StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Developing Security Policy - Essay Example

Cite this document
Summary
The paper "Developing Security Policy" discusses that generally, we define a security policy to protect the information assets, which may flow through the transaction management system of an organization, against unauthorized access and external threats. …
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER95.6% of users find it useful
Developing Security Policy
Read Text Preview

Extract of sample "Developing Security Policy"

Developing Security Policy By Affiliation Table of Contents Introduction A policy is a ment of intent and uses to describe the rules that govern the operation of an organization. It outlines an appropriate course of actions that must be followed in order to comply with business rules and achieve the business goals. Additionally, a policy is a shortest link between an organizations "vision" and their daily operations. In addition, Policies classify the main activities and provide clues for decision makers to handle issues as they arise. Moreover, this is accomplished by listing a variety of alternatives that can be used to make proper decision in order to solve a problem (Olzak, 2010; Shelly et al., 2005; Laudon & Laudon, 1999). A security policy specifically is the imperative foundation on which a valuable and complete security program can be developed. This significant constituent of the overall security architecture is usually ignored. A security policy is the most important way in which management’s decision for security is converted into specific, measurable, and testable goals and objectives. It is essential to take a top down approach (defining the policy and then roles and responsibilities to enact it properly) based on a well-stated policy in order to make an effective security architecture. On the other hand, if there is an absence of a security policy guiding the decision makers, then decisions will be made on ad-hoc bases, by the individuals developing, installing, and maintaining computer systems, and this will result in a disparate and less than optimal security architecture being used or implemented (Weise & Martin, 2001). The structure of this report is as follows: next section describes the components necessary for developing and defining the policy then a policy is developed to govern the transaction management system of an organization. Components of Security policy The elements of an issue specific policy consist of purpose, objectives, scope, roles and responsibilities, general policy, and compliance (Olzak, 2010; Patrick, 2001). Purpose  It characterizes the challenge or issue that management is dealing with. It might include regulatory restrictions, security of highly significant data, or the appropriate utilization of certain technologies. Sometimes, it may be needed to describe terms. It is also vital that everyone involved in the policy, must understands its content. Moreover, the conditions must also be stated under which policy is applicable (Olzak, 2010; Patrick, 2001). Objectives  Objectives are usually specified within the scope definition and may take in actions and configurations forbidden or restricted. In addition, these are also normally defined outside a policy, conditions and organizational practices may necessitate placing certain standards and guidelines in this section. However, in this part we classify the outcomes that we use to expect from enforcing the policy (Olzak, 2010; Patrick, 2001). Scope  Scope specifies where, when, how, and to whom the policy applies. This clause should explain who (employees, departments, etc.) must comply with this policy. And what is not included in the scope of corresponding policy that is the personnel and items related to another policy (Olzak, 2010; Patrick, 2001). General policy The general policy should enclose statements, explaining, in general, why this policy is necessary for instance to guard organization’s assets from demolition or leakage of information, to make certain the confidentiality, availability and integrity of information. It should explain terms used throughout the policy, if necessary (Olzak, 2010; Patrick, 2001). Roles and Responsibilities  This clause must categorize the business units (departments) or persons accountable for the range of areas of implementation and enforcement of the policy. Organizational responsibilities are for persons like; Vice President responsible of e.g. Information Systems Security, Chief Information Officer, Chief Information Security Officer, etc. Functional responsibilities typically involve Managers, Chief Technology Officer, and the Information Systems Security Officer etc. It must also include roles and responsibilities for all levels of management and employees who are affected by the corresponding policy (Olzak, 2010; Patrick, 2001). Policy enforcement This section includes the details about how to enforce the defined policy it may involve detail about the technology that will be used to enforce the policy (Olzak, 2010; Patrick, 2001). Compliance  This section must clearly state the possible penalties of not complying with the standards and guidelines listed in policy. Usually penalties may consist of lost of the privilege to use the organization’s resources, to termination for deliberate ignorance of policy (Olzak, 2010; Patrick, 2001). Security policy for the given scenario A transaction management system is fundamentally about tracking the transactions across the diverse environment. And the data it supplies not merely discloses the flow of transactions, however it also displays business details for instance the customer involved or the financial value of an individual transaction. Additionally, it provides business managers the information they need to prioritize transaction handling and problem resolution according to business impact. Since information, whether it is about customers or business is an important and crucial part of transaction management system. So a proper operation of a transaction management system is also concerned with crucial security issues like confidentiality, integrity and availability of information. There are basically three broad categories of risks that must be taken into account when dealing with information security (Turban et al., 