Sponsored by Keepnet Labs

What is IT Security Policy :0

28 Mar
By Cyber Security, General, ISO 20000/2700x 0 Comments

What is IT Security Policy ?

The essence of an IT security policy, is to establish guidelines and standards for accessing the organization’s information and application systems. As IT infrastructures have become more complex and organization’s resources have become more distributed, the need for improved information security has increased.

An IT security policy, facilitates the communication of security procedures to users and makes them more aware of potential security threats and associated business risks. A written IT security policy, helps to enhance the performance of the organization’s IT security systems and the e-business systems that they support.

Surveys regarding IT security all tend to show similar trends:

  • most organisations have been the victims of it security breaches,
  • IT security breaches cause significant damage,
  • IT security breaches are increasing,
  • insiders pose as significant a threat as outsiders.

If an organisation suffers an IT security breach it is likely to suffer negative impact. There are many costs associated with a security breach:

  • direct financial loss,
  • lost sales and reduced competitive advantage,
  • damage to organisation reputation and brand,
  • business disruption.

An IT security policy, mitigates the organisations legal exposure. The security policy guides the behaviour of employees. Having a written IT security policy, is essential if the organisation wants to be able to hold employees accountable for their actions.

An IT security policy forces an organisation to make return on investment decisions. Whilst, developing an IT security policy the organisation will have to make intelligent business decisions about the cost-effectiveness of reducing or eliminating business risks.

Developing and IT Security Policy

To develop and IT security policy a task force needs to be established and the task force will need to work through the following steps:

  • Access the requirements,
  • Identify the information assets, systems and facilities,
  • Identify the threats to the assets,
  • Assess the risks to the assets,
  • Develop an security policy to manage the risks,
  • Implement the security policy,
  • Communicate the security policy,
  • Enforce thesecurity policy,
  • Re-assess thesecurity policy,
IT Security Policy

IT Security Policy

IT Security Policy Contents

The IT security policy, should deal with security threats to the organisations information assets with respect to the following fundamental areas:

  • Authentication – ensuring a user is who he says he is,
  • Authorisation – controlling what information and applications a user can access,
  • Privacy and data integrity – preventing unauthorised users from seeing certain information, and preventing them from making unauthorised changes or deletions,
  • Non-repudiation – making sure that parties in a transaction can not deny what they said or what they did,
  • Disaster recovery and contingency planning,
  • Physical security.

In some countries today simple password only user identification schemes are considered to be inadequate. Two-factor authentication consisting of something you know (a password or pin) plus something you possess (smartcard with digital certificate) is now considered to be the norm.

The IT security policy, should have sections dealing with the following issues:

  • Access control
  • Electronic Mail
  • Internet security
  • Laptops, notebooks and handhelds
  • Software security
  • Network security
  • Physical security
  • Auditing and monitoring
  • Contingency planning

Implementing the IT Security Policy

Once the IT security policy, has be written it needs to be put in place within the organisation. It needs to be communicated to employees, contractors and other personnel to ensure that they understand the security policy and what is required.

The IT security policy, will then need to be enforced. IT and security staff will need to implement its contents. They will need to manage user accounts, passwords, group membership, two-factor authentication devices such as smartcards and digital certificates.

The rapid pace of technological change and use of the Internet mean that new security threats appear all the time. The IT security policy, will therefore need updating on a periodic basis.

IT Security Policy Summary

An IT security policy, is a formal statement of the rules that employees and others must follow when using an organisations IT infrastructure. Its purpose is to set down procedures for protecting the organisations information assets.

An IT security policy, which details a number of security procedures to minimise business risk is available below.

https://www.iso.org/isoiec-27001-information-security.html

More ISO Blog posts

https://www.erdalozkaya.com/category/iso-20000-2700x/

Share this post

Author

Erdal is an Australian IT Professional with business development & management skills who focuses on securing the Cyber Space & sharing his real-life skills as a Security Adviser, Speaker, Lecturer, Author and Cybersecurity Architect.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Attack Surface Analyzer
15 May

Announcing the all new Attack Surface Analyzer 2.0 – For FREE

Announcing the all new Attack Surface Analyzer 2.0 Few of us know what is really happening on our systems when... read more

Windows 10 Security in Real Life
20 Apr

Windows 10 Security in Real Life

As a Network Administrator, do you wonder how Windows 10 can help you protect against everyday security... read more

Global Siber Güvenlik Trendleri Erdal
09 Jun

Global Siber Güvenlik Trendleri – Join us 4 free

Global Siber Güvenlik Trendleri Turkish Webinar by Turkish Cyber Security Cluster (Türkiye Siber Güvenlik Kümelenmesi)  Post in Turkish (more…) read more

mark simos
23 Jul

Mark Simos Resource List – Absolutely 4 Free

Mark Simos , a Chief Security Advisor at Microsoft and a great friend of mine recently shared a very... read more

20 Oct

Turkish webinar with Business University – Free 2 join

Turkish webinar with Business University This post will be for my followers who can speak Turkish , its all about... read more

Chris Jackson & Erdal Ozkaya Feedback Microsoft
24 Nov

Azure Security – Watch and learn 4 Free

Azure Security Azure service that helps you prevent, detect and respond to threats with increased visibility and control over the... read more

update on the current cyber security threat profile
20 Mar

Erdal’s update on the current cyber security threat profile Free Webinar :

update on the current cyber security threat profile Join Microsoft #Cybersecurity Architect Dr Erdal Ozkaya tonight (7-8:30pm AEST) to hear... read more

Free Internet Security Threat Report
08 Jul

Free Internet Security Threat Report by Symantec 2019

Free Internet Security Threat Report Formjacking. Targeted Attacks. Living off the Land. Coming for Your Business. Symantec’s 2019 Internet Security Threat... read more

Siber Güvenlikte Tehdit Avcılığı Erdal Ozkaya
08 May

Siber Güvenlikte Tehdit Avcılığı -Free Webinar May 2020

Siber Güvenlikte Tehdit Avcılığı (Threat Hunting) This webinar will be in Turkish ... Siber tehditlerin artması ve saldırı vektörlerinin çeşitlilik göstermesiyle... read more

24 Apr

Knowing the threat actors behind a cyber attack

Knowing the threat actors behind a cyber attack This article is an excerpt taken from our latest book Hands-On Cybersecurity... read more