Security policy
Encyclopedia
Security policy is a definition of what it means to be secure for a system
System
System is a set of interacting or interdependent components forming an integrated whole....

, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.

Significance

If it is important to be secure, then it is important to be sure all of the security policy is enforced by mechanisms that are strong enough. There are organized methodologies and risk assessment strategies to assure completeness of security policies and assure that they are completely enforced. In complex systems, such as information systems
Information systems
Information Systems is an academic/professional discipline bridging the business field and the well-defined computer science field that is evolving toward a new scientific area of study...

, policies can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce sub-policies. However, this practice has pitfalls. It is too easy to simply go directly to the sub-policies, which are essentially the rules of operation and dispense with the top level policy. That gives the false sense that the rules of operation address some overall definition of security when they do not. Because it is so difficult to think clearly with completeness about security, rules of operation stated as "sub-policies" with no "super-policy" usually turn out to be rambling ad-hoc rules that fail to enforce anything with completeness. Consequently, a top level security policy is essential to any serious security scheme and sub-policies and rules of operation are meaningless without it.

See also

  • Access control
    Access control
    Access control refers to exerting control over who can interact with a resource. Often but not always, this involves an authority, who does the controlling. The resource can be a given building, group of buildings, or computer-based information system...

  • Computer security policy
    Computer security policy
    A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure...

  • Environmental design
    Environmental design
    Environmental design is the process of addressing surrounding environmental parameters when devising plans, programs, policies, buildings, or products...

  • Information Protection Policy
    Information Protection Policy
    Information protection policy is a document which provides guidelines to users on the processing, storage and transmission of sensitive information. Main goal is to ensure information is appropriately protected from modification or disclosure. It may be appropriate to have new employees sign policy...

  • Information security policy
  • National security
    National security
    National security is the requirement to maintain the survival of the state through the use of economic, diplomacy, power projection and political power. The concept developed mostly in the United States of America after World War II...

     policy, Military strategy
    Military strategy
    Military strategy is a set of ideas implemented by military organizations to pursue desired strategic goals. Derived from the Greek strategos, strategy when it appeared in use during the 18th century, was seen in its narrow sense as the "art of the general", 'the art of arrangement' of troops...

  • Network security policy
    Network security policy
    A network security policy is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment. The document itself is usually several pages long and written by a...

  • Virtual security policy
  • Photo identification
    Photo identification
    Photo identification is generally used to define any form of identity document that includes a photograph of the holder.Some countries use a government issued card as a proof of age or citizenship.Types of photo ID cards include:*Passports...

  • Physical Security
    Physical security
    Physical security describes measures that are designed to deny access to unauthorized personnel from physically accessing a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts...

  • Policy
    Policy
    A policy is typically described as a principle or rule to guide decisions and achieve rational outcome. The term is not normally used to denote what is actually done, this is normally referred to as either procedure or protocol...

  • Remote Access Policy
    Remote Access Policy
    Remote access policy is a document which outlines and defines acceptable methods of remotely connecting to the internal network. It is essential in large organization where networks are geographically dispersed and extend into insecure network locations such as public networks or unmanaged home...

  • Security
    Security
    Security is the degree of protection against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition. The Institute for Security and Open Methodologies in the OSSTMM 3 defines security as "a form of protection...

  • Security engineering
    Security engineering
    Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts...

  • User Account Policy
    User Account Policy
    User Account Policy is a document which outlines the requirements for requesting and maintaining an account on computer systems or networks, typically within an organization. It is very important for large sites where users typically have accounts on many systems...

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK