II. Organizational Policies & Procedures

It is critical that policies procedures be loped which reflect the significance of the information resource

A. Scope Of Security Mechanisms

Security policies specify the rules that govern how information is to be protected; security mechanisms enforce these policies. Since a secure system is one that should be part of the total organization, the scope of the security mechanism may include all the administrative, procedural, physical, operational and technical aspects of the organization.

B. Basic Goals

Basic goals of a secure system are:

  • Prevention includes those organizational, operational and physical methods thought necessary to keep a system secure from both internal and external penetration;

  • Deterrence includes those policies, procedures and actions designed to discourage penetration of the system;

  • Containment focuses on keeping sensitive data within the system;

  • Detection means to find the nature, existence, presence or fact of the system penetration;

  • Recovery is the action necessary to restore a system’s computational capability and data files after a system failure or penetration. A disaster plan is part of recovery.

C. Written Management Policies & Procedures

Once sensitive data are identified, and policies and procedures for handling sensitive data have been established, these policies and procedures must be communicated to those who are affected. A variety of methods including training and a security manual may be used for communicating this information.