Importance of Information Security Policy - Coursework Example

Importance of Information Security Policy Affiliation Importance of Information Security Policy Information security policyensures the credibility of information by safeguarding it from unauthorized infiltration. In today’s high technological world, the importance of information security policy is essential to all business models. Information security policy offer essential support to security professionals who endeavor to minimize the risk profile of an organization and fend off threats, both internal and external. Today’s technological advancements have seen organizations and businesses invest heavily in on-site and off-site storage on data and information. This is a businesses’ intellectual property. This intellectual property, must, however, be accessed by the employees and be transmitted throughout the organization using different mediums. Therefore, safeguarding the access and transmittal of the intellectual property is of paramount importance, hence, the need for a comprehensive information security policy. Information security policy is a compilation of guidelines, procedures and processes, which ensure safety of information in a business or an organization. It aims at helping an organization safeguard its intellectual property from unauthorized access, inspection modification, perusal, use, disclosure, disruption, recording or destruction. It involves all collective activities that protect data, information and information systems. The policy should also include the security of the employees and all stakeholders involved in the organizations. An efficient security policy is an essential pillar of a proper security practice. The trouble, however, is that very few organizations invest ample time to create decent policies; instead they settle for sample policies from the web or borrow from a performing organization’s policy. The result is a security mess that often leaves the organization open to unpredicted security risks. A comprehensive policy, however, should cover all security concerns, from the user and the responsibilities thereof, to the actual information and all the standard security issues. Workman, Phelps, & Gathegi (2013), view the primary role of managers as far as security goes, as providing well-defined procedures of identifying and managing security risks. According to Workman et al.’s (2013) view, security is a behavioral issue. Therefore, a security manager’s aim is the mitigation of risk exposure by employing threat identification procedures, asset appraisal and control, as well as a reduction of losses associated with threats. A manager will, therefore, have to, “survey and classify assets, conduct security reviews perform risk analysis, evaluate and select information security technologies, perform cost/benefit analysis and test security effectiveness” (Workman, et al., 2013, p. 101). These are all factors that should be factored when developing an effective information security policy document. It not only ensures security of information, but also enhances its access and dissemination thereof. Information is useless if not disseminated to the right person at the right time. Therefore, an effective information security policy must bear guidelines on secure information dissemination channels within an organization. Effective dissemination and flow of information is vital to an organizations overall goal achievement. Layton (2007) poses the question whether the information security policy supports the business objectives of the organization. He supports the idea that the information security policy document should not be a restricted circulation document, but rather, be made available to all employees and users. According to him, the information security policy document should also be availed to external third parties of the organization’s security systems. Grama (2011), supporting this idea, argues that communicating the policy to all employees is fundamental in assisting them find resources and effectively follow the policy. This will ensure that all stakeholders are privy to the overall security objectives of the organization. The center of every organization is its intellectual property (Kim & Solomon, 2012). Every business enterprise takes pride in having robust R&D. This ensures enterprise, continuity and growth of the business. This, in turn, means the organization gathers and stores lots of research data and information. This huge amount of data may be comprised, damaged or even lost to any nature of security risk. The risks include acts of malicious sabotage, theft, terrorism and even natural disasters (Richardson & Charles, 2013). An effective information policy, therefore, outlines effective measures of data backup and recovery. If an organization is unable to curb the problem of data loss, then the critical role of research and development would then become futile while the massive research gains goes to absolute waste. This will harm the business in the long run. Many consumers and even employees would be deterred from engaging an organization with compromised security information practices. Therefore, in light of these challenges, developing and maintaining a water-tight and effective security policy ensures and organization of trust, effectiveness in operations, outstanding reputation and success. The security and efficiency of the data within any organization rests solely on the organization’s security policy. This security also affects the handling of third party personal information. In most cases, this information is non-public. Therefore, the trust issue, also reffered to as fiduciary duty, becomes a concern. The handling of this non-public personal information is to be executed in accordance to a strict set of federal, state and organizational regulations. The overall aim of the security policy is to help the management achieve its fiduciary duty, by providing a safe and secure atmosphere (Peltier, 2013). Adherence to these regulations is fundamental in ensuring better relationship between an organization and its clients. In many cases, inability to adhere to these regulations and rules have left many organizations grappling with massive costs arising from claims of breach of the fiduciary duty. Many of these claims arise from clients whose personal details have been unlawfully accessed by third parties. An effective information security policy should boost employee efficiency in an organization. Total security can lead to non-productivity. Therefore, the policy document should be flexible enough to ensure productivity while remaining effective to mitigate security (Vacca, 2013). An effective information security policy is a high-level document that intricately guides all stakeholders, from the top management, the information system custodians, the system administrators and finally the end users. It achieves this important role without, clearly stating the role of each party. An effective information security policy enhances the efficiency and productivity of an employee. The ensuing practices will eventually boost the efficiency of an organization. According to Johnson (2011), well-defined security policies, reflecting the overall reasonable organization’s expectation, are key to employee efficiency. In cases where reduced practicality characterises a security policy, then its upon the management to lower the security policy, but in the context of the business or organization in question (Garzia, 2013). However, the effectiveness of a security policy can be deterred or enhanced, by the way, it is development as well as its implementation. Therefore, an information security policy document should not be restrictive to creativity and innovation. A major hindrance in the effectiveness of a security policy is its medium of dissemination to the involved parties. If a security policy document employs management terminology and technical jargon, instead of a practical reading level, chances are the employee will not understand and will treat the whole policy with indifference. Complex security jargons in a policy document are major hindrances in its effective implementation. As later portrayed, many employees view security details as a waste of time, particularly when the language hinders