The essence of an IT security policy is to establish guidelines and standards for accessing the organization’s information and application systems. As IT infrastructures have become more complex and organizations’ resources have become more distributed, the need for improved information security has increased.
An IT security policy facilitates the communication of security procedures to users and makes them more aware of potential security threats and the associated business risks. A written IT security policy helps to enhance the performance of the organization’s IT security systems and the e-business systems that they support.
Surveys regarding IT security all tend to show similar trends:
- most organizations have been the victims of IT security breaches,
- IT security breaches cause significant damage,
- IT security breaches are increasing,
- Insiders pose as significant a threat as outsiders.
If an organization suffers an IT security breach it is likely to suffer a negative impact. There are many costs associated with a security breach:
- direct financial loss,
- lost sales and reduced competitive advantage,
- damage to organization reputation and brand,
- business disruption.
An IT security policy mitigates the organization’s legal exposure. The security policy guides the behavior of employees. Having a written IT security policy is essential if the organization wants to be able to hold employees accountable for their actions.
An IT security policy forces an organization to make return-on-investment decisions. While developing an IT security policy the organization will have to make intelligent business decisions about the cost-effectiveness of reducing or eliminating business risks.
Developing an IT Security Policy
To develop an IT security policy a task force needs to be established, and the task force will need to work through the following steps:
- Assess the requirements,
- Identify the information assets, systems and facilities,
- Identify the threats to the assets,
- Assess the risks to the assets,
- Develop a security policy to manage the risks,
- Implement the security policy,
- Communicate the security policy,
- Enforce the security policy,
- Re-assess the security policy.
IT Security Policy Contents
The IT security policy should deal with security threats to the organization’s information assets with respect to the following fundamental areas:
- Authentication – ensuring a user is who he says he is,
- Authorization – controlling what information and applications a user can access,
- Privacy and data integrity – preventing unauthorized users from seeing certain information, and preventing them from making unauthorized changes or deletions,
- Non-repudiation – making sure that parties in a transaction cannot deny what they said or what they did,
- Disaster recovery and contingency planning,
- Physical security.
In some countries today, simple password-only user identification schemes are considered to be inadequate. Two-factor authentication consisting of something you know (a password or PIN) plus something you possess (a smartcard with a digital certificate) is now considered to be the norm.
The IT security policy should have sections dealing with the following issues:
- Access control
- Electronic Mail
- Internet security
- Laptops, notebooks and handhelds
- Software security
- Network security
- Physical security
- Auditing and monitoring
- Contingency planning
Implementing the IT Security Policy
Once the IT security policy has been written it needs to be put in place within the organization. It needs to be communicated to employees, contractors and other personnel to ensure that they understand the security policy and what is required of them.
The IT security policy will then need to be enforced. IT and security staff will need to implement its contents. They will need to manage user accounts, passwords, group membership, and two-factor authentication devices such as smartcards and digital certificates.
The rapid pace of technological change and the use of the Internet mean that new security threats appear all the time. The IT security policy will therefore need updating on a periodic basis.
IT Security Policy Summary
An IT security policy is a formal statement of the rules that employees and others must follow when using an organization’s IT infrastructure. Its purpose is to set down procedures for protecting the organization’s information assets.
An IT security policy which details a number of security procedures to minimize business risk is available below.
Update: Feb 2023 (Originally posted October 1, 2010)
What is a security policy?
A security policy is a document that states in writing how a company plans to protect its physical and information technology (IT) assets. Security policies are living documents that are continuously updated and changing as technologies, vulnerabilities and security requirements change.
A company’s security policy may include an acceptable use policy. These describe how the company plans to educate its employees about protecting the company’s assets. They also include an explanation of how security measures will be carried out and enforced, and a procedure for evaluating the effectiveness of the policy to ensure that necessary corrections are made.
Why are security policies important?
Security policies are important because they protect an organization’s assets, both physical and digital. They identify all company assets and all threats to those assets.
Physical security policies are aimed at protecting a company’s physical assets, such as buildings and equipment, including computers and other IT equipment. Data security policies protect intellectual property from costly events, like data breaches and data leaks.
Physical security policies
Physical security policies protect all physical assets in an organization, including buildings, vehicles, inventory and machines. These assets include IT equipment, such as servers, computers and hard drives.
Protecting IT physical assets is particularly important because the physical devices contain company data. If a physical IT asset is compromised, the information it contains and handles is at risk. In this way, information security policies are dependent on physical security policies to keep company data safe.
Physical security policies include the following information:
- sensitive buildings, rooms and other areas of an organization;
- who is authorized to access, handle and move physical assets;
- procedures and other rules for accessing, monitoring and handling these assets; and
- responsibilities of individuals for the physical assets they access and handle.
Security guards, entry gates, and door and window locks are all used to protect physical assets. Other, more high-tech methods are also used to keep physical assets safe. For example, a biometric verification system can limit access to a server room. Anyone accessing the room would use a fingerprint scanner to verify they are authorized to enter.
Information security policies
These policies provide the following advantages.
Protect valuable assets. These policies help ensure the confidentiality, integrity and availability — known as the CIA triad — of data. They are often used to protect sensitive customer data and personally identifiable information.
Guard reputations. Data breaches and other information security incidents can negatively affect an organization’s reputation.
Ensure compliance with legal and regulatory requirements. Many legal requirements and regulations are aimed at securing sensitive information. For example, the Payment Card Industry Data Security Standard dictates how organizations handle consumer payment card information. The Health Insurance Portability and Accountability Act details how companies handle protected health information. Violating these regulations can be costly.
Dictate the role of employees. Every employee generates information that may pose a security risk. Security policies provide guidance on the conduct required to protect data and intellectual property.
Identify third-party vulnerabilities. Some vulnerabilities stem from interactions with other organizations that may have different security standards. Security policies help identify these potential security gaps.
Types of security policies
Security policies can be divided into three types based on the scope and purpose of the policy:
- Organizational. These policies are a master blueprint of the entire organization’s security program.
- System-specific. A system-specific policy covers security procedures for an information system or network.
- Issue-specific. These policies target certain aspects of the larger organizational policy. Examples of issue-related security policies include the following:
– Acceptable use policies define the rules and regulations for employee use of company assets.
– Access control policies say which employees can access which resources.
– Change management policies provide procedures for changing IT assets so that adverse effects are minimized.
– Disaster recovery policies ensure business continuity after a service disruption. These policies typically are enacted after the damage from an incident has occurred.
– Incident response policies define procedures for responding to a security breach or incident as it is happening.
Key elements in a security policy
Some of the key elements of an organizational information security policy include the following:
- statement of the purpose.
- statement that defines to whom the policy applies.
- statement of objectives, which usually encompasses the CIA triad.
- authority and access control policy that delineates who has access to which resources.
- data classification statement that divides data into categories of sensitivity — the data covered can range from public information to information that could cause harm to the business or an individual if disclosed.
- data use statement that lays out how data at any level should be handled — this includes specifying the data protection regulations, data backup requirements and network security standards for how data should be communicated, with encryption, for example.
- statement of the responsibilities and duties of employees and who will be responsible for overseeing and enforcing the policy.
- security awareness training that instructs employees on security best practices — this includes education on potential security threats, such as phishing, and computer security best practices for using company devices.
- effectiveness measurements that will be used to assess how well security policies are working and how improvements will be made.
Source: TechTarget