A computer security policy is a set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
A security policy will cover the following aspects of computer operations:
Types of facilities in which systems can be located.
Who is allowed physical access to the system.
Who is allowed to log on to the system.
What audit records are to be logged.
Types of permissible access to files.
Types of permissible access to devices.
Which security features will be enabled (for example):
Use of ACDs to protect files and devices.
Embedded passwords in jobs not allowed.
This list is not intended to be a comprehensive statement of a security policy, but a guide to what should be included in your security policy. Current and new users must be made familiar with the guideline and indoctrinated in its use. Periodic reinforcement of the message is a must to assure continuing compliance with the policy and its updates.
