What is IT Security Policy :0

28Mar
By Cyber Security, General, ISO 20000/2700x 0 Comments

What is IT Security Policy ?

The essence of an IT security policy, is to establish guidelines and standards for accessing the organization’s information and application systems. As IT infrastructures have become more complex and organization’s resources have become more distributed, the need for improved information security has increased.

An IT security policy, facilitates the communication of security procedures to users and makes them more aware of potential security threats and associated business risks. A written IT security policy, helps to enhance the performance of the organization’s IT security systems and the e-business systems that they support.

Surveys regarding IT security all tend to show similar trends:

  • most organisations have been the victims of it security breaches,
  • IT security breaches cause significant damage,
  • IT security breaches are increasing,
  • insiders pose as significant a threat as outsiders.

If an organisation suffers an IT security breach it is likely to suffer negative impact. There are many costs associated with a security breach:

  • direct financial loss,
  • lost sales and reduced competitive advantage,
  • damage to organisation reputation and brand,
  • business disruption.

An IT security policy, mitigates the organisations legal exposure. The security policy guides the behaviour of employees. Having a written IT security policy, is essential if the organisation wants to be able to hold employees accountable for their actions.

An IT security policy forces an organisation to make return on investment decisions. Whilst, developing an IT security policy the organisation will have to make intelligent business decisions about the cost-effectiveness of reducing or eliminating business risks.

Developing and IT Security Policy

To develop and IT security policy a task force needs to be established and the task force will need to work through the following steps:

  • Access the requirements,
  • Identify the information assets, systems and facilities,
  • Identify the threats to the assets,
  • Assess the risks to the assets,
  • Develop an security policy to manage the risks,
  • Implement the security policy,
  • Communicate the security policy,
  • Enforce thesecurity policy,
  • Re-assess thesecurity policy,
IT Security Policy
IT Security Policy

IT Security Policy Contents

The IT security policy, should deal with security threats to the organisations information assets with respect to the following fundamental areas:

  • Authentication – ensuring a user is who he says he is,
  • Authorisation – controlling what information and applications a user can access,
  • Privacy and data integrity – preventing unauthorised users from seeing certain information, and preventing them from making unauthorised changes or deletions,
  • Non-repudiation – making sure that parties in a transaction can not deny what they said or what they did,
  • Disaster recovery and contingency planning,
  • Physical security.

In some countries today simple password only user identification schemes are considered to be inadequate. Two-factor authentication consisting of something you know (a password or pin) plus something you possess (smartcard with digital certificate) is now considered to be the norm.

The IT security policy, should have sections dealing with the following issues:

  • Access control
  • Electronic Mail
  • Internet security
  • Laptops, notebooks and handhelds
  • Software security
  • Network security
  • Physical security
  • Auditing and monitoring
  • Contingency planning

Implementing the IT Security Policy

Once the IT security policy, has be written it needs to be put in place within the organisation. It needs to be communicated to employees, contractors and other personnel to ensure that they understand the security policy and what is required.

The IT security policy, will then need to be enforced. IT and security staff will need to implement its contents. They will need to manage user accounts, passwords, group membership, two-factor authentication devices such as smartcards and digital certificates.

The rapid pace of technological change and use of the Internet mean that new security threats appear all the time. The IT security policy, will therefore need updating on a periodic basis.

IT Security Policy Summary

An IT security policy, is a formal statement of the rules that employees and others must follow when using an organisations IT infrastructure. Its purpose is to set down procedures for protecting the organisations information assets.

