Merlin's Computer Usage and Policy Guidelines

Corporate Security Policy

A properly drafted Security Policy will greatly assist a business in safeguarding its computer systems against physical harm as well as against attack by hackers and others with ill intentions.

 


Introduction

Today's computer technology provides businesses with very valuable and flexible business tools, including: word processing of documents; spreadsheets; databases of information; systems for data entry, storage and retrieval; electronic mail and Internet access. Businesses need to be careful that any material that should not be seen by certain people is protected (e.g. business strategy, customers' personal details or credit card numbers, product cost prices, product recipes, etc.).

An effective security policy can help to guard against unauthorised access to systems and data. This document aims to help businesses prepare and implement an effective security policy. The following guidelines can be fine-tuned by companies to suit particular preferences or business objectives.

Preparing the Security Policy

It is important for all members of the company to accept the Security Policy, and to cooperate with its implementation and enforcement. Therefore, bear in mind the following:

  1. Involve relevant staff members in its creation.
  2. Keep all staff briefed about its development, and pending implementation.
  3. Implement the policy by appropriately informing all staff, and ensure that all staff understand the purpose of the policy as well as the detail of the policy.
  4. Once implemented, make it a condition of employment that new staff members sign an agreement of acceptance of the security policy terms and conditions.
  5. Periodically review the policy to ensure that it is kept current, and still adequately covers all systems and access methods.

Brief checklist of considerations

  1. List all computer systems and repositories of data/information that the policy will refer to. For more complex computing environments, network diagrams will also be useful to highlight vulnerable points in the overall network.
  2. Define the nominal owner of each system and repository. The owner will have a vested interest in ensuring that the security of the system or repository is sound, and maintained.
  3. Describe any ongoing awareness programs that are to be put in place.
  4. Describe the acceptable usage of the various systems and resources (and if appropriate refer to other policies for such things as e-mail and Internet usage).
  5. Describe the forms of access to systems and data, including: physical/secure access into computer rooms; physical access into buildings; electronic access to systems via a logon process (using a user name and password).
  6. Describe the various levels of access to systems (i.e. privileges) that are available, and to which company positions they are available.
  7. Describe the consequences to staff of violating the policy.
  8. Describe the periodic review process for potential updating of the policy.

Purpose

The company is mindful that company information is stored across a number of systems and data repositories, and that due to the sometimes sensitive nature of the information, or its critical nature, access to systems and data must be controlled. This invariably means that access must be limited in varying ways and to varying degrees.

The purpose of this security policy is to guard against unauthorised access to information, and unauthorised processing of information. For its success, it is important that all staff proactively support the policy and its execution. Any breach of the policy must be reported.

Sample Policy Items

  1. Key computer systems (e.g. large systems, servers and network infrastructure) are to be located in a physically secure environment, with very restricted access available to a defined list of people.
  2. To gain access to a system, users must log on using their own user name and password. User names are not to be shared, and passwords are to be kept secret.
  3. Passwords are to be at least 6 characters long, and include at least one numeric digit.
  4. Passwords are to be changed at least once per month (i.e. every 31 days).
  5. Once a user has logged on to a computer terminal, screen or PC, that user is responsible for any information that is entered there, or changed there. Data stored in large systems may have the user's user name recorded against the change for audit purposes.
  6. Any modem that is used for dial-up access is to be configured for outgoing calls only (to prevent hackers from dialling in). Any modems used for dial-in purposes are to have appropriate controls in place to guard against hackers dialling in.
  7. When using a dial-up service, bear in mind that information being transmitted may not be encrypted and might be able to be viewed by people with the appropriate monitoring equipment.
  8. The e-mail facility is to be used carefully and responsibly (see the company's e-mail usage policy).
  9. The Internet access facility is to be used carefully and responsibly (see the company's Internet usage policy).



This site built and maintained by Robert B. Brain (in his spare time).
Please feel free to send feedback and suggestions by email.
Email to: brain at the domain: hotkey.net.au
(Sorry, but this email address is coded to elude spammers).

© Copyright 1999-2003, Colonial Pioneer Publishing (ABN: 52 791 744 975).
http://www.hotkey.net.au/~brain
Last revised: 20 May, 2003.


Important: The information provided here is not advice. It is intended as a guide only, and may not be complete, nor relevant to every situation. It should not be relied upon. Any product or company names that might be mentioned here may be registered trade marks or trade names owned by the respective companies, and they are quoted here in good faith, without recommendation or endorsement.