23.3 Security Policy


Once a company has identified its main risks, the next step is to develop a security policy for protecting its assets.
A security policy consists of statements that rank information risks, identify acceptable security goals, and identify the mechanisms for achieving those goals.
What are the firm's most important information assets? What security policies are in place to protect that information?
What level of risk is management willing to accept for each of these assets?
Is it willing, for example, to lose customer credit data once every ten years, or will it build a security system for credit card data that can withstand the once-in-a-hundred-year disaster?
Management must then estimate how much it will cost to achieve this level of acceptable risk.
The security policy also determines acceptable uses of the firm's information and which members of the company are allowed to access its information assets.
An acceptable use policy (AUP) defines the acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet.
It also clarifies company policy regarding privacy, user responsibility, and personal use of company equipment and networks.

A strong AUP defines acceptable and unacceptable actions for every user and spells out the consequences of noncompliance.
Authorization policies determine differing levels of access to information assets for different levels of users.
Authorization management systems enforce these policies: they hold the rules that establish where and when each user is allowed to access certain parts of a web site or a corporate database, and they deny any access the rules do not explicitly grant.

Figure 23-1 Security Profiles for a Personnel System

Figure 23-1 illustrates this with two sets of users of an online personnel database that contains sensitive information: for each set of users it shows which data fields they are permitted to access and the type of access allowed to each field.
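The security profiles in Figure 23-1 and the authorization management systems described above amount to a rule table consulted on every access. The following is an added example, not code from the original text, of how such a system can enforce per-field, per-role rules (including a "when" window) over a personnel record. The two profiles, the field names, and the timestamps are constructed for this example and do not reproduce the contents of Figure 23-1.

```python
"""Field-level authorization for a personnel database, driven by security
profiles.  Illustrative example; the profiles and records below are constructed
assumptions, not the contents of Figure 23-1."""
from dataclasses import dataclass, field
from datetime import datetime, time
from enum import Enum
from typing import Dict, Optional


class Access(Enum):
    NONE = "none"
    READ = "read"
    UPDATE = "update"   # UPDATE implies READ


@dataclass(frozen=True)
class Rule:
    """What a profile may do with one field, and the daily window in which the
    rule applies (start inclusive, end exclusive; None means at any time)."""
    access: Access
    start: Optional[time] = None
    end: Optional[time] = None


@dataclass
class SecurityProfile:
    name: str
    rules: Dict[str, Rule] = field(default_factory=dict)   # field name -> Rule


# Constructed example profiles (assumptions for this example).
PROFILES = {
    "personnel_clerk": SecurityProfile("personnel_clerk", {
        "employee_id": Rule(Access.READ),
        "name":        Rule(Access.UPDATE, time(8, 0), time(18, 0)),
        "address":     Rule(Access.UPDATE, time(8, 0), time(18, 0)),
        "salary":      Rule(Access.NONE),
        "medical":     Rule(Access.NONE),
    }),
    "personnel_manager": SecurityProfile("personnel_manager", {
        "employee_id": Rule(Access.READ),
        "name":        Rule(Access.UPDATE),
        "address":     Rule(Access.UPDATE),
        "salary":      Rule(Access.UPDATE),
        "medical":     Rule(Access.READ),
    }),
}

# Constructed sample data and timestamps used by the demonstration below.
SAMPLE_RECORD = {"employee_id": 1042, "name": "A. Example", "address": "1 Main St",
                 "salary": 58000, "medical": "none on file", "ssn": "***-**-0000"}
NOON = datetime(2024, 1, 15, 12, 0)      # inside the clerk's working-hours window
NIGHT = datetime(2024, 1, 15, 2, 0)      # outside it


def _in_window(rule: Rule, now: datetime) -> bool:
    if rule.start is None or rule.end is None:
        return True
    return rule.start <= now.time() < rule.end


def authorize(role: str, field_name: str, action: Access, now: datetime,
              profiles: Dict[str, SecurityProfile] = PROFILES) -> bool:
    """Return True only if the role's profile explicitly grants `action` on
    `field_name` at time `now`.  Unknown roles, unlisted fields, NONE rules and
    out-of-window requests are all denied (default deny)."""
    profile = profiles.get(role)
    if profile is None:
        return False
    rule = profile.rules.get(field_name)
    if rule is None or rule.access is Access.NONE:
        return False
    if not _in_window(rule, now):
        return False
    if action is Access.READ:
        return rule.access in (Access.READ, Access.UPDATE)
    if action is Access.UPDATE:
        return rule.access is Access.UPDATE
    return False


def redact(role: str, record: dict, now: datetime,
           profiles: Dict[str, SecurityProfile] = PROFILES) -> dict:
    """Project a personnel record onto the fields the role may read right now;
    fields with no rule at all (e.g. 'ssn' above) never leave the database."""
    return {k: v for k, v in record.items()
            if authorize(role, k, Access.READ, now, profiles)}


if __name__ == "__main__":
    for role in ("personnel_clerk", "personnel_manager", "contractor"):
        print(role, "sees:", redact(role, SAMPLE_RECORD, NOON))
```

The two design points worth copying are the default-deny shape of `authorize` (no profile, no rule, or a `NONE` rule all return `False`, so a field added to the database later is invisible until a rule is written for it) and the fact that `redact` projects records through the same function rather than keeping a second, separately maintained list of visible fields.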