Taken directly from a Google search for “security policies”. I first came to the definition of security policy, just like that: a security policy is a document with a protection plan for physical and information technology assets. Then I came to the definition of “network security policy”, which is a generic document that specifies or outlines rules for computer network access.
So I guess the second one is the one oriented to this course. With this sort of document, organizations can greatly improve the security of their Information and Communications Technology systems and keep them patched against known vulnerabilities.
Security policies must address the following risks:
- Unauthorized changes to systems (remember... THE CIA TRIAD OMG)
- Exploitation of unpatched vulnerabilities (keep those vulnerability databases updated)
- Exploitation of insecure system configurations (do not rely on intentionally weak settings; they can become backdoors).
So to get these risks managed, security policies have to:
- Ensure that updates and system patches are applied within a defined timeframe.
- Maintain hardware and software inventories.
- Conduct regular vulnerability scans.
- Disable unnecessary I/O devices and removable media access.
- Maintain an application whitelist and execution control.
- Limit users' ability to change core configurations.
Whitelist: a list of the authorized applications and software that have permission to execute.
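The requirements above are easier to see as checks than as sentences. The following is an added example, not part of the original notes or of any course material: a small compliance checker that turns three of them (patch timeframe, software inventory, whitelist/execution control) into code and runs them over a constructed asset inventory. Every hostname, package name, executable path, date and the 14-day patch SLA are assumed sample values chosen for the example.

```python
# Added example, not part of the original notes: a compliance check that turns
# three of the policy requirements above into code. Every hostname, package,
# path, date and the 14-day SLA below are constructed sample values.
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_SLA_DAYS = 14  # assumed policy timeframe for applying a released patch

# Constructed execution-control whitelist: the only executables permitted to run.
APP_WHITELIST = frozenset({"/usr/bin/python3", "/usr/bin/ssh", "/opt/corp/agent"})

# Constructed software inventory: packages the organization knows about and approves.
SAMPLE_CATALOG = frozenset({"openssl", "curl", "python3", "openssh"})


@dataclass
class Host:
    name: str
    installed: dict            # package name -> installed version
    pending_patches: dict      # package name -> release date of the unapplied patch
    running_exes: set = field(default_factory=set)  # executables observed running


def patch_sla_violations(host, today, sla_days=PATCH_SLA_DAYS):
    """Packages whose pending patch has been available longer than the SLA allows."""
    window = timedelta(days=sla_days)
    return sorted(pkg for pkg, released in host.pending_patches.items()
                  if today - released > window)


def uninventoried_software(host, catalog=SAMPLE_CATALOG):
    """Installed packages that the maintained software inventory does not list."""
    return sorted(pkg for pkg in host.installed if pkg not in catalog)


def whitelist_violations(host, whitelist=APP_WHITELIST):
    """Executables running on the host that execution control should have blocked."""
    return sorted(host.running_exes - whitelist)


def evaluate(hosts, today, catalog=SAMPLE_CATALOG, whitelist=APP_WHITELIST):
    """Per-host report: each finding type maps to the offending items (empty = compliant)."""
    return {
        h.name: {
            "patch_sla": patch_sla_violations(h, today),
            "uninventoried": uninventoried_software(h, catalog),
            "exec_control": whitelist_violations(h, whitelist),
        }
        for h in hosts
    }


def noncompliant_hosts(report):
    """Names of hosts with at least one finding, in sorted order."""
    return sorted(name for name, findings in report.items() if any(findings.values()))


def sample_hosts():
    """Constructed inventory of two hosts: one with findings, one clean."""
    return [
        Host(
            name="ws01",
            installed={"openssl": "3.0.1", "curl": "8.5", "unapproved-tool": "1.0"},
            pending_patches={"openssl": date(2024, 2, 1), "curl": date(2024, 2, 25)},
            running_exes={"/usr/bin/python3", "/tmp/dropper"},
        ),
        Host(
            name="ws02",
            installed={"openssl": "3.0.2", "openssh": "9.6"},
            pending_patches={},
            running_exes={"/usr/bin/ssh", "/opt/corp/agent"},
        ),
    ]


def sample_report():
    """Run the checks over the constructed hosts as of a constructed date."""
    return evaluate(sample_hosts(), date(2024, 3, 1))


if __name__ == "__main__":
    for host, findings in sample_report().items():
        status = "NONCOMPLIANT" if any(findings.values()) else "compliant"
        print(f"{host}: {status} {findings}")
```

The design point is that each policy sentence becomes one function with a clear pass/fail output, so the same code can run on a schedule (the "regular scans" requirement) and its findings can be tracked over time. In the sample data, ws01 fails all three checks: its openssl patch has been pending for 29 days against a 14-day SLA, it runs a package the inventory does not know about, and it is executing a binary outside the whitelist; ws02 is clean.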