2005; Hutchinson & Sawyer, 2000). Loss of Confidentiality When information is copied, accessed or used by someone not allowed to do so. This is particularly true for the corporations that use to store personal information for their clients such as credit card companies, bank and loan companies, medical and insurance records (Williams, 2007; Pesante, 2008). Loss of integrity Integrity of the information is about the assurance that information is not changed from the intended form. In addition, it is about the consistency of information’s format. However, the hacking attacks can modify information in some unexpected ways. It is very critical for the systems involving transactions such as air traffic control, funds transfer and financial accounting (Williams, 2007; Pesante, 2008). Loss of availability This kind of threat is also very serious since information may not be accessible or readable when one might desperately need that. This can be very damaging in context of corporation in which the task of department corporation depends upon the information coming from some other department for instance supply chain system in which delivery of a specific product (task of shipping department) to a customer depends upon the information coming from billing department (Williams, 2007; Pesante, 2008; She & Thuraisingham, 2007; Vaidyanathan & Mautone, 2009). Following is the policy which must be developed and enforced when aforementioned issues create threats for information consistency and may affect the operation of the organization. Purpose Purpose of this policy is to describe the course of action against threats to the information consistency like loss of availability, loss of confidentiality and loss of integrity. This policy will specify the principles underlying the security measures required to protect the organization’s information resources and promote appropriate use of the transaction management system. Scope and Objectives This policy applies to some organization’s entities and workers, and all involved systems or devices all over organization such as employees, information security officer, information owner, custodian and end users. It may include systems as computer systems (laptops or desk tops), information storage devices and sources such as databases or magnetic disks etc. The objective of this policy is to provide a guard against the following issues: Loss of confidentiality of information. Loss of availability of information. Loss of integrity of information. General Policy Since the information concerned with organization’s transaction management system is highly crucial so policy statement about maintaining the confidentiality, integrity and availability of information must include the following: Information is easily reached and usable upon demand by an authorized person. Information is not made available to unauthorized persons or processes. Some mechanism such as antivirus and firewalls is employed for information protection so information has not been modified or damaged by unauthorized entity such as hackers. Internal information is planned for unrestricted use within organization, as it is related to internal operations of the organization, it must be available to the concerned departments and in case of partnership, this type of information can be distributed within the organization without advance permission from the information owner but it must follow the partnership contract clauses. Internal Information may include: personnel information bank, internal rules and regulations etc. Unauthorized leakage of restricted internal information to partners may be illegal due to legal or contractual provisions. Public Information can be released publicly by a designated authority within each entity of organization. Public Information may include marketing brochures and information about organization on its web page. Public information may be disclosed outside of organization because of no contractual obligations. Roles and Responsibilities Information Security Officer: This person will be in charge for dealing with information owners, custodians, and users to define, specify and implement the policies, procedures, and controls. It includes Making sure that security policy, procedures, and standards have been developed and are followed by concerned entities. Providing essential security measures for all systems and users (such as antivirus for computer security etc) as well as providing all users with planned privilege to access the information. Guiding system’s developers in the implementation of security controls for information on systems. Guiding custodian and user management with complete information about security controls affecting system users and system. Conducting training sessions for on-going employee security education. Information Owner: This person will responsible for the creation of that information. The owner of information has the responsibility for: Knowing about which information is under his responsibility. Making sure that suitable procedures are applied to care for the integrity, confidentiality, and availability of the information used or created within the corresponding department. Allowing access and handing over custodianship. Reporting without delay to the information security officer about the loss or misuse of organization’s information. Applying the remedial actions when problems are recognized. Following approval processes within the respective organizational unit for the acquisition, and implementation of any computer system or software to protect the information. Custodian: this person will be responsible for the processing and storage of the information it also includes the administration of controls as specified by the owner. Custodian is responsible for: Providing and suggesting all the safeguards for information protection. Controlling access to the information. Disclosing information that is authorized by the Information Owner or the Information Security Officer for using mechanisms that protect the privacy of the information. Maintaining suitable information security policies, measures, actions, procedures and standards in consultation with the information security officer. Carrying out employees educational activities approved by the ISO, where appropriate. Telling information owners about the loss or misuse