Security tips - Information security policies

25 Jul 2001


Most companies have firewalls and antivirus software to defend themselves against the multitude of nasties on the internet.

Many also run an IDS, which keeps track of activity on their LAN. So why is it that very few have a formal, written information security policy?

It's probably because it seems rather boring, but almost certainly because it's not seen as a priority. It's better to secure the network first and then worry about things like this later, right? Wrong.

A sound infosec policy is the foundation you need to base the security of your network on. If you don't have a formal security policy in place, then how do you know you've applied all the correct security measures?

How do you know exactly what you should be applying them to?

Without any baseline to measure your work against, you cannot possibly tell how much security is enough and may consequently under-spend, or even over-spend.

More importantly, if you do not let your users know what they should and should not be doing with respect to security, then you only have yourself to blame if something serious goes wrong.

While writing a policy may seem a daunting task, there are plenty of resources available on the internet to help you, and many even supply sample policies for you to modify.

Try www.sans.org/newlook/resources/policies/policies.htm

Matthew Moore is a security architect at Westpoint www.westpoint.ltd.uk
