Security policies--where to start

by Mitch Tulloch [Published on 13 Oct. 2005 / Last Updated on 13 Oct. 2005]

If you tell IT managers they need to create a formal, written security policy for their company (many small- and mid-sized companies don't have one), what's the first thing they'll say in response?

"Can you show me a template I can use to create one?"

That's wrong thinking. You don't want to create your security policy based on some general set of principles abstracted from companies in various business sectors. Instead, you want to base your security policy on your own company's needs and nothing else. What information assets does your company have that need protecting? What risks do these assets realistically face? Prioritize your assets according to value and risks according to likelihood. Then create a policy that addresses each risk appropriately.

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com.
