The process for developing a written security policy typically involves a task force with representatives from a variety of functional groups. You have to be sure to include some business" people, and not just IT, engineering and security staff. These business people - whether sales, finance or operations- will ensure that the policy you develop supports business practices rather than hinder them. Ultimately, it will be very important for you to get senior management involved, and to get the CEO to endorse your security policy. Upper management needs to send a clear message to everyone in the organization that information security is vitally important to the company.
During this process, keep in mind that your security policy can't be so strict that it incapacitates your business. And it needs to be enforceable; otherwise, your employees will ignore it. Also consider the role of outsiders — contractors and business partners may require access to your information assets. Your task force's initial job will be to assess security threats to your organization's information assets with respect to each of the following fundamental areas:
Authentication — ensuring that a user is who he says he is.
Authorization —controlling what information and applications a user can access. Privacy and data integrity —preventing unauthorized users from seeing certain information, and preventing them from making unauthorized changes or deletions.
Non-repudiation — making sure that parties in a transaction can't deny what they said or what they did.
Disaster recovery & contingency planning
Physical security
As the security task force makes decisions relating to the above security topics, it will also need to balance four distinct business factors:
• the information access requirements of different constituencies, both inside and
