What Makes a Good Security Policy?

The characteristics of a good security policy are:

1. It must be implementable through system administration procedures, publishing of
    acceptable use guidelines or other appropriate methods.

2. It must be enforceable with security tools, where appropriate, and with sanctions,
    where actual prevention is not technically feasible.

3. It must clearly define the areas of responsibility for the users, administrators, and
    management.


Basic Properties of Security (Basic Principles of Security):

Confidentiality: Let X be a set of entities and let I be some information. Then I has the property of confidentiality with respect to X if no member of X can obtain information about I. Confidentiality implies that information must not be disclosed to some set of entities. It may be disclosed to others. The membership of set X is often implicit – for example, when we speak of a document that is confidential. Some entity has access to the document. All entities not authorized to have such access make up the set X.

Integrity: Let X be a set of entities and let I be some information or a resource. Then I has the property of integrity with respect to X if all members of X trust I. In addition to trusting the information itself, the members of X also trust that the conveyance and storage of I do not change the information or its trustworthiness (this aspect is sometimes called data integrity). If I is information about the origin of something, or about an identity, the members of X trust that the information is correct and unchanged (this aspect is sometimes called origin integrity or, more commonly, authentication). Also, I may be a resource rather than information. In that case, integrity means that the resource functions correctly (meeting its specifications). This aspect is called assurance. As with confidentiality, the membership of X is often implicit.

Availability: Let X be a set of entities and let I be a resource. Then I has the property of availability with respect to X if all members of X can access I. The exact definition of "access" varies with the needs of the members of X, the nature of the resource, and the use of the resource. If a book-selling server takes up to 1 hour to service a purchase request, that may meet the client's requirements for "availability." If a server of medical information takes up to 1 hour to service an anesthetic allergy information request, that will not meet an emergency room's requirements for "availability."

Policy can be expressed in:

- Natural language, which is usually imprecise but easy to understand;
- Mathematics, which is usually precise but hard to understand;
- Policy languages, which look like some form of programming language and try to balance precision with ease of understanding.
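
The confidentiality and availability definitions above can be written as executable checks, which is the kind of precision the mathematical and policy-language forms aim for. The following is an added example, not part of the original page; the access matrix, the subject and object names, the rule that a subject may copy what it has read into anything it can write, and the 60-second emergency-room deadline used with it are assumptions constructed for illustration.

```python
# Added example (not from the original page): the set-based definitions
# written as checks over a constructed access-control matrix.

# Constructed sample data: RIGHTS[subject][object] -> rights ("r" read, "w" write).
RIGHTS = {
    "alice": {"payroll": {"r", "w"}, "notes": {"r", "w"}},
    "bob": {"notes": {"r"}},
    "carol": {},
}

def direct_readers(rights, info):
    """Subjects holding an explicit read right on `info`."""
    return {s for s, objs in rights.items() if "r" in objs.get(info, ())}

def who_can_learn(rights, info):
    """Subjects that information about `info` can reach, directly or via copies.

    Assumption: a subject that has learned `info` may write it into any object
    it can write, so those objects carry the information onward.
    """
    carriers, knows = {info}, set()
    changed = True
    while changed:
        changed = False
        for subject, objs in rights.items():
            if subject not in knows and any("r" in objs.get(o, ()) for o in carriers):
                knows.add(subject)
                changed = True
            if subject in knows:
                writable = {o for o, r in objs.items() if "w" in r}
                if not writable <= carriers:
                    carriers |= writable
                    changed = True
    return knows

def confidential(rights, info, X):
    """I is confidential w.r.t. X if no member of X can obtain information about I."""
    return not (set(X) & who_can_learn(rights, info))

def available(worst_case_seconds, deadlines):
    """I is available w.r.t. X if every member's own requirement for "access" is met.

    `deadlines` maps each member of X to the longest wait it can tolerate.
    """
    return all(worst_case_seconds <= limit for limit in deadlines.values())
```

With this matrix, only alice holds a read right on payroll, yet payroll is not confidential with respect to bob, because alice can write to notes and bob can read it.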
