Have you ever looked into the information security policy of the company you work for? It is a document that states in writing how the company plans to protect its physical and information technology assets. Most organizations make these documents available to their employees on the company's internal website or notice boards, with the intent that employees read, understand and follow them. I wondered how hard it could be to write such a policy, so I decided to do some research on what needs to be considered when developing an information security policy in the first place.
The policy maker should know that the objectives of the policy are to reduce risk, comply with laws and regulations, assure operational continuity, and preserve the integrity and confidentiality of information. The policy maker should also realize that the success of an information protection program depends both on the policy produced and on the attitude of management toward securing information on automated systems.
The policy can provide vital support to security professionals as they strive to reduce the risk profile of the business and fend off both internal and external threats. It also matters legally. If an employee is terminated for wrongdoing (for example, stealing sensitive data and sharing it with outsiders) and the organization cannot show that the relevant policy was properly implemented and communicated to that employee, the employee could sue the organization for wrongful termination. By stating clearly in the policy what the right thing to do is, the organization can hold employees to the rules for acceptable behavior.
Knowing your audience is one of the most important steps in developing an information security policy. The policy maker should understand the purpose the policy is meant to serve and align it with any subsequent information governance training to be delivered. The policy needs to be aligned with the business objectives of the organization and delivered to each audience in the format that suits it best. By thinking from the user's point of view, the policy maker can trim policies to fewer pages that contain only the information users actually need and the key message they should retain.
As a user, I would like to see the policy in fewer pages, brief and to the point about my responsibilities toward the information I collect, use and access. It is also my responsibility to read, understand and follow the policy, out of respect for the organization I work for.
References:
Computer Weekly (n.d.). How to create a good information security policy. Retrieved April 9, 2015, from http://www.computerweekly.com/feature/How-to-create-a-good-information-security-policy
Whitman, M., & Mattord, H. (2014). Management of information security (4th ed.). Cengage Learning.