Security and Privacy in a Networked World/Procedures: Thou shalt not...

Introduction
As illustrated by the title above, any larger community of humans throughout history has had "the rules of the game" (written or unwritten). The larger the difference between the "initiates" and the "mere mortals", the more vital are written, universal and enforced rules (they are usually called laws) - and the security of a larger organization tends to show a large difference here. And because the weakest link determines the strength of the whole chain, the axiom of ignorantia juris non excusat also applies, necessitating both training to promote security awareness and policies to maintain and enforce it.

That said, while not everyone can be a security professional in an organization, universal security awareness, shared responsibility and active participation (understanding and following the policies rather than complying mechanically) should be the goals.

Site and infrastructure policies
This is the most physical aspect of security policies, covering the security of premises (building(s), offices) as well as of the computing infrastructure (servers, desktops, laptops, mobile devices, networking equipment etc.).

Facilities
As seen in previous topics, many kinds of cybercrime actually benefit from physical access to the facilities (good examples include the Levin/Citibank case and many feats of Kevin Mitnick).

 * Acceptable Use
 * Data value classification
 * Data disclosure and destruction
 * Roles and responsibilities
 * Change control
 * Disaster recovery

Additional reading and links

 * ANONYMOUS. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. 3rd ed. Sams Publishing, 2001.