Security Information Week 14, 1999
Many organizations, especially smaller ones, do not have a defined security policy. This may cause several different problems, among them that users have different perceptions of what the security policy of the organization actually is.
When an organization decides to create a formal security policy, many of its advantages will become apparent during the process. The first revelation will probably be that when one formulates the policy, one has to think thoroughly about all aspects which have to do with security. Among these are: access to the premises, physical access to important data and information - who should have such access, what policy to use for passwords on workstations and network resources, whether there are recovery plans for destruction due to fire in the building, etc. One will discover that there are parts of the organization which influence the overall security - areas which formerly were not considered to be security issues at all.
With respect to information technology in particular, an organization might want to make issues like the following part of its security policy:
- What kind of software is going to be used as office applications?
- Who shall be allowed to install software?
- What about Internet access? Full access? Only e-mail? Web? FTP and Telnet? Should there be limitations with respect to which sites the employees are allowed to visit?
- Are freeware and shareware programs allowed? For whom in the organization?
- Should one upgrade to newer versions of the applications immediately after release or wait till e.g. the next sub-version?
- Are employees allowed to work from home? Which security implications arise from this?
- What is the policy about people who leave the organization? How does one act with respect to their user accounts, passwords and e-mail addresses?
One should also be aware that a security policy is not something which is created once and for all. Creating and maintaining an organization's security policy is a continuous process, and resources have to be allocated on an ongoing basis.
As a part of the security policy one should formulate the penalties for those who do not comply with the policy. Hopefully these will never have to be applied, but one should be aware of the fact that they exist.
When the security policy is finished (i.e. formulated on paper for the first time) it should be distributed to all employees. One might consider internal seminars to inform about the policy. All levels in an organization should know the security policy and follow it. Several organizations require that their employees sign a statement that they are obliged to follow the policy.
One person or department should be responsible for the organization's security. It is important that this person or department has the full support of top management. Fortunately there seems to be an increasing awareness at this level of how crucial security is.
Per Olav Førland