of corporation’s information. Identifying and reacting to security threats, risks and carrying out suitable actions in consultation with information owner and information security officer. User: Any person authorized to retrieve, create, or update information. A user of information can: Access or use information only in with respect to their authorized job responsibilities. Adhere to information security policies and standards established by the information owner and custodian. User must keep their authentication details, passwords and tokens, confidential Notify immediately to the concerning party about the loss or misuse of corporation’s information. Policy enforcement Certain technologies and devices are used in order to keep the information in consistent format and managing the risk for loss of integrity, confidentiality and availability of information. Virus scanning software is permitted by the Information Security Officer that ensures all electronic files are correctly scanned for viruses. Moreover, users are not allowed to disable anti-virus software. Some authentication method needed to be implemented for instance, username and passwords, biometric identification, authentication tokens etc. To protect information and authorize access to information, encryption algorithms and digital signature must be employed. To avoid the misuse of technology user must keep their authentication details, passwords and tokens, confidential. All computer software employed by corporation’s employees is the property of corporation and must not be copied or hired for use at home (personal use) or any other location, unless it stated by the license agreement. The user must log off the system when leaving it so his account may not be used by another person. Compliance This policy applies to all users of the organization including: employees, information security officer, information owner, custodian and users. Failure to comply with the Policy may result in serious action including termination of job according to organizational policies and laws. So, employees must avoid: Trying to get the password that belongs to another person. Using another persons password. Illegal use of an authorized password to attack privacy by investigating information that is secured. Installing unlicensed software on organization’s computers. Conclusion Policy in any organization is of crucial importance because it defines the rules that govern the successful operation of the organization. This report describes a framework for defining policy for an organization which includes defining components that constitutes a policy including, purpose of specifying the policy, scope and objectives, general policy statements, roles and responsibilities of the people affected by the policy, technologies use to enforce the policy and consequences after the violation of policies. Next, we define a security policy to protect the information assets, which may flow through the transaction management system of an organization, against unauthorized access and external threats. Usually an information security officer, information owner, custodian, and users are involved in the enforcement of such policy. Several technologies can be used according to the policy to provide protection against aforementioned issues threatening the information’s consistency. These may include encryption algorithms, digital signatures, anti-virus software, and authentication codes like passwords or PIN code to protect information from external attacks and ensure the authorized access of information. But it’s the responsibility of the information security officer, who is actually the policy owner and enforcer, to monitor that policy is being enforced properly and must track for any violations. Any violations of policy by the employees may result in several penalties, even the termination of their job. Bibliography Hutchinson, S.E. & Sawyer, S.C., 2000. Computers, Communications, Information A users introduction, 7th Edition. New York: Irwin/McGraw-Hill. Laudon, K.C. & Laudon, J.P., 1999. Management Information Systems, Sixth Edition. New Jersey: Prentice Hall. Olzak, T., 2010. Security Basics - Components of Security Policies. [Online] Available at: http://www.brighthub.com/computing/smb-security/articles/2259.aspx [Accessed 30 July 2010]. Patrick, W.F., 2001. Creating an Information Systems Security Policy. GSEC Practical Assignment. SANS Institute. Pesante, L., 2008. Introduction to Information Security. [Online] Available at: http://www.us-cert.gov/reading_room/infosecuritybasics.pdf [Accessed 31 July 2010]. Shelly, Cashman & Vermaat, 2005. Discovering Computers 2005. Boston: Thomson Course Technology. She, W. & Thuraisingham, B., 2007. Security for Enterprise Resource Planning Systems. Information Systems Security, 16(3), pp.152-63. Turban, E., Leidner, D., McLean, E. & Wetherbe, J., 2005. Information Technology for Management: Transforming Organizations in the Digital Economy. New York: Wiley. Vaidyanathan, G. & Mautone, S., 2009. Security in dynamic web content management systems applications. Communications of the ACM, 52(12), pp.121-25. Weise, J. & Martin, C.R., 2001. Developing a Security Policy. Sun BluePrints™OnLine. Palo Alto, CA: Sun Microsystems, Inc. Sun Microsystems, Inc. Williams, R.H., 2007. Introduction to Information Security Concepts. [Online] (1.7.12.7) Available at: http://www.rhwiii.info/pdfs/Introduction%20to%20Information%20Security%20Concepts.pdf [Accessed 30 July 2010]. Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(“Developing security policy (Security, Ethics and Electronic Commerce Essay”, n.d.)
Developing security policy (Security, Ethics and Electronic Commerce Essay. Retrieved from https://studentshare.org/miscellaneous/1568877-developing-security-policy-security-ethics-and-electronic-commerce-systems
(Developing Security Policy (Security, Ethics and Electronic Commerce Essay)
Developing Security Policy (Security, Ethics and Electronic Commerce Essay. https://studentshare.org/miscellaneous/1568877-developing-security-policy-security-ethics-and-electronic-commerce-systems.
“Developing Security Policy (Security, Ethics and Electronic Commerce Essay”, n.d. https://studentshare.org/miscellaneous/1568877-developing-security-policy-security-ethics-and-electronic-commerce-systems.
  • Cited: 0 times

