Need For Security Policy
A security policy is defined as “The framework within which an organization establishes needed levels of information security to achieve the desired confidentiality goals.”
The main aim of a security policy is to inform users, staff and managers of the mandatory requirements for protecting the technology and information assets of their company. The policy must clearly specify the ways through which these requirements can be met. Another purpose of a security policy is to provide a standard against which computer systems and networks are acquired, configured and audited for compliance with the policy. Hence an attempt to use a set of security tools in the absence of at least an implied security policy is meaningless.
It also defines what should be done when a user misuses the network, when there is an attack on the network, or when there is a natural outage of the network.
How is a Security Policy formed?
The diagram above gives a detailed explanation of how an effective security policy can be formed.
People responsible for forming a security policy.
For a security policy to be applicable and operational, it requires the acceptance and support of all levels of employees within the organization. The support of corporate management is crucial for the security policy process; otherwise there is little chance that the policy will have the desired impact. Below is the list of the people who must be involved in the creation of security policy documents.
1. Site security administrator.
2. Information technology technical staff (e.g., staff from computing center)
3. Administrators of large user groups within the organization (e.g., business divisions, computer science department within a university, etc.)
4. Security inc...
... middle of paper ...
...to be viable for the long term, it requires a lot of flexibility based upon an architectural security concept. A security policy should be (largely) independent of specific hardware and software situations (as specific systems tend to be replaced or moved overnight). The mechanisms for updating the policy should be clearly spelled out. This includes the process, the people involved, and the people who must sign off on the changes.
The use of cybersecurity policies within CSN is to provide security for the division's assets. The written policies provide guidance on implementation, through references to applicable standards and statements of best practices (Booz Allen Hamilton, 2012). As stated by Control Data Corporation, no asset can be 100% secure; network security is oftentimes focused on strategic prevention or reactive procedures, rather than on examination of the security policy and maintaining its operation (1999). Analysis therefore indicates that numerous breaches are often due to recurring weaknesses in the policy. “Even the most reliable, state-of-the-art technologies can be undermined or rendered ineffective by poor decisions, or by weak operational practices” (Control Data Corporation, 1999, p. 3).
Security architecture is a major component of a system’s architecture and is usually designed to provide important guidance during the development of the system. It usually outlines the assurance level required and, in the process, outlines the possible impacts that this level of security might have on the development process of the actual system. Since security is a major component of the success of any given business unit, it is necessary to have a fully functional and operative security system that meets all the necessary requirements of the organization. Some leading business firms are faced with the task of achieving and maintaining high security measures and methods. SecureTek, one of the leading providers of security solutions, is faced with the challenge of redesigning its security architecture to assure the security of its data and the firm’s other valuable assets, as well as ensuring the security of its customers and employees who encounter risky situations when visiting this business unit.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish the roles and responsibilities of all personnel and staff members. In addition, a Chief Information Officer should be appointed to direct the organization’s day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for ensuring that all of the rules and policies are followed, as well as for understanding their roles, responsibilities and functions. Organizations' information processing systems are vulnerable to many threats that can inflict various types of damage and result in significant losses (Harris, 2014). Losses can come from the actions of trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
For effective internal network security, policies and procedures need to be in place, and they need to be enforced from the top down. It is also a good idea to periodically review these policies and procedures to ensure that they still meet the requirements of the business. If IT can work together with the rest of the business, we can help to lessen the accidental and malicious threats that internal authorized users present.
The article “Security at Center Stage” depicts five secrets to a CSO’s success; it outlines the attributes needed to succeed in the evolving field of security management. With the evolving role of the CSO, there is a great necessity to satisfy all levels of need in the security and business setting. According to the article, a CSO’s success is contingent on being “more than the average techie”, having a “focus on business”, being a “relationship builder”, having “an eye toward pervasive security”, and implementing a “dual reporting structure.”
Implementation of policies and standards within an organization is important to maintaining information systems security. Employees within an organization play a huge role in the effort to create, execute, and enforce a security policy. Every business requires a different strategy and approach to its security policy, depending on its size and the nature of its business.
ISO 27001: Information Security Management System: This standard helps organizations implement security as a system rather than as numerous controls put in place to solve seemingly isolated issues. The standard covers the handling of electronic information as well as paper-based information. From the management perspective, this standard's main contribution is to formalize the concept of risk assessments and organize information security as a quality improvement activity. The standard includes the plan-do-check-act (PDCA) concept as well as the principle of continually assessing the organization, not just episodically (Murphy, 2015).
Security policies are a series of rules that define what traffic is permissible and what traffic is to be blocked or denied. These are not universal rules, and there are many different sets of rules for a single company with multiple connections. A web server connected to the Internet may be configured to allow traffic only on port 80 for HTTP, with all other ports blocked. An e-mail server may have only the ports necessary for e-mail open, with all others blocked. The key to security policies for firewalls is the same as for other security policies: the principle of least access. Allow only the access necessary for a function, and block or deny all unneeded functionality. How an organization deploys its firewalls determines what is needed in the security policy for each firewall.
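The following is an added example, not code from the original page, showing how the least-access principle described above translates into a default-deny rule set. The host names, the sample rule set and the sample packets are all constructed for illustration; the only port the page itself names is TCP/80 for the web server, so the mail-server ports (25 and 143) are an assumption. The block evaluates traffic against an explicit allowlist, denies everything not listed, and includes a small audit that flags rules which open "any port" on a host, since such rules defeat the least-access principle.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule for a destination host. port=None means 'any port'."""
    host: str
    proto: str
    port: Optional[int]


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet: only the fields the policy inspects."""
    dst_host: str
    proto: str
    dst_port: int


# Constructed sample policy (hypothetical host names, not from the page):
# the web server exposes only HTTP; the mail server exposes only the
# ports assumed necessary for mail (SMTP and IMAP). Nothing else is listed.
POLICY: List[Rule] = [
    Rule("web-1", "tcp", 80),
    Rule("mail-1", "tcp", 25),
    Rule("mail-1", "tcp", 143),
]


def evaluate(packet: Packet, rules: List[Rule] = POLICY) -> str:
    """Return 'allow' if some rule matches the packet, otherwise 'deny'.

    The final return is the default-deny stance: any traffic the policy does
    not explicitly permit is blocked, which is the least-access principle.
    """
    for rule in rules:
        if (rule.host == packet.dst_host
                and rule.proto == packet.proto
                and (rule.port is None or rule.port == packet.dst_port)):
            return "allow"
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Flag rules that open every port on a host; these violate least access."""
    return [f"{r.host}: any-port {r.proto} rule" for r in rules if r.port is None]


if __name__ == "__main__":
    # Constructed sample traffic: expected HTTP to the web server is allowed,
    # SSH to the same host is denied because no rule mentions it.
    for pkt in (Packet("web-1", "tcp", 80), Packet("web-1", "tcp", 22),
                Packet("mail-1", "tcp", 25), Packet("mail-1", "tcp", 80)):
        print(pkt, "->", evaluate(pkt))
    print("audit findings:", audit(POLICY + [Rule("web-1", "tcp", None)]))
```

The audit step is what a policy reviewer would run before deploying a rule set: a rule with no port restriction is exactly the "all other ports" exposure the paragraph says should be blocked.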
...This management’s main purpose is to control access to the network. Its security can be attained through authentication, authorization, and encryption. This management also gathers security information and analyzes it frequently. With security management in place, all users, external and internal, have access only to the appropriate resources on the network. Not only does this management manage all users, but also non-users. It watches for and protects against malicious attacks such as hackers, DoS attacks, malware, and viruses. It does this by monitoring the traffic that goes in and out of the network, looking for any suspicious packets.
According to information security governance, success is often limited by the inability to value the organisation's information and data. This creates the discussion on the need for security and the resources to be assigned to it.
The purposes of these security policies include protecting employees, clients and data; setting guidelines and rules for users; roles and limitations of human re; administrators and security personnel responsibilities and defining the consequences for breaking the policies set. According to Canavan and Diver (2007), organizational policies can also define the company consensus baseline stance on security to minimize risk and track the compliance level with regulations and
Developing a security culture within an organisation is about encouraging staff to respect common values and standards towards security whether they are inside or outside the workplace.