Security policy

Security policy

Security policy is a definition of what it means to "be secure" for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.

Because the security policy is a high level definition of secure behavior, it is meaningless to claim an entity is "secure" without knowing what "secure" means. It is also foolish to make any significant effort to address security without tracing the effort to a security policy.

Significance

If it is important to be secure, then it is important to be sure all of the security policy is enforced by mechanisms that are strong enough. There are organized methodologies and risk assessment strategies to assure completeness of security policies and assure that they are completely enforced. In complex systems, such as information systems, policies can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce sub-policies. However, this practice has pitfalls. It is too easy to simply go directly to the sub-policies, which are essentially the rules of operation and dispense with the top level policy. That gives the false sense that the rules of operation address some overall definition of security when they do not. Because it is so difficult to think clearly with completeness about security, rules of operation stated as "sub-policies" with no "super-policy" usually turn out to be rambling ad-hoc rules that fail to enforce anything with completeness. Consequently, a top level security policy is essential to any serious security scheme and sub-policies and rules of operation are meaningless without it.

ee also

*Access control
*Computer security policy
*Environmental design
*Information Protection Policy
*Information security policy
*National security policy, Military strategy
*Network security policy
*Photo identification
*Physical Security
*Policy
*Remote Access Policy
*Security
*Security engineering
*User Account Policy


Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • security policy — saugumo politika statusas T sritis informatika apibrėžtis Taisyklės ir procedūros, nusakančios, kaip tam tikra organizacija arba kompiuterinė sistema teikia ↑saugumo paslaugas išteklių saugumui užtikrinti. pavyzdys( iai) liudijimų įstaigos… …   Enciklopedinis kompiuterijos žodynas

  • security policy — saugumo taisyklės statusas T sritis informatika apibrėžtis Taisyklės, kuriomis nusakoma, kaip tam tikra organizacija arba kompiuterinė sistema teikia ↑saugumo paslaugas išteklių saugumui užtikrinti. Gali būti pateiktos formaliu pavidalu (tam, kad …   Enciklopedinis kompiuterijos žodynas

  • Security Policy — Eine Sicherheitsrichtlinie (auch Sicherheitsleitlinie, Sicherheitspolitik) beschreibt den erstrebten Sicherheitsanspruch einer Institution (Behörde, Unternehmen, Verband etc.). Mit Sicherheit ist hier in der Regel Informationssicherheit gemeint.… …   Deutsch Wikipedia

  • Security Policy —   Formally listed as a EC objective in the Single European Act (SEA), and institutionalized in the Treaty on European Union, but not yet established in practice …   Glossary of the European Union and European Communities

  • Common Foreign and Security Policy — This article deals with the workings of European Union foreign policy. For the relations between the European Union and third countries, see Foreign relations of the European Union. European Union This a …   Wikipedia

  • Center for Security Policy — infobox Organization name = Center for Security Policy size = abbreviation = motto = formation = 1988 type = National security Think Tank headquarters = location = leader title = leader name = website = http://www.centerforsecuritypolicy.org The… …   Wikipedia

  • Computer security policy — A computer security policy defines the goals and elements of an organization s computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical… …   Wikipedia

  • Council for Foreign and Security Policy — The Council for Foreign and Security Policy (CFSP) (Ukrainian: Рада із зовнішньої та безпекової політики) is a non governmental research organization focusing on the Ukrainian national and foreign security policy to develop well grounded… …   Wikipedia

  • Information security policy documents — An information security policy document contains the written statements for how an organization intends to protect information. Written information security policy documents are required for compliance with various security and privacy… …   Wikipedia

  • Network security policy — A network security policy is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment. The document… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”