security directive

Security directives are company-specific rules in which the objectives for all security-relevant work areas are defined. In companies, security directives define the rules that employees, who should be involved in the development of the directives, must follow in their area of work.

Key stakeholders in a company include security and network administration, employee representatives, user group representatives and management. The developed security policies should be implemented and accepted by users, should ensure the security of the network and systems, and should clearly define the rights and responsibilities of users, administration, and management. Components of the security guidelines include the procurement of the software, computer and network technology and the security standards implemented therein, the access authorizations and all measures that serve the data loss and the defense against attacks, the operation and maintenance guidelines and the reporting, to name just a few.

The national and international security standards for the evaluation and certification of IT systems are incorporated into the security guidelines. These include the European Information Technology Security Evaluation Criteria( ITSEC), the U.S. Trusted Computer Security Evaluation Criteria ( TCSEC), and the Common Criteria for Information Technology Security Evaluation( CC). In addition, Chapter 1 of the British BS 7799 standard for security management deals with security guidelines for the management and care of IT security.