Understanding Security Policies

A security policy for an organization can be defined as a set of rules formed to secure a company's intellectual property. A security policy describes data flow limitations and restrictions on access by external sources, such as malicious programs, code files, and data. A security policy is used by the company's staff, IT users, administrators, and so on. A security policy must be enforced on an organization's network so that it helps protect the network from potential attacks and threats.

The following should be considered before creating a security policy:

  • A security policy can be formed to balance access and security, and to minimize risk
  • A security policy should not replace the thoughts of the user
  • A security policy must be created in such a way that it can be changed when a potential threat is identified

Also, the policies created should define the following:

  • Aims of the policy
  • Actions by the policy
  • The device on which the policy is configured
  • Consequences if there is a failure in the policy

Upon completing this chapter, you will:

  • Understand the purpose of a security policy
  • Understand the components of a security policy
  • Understand risk and the purpose of implementing a risk-analysis mechanism
  • Understand vulnerability and how it will affect the network and systems
  • Understand threats and their different consequences
  • Identify the different levels of assets
  • Understand the importance of countermeasures
  • Identify the different types of security zones
  • Understand the security mechanisms implemented on the data, management, and control planes
  • Understand the different regulatory compliance mechanisms