The Role of Information Security Policy - Essay Example

The Role of Information Security Policy Information is the strategic asset in an organization since it contains all the crucial planning in their running. Information systems security policies are the central repository that protects the assets of an organization by addressing threats. This has made many organizations to prioritize in developing information security policies to avoid damages. Therefore, an Information Systems Security strategy ensures effective procedures as well as assists for information security across the whole organization. The size and nature of firm normally influences the sophistication and scope of a security policy. Regardless of all these, the essence for a security policy on information systems is unquestionable. Importance of Policies These security policies and standards are of use to inform employees of firm their duties for protecting and safeguarding information systems of their organization. The policies state the mechanisms under which organizations can carry out these responsibilities. They also give an organization the baseline to get, configure and appraisal information systems for compliance with the policy in operation. The tools of information security system without its policy, it limits its usefulness. Policies and standards are essential in distributed computing location as a means of putting up security discipline for a big and different population of users that is reachable through formal auditing and communications. This strategy is of great importance when dealing with temporal personnel or those under contracts. Policies must show the accepted ways of an organization but also take full advantage of all methods for effecting behavior and spreading of information within a distributed computing location (James et al, 2012). Policies are of more importance in distributed computing locations than a centralized one due to the increased problems of restraining activities coming from a remote location. These policies must therefore be complete and stated clearly to minimize the number of instructions and explanations that the organization requires to handle so that they can be sure there is understanding. Here, they should have identifiers and description generally for business functions and units so that they can surpass changes of the organization (James et al, 2012). Role of Employees Employees play a major role in maintaining information system security. Their main role here is to study and have a close relationship with the IT section so that they can indulge when there is security incident. It is the responsibility of every employee to benefit from workplace security seminars and training so that they can easily understand the firm’s policies through information, knowledge and insight (Vacca, 2013). Employees should also employ diverse communication channels meant to keep themselves updated on technology as well as managing their conducts concerning security. Attending security seminars is essential in acquiring of knowhow and other critical tips that could be of help in managing the security of information systems. With the required knowledge, employees can recognize the policies in place and they can be applicable in everyday life of the organization (Vacca, 2013). With this kind of awareness, they can execute Employees Information Security Management Model for sketching perceptions to enable every personnel attain a target. Employees also have the responsibility of knowledge sharing meant to equip themselves as well as bringing up new ideas of policies that other people did not understand. Knowledge sharing encourages different topics as well as new concerns into a conversation such they can brainstorm on a particular policy to allow understanding and modification where necessary. Sharing knowledge and new ideas enable integration and circulation of knowledge within the organization. Through processing of Information Security Management Model, there isdispensation of centralized knowledge by having a security culture that rises from knowledge sharing. Different Levels of Security Information system owners can institute own levels of system security whose bases embrace confidentiality, criticality to the firm’s mission as well as integrity. There are three levels of information security. They include low, moderate and high security levels whereby the first bears a perceptible effect especially on mission, firm’s trait and its roles (Metheney, 2013). In case there is breaching at this level, it would lead to a negative consequence or would result in damages that need repair to a resource. Moderate security level is very serious since it leads to severe impairment to the mission, reputation, and function of an organization. The impact of breaching would place the agency in a disadvantaged situation leading to massive damages that need comprehensive repair to its resources. High security level is catastrophic and leads to a total loss of mission capability for period. It can also result in major loss of assets and can be a threat to human life (Metheney, 2013). The security policy of an organization relates to the different levels of information systems security depending on the type of information handled. Security policy relies on the level of information securityan organization has. In the policy is where the organization has its plans of protecting its information technology assets. How to Administer Organization Policies and Standards For security policies and standards to be most effectual, issuing of policies must be at the highest level of the organization and applicable to every unit. It is necessary to publicize the policies, every employee must follow, and all policies must be under monitoring. A selected set of policies should be applicable to every staff and documentation of every staff’s expectation within the organization. Policy administration in an organization consists of identifying policy needs through evaluating policy suggestion, institutional experience, and monitoring technological and legislative progress. There is drafting of initial policy language then a small group of stakeholder reviews and input the policy before editing based on the input. A bigger group of stakeholders then reviews and input then edit based on the input. The administration of the organization posts and announces the policy the educational activities on the policy to employees follow. Maintenance of the policy involves reviewing occurs after every 3 to 5 years. How Organizations Manage Different Levels of Security for Different Levels of Personnel An organization may have different policies to cover different information security. Firm may also have high-level policies supposed to address issues at the enterprise level and lower level policies that involve particular tasks and methods of data protection. Formation of a logical tree can be in place to show the relationship of all these policy documents of the organization hence form a complete Information Management Policy for the organization (Barker & NIST, 2012). An employee’s accessibility to organization information largely depends upon one’s position in the organization and his or her role. Mostly, the power to access vital information regarding an organization is more to those in the top ranks compared to junior workers who have access to limited information. In situations when junior employee needs to access the crucial and top-secret information, he or she has to get permit from a relevant boss such that in case of any breaching, observation of security protocols can be much easy. References Barker, E., & National Institute of Standards and Technology – NIST (U.S.). (2012). A framework for designing cryptographic key management systems. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology. James, A., Stephen, M., Franklin, W., & Peters, A. (2012). Information Security Policy Trend as a Foundation to Protecting Information Resources. International Journal of Computer Science and Telecommunications, 3(4). Retrieved http://www.ijcst.org/Volume3/Issue4/p11_3_4.pdf Metheny, M. (2013). Federal cloud computing: The definitive guide for cloud service providers. Amsterdam ; Boston : Elsevier/Syngress Vacca, J. (2013). Computer and information security handbook. Amsterdam: Morgan Kaufmann Publishers is an imprint of Elsevier. Read More