Why do we need IT Security Policies?
How do we get senior management involved?
How do we know staff are complying with Policies?
What happens if there is a breach of Policy?
How do we make staff aware of Policies?
Are our Security Policies secret?
How do we customise templated Security Policies?
Will regulators or auditors want to see our Security Policies?
Do all companies have IT Security Policies?
Do security policies create any business benefits?
How easy are the policies to technically implement?
Why do we need IT Security Policies?
Security Policies are essential if a business is to achieve information security. Policies help ensure that all staff (users, managers and technicians) are aware of their own responsibilities. Without adequate security policies there can be no assurance that staff will not undermine security controls, and in doing so harm the business. Such actions may result in a breach of regulatory requirements or legislation such as the Data Protection Act and the new Privacy Directive, or otherwise harm the company’s reputation. In the event that a company seeks to sack or prosecute staff for unacceptable activities, the company is likely to be required to demonstrate that it has appropriate policies, and that staff are aware of them and understand their requirements.
How do we get senior management involved?
A senior manager, director or partner has to sponsor IT Security for it to be effective. They can do this by endorsing a high-level information security policy, spelling out the importance of IT Security to the organisation, the key objectives and the key responsibilities of staff. Senior management need to understand their role in protecting the organisation’s assets and, in the case of a company, its shareholders’ interests. They can be held liable in the event of a breach of legislation, e.g. the Data Protection Act, caused by inadequate IT Security.
How do we know staff are complying with Policies?
There will need to be an IT security audit programme in place. At a basic level this could involve testing how aware users are of IT Security policies by using simple quizzes. It may also involve auditing aspects of the system, such as whether expired user accounts have been disabled and whether all software is appropriately licensed.
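The two system-level checks mentioned above can be scripted so that the audit programme runs the same test each time rather than relying on a manual review. The following is an added example and not part of the original page or of PLAN-IT-CONTROL-IT’s own material; the account records, installed-software list and licence seat counts are constructed inline, where in practice they would be exported from the directory service and the software asset register.

```python
# Added example (not from the original page): a minimal policy-compliance audit
# covering two of the checks described above. All account, install and licence
# data below is constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    expires: Optional[date]   # None means no expiry date has been set
    enabled: bool


@dataclass(frozen=True)
class Install:
    host: str
    product: str


def expired_but_enabled(accounts, today):
    """Return usernames whose expiry date has passed but which are still enabled.

    These are the accounts the policy says should already have been disabled.
    """
    return sorted(
        a.username for a in accounts
        if a.enabled and a.expires is not None and a.expires < today
    )


def unlicensed_software(installs, licences):
    """Return {product: (installed_count, licensed_seats)} for every product
    that is installed on more hosts than it is licensed for, including products
    with no licence record at all (treated as zero seats)."""
    installed = Counter(i.product for i in installs)
    findings = {}
    for product, count in installed.items():
        seats = licences.get(product, 0)
        if count > seats:
            findings[product] = (count, seats)
    return findings


def audit_report(accounts, installs, licences, today):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for user in expired_but_enabled(accounts, today):
        findings.append(f"ACCOUNT {user}: expired but still enabled")
    for product, (count, seats) in sorted(unlicensed_software(installs, licences).items()):
        findings.append(f"LICENCE {product}: {count} installed, {seats} licensed")
    return findings


# Constructed sample data (hypothetical users, hosts and product names)
AUDIT_DATE = date(2024, 1, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2030, 1, 1), True),
    Account("bob", date(2023, 6, 30), True),      # expired, still enabled: finding
    Account("carol", date(2023, 6, 30), False),   # expired and disabled: compliant
    Account("svc-backup", None, True),            # no expiry set: not flagged here
]
SAMPLE_INSTALLS = [
    Install("ws01", "OfficeSuite"),
    Install("ws02", "OfficeSuite"),
    Install("ws03", "OfficeSuite"),
    Install("ws01", "PhotoTool"),
]
SAMPLE_LICENCES = {"OfficeSuite": 2}   # PhotoTool has no licence record

if __name__ == "__main__":
    for line in audit_report(SAMPLE_ACCOUNTS, SAMPLE_INSTALLS, SAMPLE_LICENCES, AUDIT_DATE):
        print(line)
```

Each finding maps back to a specific policy requirement, which is what an auditor will want to see: not just that a check was run, but which accounts or products were out of line and on what date.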
What happens if there is a breach of Policy?
The action taken should depend upon factors such as the nature and degree of the security breach and whether this was a first breach or not. The procedures for disciplinary action need to be agreed with the HR department, and the possibility of such action should have been spelled out to staff in their contract of employment. Also, the member of staff will need to have been aware of the policy in order for disciplinary action to be reasonable.
How do we make staff aware of Policies?
References to security policies should first be made within staff contracts of employment and staff procedures. Staff should be made aware of the most relevant security policies at the earliest opportunity, e.g. at an induction session when they join the organisation, and before they start using systems. All staff should be given some security awareness training at regular intervals. Security policies can be provided in an easily available folder, or could be displayed on an intranet.
Are our Security Policies secret?
Security Policies should not be locked in a manager’s cupboard, but should be freely available to anyone within the organisation for easy reference. Policies should not contain any confidential information, such as system security details, that may be of use to an attacker. Whilst much material in a policy will be in the public domain, it will have been customised and should be treated as “company confidential” or similar.
How do we customise templated Security Policies?
Templated security policies, such as those available from PLAN-IT-CONTROL-IT, include principles that are best practice and principles gained from experience. Some of these may not be applicable in every organisation or environment due to the activities undertaken, the risks involved and the systems deployed. Policies should aim for high standards, but should not include requirements that staff could not reasonably comply with due to operational constraints.
Will regulators or auditors want to see our Security Policies?
Many regulations, for example Corporate Governance requirements, require that companies have implemented security policies. To comply with these and other regulations, and if organisations wish to aim for ISO17799 (the international standard for Information Security Management) certification, they will be required to demonstrate the existence of and adherence to IT Security Policies.
Do all companies have IT Security Policies?
The DTI’s Information Security Breaches Survey 2002 found that only 27% of UK businesses (59% of large businesses) have a documented security policy.
Do security policies create any business benefits?
Documented policies allow staff to work consistently with regard to IT Security, and reduce the overhead compared with trying to implement and police a policy that is not documented and of which staff are not aware. They create a “level playing field” for staff and thereby should foster better staff morale. Good security practice raises the credibility of the organisation with its clients and partners. The main benefit of security policies is the reduced risk of material harm coming to an organisation through misuse of systems, whether accidental or deliberate, internal or external.
How easy are the policies to technically implement?
Where appropriate, the policies include a section of principles specifically addressed to IT Support personnel. These principles cover those aspects of the policy that are the responsibility of IT Support personnel, and provide them with clear guidance on what is required to be implemented. It is intended that further system-specific guidance on policy compliance will be added to the resources available.