Example: A computer may cost $3000 to replace. The information on that computer might cost $60K to replace. In the hands of a competitor, the losses might be even higher.
Example: If a company has a public web server which is used to distribute information, the cost of it going down from a "denial of service" attack might be the time required to bring the system back online (e.g. two hours from the MIS department). If this web server is used to perform financial transactions then the cost must also include the number of purchases lost while the server is down.
Example: The CEO does not need a password that gives him access to the accounting system. If he has access and someone finds out his password (e.g. he uses one password for all systems), it can be misused.
Example: It’s often a good idea to locate all your important servers in a separate room with physical access constraints. This reduces the possibility of malicious or illegal activity occurring by happenstance (e.g. somebody with no access privileges glancing over and stealing a password while it is being input, or making copies of classified information that happens to come out of the printer).
Example: An Advertising Plan might be restricted to specific people in the Marketing and Business Development departments. An Engineering document that details trade secrets would be restricted to specific engineers. It might even be necessary to control and account for each document that is released, i.e. only one person has the ability to print the document and a limited number of photocopies are made and distributed to specific people only. Company policy would ensure that these people do not make unauthorised photocopies.
Example: Not all employees need access to the external World Wide Web. Aside from being a great time waster, it also increases the possibility of malicious software and ties up network bandwidth. A good alternative might be to restrict WWW access to specific times (e.g. lunchtime).
Example: Pick a worst case situation (usually your building burns down) and consider how you would stay in business and service your customers. This exercise will serve to highlight the data and equipment that is critical to your operation. It will also make you think about how long your operation can be "down" without suffering irreparable harm.
Example: The Network Administrator may be the person responsible for Internet access and other IT related functions, while a person in the HR department may take ownership of site security (alarm system maintenance, access card distribution). No two situations are identical.
Example: If the employees aren’t reliable, then it may be necessary to institute mechanisms to automatically force password changes and run screen saver programs. Obviously, there will always be a situation where the employees need to be responsible, i.e. education is a necessity and security policy enforcement is a co-operative effort.
Example: Reviewing the security policy six months after it was written will frequently uncover a few major deficiencies. If an assumption was made that only a few people need to access a protected area and this really isn’t the case, a change is in order. Perhaps some of the material in the protected area isn’t really that sensitive and can be moved to another location.