Wednesday, March 21, 2007

Policy


Policy provides the rules that govern how systems should be configured and how employees within the corporation are expected to act. It defines what security should mean within the organization and puts everyone on the same page, so that everyone understands what is expected of them.

In the following Policy Table, some exceptions exist for particular users who have been granted permission under a given policy. For instance, staff cannot access the Internet until they have been given permission to do so; only staff who already hold that permission may access the Internet. Similar exceptions apply to some of the other policies. Please refer to the Policy Table for the details.


Policy Table

| Policy | CEO | Manager | Staff | System Admin |
|---|---|---|---|---|
| Installing software on computer | Allow | Allow | Deny | Allow |
| Internet Access | Allow | Allow | Deny (except for staff who have permission) | Allow |
| Accessing department files on the File Server | Allow | Allow (only own department's files) | Allow (only own department's files) | Allow |
| Internal Mail | Allow | Allow | Deny (except for staff who have permission) | Allow |
| External Mail | Allow | Allow | Deny (except for staff who have permission) | Allow |
| Login to server | Deny | Deny (except for the IT Department manager) | Deny | Allow |
| Accessing shared folder | Allow | Allow | Deny (except for staff who have permission) | Allow |
| Intranet Access | Allow | Allow | Allow | Allow |
| Use of chat software (e.g. Yahoo Messenger, mIRC) | Allow | Allow | Deny (except for staff who have permission) | Allow |
| Downloading files from the Internet | Allow | Allow | Deny (except for staff who have permission) | Allow |
| Accessing company confidential files | Allow | Deny (except for managers who have permission) | Deny | Deny |
| Login to domain | Allow | Allow (only own domain) | Allow (only own domain) | Allow |
| Network Administration (e.g. adding and deleting users, changing IP addresses, log review, network monitoring, etc.) | Deny | Deny | Deny | Allow |


However, these policies will not last forever. Policy should be reviewed on a regular basis to make sure it is still relevant to the organization. Some procedures, such as the incident response procedure or the disaster recovery plan, may require more frequent reviews.

During a review, all stakeholders should be contacted, along with any departments that felt left out of the original process. Based on the comments received, we may consider making adjustments to the policy.
