Information Security Policy
Manjunath KV
Samvardhana Coaching Centre,Bangalore, India
manjunathkvcs@gmail.com
Abstract
In business, a security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets. A security policy is often considered to be a "living document", meaning that the document is never finished, but is continuously updated as technology and employee requirements change. A company's security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measures will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made. Information security policy is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions.
Confidentiality, integrity and availability
1 Introduction
1.1 Threats
Computer system threats come in many different forms. Some of the most common threats today are software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion.
Governments, military, corporations, financial institutions, hospitals and private businesses amass a great deal of confidential information about their employees, customers, products, research and status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business' customers, finances or new product line fall into the hands of a competitor or a black hat hacker, the business and its customers could suffer widespread, irreparable loss, as well as damage to the company's reputation. Protecting confidential information is a business requirement and in many cases also an ethical and legal requirement. Hence a key concern for organizations today is to derive the optimal information security investment. The renowned Gordon-Loeb Model provides a powerful mathematical economic approach for addressing this critical concern.
For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.
1.2 Information assurance
Information assurance is the act of ensuring that data is not lost when critical issues arise. These issues include, but are not limited to, natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists. One of the most common methods of providing information assurance is to keep an off-site backup of the data in case one of the mentioned issues arises.
1.3 Information security
Information security is the set of business processes that protects information assets regardless of how the information is formatted or whether it is being processed, is in transit or is being stored.
Information security is not a single technology; rather, it is a strategy comprised of the processes, tools and policies necessary to prevent, detect, document and counter threats to digital and non-digital information. Processes and policies typically involve both physical and digital security measures to protect data from unauthorized access, use, replication or destruction.
1.4 Information Security Policy
An Information Security Policy (ISP) is a set of rules enacted by an organization to ensure that all users and networks of the IT structure within the organization's domain abide by the prescriptions regarding the security of data stored digitally within the boundaries over which the organization stretches its authority.
An ISP governs the protection of information, which is one of the many assets a corporation needs to protect. The present writing will discuss some of the most important aspects a person should take into account when contemplating developing an ISP. Following the logic of rationalization, one could say that a policy can be as broad as its creators want it to be: basically, everything from A to Z in terms of IT security, and even more. For that reason, the emphasis here is placed on a few key elements, but you should make a mental note of the liberty of thought organizations have when they forge their own guidelines.
2 Elements of Information Security Policy
2.1 Purpose
Institutions create ISPs for a variety of reasons:
Confidentiality ‐ information must be protected from unauthorised access and disclosure throughout its lifecycle, from creation to final disposal
Integrity ‐ the accuracy and completeness of information must be safeguarded and unauthorised amendment or destruction prevented
Availability ‐ information and associated services must be available to authorised users in line with business and funding body requirements
2.2 Scope
An ISP should address all data, programs, systems, facilities, other tech infrastructure, users of technology and third parties in a given organization, without exception.
This Policy applies to:
All information created or received in the course of business which must be protected according to its sensitivity, criticality, and value, regardless of the media on which it is stored, the location of the data, the manual or automated systems that process it or the methods by which it is distributed
All contractors, suppliers, business partners and external researchers and visitors who may be authorised access to information
All locations from which information is accessed including home and off‐site/remote use
2.3 Objectives
An Information Security Policy usually has the following objectives:
To protect the organisation's business information and any client or customer information within its custody or safekeeping by safeguarding its confidentiality, integrity and availability
To establish safeguards to protect the organisation's information resources from theft, abuse, misuse and any form of damage
To establish responsibility and accountability for Information Security in the organisation
To encourage management and staff to maintain an appropriate level of awareness, knowledge and skill to allow them to minimise the occurrence and severity of Information Security incidents
To ensure that the organisation is able to continue its commercial activities in the event of significant Information Security incidents
2.4 Authority & Access Control Policy
The organization develops a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the access control family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the access control policy.
2.5 Data Classification System
Classifying data is the process of categorizing data assets into nominal categories according to their sensitivity. For example, data might be classified as public, internal or confidential.
Public – Information that may or must be open to the general public.
Internal – Information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use.
Confidential – Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.
2.6 Reclassification
On a periodic basis, it is important to reevaluate the classification of Institutional Data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. This evaluation should be conducted by the appropriate Data Steward. Conducting an evaluation on an annual basis is encouraged; however, the Data Steward should determine what frequency is most appropriate based on available resources.
2.7 Security Awareness Sessions
Sharing IT security policies with staff is a critical step. Making them read and sign to acknowledge a document does not necessarily mean that they are familiar with and understand the new policies. A training session engages employees in a positive attitude to information security, which ensures that they get a notion of the procedures and mechanisms in place to protect the data, for instance, levels of confidentiality and data sensitivity issues.
Such awareness training should touch on a broad scope of vital topics: how to collect, use and delete data, maintaining data quality, records management, confidentiality, privacy, appropriate utilization of IT systems, correct usage of social networking, etc. A small test at the end is perhaps a good idea.
2.8 Responsibilities, Rights and Duties of Personnel
General considerations in this direction lean towards the responsibility of persons appointed to carry out the implementation, education, incident response, user access reviews, and periodic updates of an ISP.
Prevention of theft of information, know-how and industrial secrets that could benefit competitors is among the most cited reasons why a business may want to employ an ISP to defend its digital assets and intellectual rights.
3 Conclusion
A high-grade ISP can make the difference between a growing business and a successful one. Improved efficiency, increased productivity, clarity of the objectives each entity has, understanding what IT and data should be secured and why, identifying the type and levels of security required and defining the applicable information security best practices are enough reasons to back up this statement. To put a period to this topic in simple terms, let's say that if you want to lead a prosperous company in today's digital era, you certainly need to have a good information security policy.