An IT security policy, which details a number of security procedures to minimise business risk is available below.

https://www.iso.org/isoiec-27001-information-security.html

More ISO Blog posts

https://www.erdalozkaya.com/category/iso-20000-2700x/

Share this post

Author

Named among Top 50 Technology Leaders 2021 by CIO Online & IDC, working with an ardent passion for raising cyber awareness and leveraging new & innovative approaches. He is committed to the delivery of accurate, accessible resources to inform individuals and organizations of cybersecurity and privacy matters in the internet age. Dr Erdal is a collaborative team leader with the key areas of his expertise spanning end-to-end IT solutions, management, communications, and innovation. In addition, he is a well-known public speaker, an award-winning technical expert, a book author, and writer of certifications (courseware and exams) for prestigious organizations such as Microsoft, EC Council, and other expert-level vendors. Some of his recent awards are: 2021: Best CISO for Banking and Financial Sector CIO Online & IDC : Top 50 Technology Leaders, Security Magazine Top CISO, Tycoon Success Magazine, Most Powerful 10 Middle East Businessman EC Council CEH Hall of Fame 2020: Khaleej Times "CISO Power List" , Cybersecurity Legend by GEC Media Group, "Super Hero CISO", by Enterprise IT Top CISO by Security ME Magazine 2019: CISO Mag " Hall of Fame" and Cybersecurity Influencer of the year , Microsoft Regional Director 2018 : NATO Center of Excellence Award 2017: Microsoft Platinum Club (employee of the year ), Security Professional of the year and more...

Leave a Reply

Your email address will not be published.

Related Posts

Cybersecurity The Beginner's Guide Dr Erdal ozkaya
11Mar

Learn Cybersecurity

Learn Cybersecurity Learn Cybersecurity in 2021: What it Is, Job Outlook & Where to Learn it A great blog post by Learn... read more

What is OpSec?
03Jun

Importance of Operational Security?

Operational security is often regarded as the convergence point of operational risks and cybersecurity. It is the middle ground between... read more

14Nov

MVP Meetup Dubai 2017- Great Community

MVP Meetup Dubai It was a great community day @ Microsoft Gulf where we come together with our Microsoft Most Valuable... read more

๐ƒ๐ข๐ ๐ข๐ญ๐š๐ฅ ๐“๐ซ๐š๐ง๐ฌ๐Ÿ๐จ๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐’๐ฎ๐ฆ๐ฆ๐ข๐ญ ๐’๐จ๐ฎ๐ญ๐ก๐ž๐š๐ฌ๐ญ ๐€๐ฌ๐ข๐š
22Aug

Digital Transformation Summit Southeast Asia , 2021 join us for Free

๐ƒ๐ข๐ ๐ข๐ญ๐š๐ฅ ๐“๐ซ๐š๐ง๐ฌ๐Ÿ๐จ๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐’๐ฎ๐ฆ๐ฆ๐ข๐ญ ๐’๐จ๐ฎ๐ญ๐ก๐ž๐š๐ฌ๐ญ Asia Business leaders must be prepared to handle complexity and scale for the future now more than... read more

Dr Erdal Ozkaya
02Jan

Windows Authentication Attacks and Forensics – Learn 4 Free

Windows Authentication Attacks and Forensics See demonstrations of how attackers use credential dependencies to gain elevated access to systems and... read more

18Jul

Microsoft Turkey – Cybersecurity Webinar Recording : Watch 4 Free

This post has the links for my "Turkish Webinar which was recorded for Microsoft Turkey, therefore the post will... read more

Masterclass Webinar by Dr erdal Ozkaya
08Nov

Masterclass Webinar โ€œDeveloping & Maintaining Secure Products” – FREE 20

Masterclass Webinar โ€œDeveloping & Maintaining Secure Products" I am excited to announce that I will be speaking on the EC Councils... read more

17 Best Cybersecurity Books
09Apr

17 Best Cybersecurity Books

17 Best Cybersecurity Books: Ethical Hacking, Malware, and More (2021 List) I am proud to have 2 of my books on the... read more

12Mar

Pen Test Magazine – inspiring Interview with Erdal Ozkaya 2012

Pen Test Magazine - inspiring Interview with Erdal Ozkaya 2012 Erdal Ozkaya is the founder and Senior Microsoft Instructor of CEO... read more

CISO Dr Ozkaya
14Jun

7 Tips to impactfully start your CISO job

As CISO โ€“ especially in a new organization โ€“ you need to balance being a Cybersecurity guru and business acumen.... read more