security policy (SP)

The terms security policy (SP), information security policy (InSP) and IP security policy are used synonymously. In the context of information technology, as used here, the security policy defines the rules and procedures according to which data transmission, processing and storage take place. It takes into account personnel, technical, organizational and legal influencing factors.

The personnel influencing factors concern the operating personnel: their reliability, sensitivity and trustworthiness. They cover the rights and duties of the users and compliance with security-relevant specifications. For the personnel factors, the answers to questions such as "Who is allowed to access which data?" or "Who is responsible for the security policy?" play a decisive role.

The technical influencing factors are shaped by the computers available, the type and sensitivity of the data and the software, but also by spatial conditions, the type of transmission media and techniques used, the number of processes, etc. On the technical side, questions arise regarding the data, the type of transmission or the traffic relationships, for example "Which traffic relationships are allowed?" or "On which layer are the security services installed?"

Organizational influencing factors are those that deal with user workflows. They cover many security-related aspects, such as "To whom are alarms reported?" or "What measures are to be taken to ensure that the security policy is adhered to?".

In addition, there are the legal influencing factors for the security policy. These are based on laws, legal agreements, guidelines and implementing regulations. The Federal Data Protection Act (BDSG), Signature Act (SigG), Teleservices Data Protection Act (TDDSG) and others are worth mentioning. Ultimately, it is also a question of the legally binding nature of the information, its proof of origin or proof of communication.

