How can set policy be used in achieving computer security?

 

Setting policy does not hinder development; it helps steer development in the right direction. This also holds in the information technology sector, where policies are set in order to achieve a common standard within the industry.

 

To protect computer data at any level, there have to be set rules in place as to who has access to the system at any point in time, the level to which an authorised user's access can go, and the actions that the user is allowed to perform on the information to which access is granted.

 

Looking at a family computer, it is possible that every member of the family accesses the computer, but there have to be set rules as to what the parents can do on the system and what the child can do on it. Parents might set a policy on which sites the children can access and which files can be downloaded. Once this policy is set, there has to be a mechanism in place to enforce it. One common example is a password mechanism, which automatically prevents access to specific areas on which a restriction has been placed.

 

Beyond the family home, an organization whose operation is technologically based will require a detailed list of policies which will guide and protect employee behaviour; this can then be used as a basis for protecting the organization's assets, which include information and the technology used in processing that information.

 

The following are the types of computer security policies that can be set up by various establishments.

 

Program-framework policies.

 

These are a set of rules that provide organization-wide direction on broad areas of program implementation. For example, they may be issued to assure that all components of an organization address contingency planning or risk analysis. This policy can benefit an organization by ensuring consistency in the way it performs its functions.

Program-framework policies are issued by a manager with sufficient authority to direct all organization components on computer security issues. This may be the organization's management official or the head of the computer security program.

 

Issue-specific policies

 

This type of policy identifies a specific area of concern and states the organization's position on it.

Depending upon the issue and attendant controversy, as well as potential impact, issue-specific policy may come from the head of the organization, the top management official, the Chief Information Officer, or the computer security program manager.

 

System-specific policies.

 

This is where the security objectives of a system are set. It is here that the methods by which the system is operated are set in order to achieve the security objectives, specifying how the protections and features of the technology will be used to support or enforce those objectives. A system refers to the entire collection of processes, both automated and manual. System-specific policy is normally issued by the manager or owner of the system (which could be a network or application), but may originate from a high official, particularly if all impacted organizational elements do not agree with the new policy.

 

 

 

http://csrc.nist.gov/publications/nistbul/csl94-01.txt

 

 
