IT Security Policy Framework
Information or IT security policy is a critical component of business that focuses on three best-practice aspects of data and information: confidentiality, integrity, and availability (CIA). Confidentiality entails preserving privacy so that only authorized personnel are able to view sensitive information. Integrity ensures that the authenticity and reliability of data are guaranteed, and that changes to data can be traced to specific users through audits. Finally, availability addresses accessibility of relevant data at the right time in the right form (British Standards Institution, 2001). Numerous standard frameworks are available to guide organizations in developing effective IT security policies. This security policy, developed for ABC Company, references the COBIT (Control Objectives for Information and Related Technology) framework, which links business requirements to IT objectives.
COBIT Framework
The framework is built upon seven components or information criteria that ensure IT supports business strategy and value delivery, IT resources are utilized prudently, IT risks are managed effectively, and IT performance measurement is sufficient to track and monitor progress. The first component is effectiveness, which ensures information is relevant to business needs. Efficiency concerns the availability of data using the most optimal and cost-effective means possible. Confidentiality entails preservation of privacy from unauthorized disclosure. Integrity is concerned with the validity and accuracy of information. Availability relates to the accessibility of information in the right form at the right time. Compliance is another component and is primarily concerned with ensuring that laws, rules, and regulations are observed in the handling of business information. Contractual agreements on the handling of data fall within this component of the COBIT framework. Lastly, reliability of data is addressed in the COBIT framework; this is concerned with the provision of the right information for management decisions (IT Governance Institute, 2006).
ABC’s IT Security Policy
Policy Title: Information Technology Security Policy
Responsible Office: Information Technology, Information Security Office
Endorsed by: Information Security Policy Committee
Contact: ABC
Effective Date: 2014
Last Update: 2014
Policy Statement
ABC Company possesses sensitive, valuable, and confidential information, some of which is protected by contractual agreement against unauthorized disclosure. Moreover, this information is critical to core business processes, and its unavailability or loss of integrity could harm the business. ABC Company, therefore, requires all staff to make deliberate efforts to protect information according to its security level.
All staff and contractors
Supervisors and Managers
In addition to the above responsibilities, all managers and supervisors must ensure that:
Information Guardians
In addition to the above responsibilities, all information custodians must ensure that:
III. Information Sensitivity Levels
All employees should rely on this scale to identify and determine the confidentiality level of company information.
vii. Contractual and Legal Compliance
ABC Company commits to abide by legislation, rules, and regulations regarding the confidentiality and privacy of information. These include:
Compliance
Business Challenges and Implementation Issues
Challenges are bound to arise within the seven components of information security addressed by the policy. Effectiveness may be hampered by weak organizational structures that limit the exchange of data in business processes. Data handlers may also compromise the movement and transformation of data between processes, affecting the accuracy and relevance of data. A good policy will close these loopholes and facilitate data processing (Smedinghoff, 2008).
Efficiency of data processes may be affected by a lack of strong accountability policies, which allows mismanagement of data resources and infrastructure. Clarity about business information needs is also critical to keep resource utilization in check. Confidentiality and integrity will mostly be hampered by staff. Research indicates that the biggest risk in information security is internal stakeholders who collaborate for selfish gains at the expense of the company. Care must be taken to ensure staff are fully aware of information sensitivity levels and the associated repercussions.
By contrast, the availability and reliability of business data will mostly be affected by infrastructure downtime. Each time a critical business application goes down, users are unable to fetch data and deliver on their mandate. The security policy will address this aspect. Compliance with existing legislation becomes a setback when the legal framework of the business environment is not clearly understood. The leadership of ABC Company must exercise due diligence by auditing business processes and strategy to ensure compliance from the strategy level downward (Scovel, 2008).
Finally, implementation challenges will arise regarding this policy. Resistance to change is real; aggressive awareness efforts must be put in place to bring all stakeholders on board and promote adoption. Goodwill on the part of management will be of prime importance in entrenching the policy within the organization. Training sessions are important to ensure staff appreciate the ideals of information security, as well as to clarify queries. A strong organizational structure is also a critical implementation parameter: it supports accountability, clarifies responsibility, and acts as a medium through which management objectives trickle down to the actual implementers. A security policy is a living document that needs regular review, with input from all stakeholders, in light of emerging threats, business needs, and the changing business environment (Fulford & Doherty, 2003).
References
British Standards Institution. (2001). Information technology: Code of practice for information security management. London: Author.
Fulford, H., & Doherty, N. F. (2003). The application of information security policies in large UK-based organizations: An exploratory investigation. Information Management & Computer Security, 11(3), 106-114. doi:10.1108/09685220310480381
IT Governance Institute. (2006). COBIT mapping of ISO/IEC 17799: 2005 with COBIT 4.0. Rolling Meadows, IL: Author.
Scovel, C. L. (2008). Audit of information security program: Department of Transportation. Washington, D.C.: U.S. Dept. of Transportation, Office of the Secretary of Transportation, Office of Inspector General.
Smedinghoff, T. J. (2008). Information security law: The emerging standard for corporate compliance. Ely: IT Governance Pub.