Example Security Policy

Contents: Front Matter Introduction Overview Security Policies Responsibilities Appendices

The following is an example security policy for the Global Personal Marketplace (GPM), a Web-based auction and sales application intended for private individuals and small businesses.

Front Matter

The frontmatter of this security policy includes the following:

Title Page
Revision History

Introduction

The introduction of this security policy has the following subsections:

Document Definition
Document Objectives
Intended Audiences
References

Document Definition

This document contains the security policy for the Global Personal Marketplace (GPM) application.

Document Objectives

The objectives of this security policy document are to:

Formally document the security policy of the Global Personal Marketplace application.
Formally communicate this security policy to its stakeholders.

Intended Audiences

The intended audiences for this security policy include all internal stakeholders of the GPM application:

Customer Organization
Development Organization
Maintenance Organization
Operations Organization
Subcontractor Organization(s)

References

The security policy for the GPM application references the following documents:

Overview

The overview of this security policy has the following subsections:

Importance Of Security
Security Goals
Security Principles
Security Policy Scope

The services provided by the Global Personal Marketplace (GPM) application are very valuable and the primary source of our income. The information that GPM controls, whether belonging to the company or held in trust for and on behalf of our customers and our personnel, is also a valuable asset. These services and information must be protected to an extent corresponding to their value and the extent of the damage that could result from their unautorized use or misuse including disclosure, modification, destruction, or intentional lack of availability.

Security Goals

The following are the security goals for the Global Personal Marketplace application:

Restricted GPM services and information will only be available to identified, authenticated, and authorized individuals including properly:
- Registered users in good standing.
- Vetted employees performing assigned roles.
The GPM application shall be immune from infection by malicious programs.
The integrity of all data, whether stored or communicated, is secured.
Attempted and actual intrusion by unauthorized individuals and programs shall be detected and properly acted on.
Parties to all transactions shall not be able to repudiate their involvement in the transaction.
All confidential data shall remain private.
The GPM application shall enable the proper auditing of security mechanisms.
The GPM shall be able to survive directed physical attack.
The GPM shall provide physical security to its components including data, hardware, software, and personnel.
Routine maintenance shall not lower the security of the GPM application.

Security Principles

The following are general security principles for the Global Personal Marketplace (GPM) application:

Security will be based on a comprehensive, balanced, cost-effective collection of security mechanisms and packages that is the result of a thorough security needs assessment.
Security mechanisms will include an appropriate mixture of systems (hardware/software) security, procedural security, personnel security, and physical security, etc.
To the extent practical, access will be provided on a need to do and need to know basis.

Security Policy Scope

The scope of this security policy includes the security of the Global Personal Marketplace (GPM) application including its:

Components:
- Data Components
- Hardware Components
- Software Components
- Personnel Components
Related Environments:
- Management Environments
- Development Environments
- Production Environments
Related Facilities:
- Contact Centers
- Data Centers
- Development Facilities
Entire Lifecycle:
- Initiation Phase
- Construction Phase
- Delivery Phase
- Usage Phase
- Retirement Phase

Security Policies

The security policies for the GPM application fall into the following categories:

Identification
Authentication
Authorization
Immunity
Integrity
Intrusion Detection
Nonrepudiation
Privacy
Security Auditing
Physical Protection
System Maintenance Security

Identification

The GPM will identify all buyers, sellers, and employees before allowing them to perform their associated tasks.

Authentication

The GPM will verify the identity of all buyers, sellers, and employees before allowing them to perform their associated tasks.

Authorization

Each user and employee shall be granted only sufficient access required to perform the tasks for which they have explicitally been authorized.

Immunity

The GPM application will include sufficient mechanisms to ensure immunity from infection by malicious programs such as viruses, worms, Trojan horses, and logic bombs.

Integrity

TBD

Intrusion Detection

TBD

Nonrepudiation

TBD

Privacy

TBD

Security Auditing

TBD

Physical Protection

TBD

SystemMaintenanceSecurity

TBD

Responsibilities

The following organizations, teams, and roles are responsibile for the security policy:

Responsibility for the security of the GPM application and its associated data resides with all employees and managers.
All employees shall obey all applicable laws and regulations regarding the security of the GPM application and its associated data.
All employees are required to meet the highest ethical standards in dealing with users, the public, other employees, and other stakeholders in the GPM application.
Implemention.
Evaluation.
Compliance.
Communication and Training.
Monitoring and Enforcement.

Appendices

The security policy has the following appendices:

Applicable Regulations
Major Issues
TBDs
Assumptions