An Information Security Policy (ISP) is a set of rules enacted by an organization to ensure that all users and networks of the IT structure within the organization's domain abide by its prescriptions regarding the security of data stored digitally within the boundaries over which the organization exercises its authority.
An ISP governs the protection of information, which is one of the many assets a corporation needs to protect. This article discusses some of the most important aspects a person should take into account when contemplating the development of an ISP. Logically, a policy can be as broad as its creators want it to be: basically everything from A to Z in terms of IT security, and even more. For that reason, the emphasis here is placed on a few key elements, but keep in mind the liberty organizations have when they forge their own guidelines.
2 Elements of Information Security Policy
2.1 Purpose
Institutions create ISPs for a variety of reasons:
- To establish a general approach to information security.
- To detect and forestall the compromise of information security, such as misuse of data, networks, computer systems and applications.
- To protect the reputation of the company with respect to its ethical and legal responsibilities.
- To observe the rights of customers; providing effective mechanisms for responding to complaints and queries concerning real or perceived non-compliance with the policy is one way to achieve this objective.
An ISP should address all data, programs, systems, facilities, other technical infrastructure, users of technology and third parties in a given organization, without exception.
2.3 Information security objectives
An organization that strives to compose a working ISP needs well-defined security and strategy objectives on which management has reached agreement. Any dissonance in this context may render the information security policy project dysfunctional. The most important thing for a security professional to remember is that knowing security management practices allows them to be incorporated into the documents they are entrusted to draft, and that is a guarantee of completeness, quality and workability.
Simplifying the policy language is one thing that may smooth away differences and secure consensus among management staff. Consequently, ambiguous expressions are to be avoided. Be aware also of the correct meaning of terms and common words: for instance, "musts" express non-negotiability, whereas "shoulds" denote a certain level of discretion. Ideally, the policy should be formulated briefly and to the point. Redundancy in the policy's wording (e.g., pointless repetition) should be avoided as well, since it makes documents long-winded and out of sync, and the resulting illegibility encumbers evolution. In the end, an excess of detail may impede complete compliance at the policy level.
So understanding how management views IT security is one of the first steps when a person intends to enforce new rules in this department. Furthermore, a security professional should make sure that the ISP carries institutional gravity equal to that of other policies enacted within the corporation. Where an organization has a sizeable structure, policies may differ and therefore be segregated in order to define the dealings within the intended subset of the organization.
Information security is deemed to safeguard three main objectives:
- Confidentiality: data and information assets must be confined to people authorized to access them and not be disclosed to others.
- Integrity: keeping the data intact, complete and accurate, and IT systems operational.
- Availability: an objective indicating that information or a system is at the disposal of authorized users when needed.
Donn Parker, one of the pioneers in the field of IT security, expanded this threefold paradigm by suggesting also “authenticity” and “utility”.
2.4 Authority & Access Control Policy
Typically, a security policy has a hierarchical pattern: junior staff are usually bound not to share the little information they have unless explicitly authorized, whereas a senior manager may have enough authority to decide what data can be shared and with whom, which means they are not tied down by the same information security policy terms. So logic demands that the ISP address every basic position in the organization with specifications that clarify its authoritative status.
Policy refinement takes place simultaneously with defining the administrative control (in other words, the authority) that people in the organization have. In essence, it is a hierarchy-based delegation of control in which one may have authority over one's own work, a project manager has authority over the project files belonging to a group he is appointed to, and the system administrator has authority solely over system files, a structure reminiscent of the separation of powers doctrine. Obviously, a user may have a "need-to-know" for a particular type of information. Therefore, data must have sufficiently granular attributes to allow the appropriate authorized access. This is the thin line of finding the delicate balance between permitting access to those who need to use the data as part of their job and denying it to unauthorized entities.
Access to the company's network and servers, whether or not in the physical sense of the word, should be via unique logins that require authentication in the form of passwords, biometrics, ID cards, tokens, etc. Monitoring on all systems must be implemented to record logon attempts (both successful ones and failures) and the exact date and time of logon and logoff.
Regarding the evolution mentioned in the previous point: as the IT security program matures, the policy may need updating. While doing so will not necessarily be tantamount to an improvement in security, it is nevertheless a sensible recommendation.
2.5 Classification of Data
Data can have different value. Gradations in the value index may impose separation and specific handling regimes/procedures for each kind. An information classification system may therefore succeed in focusing protection on data that has significant importance for the organization, while leaving out insignificant information that would otherwise overburden the organization's resources. A data classification policy may arrange the entire set of information as follows:
- High Risk Class: data protected by state and federal legislation (the Data Protection Act, HIPAA, FERPA), as well as financial, payroll and personnel data (privacy requirements), is included here.
- Confidential Class: the data in this class does not enjoy the privilege of being under the wing of the law, but the data owner judges that it should be protected against unauthorized disclosure.
- Public Class: this information can be freely distributed.
Da
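The following is an added example, not part of the original article, showing how the rules of sections 2.4 and 2.5 can be made concrete in code: a deny-by-default check that combines hierarchy-based authority (own work, project files, system files), need-to-know and clearance against a three-tier classification, together with a logon/logoff audit trail that records both successful and failed attempts with a timestamp. The roles, users, file names and the `need_to_know` attribute are constructed for illustration and are not prescribed by the article.

```python
# Added example (not from the article): a small deny-by-default reference monitor
# encoding the hierarchy-based authority, need-to-know and data-classification
# rules of sections 2.4 and 2.5, plus the logon/logoff audit trail of 2.4.
# All roles, users, file names and sample values below are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
from typing import Callable, Optional


class Classification(IntEnum):
    """Ordered so that a higher clearance covers every lower class (section 2.5)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    HIGH_RISK = 2


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str                        # login of the person whose own work this is
    classification: Classification
    project: Optional[str] = None     # project the file belongs to, if any
    system_file: bool = False         # only the system administrator has authority here


@dataclass(frozen=True)
class User:
    login: str
    role: str                         # constructed roles: "staff", "project_manager", "sysadmin"
    clearance: Classification = Classification.PUBLIC
    projects: frozenset = frozenset()       # projects a manager is appointed to
    need_to_know: frozenset = frozenset()   # non-public resources explicitly granted


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    login: str
    action: str                       # "logon" or "logoff"
    success: bool


def has_authority(user: User, res: Resource) -> bool:
    """Hierarchy-based delegation: own work, project files, or system files."""
    if res.system_file:
        return user.role == "sysadmin"
    if res.owner == user.login:
        return True
    return user.role == "project_manager" and res.project in user.projects


def authorize(user: User, res: Resource) -> tuple:
    """Deny by default; return (decision, rule that produced it)."""
    if not has_authority(user, res):
        return False, "no authority over this resource"
    if user.clearance < res.classification:
        return False, "clearance below data classification"
    if (res.classification > Classification.PUBLIC
            and res.owner != user.login
            and res.name not in user.need_to_know):
        return False, "no need-to-know for this resource"
    return True, "permitted"


class LogonMonitor:
    """Unique logins, salted password hashes, and a record of every logon/logoff."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._credentials: dict = {}      # login -> (salt, derived key)
        self.events: list = []

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, login: str, password: str) -> None:
        salt = os.urandom(16)
        self._credentials[login] = (salt, self._derive(password, salt))

    def logon(self, login: str, password: str) -> bool:
        salt, expected = self._credentials.get(login, (b"\x00" * 16, b"\x00" * 32))
        derived = self._derive(password, salt)   # always derive, so unknown logins cost the same
        ok = login in self._credentials and hmac.compare_digest(derived, expected)
        self.events.append(AuditEvent(self._clock(), login, "logon", ok))  # failures logged too
        return ok

    def logoff(self, login: str) -> None:
        self.events.append(AuditEvent(self._clock(), login, "logoff", True))


def demo() -> dict:
    """Constructed users and files exercising each rule; returns decisions by label."""
    payroll = Resource("payroll-2024.xlsx", "hr01", Classification.HIGH_RISK, project="hr")
    design = Resource("design.md", "dev01", Classification.CONFIDENTIAL, project="apollo")
    config = Resource("server-config.yaml", "root", Classification.CONFIDENTIAL, system_file=True)
    dev = User("dev01", "staff", Classification.CONFIDENTIAL)
    pm = User("pm01", "project_manager", Classification.CONFIDENTIAL,
              projects=frozenset({"apollo"}), need_to_know=frozenset({"design.md"}))
    admin = User("sys01", "sysadmin", Classification.HIGH_RISK,
                 need_to_know=frozenset({"server-config.yaml"}))
    return {
        "owner reads own file": authorize(dev, design),
        "manager reads project file": authorize(pm, design),
        "manager reads other project": authorize(pm, payroll),
        "admin reads system file": authorize(admin, config),
        "admin reads payroll": authorize(admin, payroll),   # authority is solely over system files
        "staff reads system file": authorize(dev, config),
    }
```

The decision function returns the rule that denied access, which is what an auditor needs when reconciling observed behaviour with the written policy; the monitor logs failed logons as well as successful ones, as the text requires, and derives a key even for unknown logins so that response time does not reveal which accounts exist.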