A.4 Chapter 3: Policies and Guidelines

  • Assess your environment. What do you need to protect? What are you protecting against?

  • Understand priorities, budget, and available resources.

  • Perform a risk assessment and cost-benefit analysis.

  • Get management involved.

  • Set priorities for security.

  • Identify your security perimeter.

  • Develop a positive security policy. Circulate it to all users.

  • Ensure that authority is matched with responsibility.

  • Ensure that everything to be protected has an "owner."

  • Work to educate your users on good security practice.

  • Don't have different, less secure rules for top-level management.

  • Conduct a compliance audit.

  • Outsource when appropriate, but with great care.

    Part VI: Appendixes