
Administrative Policies vs. Technical Policies

November 16, 2012

Technical security policies describe how technology should be configured and used, and administrative security policies describe how people (end-users and management) should behave. The intended security rules for technology systems and data should be explicitly described in technical security policies: each one states a rule or regulation pertaining to a piece of equipment, a facility, or a set of data.

Administrative security policies describe the intended behavior rules for people. Serving as a guide for both end-users and management, administrative policies should spell out the roles and responsibilities for all users of technology systems in the organization. It is very important to inform end-users and other management team members of administrative security policies. Users cannot be expected to follow policies if they do not know what they are.

After reviewing the administrative policies, it is a good idea to have each user sign the policy document, attesting that they have read it, understand it, and will abide by it.

Many organizations take the time to define technical security policies, while administrative security policies are often overlooked. While many technical security policies can be audited with online scanning tools, administrative security policies can only be audited with an in-person review. Auditors who review administrative policies will typically ask to see the actual formal policy document. Thorough auditors will also interview end-users and management to see whether they understand their roles and responsibilities.

If your organization were being audited, here are some questions that an auditor might ask regarding your technical security policies:

  1. Are stored passwords on the Web site encrypted? How?
  2. How is the logical access to the Web site server controlled?
  3. What controls are in place to protect audit log files?
  4. Is there a master backup of router and firewall configuration files?
  5. What outbound and inbound connections and services are being allowed through the firewall?
  6. What is the process for authenticating firewall administrators?
  7. Are Web servers protected from buffer overflow attacks? How?
  8. What security controls exist to protect credit card numbers? Are the credit card numbers encrypted?
  9. How is the security of dial-up connections controlled?
  10. Does the enterprise system architecture documentation include all physical and logical (VLAN) connections?

www.bestitdocuments.com