Tuesday, 30 July 2013

What is Information Security Policy?

An information security policy is a set of suggestions, effectively laws, that a company has to write to make its information system safe and immune to malicious attack. Usually such a policy is written for employees at different levels, but the common element in all of these policies is their target.

A policy can consist of a single combined set of rules covering all topics related to information security and computer usage, or of separate rules for individual topics, for example e-mail, network security or physical security.

Why does a company need an information security policy?

Many information systems were not designed to be secure, yet business life without them is hard to imagine. Increasingly, companies and their information systems and networks face security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated. Modern technology and software alone are not enough to make a company's information system safe; everyone in the company needs to be part of the security system.

The security policy modelling process points to the system's weakest areas and gives advice on how to remedy them.

How is a policy created?

There are different ways to create a security policy, but the main idea is the same. Employees have to answer a set of questions; specialised information security awareness companies then process these answers and write the information security policy. Another way to create the policy is to use special software that automatically processes the answers, evaluates the risks and outputs a policy. This approach is more efficient and takes less time. The policy has to be written in a form that is relevant, accessible and understandable to its intended readers.

The company gets a policy. What next? Now the company's manager has to nominate one person who will be responsible for the rules written in the policy. This person has to introduce all employees to these rules, make them readily available, and check and control how the rules are implemented in practice. The person has to work closely with the manager and regularly report problems.

Usually problems start when the policy is implemented in real life: employees have to change their daily work routine to comply with the new rules. This can be challenging, so some managers develop a kind of bonus scheme for employees who suggest new rules, improve existing rules, or report a breach of the current rules.

Author: infosecuritylab