The Role of Information Security Policy Essay
The Role of Information Security Policy
The failure of organizations to implement a comprehensive and robust information security program can mean the untimely demise for some and costly setbacks for others. At the heart of information security is security policy. Without security policy there can be no security program. Without people, security policies would not exist. They would not be written, implemented, and enforced. Security policies and the adoption of standards provide many benefits as shall be discussed in this paper. Further is discussed how information in systems often falls under different classifications to reflect a degree of sensitivity and how this relates to an organization’s security policy. 1.0 Security Policy and Standards. See more: My parents my role model.
1.1 Defining Information Security Policy
Conklin et al (2012, “Information Security Policy”) states, “policy is the essential foundation of an effective security program,” and “the centrality of information security policies to virtually everything that happens in the information security field is increasingly evident.” Webopedia.com defines security policy as “a document that outlines the rules, laws, and practices for computer network access” (2013, “Security Policy”). The document regulates how an organization will manage, protect, and distribute its sensitive information. Information security policy addresses many issues such as the following: disclosure, integrity, and availability concerns; who may access what information in what manner; maximized sharing versus least privilege; separation of duties; and who controls and who owns the information.
1.2 Defining Information Security Standards
Standards are recommended or imposed practices that should or must be followed. The businessdictionary.com website (2013, “Standards”) defines standards as “written definition, limit, or rule, approved and monitored for compliance by an authoritative agency or professional or recognized body as a minimum acceptable benchmark.” Government agencies and organizations publish standards as guidelines and best practices so that other organizations can follow suit and ensure they are implementing and maintaining an adequate level of security and controls. Some standards are mandatory. Federal regulations require compliance with these types of standards under penalty of law. Examples include: Payment Card Industry (PCI) standards, Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA.
1.3 The Importance of Information Security Policy and Standards
In essence, information security policies govern the protection of information. The benefits of information security policy include: * Minimization of data leak or loss.
* Protecting the organization from malicious internal and external users. * Setting of guidelines, best practices of use, and ensuring proper compliance. * Announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction. * Promoting a proactive as opposed to a reactive stance for the organization. Policies define allowed and disallowed behavior. More importantly, policies are explanatory when written so as to be understood by everyone in the organization and properly disseminated. To be effective, security policy needs to be visibly and uniformly practiced. Organizations should not need to be prodded to provide an adequate level of security to protect sensitive information.
Information is one of an organization’s most valuable assets. Unfortunately, many companies still do not understand the importance of allocating enough resources toward developing an information security blueprint. Time and time again these companies are punished for mishandling information. The importance of information security standards is to help organizations provide adequate security programs to protect their systems and sensitive information. It is important to protect information systems from threat and it is especially important to protect the private information of customers. In the eyes of customers, failure to protect their information is a violation of trust.
Responsible parties will have their reputations diminished and be held accountable for damages or loss. A kind of benchmarking is following the recommended practices of other organizations or industry standards (Conklin et al, 2012” Security Management Models”). In this way organizations can adopt practices that are already proven to work. Federal regulations give the push some organizations need to implement and maintain adequate information security control levels. Mandatory audits help keep these organizations “honest” and in compliance.
2.0 The Role of Employees in Policy
Security policy comes down from the top. The enterprise information security policy (EISP) is a high-level document “drafted by the chief information security officer (CISO) in consultation with the chief information officer (CIO) and other executives” (Conklin et al, 2012, “Information Security Policy”). Security information policy, however, has an effect on everyone in the organization. Policies have to be uniformly applied to be effective. If management fails to support policy, the policy is typically ignored.
Employees often try to circumvent policy. People are generally resistant to rules and regulations that tell them what to do. The role of security education, training and awareness (SETA) is important in helping end users or employees understand security policy. When taken the time to educate and include employees in business decisions and processes, they are often more willing to abide by rules and even be proactive in defending them.
Security breaches often occur because of employee accident or inattentiveness. SETA helps mitigate this type of risk through education and training. Employees become more actively aware of situations that result in security breaches, such as tailgating and other tactics like social engineering attacks.
3.0 Security Levels and Policy
“An information security classification system is one of the critical components of good information security” (Office of the Chief Information Officer Province of British Columbia, 2010). Security levels pertain to access restrictions. Information can have various degrees of sensitivity. In other words some information must be better protected than other types of information.
Different levels of security are assigned for different data sensitivity levels or information classifications. The Bell-LaPadula security model reflects a multilevel security system based on data classification and security clearances. Such levels may include data classifications such as top secret, secret, confidential, sensitive but unclassified, and unclassified. Security policies such as a data classification and handling policy establish a framework for classifying and handling data based on its level of sensitivity. The classification of data aids in determining baseline security controls for the protection of the data.
Conklin, W. A., White, G., Williams, D., Davis, R., & Cothren, C. (2012). Principles of computer security: CompTIA Security+™ and beyond (3rd ed.). New York, NY: McGraw Hill. Office of the Chief Information Officer Province of British Columbia. (2010). Information Security Classification Framework. Retrieved from http://www.cio.gov.bc.ca/local/cio/informationsecurity/policy/ISCFramework.pdf Security Policy. (2013). Retrieved from http://www.webopedia.com/TERM/S/security_policy.html Standards. (2013). Retrieved from
University/College: University of Arkansas System
Type of paper: Thesis/Dissertation Chapter
Date: 18 December 2016
We will write a custom essay sample on The Role of Information Security Policy
for only $16.38 $12.9/page