What Is a Computer Security Policy?

A computer security policy is a set of security protocols that a user or organization establishes for their computers. It typically includes intrusion detections, firewall set-ups, user access passwords, logins, and procedures for using certain hardware and software applications. The type of computer security policy used can vary widely for different business and home computer networks.

An organization's information technology department is usually responsible for determining and setting up a computer security policy. The department must establish a set of protocols concerning user level access. For instance, some users may be granted permission to certain software functions and packages that others are not. In some cases, certain types of access are restricted for all employees. A common example is that computer users in most places of business are prevented from visiting certain websites that contain objectionable material or allow a worker to conduct personal business while at work.

External security is a vital component of any policy model. Encryption methods and private networks may be employed to prevent unwanted access. In addition, a computer security policy may also establish firewalls and individual security settings.

Part of a computer security policy specifies how data is able to be stored and transferred between users. Some protocols allow data to be transferred from a user's individual workstation to an external drive or uploaded as an e-mail attachment. Other policies may restrict those privileges and only allow users to share data on a common network folder. Remote access to certain programs and network folders may be permitted with certain login credentials.

Another big part of any computer security policy determines how users can access the Internet and programs that send data over it, such as e-mail and instant messaging. It is fairly common for a computer security policy to grant access and usage to some of these programs to certain users while restricting others. For example, in a call center, higher level positions that require a greater amount of communication may need access to these tools, while lower level agents who primarily take inbound calls would find them distracting. Some companies employ a blanket policy and only grant access to managerial staff.

Disaster recovery policies are sometimes a part of a formal computer security protocol. Most of this area of security has to do with backup storage and who can access certain data in the event of natural disasters that wipe out complete systems. Planning for viral infections or server crashes can also affect data backup policies. An organization's information technology department will usually be responsible for designing recovery plans, assigning points of contact and responsibilities, and educating users in the workplace about what to do to prepare for such events.