Role of Information Security Policy Essay
Role of Information Security Policy
The processes and methods used to keep information confidential, keep it available, and assure its integrity are referred to collectively as information security, or INFOSEC. Information security covers access controls that keep unauthorized personnel out of a system; protection of information regardless of its format or location (in an email message or in storage); and the detection, documentation, and remediation of security breaches. It extends beyond computer data: telephone conversations and other non-electronic information fall under the same protection.
Information Security Policy
Maintaining information systems security depends on policies and standards, which are of great importance. According to Rouse (2014), “In business, a security policy is a document that states in writing how a company plans to protect the company’s physical and information technology (IT) assets.” Because technology and employee requirements change over time, the security policy is considered a living document: it requires regular updates and is never quite finished. The policy commonly includes an acceptable use policy and describes how the company plans to educate employees about protecting its assets, how security measures will be carried out and enforced, and how the effectiveness of the current policy will be measured so that corrections can be made. Information is a vital component of any business, and the risk of company collapse is high once its data is compromised, whether by becoming untrustworthy or by falling into the hands of an unwanted third party.
Businesses depend on both the availability and the secrecy of their data, and both are critical to the company’s performance. The data needing protection includes confidential customer information such as credit card numbers, addresses, and private documents, as well as the company’s own fiscal data. In the event of a breach, the company faces fees, penalties, and legal ramifications. A data security system backed by written security plans greatly reduces the likelihood of breach or compromise, including while data is being moved or integrated between systems. As industries rely more heavily on technology to manage their systems and documents, concern about controlling and protecting that information grows accordingly. Information protection plans also have to account for the growing security difficulties posed by the workforce itself: the inadvertent or deliberate acts of employees can endanger the company’s security.
When a violation occurs, it is not uncommon for a company to address the situation publicly as part of employee education. By informing the workforce of the non-conformance or violation, the company highlights the importance of following the policies in place. As an illustration of how common such violations are, Cisco, an American multinational corporation that designs, manufactures, and sells networking equipment, commissioned the third-party market research firm InsightExpress to conduct a worldwide study of employees and IT professionals totaling 2,000 respondents. The research found that employees around the world engage in risky behavior that places corporate and personal data at risk, in spite of the security policies, procedures, and tools their corporations have in place (“Data Leakage Worldwide: Common Risks and Mistakes Employees Make”, n.d.).
The findings include:
• Unauthorized application use: 70 percent of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies’ data loss incidents.
• Misuse of corporate computers: 44 percent of employees share work devices with others without supervision.
• Unauthorized physical and network access: 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.
• Remote worker security: 46 percent of employees admitted to transferring files between work and personal computers when working from home.
• Misuse of passwords: 18 percent of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.
An essential addition to a systems information security policy, therefore, is a highly effective information policy combined with education that teaches employees why the policies matter, so that breaches caused by ignorance can be avoided. To counter that ignorance, employers provide training in which the policy requirements are clearly defined.
Information protection training for all workers has become a priority for employers and other stakeholders in the company. Regardless of a worker’s status, whether full time, part time, or temporary, training on safeguarding data integrity and on the worker’s own part in the security system must be completed. Workers need role-based training tailored to the areas in which they work rather than a one-size-fits-all course. The training should engage the workers’ critical thinking skills by presenting real-world scenarios so they can recognize how such situations present themselves. This approach helps workers understand the risks and how to avoid introducing vulnerabilities within their control, and it makes clear the consequences workers face when a violation occurs.
Restricting access according to specific roles is another form of data protection. Role-based access control (RBAC) is “a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. In this context, access is the ability of an individual user to perform a specific task, such as view, create, or modify a file. Roles are defined according to job competency, authority, and responsibility within the enterprise” (Rouse, 2014). Access to specific areas of a system is thus defined by role. An example of role-specific protection at a university is the difference between instructor and student. The instructor has access to the students’ grades for a specific class, adding points each week as work is completed and graded. The student can view the grades but has no access to the area where points are awarded.
Each company has its own information safety requirements and concerns, and the safety levels and access privileges depend on the industry and on the person. Microsoft Dynamics CRM, for example, grants each privilege in a security role at one of five access levels, listed here from highest to lowest: Global, Deep, Local, Basic, and None. Each level includes the levels below it: Global includes Deep, Local, and Basic; Deep includes Local and Basic; and so on (“How Role-Based Security Can Be Used to Control Access to Entities in Microsoft Dynamics CRM”, 2013).
An employee’s position in the company determines the level of access and privilege the employee is granted within the system. The system administrator, who has unrestricted access, uses the system’s access control procedures to set up a hierarchy of users. Higher-level users have more access than lower-level users, which allows them to reach more sensitive data on the system.
Access levels break down into more specific roles depending on the industry, but in general a person with high access can reach far more than a person with low access. In the medical field, for example, access might be divided as follows: the doctor has full read and write access, the nurse has limited read and write access, and the patient is limited to read-only access. In many school settings, access levels likewise determine what can and cannot be done on the local school computers.
The administrator may grant the instructor’s account system administrator privileges through a specific ID that tells the system the instructor is cleared to download and install programs, a medium level of access, while the student login allows access only to specific areas and no ability to install or remove programs. Because school systems are typically networked, this restricted access prevents students from accidentally or maliciously downloading and installing malicious software. The arrangement is not unlike the access levels found in the workplace, although a workplace tends to require different employees to reach different levels of data and information within the system.
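The following is an added example, not code from the essay or from Microsoft, showing how the two ideas in the preceding paragraphs fit together in working code: roles that map actions to permissions (the instructor or doctor may write where the student or patient may only read), and an access level on each permission, None below Basic below Local below Deep below Global, where each level includes the ones beneath it. What each level reaches is an assumption made for this example, loosely modelled on the Dynamics CRM levels named above: Basic covers records the user owns, Local covers records in the user’s own unit, Deep covers the user’s unit and any unit beneath it, and Global covers everything. The unit tree, role names, users, and records are all constructed for the example; anything not explicitly granted is denied.

```python
"""Role-based access control with hierarchical access levels.

Added example; not code from the essay or from Microsoft. The meaning of each
level (Basic = own records, Local = own unit, Deep = own unit and its children,
Global = everything) is an assumption made for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered so that a higher level includes every lower one."""
    NONE = 0
    BASIC = 1
    LOCAL = 2
    DEEP = 3
    GLOBAL = 4


@dataclass(frozen=True)
class Role:
    name: str
    grants: dict  # action -> highest Level at which the role may perform it


@dataclass(frozen=True)
class User:
    name: str
    unit: str
    roles: tuple  # one or more Role; a user may hold several


@dataclass(frozen=True)
class Record:
    owner: str  # user name of the record's owner
    unit: str   # organizational unit that holds the record


# Constructed organizational tree for the example: child unit -> parent unit.
UNIT_PARENT = {"clinic-a": "hospital", "clinic-b": "hospital", "hospital": None}


def unit_ancestors(unit):
    """Return the units above `unit`, nearest first."""
    out = []
    parent = UNIT_PARENT.get(unit)
    while parent is not None:
        out.append(parent)
        parent = UNIT_PARENT.get(parent)
    return out


def effective_level(user, action):
    """Highest level any of the user's roles grants for `action` (deny by default)."""
    return max((r.grants.get(action, Level.NONE) for r in user.roles), default=Level.NONE)


def required_level(user, record):
    """Smallest level that would let `user` reach `record`, given where it lives."""
    if record.owner == user.name:
        return Level.BASIC
    if record.unit == user.unit:
        return Level.LOCAL
    if user.unit in unit_ancestors(record.unit):
        return Level.DEEP
    return Level.GLOBAL


def authorize(user, action, record):
    """True when the user's effective level for `action` covers the record."""
    return effective_level(user, action) >= required_level(user, record)


def explain(user, action, record):
    """Decision plus the two levels that produced it, in a form suitable for an audit log."""
    have, need = effective_level(user, action), required_level(user, record)
    verdict = "ALLOW" if have >= need else "DENY"
    return f"{verdict} {user.name} {action} {record.unit}/{record.owner} (have {have.name}, need {need.name})"


# Constructed roles mirroring the essay's medical example.
PATIENT = Role("patient", {"read": Level.BASIC})                     # own chart, read-only
NURSE = Role("nurse", {"read": Level.LOCAL, "write": Level.BASIC})   # limited read and write
DOCTOR = Role("doctor", {"read": Level.DEEP, "write": Level.LOCAL})  # widest read, writes in own unit

# Constructed users and records.
PAT = User("pat", "clinic-a", (PATIENT,))
NINA = User("nina", "clinic-a", (NURSE,))
DANA = User("dana", "hospital", (DOCTOR,))
CHART_PAT = Record(owner="pat", unit="clinic-a")
CHART_SAM = Record(owner="sam", unit="clinic-b")
NOTE_NINA = Record(owner="nina", unit="clinic-a")

if __name__ == "__main__":
    for who in (PAT, NINA, DANA):
        for what in ("read", "write"):
            for rec in (CHART_PAT, CHART_SAM, NOTE_NINA):
                print(explain(who, what, rec))
```

Two design points are worth noting. First, an action a role never mentions resolves to None, so a request for an undefined action such as "install" is denied rather than falling through. Second, the decision compares the level the user holds against the level the record demands, which is what lets Global include Deep, Deep include Local, and so on without listing every combination by hand; the same mechanism covers the instructor and student case by giving the instructor a "write" grant on grades and the student only "read".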
Access levels are granted by the IT administrator and are based on the specific areas a person needs to reach. Through training and education combined with access restrictions, workers can avoid inadvertently compromising a system’s security through preventable actions. Data safety may be handled through different security systems, but each is set up to accomplish the same goal: preventing the loss or corruption of vital data within the organization. When workers understand how sensitive the requirements for protecting information are, security plans become part of the organization’s infrastructure. As technology grows and security needs evolve, training and habits will evolve along with them. These security best practices for information and data ensure the vitality of that component of the company.
References
Rouse, M. (2014). Security policy. Retrieved from http://searchsecurity.techtarget.com/definition/security-policy
Data Leakage Worldwide: Common Risks and Mistakes Employees Make. (n.d.). Retrieved from http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-499060.html
Rouse, M. (2014). Role-based access control (RBAC). Retrieved from http://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC
How role-based security can be used to control access to entities in Microsoft Dynamics CRM. (2013). Retrieved from http://msdn.microsoft.com/en-us/library/gg334717.aspx#bkmk_access