Introduction to NonStop Operations Management

Security Management
The following subsections provide you with information that will help you implement these rules.
Developing a Security Policy
A security policy is usually a high-level statement of the security goals and procedures
of an organization. Because security depends on the cooperation of all users, all users
must be made aware of the security policy and what they must do to comply with it.
For all departments in your organization, the policy should address the control and
disposition of sensitive information in all forms: online data, printed reports, data
communications, magnetic media, and off-site storage. To review a sample security
policy, refer to the Security Management Guide.
A security policy should accomplish three goals:
1. Set the basic scope and general tone of an organization’s security program.
2. Define who has overall responsibility for security and who is responsible for maintaining the security policy.
3. Define the security procedures for all departments that handle sensitive information.
Some examples of security procedures that you should develop include:
• Installation procedures for system and application software
• Procedures for adding and removing users from the system
• Procedures governing the actions of privileged users, including control of their passwords
• Procedures governing how passwords are assigned and when they should be changed
• Procedures for developers to follow regarding the security of applications and utilities
Consider the following guidelines when developing your security policy.
Rule 8  The staff responsible for security monitoring and auditing should periodically review adherence to security rules. Develop or acquire audit tools and reports to support this activity.
Rule 9  The security program must have integrity. Actively test the validity of the security program, the physical barriers, the administrative practices, and the hardware-protection and software-protection mechanisms.