Organizational Security

Policies
PRESENTED BY:
ARTI DEEPAK SHINDE
MSC. CS-II
ROLL NO. 13521
1
Outline
Organizational Security Policies
Purpose
Audience
Contents
Characteristics of a Good security policy.
Nature of security policies.
Data sensitivity policy
Defined Levels of Data Sensitivity.
Conclusion




2
Organizational Security Policies
Who can access which resources in what manner?
That describe as:
Who should be allowed access?
Which system and organizational resources should access be
allowed?
What types of access should each user be allowed for each
resource?
3
Organizational Security Policies
Security policy - A high-level management
document to inform users of the objectives and
constraints on using a system.
The purpose of using the policy document:
Recognise sensitive information assets
Clarifying security responsibilities
Promoting awareness for existing staff
Giving guidelines to new employees.

4
Qu. Define security policy.?
Organizational Security Policies
The policy statement should specify the following:
The organization's goals on security:
For example should the system protect data from leakage to
outsiders example, outsiders, protect against loss of data due to
physical disaster, protect the data's integrity, or protect against loss
of business when computing resources fail?
What is the higher priority: serving customers or securing data?
Where the responsibility for security lies:
For example, should the responsibility rest with a small computer
security group with each employee or with relevant managers?
The organization's commitment to security:
For example, who provides security support for staff and where does
security fit into the organization's staff, organizations structure?

5
Organizational Security Policies

A security policy must address the following:
The audience
who can access?
Contents
which resources?
Characteristics of a good security policy.
in what way?

6
Audience
Audience can be classified in four groups:
users,
owners,
Beneficiaries (e.g. customers, clients)
Balance Among All Parties
Audience uses the security policy in important but
different ways.
For each policy define the degree of confidentiality,
integrity, and continuous availability in the
computing resources provided to them.

7
Audience
Users: Users legitimately expect a certain degree of
confidentiality, integrity, and continuous availability in the
computing resources provided to them. Although the
degree varies with the situation, a security policy should
reaffirm a commitment to this requirement for service.
Owner: Each piece of computing equipment is owned by
someone, and the owner may not be a system user. An
owner provides the equipment to users for purpose, such as
to further education, support commerce, or enhance
productivity.
8
Audience
Beneficiaries: A business has paying customers or
clients; they are beneficiaries of the products and services
offered by that business. At the same time the general
public may benefit in several ways:
As a source of employment or
By provision of infrastructure
Balance Among All Parties: A security policy must
relate to the needs of users, owners, and beneficiaries.
Unfortunately, the needs of these groups may conflict. A
beneficiary might require immediate access to data, but
owners or users might not want to bear the expense or
inconvenience of providing access at all hours.
9
Security Policies: Contents
Purpose: The policy should state the purpose of the
organizations security functions, reflecting the requirements
of beneficiaries, user and owners.
o There are typically three to five goals, such as:
Promote efficient business operation.
Facilitate sharing of information throughout the organization.
Safeguard business and personal information.
Ensure that accurate information is available to support business
process.
Ensure a safe and productive place to work.
Comply with applicable laws and regulations.
10
Security Policies: Contents
Protected Resources: The risk analysis identified the
assets (resources) that are to be protected.
These assets should be listed in the policy document:
The resources can be computers, networks, general data,
management data,
Nature of the Protection: The policy should also
indicate
who should have access to the protected resources,
how that access will be ensured and
how unauthorised people will be denied access.

11
Characteristics of a Good security policy
A good security policy should address the following
characteristics:
Coverage
Comprehensive and general
Durability
Survive the system's growth and expansion
Realism
Feasible to implement
Usefulness
The policy should be concise, clear, and direct.

12
Qu. What are the characteristics of a Good Security Policy ?
Characteristics of a Good security policy
Coverage: A security policy must be comprehensive: It
must either apply to or explicitly exclude all possible
situations.
Durability: A security policy must grow and adapt well.
In large measure, it will survive the systems growth and
expansion without change. If written in a flexible way, the
existing policy will be applicable to new situations.
However there are times when the policy must change, so
the policy must be changeable when it needs to be. An
important key to durability is keeping the policy free from
ties to specific data or protection mechanisms that almost
certainly will change.

13
Realism: The policy must be realistic. That is, it must be
possible to implement the stated security requirements
with existing technology. Moreover, the implementation
must be beneficial in terms of time, cost and convenience;
the policy should not recommend a control that works but
prevents the system or its users from performing their
activities and functions
Usefulness: An obscure or implement security policy
will not be implemented properly, if at all. The policy must
be written in the language that can be read, understood,
and followed by anyone who must implement it or is
affected by it.
Characteristics of a Good security policy
14
Nature of security policies
To understand the nature of security policies, we study a
example
Data Sensitivity Policy: Our first example is form an
organization that decided to classify all its data resources
into four levels, based on how severe might be the affect if a
resource were damaged.
This levels are listed below..
15
Example: Defined Levels of Data Sensitivity.

Name: Sensitive
Description: could damage competitive advantage.
Examples:
Audit reports
Operating plans
-----------------------------------------------------------------------
Name: Personal or protected
Description: could reveal personal, private, or protected
information.
Examples:
Personal data:- employees salaries or performance reviews
Private data:- employee lists
Protected data:- data obligated to protect, such as those obtained under a
nondisclosure agreement
16
Example: Defined Levels of Data Sensitivity.

Name: Company confidential
Description: could damage companys public image.
Examples:
Audit reports
Operating plans
-----------------------------------------------------------------------
Name: Open
Description: No harm.
Examples:
Press releases
White paper
Marketing materials
17
Conclusion
An organizational security policy is a document that
specifies the organizations goals regarding security.
It lists policy elements that are statements of actions
that must or must not be taken to preserve those
goals.
Policy documents often lead to implementation
procedures.
Also, users education and awareness activities ensure
that users are aware of policy restrictions
18
19