Importance of Policies

With all the requirements on how security is to be implemented, or what is to be done in different situations, there must be one definite source for this information. Users must be able to go to a document, or a set of documents and be able to clearly see the policies and procedures that have been outlined for a particular organization. The Security Policy, as a document should defines how an organization will secure and manage its information technology assets.

By implementing a policy, it is easy for the management of an organization to define the procedures to all users.

Security Policies are usually not highly technical documents. If technical requirements are to be specified, there is often a separate policy defining those requirements. The overall policy itself will be broken down into several smaller policies, or statements. This allows for quick reference of any one area for a subject of interest.

Security policies cover a wide spectrum of topics and issues, such as:

	User Account Statement: covering clauses such as "Only the System Security Administrator may add new user account to the system", User account passwords must be at least 7 characters in length.
	General Protection Statement: covering clauses such as "Users may not share their computer or network access with anyone at any time", "Users may not access resources to which they have not been specifically granted access".
	Email Use Statement: covering clauses such as "Users may not send or receive personal email", "Users may not download attachments from unauthorized senders".
	Internet Access Statement: covering clauses such as "Users may not download anything without specific permission", "Users are not allowed access to web based email sites", "Users are not allowed to access websites that contain offensive, threatening, or harassing content"