This post will be about I.T security policy. Firstly, a Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.

The policy statement of the I.T security policy is "It shall be the responsibility of the I.T. Department to provide adequate protection and confidentiality of all corporate data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorised members of staff, and to ensure the integrity of all data and configuration controls." and the summary of main security policies are as follows:


1.1. Confidentiality of all data is to be maintained through discretionary and
mandatory access controls, and wherever possible these access
controls should meet with C2 class security functionality.

1.2. Internet and other external service access is restricted to authorised
personnel only.

1.3. Access to data on all laptop computers is to be secured through
encryption or other means, to provide confidentiality of data in the
event of loss or theft of equipment.

1.4. Only authorised and licensed software may be installed, and
installation may only be performed by I.T. Department staff.

1.5. The use of unauthorised software is prohibited. In the event of
unauthorised software being discovered it will be removed from the
workstation immediately.

1.6. Data may only be transferred for the purposes determined in the
Organisation’s data-protection policy.

1.7. All diskette drives and removable media from external sources must be
virus checked before they are used within the Organisation.

1.8. Passwords must consist of a mixture of at least 8 alphanumeric
characters, and must be changed every 40 days and must be unique.

1.9. Workstation configurations may only be changed by I.T. Department
staff.

1.10. The physical security of computer equipment will conform to
recognised loss prevention guidelines.

1.11. To prevent the loss of availability of I.T. resources measures must be
taken to backup data, applications and the configurations of all
workstations.

1.12 A business continuity plan will be developed and tested on a regular basis.