CHECK THESE SAMPLES OF Developing Security Policy

Developing Cybersecurity Law and Policy

Developing Cyber Security Laws and policy Name: Institutional affiliation: Instructor: Developing Cyber Security Laws and policy Topic 1: Federal Register The Federal Register is an official document used by the federal government to notify its agencies on daily notices in regard legal notices.... The Federal Register is used by the relevant agencies to call for public participation in policy creation (Mead, 2004), as the majority of civil users bring in ideas that may not be available within federal workforce....
3 Pages (750 words) Assignment

Articles in Human Security Analysis

Chandler started his argument through citing the idea that global policy making overbearingly suggests two different views.... Since Chandler declined to elaborate the result of these actions, it is safe to assume that he falls short of accusing Tadjbakhsh and Chenoy for not considering the connection between normative theory and policy procedures.... Human security: The Dog That Didn't Bark Introduction Considering the gamut of human rights violations, murders, health and safety threats, and unresolved political and geopolitical conflicts, it is unquestionable why human security has become one of the global concerns since the past decades....
4 Pages (1000 words) Essay

The Language and Use of Acceptable Usage Policy

The paper "The Language and Use of Acceptable Usage policy " describes that despite having positive usage purposes, it has been observed that detection of abuse has remained a daunting task for investigators as the Internet has no international boundary separating one country from another.... cceptable Usage policy (AUP) refers to a set of policies that control and restrict access and usage of networks, systems, websites, and information as well (Johnson, 2014)....
7 Pages (1750 words) Essay

Food Security in Brazil

The paper "Food security in Brazil" states that the fact that food insecurity remains an unending issue, it is advisable to take note of the Brazilian Economy, understanding better how trade and better business helps boost the current level of food production.... The final part gives the recommendations that, if adopted, will significantly increase food security in Brazil.... The reforms that have been taken by the government of Brazil are clearly analyzed and the recommendations given will help increase the management of food and thus will help to boost food security....
7 Pages (1750 words) Essay

Developing the Corporate Strategy for Information Security

In this similar context, the CISO needs to preserve various security policies, processes along with guidelines, and monitoring the policy conformity with the established standards (the State of California, 2008).... This report "Developing the Corporate Strategy for Information security" discusses a chief information security officer that is often assigned to perform vital functions within an organization.... Moreover, the personnel also perform the operational duty in terms of securing the collected information relating to information security for a longer time period....
5 Pages (1250 words) Report

Food Security in Brazil

This work "Food security in Brazil" describes the management of food and food security in Brazil.... In general, the report will help to come up with better methods of food management and thus increase food security.... Since food security remains a chronic issue, it is also better to understand the economy of Brazil and how trade enhances food production in the country.... According to World Food Summit of 1996, food security was defined as a situation when all people at all times have access to sufficient, safe, nutritious food to maintain a healthy and active life'....
6 Pages (1500 words) Coursework

Human Security and the Face of War in United Kingdom

This paper ''Human security and the Face of War in United Kingdom'' tells us that human security refers to an emerging paradigm for comprehending worldwide vulnerabilities.... The proponents of security dispute the relevance of the concept of national security by asserting that the proper focus for security should be the individual.... Human security aims at protecting the 'vital core' of all persons such that the long-term needs are fulfilled (Alike, 2002)....
6 Pages (1500 words) Essay

Australia Defense Policy

This case study "Australia Defense policy" presents Australia's defense policy that has for more than two decades remained basically unchanged.... The Australian Defence policy, in my opinion, can be argued to be potentially beneficial in enhancing the security of Australia in several ways.... One of the major factors is based on the fact that the government policy of self-reliance offers priority to the capability of Australia to defend itself using its own resources....
6 Pages (1500 words) Case Study
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us