Sunday, January 29, 2012

Weekly Task II: Information Security Policies

What are information security policies?
Information security policies provide a framework for best practice that can be followed by all employees. An information security policy defines the organization's attitude to information, and announces both internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.

Why do we have them?
As we all know, installing antivirus software or even a firewall is not enough for full security. Not every attacker is external to the organisation. That doesn't mean the CEO should be suspicious of every employee in order to secure the company, but the possibility should not be ruled out. Employees can compromise colleagues' computers using tools readily available from the Internet when network security is poor. With such tools they can spy on others' actions, view information outside of their job function, stalk and harass others, and plant inappropriate content on others' machines. Sometimes employees, without knowing it, create "holes" in the network's protection through their own actions; in the context of eBusiness security this is called an "insider job".
– So why use security policies?
Implementing information security policies can prevent this and other threats. Writing these rules or policies is not very hard for IT specialists, but it is very important. They help to ensure that risk is minimized and that any security incidents are responded to effectively. Information security policies also help turn staff into participants in the company's efforts to secure its information assets, and the process of developing these policies helps to define what the company's information assets are. All in all, it is also important to keep the list of security rules short and clear. Sometimes employees do not read the rules, or throw the paper into the rubbish bin =), because they are so long.

What kind of things we should have in them?
Information security policies should cover such things as:
1) Strong firewall protection, in order to protect against harmful websites with inappropriate content or malware.
2) Personal authorisation (no employee is allowed to tell their password to anyone else).
3) Logging out and shutting down computers after every use.
4) Keeping laptops in a secured place.
5) Keeping anti-virus software up to date.
6) Installing software is possible only for the company's administrators, who are responsible for it.
7) Checking all external hard drives and memory cards for viruses automatically with the anti-virus software.

How can we guarantee that things included in security policies are really used?
1) Web cameras placed behind the employees.
2) Special instructions and lectures for employees.
3) Strong administrator passwords.
4) Regular checks for viruses and other problems.
5) Serious penalties for actions that do not follow the instructions/rules.

References:
Peltier, Thomas R. (2002). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Auerbach Publications.
