Defining the policy

Use this topic to help you gather the information you need to define an effective security policy.

When you define a policy, consider the following elements:
  • Objectives, or what you want to accomplish with your security policy.
  • Scope, or who and what your security policy should cover. Your policy should state who can perform an action, not who cannot perform it.
  • Data, or what needs to be secured.

To help you define the objectives, scope, and data of your security policy, use the following tips:
  1. Before defining your security policy, assemble all of the people who are stakeholders in the security of your business. These people will want to contribute to the definition of your security policy. These can include the following types of people:
    • Business leaders
    • Data owners
    • System administrators
    • Legal analysts
    • Internal auditors
  2. Identify the regulations and practices that influence your security needs. This information can come from the following types of sources:
    • Government or industry regulations or standards.
    • Requirements of the stakeholders in the security of your business.
    • Possible threats to your security.
  3. Identify the assets your security policy must control. The following types of sources can help you identify your assets:
    • The regulations that need to be followed.
    • The types of data you use in your business, such as sales data or shipping data.
    • The points at which data is created, accessed, or deleted.
  4. Identify the various roles individuals play as they interact with the data protected by your security policy. To help identify these roles, determine the following:
    • The types of individuals who are interacting with the data assets.
    • The nature of the interactions between the individuals and the assets.
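The scope rule above (state who can perform an action, not who cannot) and the roles and assets identified in steps 3 and 4 can be expressed as a small deny-by-default policy model. The following is an added example, not code from the original topic; the roles, assets, actions and rules in it are constructed for illustration, and the `uncovered_assets` check is an assumed helper that flags assets the policy names but never grants any role access to.

```python
# Added example: a deny-by-default policy evaluator. Every name below
# (roles, assets, actions, rules) is constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One explicit permission: this role may perform this action on this asset."""
    role: str
    action: str
    asset: str


@dataclass
class Policy:
    objective: str
    # Scope is recorded only as what is permitted; anything absent is denied,
    # which matches "state who can perform an action, not who cannot".
    allow: set = field(default_factory=set)

    def permit(self, role: str, action: str, asset: str) -> None:
        self.allow.add(Rule(role, action, asset))

    def is_allowed(self, role: str, action: str, asset: str) -> bool:
        return Rule(role, action, asset) in self.allow


def build_policy() -> Policy:
    """Constructed policy for a business with sales and shipping data."""
    policy = Policy(objective="Protect sales and shipping data (constructed)")
    policy.permit("data_owner", "read", "sales_data")
    policy.permit("data_owner", "update", "sales_data")
    policy.permit("system_administrator", "backup", "sales_data")
    policy.permit("internal_auditor", "read", "sales_data")
    policy.permit("shipping_clerk", "read", "shipping_data")
    return policy


def evaluate(policy: Policy, requests):
    """Decide each (role, action, asset) request; 'deny' is the default outcome."""
    return [
        (role, action, asset, "allow" if policy.is_allowed(role, action, asset) else "deny")
        for role, action, asset in requests
    ]


def uncovered_assets(policy: Policy, assets):
    """Assumed helper: assets listed in step 3 that no rule grants access to.

    An asset with no rule is not a security win; it usually means a role or
    interaction from step 4 was missed and users will work around the policy.
    """
    covered = {rule.asset for rule in policy.allow}
    return [asset for asset in assets if asset not in covered]


if __name__ == "__main__":
    policy = build_policy()
    # Constructed requests: the second and third fall outside the stated scope.
    sample = [
        ("data_owner", "read", "sales_data"),
        ("shipping_clerk", "delete", "shipping_data"),
        ("contractor", "read", "sales_data"),
    ]
    for role, action, asset, decision in evaluate(policy, sample):
        print(f"{decision:5} {role} {action} {asset}")
    print("assets without any rule:", uncovered_assets(policy, ["sales_data", "shipping_data", "payroll_data"]))
```

Reviewing the denied requests during policy definition is as useful as reviewing the allowed ones: a role that keeps appearing in the deny list is a stakeholder who was not in the room in step 1.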