A security policy is a written statement describing:
- which assets to protect and why they are being protected;
- who is responsible for that protection;
- which behaviors are acceptable and which are not.
The security policy primarily addresses physical security, network security, access authorizations, malware protection, and disaster recovery. It is a living document that is reviewed and updated at regular intervals.
The security policy also emphasizes the importance of e-commerce security and sets out, or references, the specific policies, principles, standards, and compliance requirements for achieving it. Security policies comprehensively describe the practices a company follows to maintain the security of the information resources that make up its e-commerce infrastructure.
Such a policy should provide specific parameters. Through the security policy, the management of the company expresses its expectations with regard to the level of information security to be maintained. It also conveys the company's commitment to ensuring information security.
For example, a company that stores its customers’ credit card numbers might decide that those numbers are an asset that must be protected from unauthorized access. Then, the organization must determine the level of access to the system for various people in the organization. Next, the organization determines what resources are available to protect the assets identified.
Using all this information, the organization develops a written security policy and commits resources required to implement the security policies. Absolute security is difficult to achieve but the deployment of a comprehensive security policy can help avoid most intentional breaches and reduce their impact.
In order to ensure the minimum level of acceptable security for most e-commerce operations, a comprehensive security policy should fulfill some basic requirements.
These requirements are the following:
- Secrecy: It refers to preventing unauthorized persons from reading messages and business plans, obtaining credit card numbers, or deriving other confidential information.
- Integrity: It refers to ensuring that a communication received has not been altered or tampered with. For this, a message authentication code or digital signature is attached to the message so that the receiving computer can automatically detect messages that have been altered in transit.
- Availability: It refers to ensuring that a resource remains accessible. It also provides delivery assurance for each message segment so that messages or message segments cannot be lost undetectably.
- Key management: It refers to the secure generation, distribution, and management of the keys needed to provide secure communication.
- Non-repudiation: It refers to ensuring that none of the parties involved can deny an operation at a later date. It provides end-to-end proof of each message's origin and recipient.
- Authentication: It securely identifies clients and servers, typically with digital signatures and certificates.
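The integrity, non-repudiation, and authentication requirements above are easy to state and easy to confuse, so the following Go program is added here as a worked example; it is not code from the original text or from any particular e-commerce product. It assumes a constructed order message (`OrderMsg`) and fixed demonstration keys derived from constant seeds in `DemoKeys`, both chosen only so the run is reproducible. It goes slightly beyond the list: it shows that a shared-key HMAC detects in-transit alteration (integrity) but cannot prove who sent the message, because the receiver holds the same key and can forge a tag, whereas an Ed25519 signature can be checked by any third party holding only the public key and so supports non-repudiation.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// OrderMsg is a constructed sample order message used only for this
// demonstration; it is not taken from any real shop or protocol.
const OrderMsg = "order=1001;item=SKU-42;qty=1;amount=49.99"

// DemoKeys derives a fixed Ed25519 key pair (for the sender) and a fixed
// HMAC key (shared by sender and receiver) from constant seeds so that the
// example is reproducible. Real systems generate both from crypto/rand and
// distribute them under the key-management rules the policy lays down.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey, []byte) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	macKey := bytes.Repeat([]byte{0x22}, 32)
	return priv.Public().(ed25519.PublicKey), priv, macKey
}

// ComputeMAC returns an HMAC-SHA256 tag over msg under the shared key.
// This delivers integrity: any change to msg changes the tag.
func ComputeMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyMAC recomputes the tag and compares it in constant time.
func VerifyMAC(key, msg, tag []byte) bool {
	return hmac.Equal(ComputeMAC(key, msg), tag)
}

// SignMessage signs msg with the sender's Ed25519 private key. Because only
// the private-key holder can produce the signature, it also gives
// non-repudiation of origin, which a shared-key MAC cannot.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySignature checks sig over msg against the signer's public key. A third
// party holding only the public key (for example from the signer's
// certificate) can run this check, which is what makes the proof usable in a
// later dispute.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Tamper simulates an in-transit alteration: the order quantity is changed
// from 1 to 9 while the message length stays the same.
func Tamper(msg []byte) []byte {
	return bytes.Replace(msg, []byte("qty=1"), []byte("qty=9"), 1)
}

func main() {
	pub, priv, macKey := DemoKeys()
	msg := []byte(OrderMsg)
	altered := Tamper(msg)

	// Integrity check with a shared-key MAC.
	tag := ComputeMAC(macKey, msg)
	fmt.Printf("HMAC tag: %s\n", hex.EncodeToString(tag))
	fmt.Println("original passes MAC check:", VerifyMAC(macKey, msg, tag))
	fmt.Println("altered passes MAC check: ", VerifyMAC(macKey, altered, tag))

	// The receiver holds the same MAC key, so it can mint a valid tag over the
	// altered message itself: integrity without non-repudiation.
	forged := ComputeMAC(macKey, altered)
	fmt.Println("receiver-forged tag verifies:", VerifyMAC(macKey, altered, forged))

	// Non-repudiation with a signature: verifiable by anyone holding pub, and
	// the receiver cannot produce one for the altered message without priv.
	sig := SignMessage(priv, msg)
	fmt.Println("original signature verifies:", VerifySignature(pub, msg, sig))
	fmt.Println("altered signature verifies: ", VerifySignature(pub, altered, sig))
}
```

The shared-key tag is enough to refuse a tampered order, but when a customer later disputes an order the merchant cannot present the tag as proof, since the merchant could have produced it. The signature is the artefact a policy should require wherever the non-repudiation requirement applies, with the public key bound to the sender by a certificate as the authentication requirement describes.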
Elements of Security Policy:-
The security policy of a company should be not only well documented but also comprehensive. It also addresses the various issues pertaining to authorization, authentication, and non-repudiation.
In order to enhance the level of trust among users, a security policy needs to contain statements relating to a large number of elements. Typical elements of a security policy include the following.
A security policy includes a well-defined security vision for the organization. The security vision should convey to the readers the intent of the policy in ensuring the confidentiality, integrity, and availability of data and resources through the use of effective and established security processes and procedures. It also explains why the security policies are implemented and what this entails in terms of the mission and the business goals of the organization.
A security policy identifies how the policy is enforced and how a breach is managed. This is necessary to ensure that incidents are handled in an appropriate manner while the security policies remain binding across the organization.
User access to computer resources:-
A security policy defines the roles and responsibilities of users accessing resources on the organization's network. This section ties organizational procedures to individual roles and aims at controlling the acts or omissions of the human factor in security processes.
Additionally, some organizations may require that other organizations meet the terms and conditions identified in the organization’s security policies before granting access.
Specific elements of a security policy address the following points:
- Authentication: Who is trying to access the electronic commerce site?
- Access control: Who is allowed to log on to and access the electronic commerce site?
- Secrecy: Who is permitted to view selected information?
- Data integrity: Who is allowed to change data, and who is not?
- Audit: Who or what causes selected events to occur and when?