In the network security realm, policies are usually point specific, which means they
cover a single area. A security policy is a document that expresses exactly what the security level should be by
setting the goals of what the security mechanisms are to accomplish. Security policy is written by higher
management and is intended to describe the "whats" of information security. The next section gives a few
examples of security policies. Procedures, standards, baselines, and guidelines are the "hows" for
implementation of the policy. Information security policies underline the security and well-being of information
resources; they are the foundation of information security within an organization.
Trust is one of the main themes in many policies. Some companies do not have policies because they trust in
their people and trust that everyone will do the right thing. But that is not always the case, as we all know.
Therefore, most organizations need policies to ensure that everyone complies with the same set of rules.
In my experience, policies tend to elevate people's apprehension because people do not want to be bound by
rules and regulations. Instead, people want freedom and non-accountability.