 

Defining a security policy for a system

Most of the literature on security talks about the importance of defining a security policy before starting to work out the mechanisms and implementation. While this seems logical, it is quite unclear what defining a security policy really means.

Has anyone here had any experience in defining a security policy, and if so:

1) What is the outcome of such a definition? Is the form of such a policy, for say a distributed system, a document containing a series of statements on the security requirements (what is allowed and what is not) of the system?

2) Can the policy take a machine-readable form (if that makes sense) and, if so, how can it be used?

3) How does one maintain such a policy? Is the policy maintained as documentation (as with all the rest of the documentation) on the system?

4) Is it necessary to make references to the policy document in code?

Brian

Mystic asked Jul 26 '10 11:07


2 Answers

You should take one of the standard security policies and work from there. The most common one is PCI compliance (Payment Card Industry). It's very well thought out and, except for a few soft spots, generally good. I've never heard of a machine-readable policy except for a Microsoft Active Directory definition or a series of Linux iptables rules.

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

EDIT:

Check out SELinux policies also:

http://en.wikipedia.org/wiki/Security-Enhanced_Linux

Adam Nelson answered Oct 29 '22 07:10
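One way to make the answer's point about machine-readable policy (and the question's points 2 and 3) concrete. This is an added example, not code from the answer above or from the SELinux project: the rule syntax is a simplified, invented subset loosely modelled on an SELinux type-enforcement `allow` statement, and the domain and type names (`httpd_t`, `audit_log_t` and so on) are constructed for the demo. It shows a policy written as data, an enforcement point that consults it with default deny, and a test that checks the rule set against two written requirements, which is how such a policy is kept honest once it lives in version control beside the code.

```python
"""Added example: a tiny machine-readable security policy and two ways to use it.

The rule syntax below is a simplified, invented subset modelled loosely on an
SELinux type-enforcement 'allow' statement; it is NOT real SELinux policy and
all domain/type names (httpd_t, audit_log_t, ...) are constructed for the demo.
"""
from typing import Dict, FrozenSet, List, Tuple

# Constructed policy text. Each line grants a subject domain a set of
# permissions on an object type of a given class. Everything not granted is
# denied, so the document is a complete statement of what is allowed.
POLICY_TEXT = """
# subject_domain   object_type       class   permissions
allow httpd_t      httpd_content_t   file    read,getattr
allow httpd_t      httpd_log_t       file    append,create
allow auditd_t     audit_log_t       file    read,append,create
allow sshd_t       user_home_t       dir     search
"""

RuleKey = Tuple[str, str, str]            # (subject, object, class)
Policy = Dict[RuleKey, FrozenSet[str]]    # key -> granted permissions

# Permissions that change an object; used by the requirement checks below.
WRITE_LIKE = frozenset({"write", "append", "create", "unlink", "rename"})


def parse_policy(text: str) -> Policy:
    """Parse the rule text; reject anything that is not a well-formed 'allow' rule."""
    policy: Policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] != "allow":
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        _, subject, obj, cls, perms = parts
        key = (subject, obj, cls)
        policy[key] = policy.get(key, frozenset()) | frozenset(perms.split(","))
    return policy


def is_allowed(policy: Policy, subject: str, obj: str, cls: str, perm: str) -> bool:
    """Enforcement point: default deny; only an explicit allow rule grants access."""
    return perm in policy.get((subject, obj, cls), frozenset())


def check_requirements(policy: Policy) -> List[str]:
    """Policy tests that encode two written requirements as checks over the
    rule set. An empty list means the policy satisfies both.

    R1: only auditd_t may modify audit_log_t (audit trail integrity).
    R2: httpd_t may never modify its own served content (no web-shell drop).
    """
    violations: List[str] = []
    for (subject, obj, cls), perms in sorted(policy.items()):
        bad = perms & WRITE_LIKE
        if obj == "audit_log_t" and subject != "auditd_t" and bad:
            violations.append(f"R1: {subject} may {','.join(sorted(bad))} {obj}")
        if subject == "httpd_t" and obj == "httpd_content_t" and bad:
            violations.append(f"R2: httpd_t may {','.join(sorted(bad))} its content")
    return violations


POLICY = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    print(is_allowed(POLICY, "httpd_t", "httpd_content_t", "file", "read"))   # True
    print(is_allowed(POLICY, "httpd_t", "httpd_content_t", "file", "write"))  # False
    print(check_requirements(POLICY))                                          # []
    # A proposed change that violates R1, caught before it reaches any system:
    bad_policy = parse_policy(POLICY_TEXT + "allow httpd_t audit_log_t file append\n")
    print(check_requirements(bad_policy))   # ['R1: httpd_t may append audit_log_t']
```

The point of the shape is that the same artefact serves three purposes: the text file is the human-readable policy document, `is_allowed` is the mechanism that enforces it, and `check_requirements` is the place where prose requirements from the policy are turned into tests that fail when someone edits the rules. Real SELinux or iptables rule sets can be treated the same way with their own tooling; only the syntax differs.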


The Open Web Application Security Project (OWASP) is a language-agnostic project that educates about security and provides tools to test and support software. While it is web-centric, many of the core ideas are widely applicable. The website is geared towards both software engineers and management.

selfsimilar answered Oct 29 '22 06:10