A security policy is a written statement describing:
- which assets are to be protected, and why;
- who is responsible for that protection;
- which behaviors are acceptable and which are not.
The security policy primarily addresses physical security, network security, access authorizations, malware (virus) protection and disaster recovery. It is a living document that is reviewed and updated at regular intervals.
The security policy also emphasizes the importance of e-commerce security and sets out, or references, the specific policies, principles, standards and compliance requirements for achieving it. The SP comprehensively describes the practices a company follows to maintain the security of the information resources of its e-commerce infrastructure.
Such a policy should state specific, checkable parameters rather than general intentions. Through the SP, the management of the company expresses its expectations regarding the levels of information security to be maintained, and conveys the company's commitment to ensuring information security.
For example, a company that stores its customers’ credit card numbers might decide that those numbers are an asset that must be protected from unauthorized access. Then, the organization must determine the level of access to the system for various people in the organization.
Next, the organization determines what resources are available to protect the assets identified. Using all this information, the organization develops a written security policy and commits the resources required to implement it. Absolute security cannot be achieved, but deployment of a comprehensive SP helps prevent most intentional breaches and reduces the impact of those that do occur.
In order to ensure the minimum acceptable level of security for most e-commerce operations, a comprehensive security policy should fulfill the following basic requirements:
- Secrecy: It refers to preventing unauthorized persons from reading messages and business plans, obtaining credit card numbers or deriving other confidential information.
- Integrity: It refers to ensuring that a communication received has not been altered or tampered with. For this, each message carries a cryptographic check value (a message authentication code or a digital signature) so that the receiving system can automatically detect messages that have been altered in transit. Note that a digital envelope (encrypting the message and its session key) protects secrecy, not integrity; an encrypted message can still be modified undetectably unless it is also authenticated.
- Availability: It refers to ensuring access to a resource. It provides delivery assurance for each message segment so that messages or message segments cannot be lost undetectably.
- Key management: It refers to the secure generation, distribution, storage and revocation of the keys needed to provide secure communication.
- Non-repudiation: It refers to ensuring that none of the parties involved can deny an operation at a later date. It provides end-to-end proof of each message's origin and receipt. Unlike integrity, this cannot be provided by a key shared between the two parties, because either party could have produced the check value; it requires a digital signature under a key held only by the signer.
- Authentication: It securely identifies clients and servers, typically with digital signatures and certificates.
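The integrity and availability requirements above are easiest to see in working code. The following is an added example, not code from the original text: it tags each message with an HMAC-SHA256 check value over a sequence number and the payload, then shows that a modification in transit is detected, that a dropped segment shows up as a sequence gap, and, for contrast, that an unkeyed SHA-256 checksum gives no protection because the attacker simply recomputes it. The shared key, the order payload and the tampering helper are all constructed for the example. Because the key is shared, this provides integrity and origin authentication between the two key holders, but not non-repudiation; that would need a digital signature as described in the list above.

```python
import hashlib
import hmac
import json

# Constructed example key: in a real deployment this comes from the
# key-management process the policy describes, never from a source literal.
SHARED_KEY = b"example-shared-secret-do-not-use-in-production"


def unkeyed_protect(seq, payload):
    """Weak variant: a plain SHA-256 checksum over the message (no secret)."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True)
    return {"body": body, "tag": hashlib.sha256(body.encode()).hexdigest()}


def unkeyed_verify(msg):
    """Accepts any message whose checksum matches: an attacker can recompute it."""
    return hashlib.sha256(msg["body"].encode()).hexdigest() == msg["tag"]


def protect(seq, payload, key=SHARED_KEY):
    """Return a message carrying a sequence number and an HMAC-SHA256 tag over both."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(msg, expected_seq, key=SHARED_KEY):
    """Check the tag first, then the sequence number. Returns (ok, reason)."""
    expected_tag = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag byte by byte.
    if not hmac.compare_digest(expected_tag, msg["tag"]):
        return False, "tag mismatch: altered in transit or not produced by a key holder"
    seq = json.loads(msg["body"])["seq"]
    if seq != expected_seq:
        return False, f"sequence gap: expected {expected_seq}, received {seq}"
    return True, "ok"


def tamper(msg, old, new):
    """Simulate an in-transit modification of the message body (constructed attack)."""
    forged = dict(msg)
    forged["body"] = msg["body"].replace(old, new)
    return forged


def demo():
    """Run the scenarios and return whether each message was accepted, by scenario name."""
    order = {"order_id": 1001, "amount": "19.99"}  # constructed sample payload
    out = {}

    # 1. Unkeyed checksum: attacker lowers the amount and recomputes the hash.
    weak = unkeyed_protect(1, order)
    forged_weak = tamper(weak, "19.99", "0.01")
    forged_weak["tag"] = hashlib.sha256(forged_weak["body"].encode()).hexdigest()
    out["unkeyed_forgery_accepted"] = unkeyed_verify(forged_weak)

    # 2. HMAC: the same modification is rejected because the attacker lacks the key.
    strong = protect(1, order)
    out["intact_accepted"] = verify(strong, 1)[0]
    out["tampered_accepted"] = verify(tamper(strong, "19.99", "0.01"), 1)[0]

    # 3. Delivery assurance: receiver expects segment 2 but gets 3, so a loss is detected.
    out["gap_accepted"] = verify(protect(3, order), 2)[0]
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Running the block prints that the unkeyed forgery is accepted while the HMAC-protected tampered message and the out-of-sequence message are both rejected. The tag is checked before the sequence number is parsed so that unauthenticated input is never interpreted.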
Elements of security policy:-
A company's security policy should be not only well documented but also comprehensive. It also addresses the various issues pertaining to authorization, authentication and non-repudiation.
In order to raise the level of trust among users, a security policy needs to contain statements on a number of elements. Typical elements of a SP include the following.
1. Security definition:-
A security policy includes a well-defined security vision for the organization. The security vision should convey to readers the intent of the policy in ensuring the confidentiality, integrity and availability of data and resources through the use of effective and established security processes and procedures. It should also state why the SP is being implemented and what it entails in terms of the mission and business goals of the organization.
A security policy identifies how it is enforced and how a breach is managed. This is necessary to ensure that incidents are handled in an appropriate manner while the security policy remains binding across the organization.
User access to computer resources:-
A security policy defines the roles and responsibilities of users accessing resources on the organization's network. This section ties organizational procedures to individual roles and aims at controlling the acts or omissions of the human factor in secure processes. Additionally, some organizations may require that other organizations meet the terms and conditions identified in the organization's SP before being granted access.
Specific elements of a SP address the following points:
- Authentication: Who is trying to access the electronic commerce site?
- Access control: Who is allowed to log on to and access the electronic commerce site?
- Secrecy: Who is permitted to view selected information?
- Data integrity: Who is allowed to change data, and who is not?
- Audit: Who or what caused selected events to occur, and when?