Policy document.
e. Formatting – Since this is a formal document, it must be formatted appropriately. Page number the document, create Header/Footer, insert company logo at appropriate page location, spell-check the entire document. You may use APA style for this project. Abstract and Table of Content pages should be numbered in Roman Numerals (not counted towards total page-count). Apply regular page-numbering to the remaining document (Page 1 and up)
f. Definition of Terms – Use this section to help non-technical readers understand the technical jargons used in the document. The Templates provide that so use them.
g. References – Make sure to cite all used documents, graphics, etc., that were not your own creation.
h. Cover page – Create appropriate title for the cover page, stating phrases like: “Security Policy for Company Name”, Prepared by Your Name”, “Date/Semester”, etc. Simply, be creative!
Definition of a Policy