comprehension. Language, therefore, can be a huge barrier to a policy’s implementation. However, the standards and processes, which emanate from a policy framework, create room for more enterprise and innovation. This is essential in providing actual guidance in a precise manner. An information security policy will not be effective as we have seen earlier if it is not fully understood and implemented in an organization. The effectiveness of the policy, therefore, is dependent on the organization’s personnel participation in the information security activities. They should also be willing to comply with security procedures and policies (Herold, 2010). In a situation where an employee explicitly refuses to comply with policy, the organization should have, incorporated into the employment contract, a framework that calls for the termination of such. Refusing to adhere to policy should be treated as refusal to work. This should amount to grounds for termination, unless, the security policy document does not put the safety interest of the involved parties first. Several measures can, therefore, be viewed as essential to the effective implementation of an information security policy. These measures not only involve the employees, they include third parties such as contractors and consultants. Herold (2010) suggests employee motivation through appraisal and responsibilities. She suggests the inclusion of security assignments to the job description of an employee. This, she insists, not only avoids endangering assets, but also serves to protect the employee, while ensuring adherence to policy. This also creates room for employee accountability for the organization’s information assets. She further suggests that an initial commitment to the security and privacy policy of the organization during employment, and consequently on an annual basis, will ensure that third parties and personnel have exhaustively reviewed the policies and that take responsibility thereof. The incorporation of information security into the job descriptions of employees will enhance motivation and accountability. The personnel will also desire to learn and follow the security and privacy requirements as outlined in the information policy document. All employees and third parties such as consultants and contractors should be made accountable for compliance with security as well as adequate use of policies. This should be aimed at enhancing the protection of the organization’s information as well as its assets. Herold (2010), directs, “job descriptions for security personnel should detail the systems and processes they will protect and control processes for which they are responsible” (p. 41). Layton (2007) considers involvement of management as essential in all levels of a security policy control. Management is essential if the policy control is to be effective. In many instances, organizations often fail to recognize the need to senior management support. Management, however, should not be considered only for the funding support, but for the entire process. This serves as a challenge to the junior staff to take part in the policy implementation process. This should not be viewed as a one-time effort, but rather a continual process. This will ensure appropriate update and review of policies. The effectiveness and applicability of an information security policy should be tested against a matrix of qualifying events, arising from continual monitoring, evaluation and updating. The management should also establish, support and sustain a rewards and penalties program on security and privacy. Where such a measure applies at all levels, risk levels are addressed appropriately favouring business growth. Whereas one cannot eliminate all the risks involved in securing information, proper security and privacy policies are paramount in ensuring applicable regulatory and legal requirements are addressed fully. This not only ensures protection of security assets, but guarantees the privacy of confidential information. All these, however, should be implemented on a scale that ensures that the measures employed are not costly than the risks (Herold, 2010). Grama (2010), views security awareness training as essential, since employees play a major role in the attainment of the organization’s security objectives. She, however, also points out that many employees view security training as a waste of time. In light of this, therefore, using a simple program that appraises results through a consistent and general scale of performance, will challenge the employees to change their perception towards security policy (Herold, 2010). Since the policy is addressing risks facing information, it should also entail a structure for risk assessment and management (Layton, 2007). According to Layton (2007), the information security policy should also reference other policies and standards and control procedures as appropriate. The setting up and updating of security features should be catered for in the security policy. These security features consist of anti-virus application on local computers and servers, backup of crucial data and information and securing them offsite in secure virtual servers, ensuring data, information and business dealings as well as preparing the user fraternity on their responsibilities in the managing of information. These features can be high landmarks in ensuring the overall organizational effectiveness. Whereas no information system can be watertight in matters of security, appropriate policies are a proven strategy that ensures swiftness and efficiency in recovering from faults and improves the general productivity of an organization. In conclusion, information technology and network systems have influenced all aspects of life today. Each one is dependent on technology in one way or the other. People use technology and information stored by an organization, on a varied array of systems, for familiarization and educational purposes. Uses of information vary from communication through a simple phone call, to intricate transaction such as financial dealings in virtual online money markets. Access and delivery of services can not be left out of this group. Given all of the merits above, it becomes paramount to preserve the integrity of information. As stated earlier, information security policies ensure the credibility of information by safeguarding it from infiltration. Compromised information leaves an organization reeling from expensive liabilities and operational costs. Therefore, information security experts recognize the crucial role of ensuring mitigation of this risk. A comprehensive policy will also ensure proper outlining of information backup and recovery plans. This will guarantee business continuity in the occurrence of an unprecedented security breach. Information security policies also help an organization adhere to government laws and regulations, as well as internal security procedures in a bid to protect vital assets, as well as infrastructure. A comprehensive information security policy will help maintain a standard level of information confidentiality, reliability and accessibility. These, in turn, will ensure an organization remains competent in its processes. The organization will also achieve general success in its operations. References Garzia, F. (2013). Handbook of Communications Security. WIT Press. Grama, J. L. (2011). Legal issues in information security. Jones & Bartlett Learning. Herold, R. (2010). Managing Information Security and Privacy Awareness and Training Program (2nd ed.). CRC Press. Johnson, R. (2011). Security policies and implementation issues. Jones & Bartlett Learning. Kim, D., & Solomon, M. (2012). Fundamentals of information systems security. Jones & Bartlett Learning. Layton, T. P. (2007). Information security: design, implementation, measurement, and compliance. Auerbach Publications. Peltier, T. R. (2013). Information Security Fundamentals (2nd ed.). CRC Press. Richardson, T., & Charles, T. (2013). Secure software design. Jones & Bartlett Learning. Vacca, J. R. (2013). COMPUTER & INFORMATION SECURITY HANDBOOK (2nd ed.). Morgan Kaufmann Publishers. Workman, M., Phelps, D. C., & Gathegi, J. N. (2013). Information Security for Managers. Burlington, MA: Jones &Bartlett Learning. Read More