Implementing & Maintaining a Secure Framework
Home > 
Implementing & Maintaining a Secure Framework
< back

Implementing & Maintaining a Secure Framework

Following the results obtained from your security risk assessment, the security management cycle enters a phase of implementation and maintenance, where appropriate security protection measures and safeguards are implemented in a way that builds a secure protection framework. This includes developing security policies and guidelines, assigning security responsibilities and implementing technical and administrative security measures. All these steps are crucial in contributing to the safeguards of your business assets.

Set up and Implement a Security Policy

A good security policy sets out the basic rules for information security within your organisation. These rules are mandatory and must be observed throughout the organisation. Since security requirements vary from one organisation to another, so should the security policy. Therefore, it is of the utmost importance that the security policy be in accordance with requirements and the organisation's business goals and policies such that it is supported by all employees, and is enforceable.

In fact, a security policy can be very high-level and technology-neutral or detailed and technology-specific. A security policy can be categorised into three basic types:

Program-level policy
Issue-specific policy
System-specific policy

The System-specific policy focuses on policy issues which management has decided for a specific system. It addresses only one system. The program-level policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organisation.

The choice to develop a particular type of policy depends on your organisation's requirements. However, the most important thing is that policy sets the direction, and that it can be used as the basis for making other lower level decisions.

A Bird-eye View of the Development Cycle of a Security Policy

Defining project scope and planning
Flow direction down
Information collection
Flow direction down
Constructing security policy framework
Flow direction down
Developing policy statements
Flow direction down
Implementing, promoting and enforcing security policy
Flow direction down
Periodic review and evaluation

An I.T. security policy should cover the company's expectations of the proper use of its computer and network resources as well as the procedures to prevent and respond to security incidents. During the drafting of the policy, the company's own requirements on security should be considered. The drafting of the policy should consider the following aspects:

goals and direction of the company
existing policies, rules, regulations and laws of the Government of HKSAR
company's own requirements and needs
implementation, distribution and enforcement issues

You may refer to IT Security Standards and Best Practices for some internationally recognised information security standards, guidelines and effective security practices.

Set up and Implement Management and Administrative Processes

Depending on the direction and parameters set out in the Security Policy, management and administration processes will need to be set up to support policy implementation.

These are the major management and administrative activities:

Assign Roles and Responsibilities

Development of an IT security policy requires active support and ongoing participation of individuals from multiple ranks and functional units. Thus, clear definitions and proper assignment of accountability and responsibility for securing the company's information and system assets is necessary and may involve the following roles depending on the business needs and environment:

IT Security Officer
Senior Management
Information Owners
Users of Information Systems

Guidelines and Standards

Guidelines and standards are tools used to implement the security policy. Because a policy may be written at a broad level, it is essential to develop standards, guidelines and procedures to offer users, administrators, computer personnel and top management a clearer approach with regards to implementing the security policy and meeting their departmental goals.

Security Awareness and Training

Security Awareness is crucial to ensuring that all related parties understand the risks, and accept and adopt the good security practices. Training and education can provide users, developers, system administrators, security administrators and other related parties with the necessary skills and knowledge for implementation of security measures.

No policy is considered to have been implemented unless users or related parties have commitment and communication. This means users and related parties:

are informed about the policy through briefings or orientations,
are invited to participate in developing policy proposals,
are trained in the skills needed to follow the policy,
feel that security measures are created for their own benefit,
are periodically reminded and refreshed about new issues,
have signed an acknowledgement, and
are provided with policy guidance in manageable units.


This refers to the task of enforcement of rights arising from implementation of the policy and redress for violations of those rights. The company should set up procedures to provide prompt assistance in investigative matters relating to breaches of security. Establishing a company incident management team and setting up a security incident handling procedure can improve the effectiveness of any enforcement policy.

On-going Involvement of All Parties

An effective security policy also relies on continuous exchange of information, consultation, co-ordination and co-operation among users and companies. Injection of knowledge on standards, methods, codes of practice and other expertise on IT security from all parties involved will also help to keep the security policy up-to-date and relevant.

Select and Implement Technological Measures

Besides management and administrative processes, the implementation of a Security Policy might involve technological measures through selection and implementation of appropriate technologies and products. These technological measures should undergo proper testing before entering operation.

Selection and Implementation

Anti-malware software
Access Control Systems
Intrusion Detection Systems
Key Management and Key Distribution Systems
Network Management Systems and Security Management Systems


Adopt proper procedures to manage issues
Adopt proper procedures to keep track of system activities and alerts
Adopt proper procedures to monitor the health of the security infrastructure
Adopt proper procedures to manage and control changes