
Information security policy


DOCUMENT INFORMATION

Basic information

Format
Pages: 4
Size: 1.12 MB

Content

A company's security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made.

ISSN: 2249-5789. Manjunath KV, International Journal of Computer Science & Communication Networks, Vol 5(4), 224-227

Information Security Policy

Manjunath KV, Samvardhana Coaching Centre, Bangalore, India, manjunathkvcs@gmail.com

Abstract

In business, a security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets. A security policy is often considered to be a "living document", meaning that the document is never finished, but is continuously updated as technology and employee requirements change. A company's security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made. Information security policy is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions. Confidentiality, integrity and availability are a business requirement, and in many cases also an ethical and legal requirement. Hence a key concern for organizations today is to derive the optimal information security investment. The renowned Gordon-Loeb Model provides a powerful mathematical economic approach for addressing this critical concern. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

Introduction

1.1 Threats

Computer system threats come in many different forms. Some of the most common threats today are software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion. Governments, military, corporations, financial institutions, hospitals and private businesses amass a great deal of confidential information about their employees, customers, products, research and status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business' customers or finances or new product line fall into the hands of a competitor or a black hat hacker, a business and its customers could suffer widespread, irreparable loss, as well as damage to the company's reputation. Protecting confidential information is a business requirement.

1.2 Information assurance

Information assurance is the act of ensuring that data is not lost when critical issues arise. These issues include but are not limited to: natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists. One of the most common methods of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises.

1.3 Information security

Information security is the set of business processes that protects information assets regardless of how the information is formatted or whether it is being processed, is in transit or is being stored. Information security is not a single technology; rather it is a strategy comprised of the processes, tools and policies necessary to prevent, detect, document and counter threats to digital and non-digital information. Processes and policies typically involve both physical and digital security measures to protect data from unauthorized access, use, replication or destruction.

1.4 Information Security Policy

An Information Security Policy (ISP) is a set of rules enacted by an organization to ensure that all users or networks of the IT structure within the organization's domain abide by the prescriptions regarding the security of data stored digitally within the boundaries to which the organization extends its authority. An ISP governs the protection of information, which is one of the many assets a corporation needs to protect. The present writing will discuss some of the most important aspects a person should take into account when contemplating developing an ISP. Putting to work the logical arguments of rationalization, one could say that a policy can be as broad as the creators want it to be: basically, everything from A to Z in terms of IT security, and even more. For that reason, the emphasis here is placed on a few key elements, but you should make a mental note of the liberty of thought organizations have when they forge their own guidelines.

Elements of Information Security Policy

2.1 Purpose

Institutions create ISPs for a variety of reasons:

- Confidentiality: information must be protected from unauthorised access and disclosure throughout its lifecycle, from creation to final disposal.
- Integrity: the accuracy and completeness of information must be safeguarded and unauthorised amendment or destruction prevented and associated
- Availability: information services must be available to authorised users in line with business and funding body requirements.

2.2 Scope

An ISP should address all data, programs, systems, facilities, other technical infrastructure, users of technology and third parties in a given organization, without exception. This policy applies to:

- All information created or received in the course of business, which must be protected according to its sensitivity, criticality, and value, regardless of the media on which it is stored, the location of the data, the manual or automated systems that process it or the methods by which it is distributed.
- All contractors, suppliers, business partners and external researchers and visitors who may be authorised access to information.
- All locations from which information is accessed, including home and off-site/remote use.

2.3 Objectives

An Information Security Policy usually has the following objectives:

- To protect the organisation's business information and any client or customer information within its custody or safekeeping by safeguarding its confidentiality, integrity and availability.
- To establish safeguards to protect the organisation's information resources from theft, abuse, misuse and any form of damage.
- To establish responsibility and accountability for Information Security in the organisation.
- To encourage management and staff to maintain an appropriate level of awareness, knowledge and skill to allow them to minimise the occurrence and severity of Information Security incidents.
- To ensure that the organisation is able to continue its commercial activities in the event of significant Information Security incidents.

2.4 Authority & Access Control Policy

The organization develops a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the access control family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the access control policy.

2.5 Data classification

Classifying data is the process of categorizing data assets based on nominal values according to their sensitivity. For example, data might be classified as public, internal and confidential:

- Public: information that may or must be open to the general public.
- Internal: information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use.
- Confidential: highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.

2.6 Reclassification

On a periodic basis, it is important to re-evaluate the classification of institutional data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the organization. This evaluation should be conducted by the appropriate Data Steward. Conducting an evaluation on an annual basis is encouraged; however, the Data Steward should determine what frequency is most appropriate based on available resources.

2.7 Security Awareness Sessions

Sharing IT security policies with staff is a critical step. Making them read and sign to acknowledge a document does not necessarily mean that they are familiar with and understand the new policies. A training session would engage employees in a positive attitude to information security, which will ensure that they get a notion of the procedures and mechanisms in place to protect the data, for instance levels of confidentiality and data sensitivity issues. Such awareness training should touch on a broad scope of vital topics: how to collect, use and delete data, maintaining data quality, records management, confidentiality, privacy, appropriate utilization of IT systems, correct usage of social networking, etc. A small test at the end is perhaps a good idea.

2.8 Responsibilities, Rights and Duties of Personnel

General considerations in this direction lean towards the responsibility of persons appointed to carry out the implementation, education, incident response, user access reviews, and periodic updates of an ISP. Prevention of theft of information, know-how and industrial secrets that could benefit competitors is among the most cited reasons why a business may want to employ an ISP to defend its digital assets and intellectual rights.

Conclusion

A high-grade ISP can make the difference between a growing business and a successful one. Improved efficiency, increased productivity, clarity of the objectives each entity has, understanding what IT and data should be secured and why, identifying the type and levels of security required and defining the applicable information security best practices are enough reasons to back up this statement. To put a period to this topic in simple terms, let's say that if you want to lead a prosperous company in today's digital era, you certainly need to have a good information security policy.
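The three classification levels of 2.5, the need-to-know access rule behind 2.4 and the periodic reclassification review of 2.6, encoded as a small policy-as-code check. This is an added example, not code from the paper; the asset, user, steward and group names are constructed.

```python
"""Policy-as-code sketch of sections 2.4-2.6: a three-level data classification
(public / internal / confidential), a need-to-know access decision and the
periodic reclassification review. Example code, not from the paper."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0        # may or must be open to the general public
    INTERNAL = 1      # proprietary/privacy-sensitive; authorised staff only
    CONFIDENTIAL = 2  # limited, specific use by a named need-to-know group


@dataclass
class DataAsset:
    name: str
    level: Classification
    steward: str                      # Data Steward responsible for the review
    last_reviewed: date               # date of the last classification review
    need_to_know: set = field(default_factory=set)  # groups; CONFIDENTIAL only


@dataclass
class User:
    name: str
    is_staff: bool                    # authorised user of the organisation
    groups: set = field(default_factory=set)


def may_access(user: User, asset: DataAsset) -> bool:
    """Access decision: public is open to anyone; internal needs an authorised
    user; confidential additionally needs membership of a need-to-know group."""
    if asset.level == Classification.PUBLIC:
        return True
    if not user.is_staff:
        return False
    if asset.level == Classification.INTERNAL:
        return True
    return bool(user.groups & asset.need_to_know)


def review_overdue(asset: DataAsset, today: date, period_days: int = 365) -> bool:
    """Reclassification check (2.6): the Data Steward must re-evaluate the
    assigned level at least every `period_days`; annual is the default."""
    return today - asset.last_reviewed > timedelta(days=period_days)


# Constructed sample: a payroll file restricted to the HR workgroup.
PAYROLL = DataAsset("payroll-2019", Classification.CONFIDENTIAL, "hr-steward",
                    date(2019, 1, 15), need_to_know={"hr"})
```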

Posted: 30/01/2020, 10:18