Characteristics of a Good Security Policy

If a security policy is written poorly, it cannot guide the developers and users in providing appropriate security mechanisms to protect important assets. Certain characteristics make a security policy a good one.

- Coverage

A security policy must be comprehensive (all-inclusive): it must either apply to or explicitly exclude all possible situations. Furthermore, a security policy may not be updated as each new situation arises, so it must be general enough to apply naturally to new cases that occur as the system is used in unusual or unexpected ways.

- Durability

A security policy must grow and adapt well. In large measure, it will survive the system's growth and expansion without change. If written in a flexible way, the existing policy will be applicable to new situations. However, there are times when the policy must change (such as when government regulations mandate new security constraints), so the policy must be changeable when it needs to be.

An important key to durability is keeping the policy free from ties to specific data or protection mechanisms that almost certainly will change. It is preferable to describe assets needing protection in terms of their function and characteristics, rather than in terms of specific implementation.

- Realism

The policy must be realistic. That is, it must be possible to implement the stated security requirements with existing technology. Moreover, the implementation must be beneficial in terms of time, cost, and convenience; the policy should not recommend a control that works but prevents the system or its users from performing their activities and functions.

- Usefulness

An obscure or incomplete security policy will not be implemented properly, if at all. The policy must be written in language that can be read, understood and followed by anyone who must implement it or is affected by it. For this reason, the policy should be succinct, clear, and direct.

Risk Analysis:

Risks are events or conditions that may occur, and whose occurrence, if it does take place, has a harmful or negative effect. Exposure to the consequences of uncertainty constitutes a risk. In everyday usage, risk is often used synonymously with the probability of a known loss. In information security, a risk is defined as a function of three variables:

- the probability that there is a threat

- the probability that there are any vulnerabilities

- the potential impact

In general, there are three strategies for risk reduction:

- avoiding the risk, by changing requirements for security or other system characteristics

- transferring the risk, by allocating the risk to other systems, people, organizations, or assets; or by buying insurance to cover any financial loss should the risk become a reality

- assuming the risk, by accepting it, controlling it with available resources, and preparing to deal with the loss if it occurs

Good, effective security planning includes a careful risk analysis. Risk analysis is the process of examining a system and its operational context to determine possible exposures and the potential harm they can cause.

Steps of Risk Analysis

By following well-defined steps, we can analyze the security risks in a computing system. The basic steps of risk analysis are listed below.


1. Identify assets.

2. Determine vulnerabilities.

3. Estimate likelihood of exploitation.

4. Compute expected annual loss.

5. Survey applicable controls and their costs.

6. Project annual savings of control.
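
The six steps carried through on a small worksheet, as an added example that is not part of the original page. The asset names, likelihoods, loss figures and controls are constructed, and the code assumes the common convention that expected annual loss is events per year times loss per event and that a control's annual savings is the loss it removes minus its own annual cost.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    asset: str               # step 1: identify assets
    vulnerability: str       # step 2: determine vulnerabilities
    events_per_year: float   # step 3: estimated likelihood of exploitation
    loss_per_event: float    # estimated cost of one occurrence

    def annual_loss(self) -> float:           # step 4: expected annual loss
        return self.events_per_year * self.loss_per_event

@dataclass
class Control:                                # step 5: a control and its cost
    name: str
    annual_cost: float
    # Fraction of a risk's expected loss removed, keyed by (asset, vulnerability).
    reduction: dict = field(default_factory=dict)

def expected_annual_loss(risks, control=None) -> float:
    """Total expected annual loss, optionally with one control in place."""
    total = 0.0
    for r in risks:
        cut = control.reduction.get((r.asset, r.vulnerability), 0.0) if control else 0.0
        if not 0.0 <= cut <= 1.0:
            raise ValueError(f"reduction for {r.asset!r} must be between 0 and 1")
        total += r.annual_loss() * (1.0 - cut)
    return total

def annual_savings(risks, control) -> float:  # step 6: projected annual savings
    before, after = expected_annual_loss(risks), expected_annual_loss(risks, control)
    return before - after - control.annual_cost

def rank_controls(risks, controls):
    """Controls ordered by savings; a negative figure costs more than it saves."""
    pairs = [(c.name, annual_savings(risks, c)) for c in controls]
    return sorted(pairs, key=lambda p: p[1], reverse=True)

# Constructed sample figures (hypothetical organization, arbitrary currency units).
DB, LAPTOPS = "customer database", "staff laptops"
RISKS = [Risk(DB, "unpatched web front end", 0.5, 200_000),
         Risk(DB, "lost backup media", 0.25, 160_000),
         Risk(LAPTOPS, "theft without disk encryption", 2.0, 10_000)]
CONTROLS = [
    Control("patch management", 30_000, {(DB, "unpatched web front end"): 0.75}),
    Control("full-disk encryption", 5_000, {(LAPTOPS, "theft without disk encryption"): 0.75,
                                            (DB, "lost backup media"): 0.5}),
    Control("offsite backup courier", 20_000, {(DB, "lost backup media"): 0.25})]

if __name__ == "__main__":
    for name, saving in rank_controls(RISKS, CONTROLS):
        print(f"{name:24s} {saving:>10,.0f}")
```

The courier control ranks last with negative savings: it reduces a real risk but costs more per year than the loss it removes, which is the cost test described under Realism.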


Access Control:

Access control is the ability to permit or deny the use of a particular resource by a particular entity. Access control mechanisms can be used in managing physical resources (such as a movie theater, to which only ticketholders should be admitted), logical resources (a bank account, with a limited number of people authorized to make a withdrawal), or digital resources (for example, a private text document on a computer, which only certain users should be able to read).

In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects.
