Operating System Security: Policies & Procedures

Instructor: Toya Stiger

Toya has a masters of computer science in computer science and has taught college students as an adjunct instructor.

In this lesson you will learn about the security policies and procedures associated with protecting users and the operating systems on their computers. We will define and discuss the importance of these procedures. We will also outline some common security policies and procedures organizations should implement when executing these guidelines.

Operating System Security Policies and Procedures

There are many different types of operating system (OS) security policies and procedures that can be implemented based on the industry you work in. By way of a general definition, an OS security policy is one that contains information which outlines the processes of ensuring that the OS maintains a certain level of integrity, confidentiality, and availability.

OS security protects systems and data from threats, viruses, worms, malware, ransomware, backdoor intrusions, and more. Security policies cover all preventative measures and techniques to ensure the safeguarding of an OS, the network it connects to, and the data which can be stolen, edited or deleted.

Since OS security policies and procedures cover a broad area (i.e. from threats to attacks), there are many ways to address them. Some of these areas include:

  • Ensuring systems are patched or updated regularly
  • Installing and updating anti-virus software
  • Installing a firewall and ensuring it is configured properly to monitor all incoming and outgoing traffic
  • Implementing user management procedures secure user accounts and privileges

In order to ensure you are defining and implementing the correct OS security policies and procedures, you need to first define which assets, data, systems, and hardware are the most vital to your organization. Once that is complete, a policy around these items can be built to properly secure and safeguard them.

Implementing OS Security Policy and Procedures

As mentioned earlier, before an organization starts implementing security policies and procedures, they first need to define their assets and networks, and then determine how they should be managed. What the organizations needs to work towards is an understanding of how to reasonably manage the risk that comes with the types of technologies they choose to implement.

The first step in establishing a security policy and procedure program is to designate a cybersecurity manager. This person will be responsible for creating the plan to manage the organizations risks. Operating security policies and procedures should include the following:

Acceptable Use Policy (AUP)

An AUP should be a standard onboarding document that all employees sign before being allowed to access the organizations digital resources. For example, the AUP outlines the restrictions and practices that an employee must follow when accessing the organizations network. What is included in the AUP will vary depending on the organization. Regardless of the contents, the document should be reviewed at least annually by the information technology (IT), security, cyber, legal and human resources (HR) departments to implement any changes that may have happed in the organization recently.

Access Control Policy (ACP)

The ACP defines what the employee will have access to. Some subjects that might be covered in the ACP include:

  • Access control standards
  • Password complexity rules
  • Password change policy
  • User and network access controls
  • User network access monitoring
  • Workstation security standards
  • Standards for removal of organizational equipment

Change Management Policy

A change management policy outlines the proper procedures for making a change to the organizations network, IT equipment, software, security and operational procedures. The purpose of the change management policy is to ensure that an organization properly tracks when changes to infrastructure occur, and that they are made using the least invasive methods, especially if those changes directly impact the employees and customers. Management plays a large part in change management policy execution. They are usually the ones who make the final decisions on whether changes will occur or not. They have an increased awareness and understand any change requests proposed across the organization.

Information Security Policy

The main objective of the information security policy is to inform users that there are guidelines around handling sensitive data, and that they will be held accountable for policy adherence. These policies can be broken down into many categories and cover many areas that include things like how the employee uses the IT assets, network usage and internet usage of the organization.

Incident Response (IR) Policy

The purpose of the IR policy is to outline the response procedures when incidents occur. It includes the steps that need to be taken to recover from things such as network outages, data loss, damage to normal business operations, and employee or customer issues. This will help reduce recovery time and with lower the impact cost.

To unlock this lesson you must be a Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use

Become a member and start learning now.
Become a Member  Back
What teachers are saying about
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create an account