PKI Policies and Procedures: Security Policy and Procedures

The security policies and procedures template follows the general format of ISO/IEC IS 17799, as a formal security policy with procedures and guidelines. The security policies and procedures document is internal, but is subject to external review for audit, certification, or accreditation.

A security policy should be based on an organization's business objectives and business requirements. In a PKI environment, the security policy is based on an organization's business objectives and business requirements and on the certificate policy. It is important that all policy documentation derive from one common directing strategy, which is normally dictated by business objectives. Certain elements of the security policy and procedures duplicate the requirements and guidelines of the certificate policy and certification practices statement, but the security policy and procedures can also stand alone.

SPYRUS participates in the development of many of these guides and on committees determining international standards on risk management, and we incorporate the most up-to-date and respected risk management guides into our security policy and procedures template.

The objective of security policy and procedures is to provide a framework for adequate, cost-effective protection of information and assets. High-level requirements for meeting this objective include the following:
  • Accountability
  • Authorization
  • Information management
  • Asset management
  • Security risk management
  • Ongoing security awareness
These requirements are met by the development, implementation, and monitoring of procedures addressing all areas of security, including personnel, physical, information technology, contracting, business continuity, configuration management, and audit. The SPYRUS security policy and procedures template covers all elements of security.




© 2008 SPYRUS, Inc.