5.2. Security as a Policy

It is important to point out that you cannot implement security if you have not decided what needs to be protected, and from whom. You need a security policy; a kind of list of what you consider allowable and not allowable, upon which to base any decisions regarding security. The policy should also determine your response to security violations. What you should consider while compiling a security policy will depend entirely on your definition of security. The answers to the following questions should provide some general guidelines:

• How do you classify confidential or sensitive information?

• Does the system contain confidential or sensitive information?

• Exactly whom do you want to guard against?

• Do remote users really need access to your system?

• Do passwords or encryption provide enough protection?

• Do you need access to the Internet?

• How much access do you want to allow to your system from the Internet?

• What action will you take if you discover a breach in your security?

This list is not very comprehensive, and your policy will probably encompass a lot more before it is completed. Any security policy must be based on some degree of paranoia; deciding how much you trust people, both inside and outside your organization. The policy must, however, provide a balance between allowing your users reasonable access to the information they require to do their work and totally disallowing access to your information. The point where this line is drawn will determine your policy.