Appendix C. Security Policy
A security policy is a document that does just that: it polices security. It's a foundational tool that helps us stay one step ahead of a compromised site. We like that.
These working documents can be as simple or as complex as an outfit needs. At enterprise level, you'd have a legally reviewed, multi-tiered approach; for sole bloggers, something more akin to a checklist. In any case, here are the kinds of elements to weave in:
Goals
Roles and responsibilities
Assets such as domains, hardware, and security tools
Procedures
Enforcement rules
Note
Isn't this overkill?
A policy can run broader than a small site strictly needs, but, for any site, writing one up is a smart exercise that highlights weaknesses and nudges improvements. A policy may also carry a built-in schedule setting out which tasks are done, by whom, and when.
The value of a policy boils down to creating awareness and discipline and, for teams, to sharing well-defined goals and assigning responsibilities and tasks.