(Incomplete DRAFT page)
Security is founded on policy.
Although your organisation may have an
Local practice may be that detailed procedures for the implementation
of policy are published in the policy document itself,
or it may be considered normal for policies to be concise documents
establishing principles which are rarely altered,
keeping other details separately
where they can be maintained at a lower level.
This second way results in more individual documents
and
Your security policy should say what you mean by security, what kinds of things it applies to and who is responsible for any tasks and duties identified.
A connection policy might set out how an item of equipment
becomes authorised to connect to all or part of your network,
on the basis of its ownership, its type, the status of its software
or any other relevant information.
For wired networks both the specification and the enforcement
of the policy are normally straightforward;
the application of the policy to a wireless network is likely
to be looser, leaving more to be resolved by Acceptable Use.
It may be appropriate to separately describe the categories of people entitled to use the network in various ways, the procedures for authorisation, such as registration, and the procedures for removing or terminating authorisation.
An Acceptable Use Policy (AUP) contains the requirements on authorised users of the network. Normally it will state (for the avoidance of uncertainty) that no illegal activity is allowed, and there may be other classes of forbidden activity, such as giving access to third parties, sharing credentials, or use in the course of a business other than that of the organisation concerned. There will be some indication of the procedures for enforcement, although the details may be in separate documents, and of any arrangements for monitoring and limiting use.