An IT or cyber security policy defines the rules and guidelines that everyone in an organization should follow to ensure the confidentiality, integrity and availability of data and resources. A good IT security policy should be realistic, and its information should be clear and provide enough guidance for developing specific procedures. A good security policy will provide a high level of data and resource protection from both internal and external threats to an organization.
An IT security policy should be developed so that it stays flexible as technology changes. The components of a security policy may vary by organization based on the technology it uses, the services it provides, its size and the budget available. Most organizations' security policies include a user access policy to classify the roles of the users who access resources in the organization's network; a password policy to protect the infrastructure and the integrity of data; an email usage policy to restrict personal usage, filter attachments with specific extensions, etc.; an internet usage policy to restrict access to some websites that are vulnerable to malware and viruses; and policies requiring anti-virus software on machines to detect and mitigate viruses and to identify and scan files when removable media devices are connected.
Our company uses user access control to give users access to resources based on their roles. For example, a person with the developer role will not have permission to deploy an application; an administrator will have the permissions to deploy. The password policy contains rules such as prompting for a password change when a user logs in to the system for the first time, password length, restricting the user from reusing the previous three passwords, prompting the user to change the password every 90 days, etc. The email policy includes restricting users from personal usage and blocking attachments that have extensions like .jar, .exe, etc. Other policies include sending notifications to users to install security updates and automatic anti-virus scans of all incoming and outgoing files and external media devices.
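
The password rules above (forced change at first login, a length rule, no reuse of the previous three passwords, a change every 90 days) can be enforced without ever storing old passwords in plaintext. The following is an added example, not the company's implementation: the `Account` record, the minimum length of 12 and the PBKDF2 work factor are assumptions, since the text gives no values for them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HISTORY_DEPTH = 3               # from the page: previous three passwords are refused
MAX_AGE = timedelta(days=90)    # from the page: change prompted every 90 days
MIN_LENGTH = 12                 # assumption: the page names a length rule but no value
PBKDF2_ROUNDS = 600_000         # assumption: work factor for PBKDF2-HMAC-SHA256


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:  # hypothetical record; history holds (salt, digest), newest first
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    changed_at: Optional[datetime] = None
    must_change: bool = True    # forces a change at first login

    def verify(self, password: str) -> bool:
        if not self.history:
            return False
        salt, digest = self.history[0]
        return hmac.compare_digest(_digest(password, salt), digest)

    def change_required(self, now: datetime) -> bool:
        if self.must_change or self.changed_at is None:
            return True
        return now - self.changed_at >= MAX_AGE

    def set_password(self, new: str, now: datetime, temporary: bool = False) -> None:
        if len(new) < MIN_LENGTH:
            raise ValueError("password is shorter than the policy length")
        # Each stored entry has its own salt, so the candidate is re-hashed per
        # entry; plaintext passwords are never kept for the comparison.
        for salt, digest in self.history:
            if hmac.compare_digest(_digest(new, salt), digest):
                raise ValueError("password matches one of the previous three")
        salt = os.urandom(16)
        self.history = [(salt, _digest(new, salt))] + self.history[:HISTORY_DEPTH - 1]
        self.changed_at = now
        self.must_change = temporary  # admin-issued password must be replaced
```

The history keeps the current password plus the two before it, so a new password is compared against exactly three earlier ones and the oldest entry ages out on each change.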