An ecommerce website security policy is a document that explains:
- The overall approach to security on your ecommerce website.
- What is to be protected (e.g. software, hardware, data).
- Who is accountable for defending these assets.
- Standards for security, and metrics that quantify how well those standards are being met.
A good guideline for writing your security policy is to treat it like a set of functional requirements for an ecommerce website. The policy should not discuss exact implementations or solutions, but instead the goals and security needs of your environment.
You should maintain a separate document that sets out how the requirements of the security policy are met in a specific environment. You can have different policies for different parts of your website. This second document is more along the lines of a design document or a procedures manual: it records what is actually done to ensure the level of security that you require.

