Importance of policies and standards for maintaining information systems security
Policies and standards exist for several reasons and are therefore important for keeping information systems secure. Many aspects and considerations are taken into account when making a system secure and keeping it that way. Many parties are involved in keeping information as secure as desired, and all of them must be trusted to keep the system secure. The employees who use the information system and interact with it every day are the best people to teach how to keep it secure, so that they do not become the source of information leakage and thus of data insecurity (Jenkins, 1997). The organization should implement several levels of security so that the system stays secure and is never left exposed to any shortcoming that can be avoided.
There are several reasons why policies and standards are maintained, and they begin with defining acceptable use. This sets out how those with access to the information may use it: for what purpose, when, and under what circumstances. Policies also provide access control standards. These cover how users are authenticated when logging in to the system, and password management, such as requiring passwords to be changed or made more complex to improve security, among other things. They also provide for anti-malware practices, which include when a full system scan should be run, how frequently to check for updates, and how to respond to a malware attack. These policies also provide audit and vulnerability assessment procedures. These cover, but are not limited to, how audits and vulnerability assessments should be conducted, how frequently they should be conducted, and how problems that have been detected should be handled. They also include client device security. This policy determines which programs may run on clients’ devices and what restrictions apply to them, thereby improving security. All of this is according to McLeod (1983).
These policies are also very important in providing email use and retention rules. These define acceptable use of the email service and dictate how messages should be scanned to keep out malicious software that could affect the system. The policies also provide encryption procedures. Encryption provides a way for data to be sent securely over a system and read at the other end without an intermediary being able to access it, which renders data and information very secure. They also provide for data and information privacy, setting out which information is considered private and which is public and may be accessed by everyone. A risk analysis policy and procedure defines a company’s level of risk tolerance and how its information should be valued. Server security is another important measure, and it is exercised when choosing which operating system a server should run. This is commonly done by choosing an OS with a good security reputation, so that the security level can be tightened to prevent the compromise of information (Preston, 2001). All of these are policies that can be implemented so that security can be achieved, hence the importance of maintaining them.
According to Jenkins (1997), employees and other workers in the organization whose information system is being secured play a very important role in ensuring that information and data security is top notch. Everyone, from the people working as security staff to the top managers of the organization, should be taught how to recognise when something is not going well. Security personnel will carefully identify intruders who intend to implant dangerous devices within the perimeter of the organization’s servers, and will report them so that the necessary action can be taken. Other workers and employees should also be taught how to detect errors in the system so that they can report them as soon as possible, since they are the ones using it all the time. They should also be in a position to know when the system has been compromised.
There are normally eight levels of security involved in information systems. All of these levels are used to ensure that security is the top priority and that no unnecessary risk is left open. The first is a risk management framework. The second is a written document that informs everyone of the company’s plans for ensuring the safety of its IT assets. The third is logging, monitoring and other documentation and performance metrics. The fourth is the virtual perimeter that ensures data is physically protected and safe; as a system becomes more sophisticated, authentication systems for personal computers and for the people entering the section become necessary. The fifth is environmental and physical security, under which processing resources such as mainframes and minicomputers must be housed in a secure environment that keeps unauthorized personnel from reaching them. The sixth is platform security, a level that protects the entire platform, ranging from the software to the devices in use. The seventh is security assurance, or data assurance, the level that manages the use, storage, processing and transmission of information and data. The last is access, identity and privilege management. This level requires that each subject be uniquely identified and given the lowest privilege possible, which limits the damage in the event of an accident. It can be implemented through modularisation of the system, as asserted by Turban, McLean and Wetherbe (1999).
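The access control standards described earlier (authentication, password management, complexity rules) and the final level above (uniquely identified subjects given the least privilege possible) can both be expressed as policy-as-code. The following is an added example, not part of the essay or of any cited source: it encodes a constructed password standard, a lockout rule for repeated failed logins, and a default-deny authorization check in which a subject may only perform actions that were explicitly granted, with every decision written to an audit trail. The subject names, resource names and threshold values are assumptions chosen for the illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PasswordStandard:
    """Password rules from an access-control standard (values are illustrative)."""
    min_length: int = 12
    required_classes: int = 3   # out of: lowercase, uppercase, digit, symbol
    max_failed_logins: int = 5  # lock the account once this many failures accumulate

    def violations(self, password: str) -> list:
        """Return the rules the password breaks; an empty list means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"length {len(password)} < {self.min_length}")
        classes = sum(
            re.search(pattern, password) is not None
            for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        )
        if classes < self.required_classes:
            problems.append(f"{classes} character classes < {self.required_classes}")
        return problems


@dataclass
class AccessControl:
    """Default-deny authorization: a subject may do only what was explicitly granted."""
    standard: PasswordStandard
    grants: dict = field(default_factory=dict)         # subject -> {(resource, action)}
    failed_logins: dict = field(default_factory=dict)  # subject -> consecutive failures
    audit_log: list = field(default_factory=list)      # every decision, for audit review

    def grant(self, subject: str, resource: str, action: str) -> None:
        """Explicit, minimal grant; nothing is allowed by default."""
        self.grants.setdefault(subject, set()).add((resource, action))

    def record_login(self, subject: str, success: bool) -> str:
        """Track failed logins per uniquely identified subject and lock on threshold."""
        if success:
            self.failed_logins[subject] = 0
            self.audit_log.append(("login_ok", subject))
            return "ok"
        count = self.failed_logins.get(subject, 0) + 1
        self.failed_logins[subject] = count
        if count >= self.standard.max_failed_logins:
            self.audit_log.append(("account_locked", subject))
            return "locked"
        self.audit_log.append(("login_failed", subject))
        return "failed"

    def is_locked(self, subject: str) -> bool:
        return self.failed_logins.get(subject, 0) >= self.standard.max_failed_logins

    def authorize(self, subject: str, resource: str, action: str) -> bool:
        """Allow only an explicit grant on an unlocked account; log every decision."""
        allowed = (not self.is_locked(subject)
                   and (resource, action) in self.grants.get(subject, set()))
        self.audit_log.append(("allow" if allowed else "deny", subject, resource, action))
        return allowed


def demo() -> dict:
    """Constructed scenario: two users with different grants, one locked out."""
    ac = AccessControl(PasswordStandard())
    ac.grant("alice", "payroll-db", "read")
    ac.grant("bob", "payroll-db", "read")
    ac.grant("bob", "payroll-db", "write")
    for _ in range(5):                      # five failures lock alice's account
        ac.record_login("alice", success=False)
    return {
        "weak_pw": ac.standard.violations("password"),
        "strong_pw": ac.standard.violations("Tr0ub4dor&3xyz"),
        "alice_locked": ac.is_locked("alice"),
        "alice_read": ac.authorize("alice", "payroll-db", "read"),   # denied: locked
        "bob_write": ac.authorize("bob", "payroll-db", "write"),     # allowed: granted
        "bob_delete": ac.authorize("bob", "payroll-db", "delete"),   # denied: never granted
        "denials": sum(1 for event in ac.audit_log if event[0] == "deny"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The audit log is the piece an auditor would actually review: because every allow and deny is recorded against a unique subject, the "limitation of damage" the essay attributes to least privilege can be checked after the fact rather than assumed.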