The essence of an IT security policy is to establish guidelines and standards for accessing the organisations information and application systems. As IT infrastructures have become more complex and organisations resources have become more distributed, the need for improved information security has increased.
An IT security policy facilitates the communication of security procedures to users and makes them more aware of potential security threats and associated business risks. A written IT security policy helps to enhance the performance of the organisations IT security systems and the e-business systems that they support.
Surveys regarding IT security all tend to show similar trends:
If an organistion suffers an IT security breach it is likely to suffer negative impact. There are many costs associated with a security breach:
An IT security policy mitigates the organisations legal exposure. The security policy guides the behaviour of employees. Having a written IT security policy is essential if the organisation wants to be able to hold employees accountable for their actions.
An IT security policy forces an organisation to make return on investment decisions. Whilst, developing an IT security policy the organisation will have to make intelligent business decisions about the cost-effectiveness of reducing or eliminating business risks.
To develop and IT security policy a task force needs to be established and the task force will need to work through the following steps:
The IT security policy should deal with security threats to the organisations information assets with respect to the following fundamental areas:
In some countries today simple password only user identification schemes are considered to be inadequate. Two-factor authentication consisiting of something you know (a password or pin) plus something you possess (smartcard with digital certificate) is now considered to be the norm.
The IT security policy should have sections dealing with the following issues:
Once the IT security policy has be written it needs to be put in place within the organisation. It needs to be communicated to employees, contractors and other personnel to ensure that they undestand the security policy and what is required.
The IT security policy will then need to be enforced. IT and security staff will need to implement its contents. They will need to manage user accounts, passwords, group membership, two-factor authentication devices such as smartcards and digital certificates.
The rapid pace of technological change and use of the Internet mean that new security threats appear all the time. The IT security policy will therefore need updating on a periodic basis.
An IT security policy is a formal statement of the rules that employees and others must follow when using an organisations IT infrastructure. Its purpose is to set down procedures for protecting the organisations information assets.
An IT security policy which details a number of security procedures to minimise business risk is available below.
Coptright © C.Stone 1996 - 2016