Policy and Procedure Development in IT - Admission/Application Essay Example

of the of the 8th November Information Security Sift Skills Information security is a misunderstood concept, as some organizations relate it to the technical excellence. Likewise, they often miss the concept of addressing information security holistically. Information security has three pillars i.e. Confidentiality, Integrity and Availability. Confidentiality related with any information that is personal, need to be protected and information that is uniquely identifying meaningful data. Integrity is associated with any data that loses its originality and the recipient receives amended data. Availability simply related to non-availability of data when it is required. Examples for these three pillars are: Confidentiality: personal information, mission critical information exposed Integrity: Original email is amended and the recipient do not know Availability: Email is required to fulfill a task and it is not available. For minimizing the threats to information security, a continuous cycle comprising of process, people and technology is required. Likewise, the processes will be made for effecting handling information security practices both for technical and management domain. People need to be aware of threats associated with information security. For establishing awareness, a continuous information security awareness program is required that will aware all employees of the organization for associated risks and current threats. Furthermore, the technology part will also play a critical role as technical controls can be implemented via technology. These practices will help us achieve risk mitigation on critical assets at an acceptable level and they can be transferred, mitigated and avoided. A security manager must establish policies, standards, procedures and guidelines to make a repeatable and documented security practices within the organization. Security breaches are constantly happening and there is a requirement of periodic security risk assessment to address potential vulnerabilities and mitigate threat by implementing controls. Moreover, security governance is considered as a pre-requisite before establishing a security management program within the organization. Security governance facilitates in creating awareness at the senior management and board of the organization. Once the advantages are understood, the security management program will be successful to some extent and management will actively participate in every day security functions, as security is a responsibility of all personnel. Communication Skills Communication is a vital soft skill of information security personnel, as he or she needs to organize and manage people and establish communication with the senior management in a business language, while excluding the technical details. Likewise, the personnel must have adequate technical knowledge to understand the system and take decisions. Moreover, for enhancing communication, information security personnel need a soft skill for translating technical requirements in business terms and communicate the same to the senior management. For instance, in a steering committee chaired by the president and chief executive officer, the information security personnel needs present and map information security objectives with the business objectives. Moreover, a dollar value also needs to be incorporated with the investment on the information security function. Policy and Procedure Development For providing improved functionality for the organization, policies and procedures must be defined. They play a vital role for an organization’s smooth functioning. In order to implement policies and procedures, group discussions are required for constructing and implementing them in a real world scenario. The first requirement is to differentiate both of them. A security policy comprises in the form of a document or rules that specify the statement ‘What must be done’ in order to assure security measures in the system or the network. Whereas, procedures are associated with the rules and practices that are implemented in order to impose the rule. For instance, in a network security scenario, where there is a requirement for preventing the wireless network, anonymous access must be blocked. Likewise, the security policy document will define ‘What needs to be done’ to block anonymous access for a wireless network. Whereas, the procedures will define the practices and rules that needs to be followed in order to block the anonymous access. After differentiating both the security policies and procedures, these two are associated with development and administration in an organization. The term security in terms of development and administration is more like a management issue rather than a technical issue in an organization. The justification is to utilize and classify employees of an organization efficiently. Moreover, from the management perspective, discussions take place for describing various vulnerabilities and threats along with the creation of policies and procedures that may contribute for the achievement of organization goals. After the discussions and alignment of policies and procedures to contribute for organization’s success, the development process is initiated at a high level, and afterwards implemented at lower levels within an organization. The conclusion reflects the development of policies and procedures, requirement of an approval from concerned personnel and then implementing them smoothly for the employees. On the other hand, initiation of these security policies is easy and not expensive, but the implementation is the most difficult aspect. If the development and administration do not comply effectively, or fails to establish awareness between employees related to the policies and procedures, the disadvantages may affect inadequately for the organization. For instance, an attack from a social engineering website such as ‘Facebook’, ‘twitter’, or ‘MySpace’ may extract sensitive information from senior or trusted employees of an organization. If the policies and procedures were understood or implemented properly, employees will be well aware of not providing any credentials or they will verify authorization before providing information on the sites Awareness Skills Information security personnel must raise the awareness level of information security within the organization. There are many ways to achieve this goal, as he or she must be updates about the recent security breaches, threats, spyware, adware, and malwares reported. A security bulletin or a security flyer can be circulated to all staff containing a small video or power point presentation or a graphical image identifying risks associated with the recent security vulnerability discovered. Moreover, awareness level can also be achieved by face to face communication, as training plans needs to be conducted to all staff and segregations needs to be established between the technical and non-technical staff. Human Resource Checklist The credentials of the candidate needs to be evaluated specially in the context of organization’s trade secrets specifically the one that can be tracked on the Internet. Likewise, the trade secrets may incorporate access codes, credentials, top secret research that contributes to the strategic objectives and continuing existence of an organization. An extensive pre-employment security checks on (Evans and Reeder): Academic Achievements Elementary Grades Experience Letters Any involvement in a crime/cyber-crime/ embezzlement/fraud etc. Communication skills checks on (Evans and Reeder): Excellent Communication skills both written and verbal along with persuasion, narration and imparting Translation of Jargons in a generic message Work Experience checks on (Evans and Reeder ): Any previous anti-espionage incident incorporating people, process, technology, documentation, monitoring capabilities along with regulatory compliance Any incident response process successfully accomplished Business Continuity and Disaster Recovery Planning drill previously accomplished Leadership abilities checks on: Officially an information security representative of the organization if required Capability of establishing communication with different senior management employees Lead the information security team to its full potential Apart from the above mentioned checklist, there are numerous cultural factors that may include candidates coming from top educational universities or one of the most successful employers in the market. Moreover, if an information security personnel candidate is coming from an International Standard Organization certified organization, it will be an added advantage. Work Cited Evans, K., and F. Reeder. A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters. Center for Strategic & International Studies, 2010. Print. Read More