Question

Explain the importance of information security policies and the role they play in ensuring sound and secure business information. The answer to these questions is obvious. Security policies are essential in today’s world. However, the flip side to this is that at times these policies also cause problems. Discuss the following IT security policies and the level of protection each policy provides 1- Internet use policy, 2- External device use policy, 3- Employee identity (ID) policy, and 4- Computer use policy.

Answer #1

Answer:-

The purpose of security policies is not to adorn the empty spaces of your bookshelf. Just like bread left out on the counter goes stale after a period of time (those with kids know what I’m talking about), security policies can stale over time if they are not actively maintained. At a minimum, security policies should be reviewed yearly and updated as needed. It is good practice to have employees acknowledge receipt of and agree to abide by them on a yearly basis as well. In preparation for this event, review the policies through the lens of changes your organization has undergone over the past year. What new threat vectors have come into the picture over the past year? What have you learned from the security incidents you experienced over the past year? Take these lessons learned and incorporate them into your policy. Security policies are living documents and need to be relevant to your organization at all times.

One of the primary purposes of a security policy is to provide protection – protection for your organization and for its employees. Security policies protect your organization’s critical information/intellectual property by clearly outlining employee responsibilities with regard to what information needs to be safeguarded and why. When the what and why is clearly communicated to the who (employees) then people can act accordingly as well as be held accountable for their actions. Employees are protected and should not fear reprisal as long as they are acting in accordance with defined security policies.

Another critical role of security policies is to support the mission of the organization. Security professionals need to be sensitive to the needs of the business, so when writing security policies, the mission of the organization should be in the forefront of your thoughts. Ask yourself, how does this policy support the mission of my organization? Is it addressing the concerns of the senior leadership?

Of course, in order to answer these questions, you have to engage the senior leadership of your organization. What is their sensitivity toward security? If they are more sensitive in their approach to security, then the policies likely will reflect a more detailed definition of employee expectations. This approach will likely also require more resources to maintain and monitor the enforcement of the policies. A less sensitive approach to security will have less definition of employee expectations, require fewer resources to maintain and monitor policy enforcement, but will result in a greater risk to your organization’s intellectual assets/critical data.

Either way, do not write security policies in a vacuum. If you do, they will likely not align with the needs of your organization. Writing security policies is an iterative process and will require buy-in from executive management before they can be published.

Role of Employees

Another thing to note when developing a security program is the composition of the team that is in charge of determining said policy. Employees are a critical component to a successful security policy. Employees must fully understand the policy as well as have the motivation and accountability to adhere to it. Executive level employees are responsible for creating an awareness of why security policy is important. This leads to organizational buy-in, which is an essential tool for the organization to control the behavior of their employees. The Chief Information Security Officer (CISO) is responsible for technical strategy and policy creation and enforcement. Both technical and non-technical employees should be involved. Corporate level executives should have some say in the policy, but should rely heavily on the information security team. Legal teams should also be involved in the creation and changes of the policy in order to ensure that all policies and procedures could hold up in court if ever needed.

Implementation of policies and standards within an organization is important to maintain information systems security. Employees within an organization play a huge role in the effort to create, execute, and enforce a security policy. Every business requires a different strategy and approach to its security policy, depending on its size and nature of business.

Security Policies

An organization's security policy describes the company's management intent to control the behavior of their employees in relation to information security. A security policy is necessary to protect proprietary information within a company. Because security policies apply to employees at all levels in a company

Discuss the following IT security policies and the level of protection each policy provides:-

1- Internet use policy:-

An internet usage policy provides employees with rules and guidelines about the appropriate use of company equipment, network and Internet access. Having such a policy in place helps to protect both the business and the employee; the employee will be aware that browsing certain sites or downloading files is prohibited and that the policy must be adhered to or there could be serious repercussions, thus leading to fewer security risks for the business as a result of employee negligence. The Internet Usage Policy is an important document that must be signed by all employees upon starting work. Below is a Sample Internet Usage Policy that covers the main points of contention dealing with Internet and computer usage. The policy can then be tailored to the requirements of the specific organization.

