Security policies are a collection of rules and settings for managing the security of digital systems — including operating systems, applications, networks, and devices.
System security policies are set and configured by the system administrator.
The term “security policy” can also refer to a document that outlines security rules and regulations. When a security policy (document) is in place, security policies (settings) provide a technical means of enforcing it.
What are security policies for?
Security policies enable centralized control over the security configurations of digital systems. This prevents users from inadvertently choosing vulnerable settings, like weak or compromised passwords. Additionally, policies reduce an organization’s attack surface by implementing measures such as restricting unauthorized access to sensitive data and filtering incoming network traffic.
However, an excessive number of security policies can hinder the organization’s operations. For example, overly strict policies might misidentify legitimate actions as malicious and block them. The system administrator defines the optimal set of security policies based on the digital system’s specific architecture and capabilities, and the range of functions it performs.
What do security policies regulate?
Security policies can apply to specific assets, users, or groups of similar assets. This categorization enables precise control over access, permissions, and other configuration settings.
From the standpoint of functions performed, the following types of security policies can be distinguished:
- Access control policies define which users can access specific resources, and what actions they are permitted to perform.
- Network traffic control policies decide what kind of network traffic is permitted or prohibited based on specific details such as port numbers, IP addresses, and network protocols.
- Security audit policies determine which types of events need to be logged.
- Software and driver installation policies control which applications users can install and run on a system.
- Password policies set rules for passwords, such as minimum length, required character types (like numbers or special symbols), expiration dates, and how many previous passwords a user can’t reuse.
- Data privacy policies outline the steps taken to safeguard sensitive information from being accessed, altered, or erased without proper authorization. These rules cover the encryption and masking of data.
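To show how a policy document becomes an enforced setting, here is an added example (not part of the original article) of a password policy checker implementing the rules listed above: minimum length, required character classes, expiration, and a ban on reusing recent passwords. The policy values, salt, and sample passwords are constructed for illustration; the history check compares salted hashes rather than stored plaintext passwords.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    # Constructed example values; a real policy is set by the administrator.
    min_length: int = 12
    required_classes: tuple = ("lower", "upper", "digit", "symbol")
    max_age_days: int = 90
    history_depth: int = 5  # how many previous passwords may not be reused


CLASS_PATTERNS = {
    "lower": r"[a-z]", "upper": r"[A-Z]",
    "digit": r"\d", "symbol": r"[^A-Za-z0-9]",
}


def fingerprint(password: str, salt: bytes) -> bytes:
    # Password history keeps salted PBKDF2 hashes, never the old passwords.
    # Simplification: one per-user salt is reused for every history entry.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(policy, candidate, history_hashes, salt):
    """Return a list of rule violations; an empty list means compliant."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    missing = [c for c in policy.required_classes
               if not re.search(CLASS_PATTERNS[c], candidate)]
    if missing:
        violations.append("missing character class(es): " + ", ".join(missing))
    new_hash = fingerprint(candidate, salt)
    recent = history_hashes[-policy.history_depth:]
    if any(hmac.compare_digest(new_hash, h) for h in recent):
        violations.append(f"reuses one of the last {policy.history_depth} passwords")
    return violations


def password_expired(policy, last_changed: date, today: date) -> bool:
    """True when the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; use a random per-user salt in practice
    history = [fingerprint("OldPassw0rd!#2023", salt)]
    print(check_password(PasswordPolicy(), "OldPassw0rd!#2023", history, salt))
    print(password_expired(PasswordPolicy(), date(2024, 1, 1), date(2024, 6, 1)))
```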