This Sample Internet Usage Policy applies to all employees of <company> who have access to computers and the Internet to be used in the performance of their work. Use of the Internet by employees of <company> is permitted and encouraged where such use supports the goals and objectives of the business. However, access to the Internet through <company> is a privilege and all employees must adhere to the policies concerning Computer, Email and Internet usage. Violation of these policies could result in disciplinary and/or legal action leading up to and including termination of employment. Employees may also be held personally liable for damages caused by any violations of this policy. All employees are required to acknowledge receipt and confirm that they have understood and agree to abide by the rules hereunder.

2- External device use policy:-

The purpose of this policy is to define standards, procedures, and restrictions for end users who are connecting a personally-owned device to [company name]’s organization network for business purposes. This device policy applies, but is not limited to all devices and accompanying media (e.g. USB thumb and external hard drives) that fit the following classifications:

● Smartphones

● Other mobile/cellular phones

● Tablet computers

● Portable media devices

● PDAs

● Ultra-mobile PCs (UMPCs)

● Laptop/notebook computers, including home desktops

● Any personally-owned device capable of storing organizational data and connecting to a network

The policy applies to any hardware and related software that is not organizationally owned or supplied, but could be used to access organizational resources. That is, devices that employees have acquired for personal use but also wish to use in the business environment. The overriding goal of this policy is to protect the integrity of the confidential client and business data that resides within [company name]’s technology infrastructure. This policy intends to prevent this data from being deliberately or inadvertently stored insecurely on a device or carried over an insecure network where it could potentially be accessed by unsanctioned resources. A breach of this type could result in loss of information, damage to critical applications, loss of revenue, and damage to the company’s public image. Therefore, all users employing a personally-owned device connected to [company name]’s organizational network, and/or capable of backing up, storing, or otherwise accessing organizational data of any type, must adhere to company-defined processes for doing so.

3- Employee identity (ID) policy:-

The importance of an employee identity policy is to indicate that you are an employee of the company. Usually ID cards are issued to employees upon employment indoctrination. It also helps in differentiating people as employees and visitors, so that all unauthorized persons are kept away from certain places/sections in the company. It is also an important aspect of security and integrity of the company.

An employee identity policy is very important to the safe and secure operation of any business. They are put in place as ways to differentiate between employees, service technicians, vendors, and visitors. In many cases, employees are issued ID cards for building access and specific area clearance, and personal log-in information to verify that they are an authorized user. The badge could also contain a photo of the employee to further strengthen security. In order to monitor employee movement and location, whenever they use their badge to access somewhere, it should be kept in a log and time stamped. The ID access can also be changed from security management if the employee needs access somewhere else. For example, an employee at one branch can be given a temporary or updated ID badge to allow him entry at a branch a few towns away. This Employee ID policy ensures that only those who need to know certain information can access it, and is an important aspect of a company’s security policy. At XYZ, the bank tellers need access to customer bank accounts and credit information without the use of a password.

4- Computer use policy:-

Employee Computer Use Policy outlines a policy for an employer to adopt regarding the use of computers in the office by employees and the use of company-supplied computers and software services. The policy restricts certain computer and software uses in order to minimize personal use of computers and to reduce office distractions. It also provides the proper procedure for an employee to request a company computer. Employers should use this policy to clearly lay out employee expectations, protect company property, and shield itself from liability arising from improper computer usage.

Computers and networks can provide access to resources on and off campus, as well as the ability to communicate with other users worldwide. Such open access is a privilege, and requires that individual users act responsibly. Users must respect the rights of other users, respect the integrity of the systems and related physical resources, and observe all relevant laws, regulations, and contractual obligations.

Students and employees may have rights of access to information about themselves contained in computer files, as specified in federal and state laws. Files may be subject to search under court order. In addition, system administrators may access user files as required to protect the integrity of computer systems. For example, following organizational guidelines, system administrators may access or examine files or accounts that are suspected of unauthorized use or misuse, or that have been corrupted or damaged.
