IT Security Policy Framework
Information or IT security policy is a critical component of business that focuses on three best-practice aspects of data and information: confidentiality, integrity, and availability (CIA). Confidentiality entails preserving privacy so that only authorized personnel are able to view sensitive information. Integrity guarantees the authenticity and reliability of data and ensures that changes to data can be traced to specific users through audits. Finally, availability addresses accessibility of relevant data at the right time in the right form (British Standards Institution, 2001). Numerous standard frameworks are available to guide organizations in developing effective IT security policies. This security policy, developed for ABC Company, references the COBIT (Control Objectives for Information and Related Technology) framework, which links business requirements to IT objectives.
The framework is built upon seven components, or information criteria, that ensure IT supports business strategy and value delivery, IT resources are utilized prudently, IT risks are managed effectively, and IT performance measurement is efficient enough to track and monitor progress. The first component is effectiveness, which ensures information is relevant to business needs. Efficiency concerns the delivery of information through the most optimal and cost-effective means possible. Confidentiality entails preservation of privacy from unauthorized disclosure. Integrity is concerned with the validity and accuracy of information. Availability relates to accessibility of information in the right form at the right time. Compliance is another component and is primarily concerned with ensuring laws, rules, and regulations are observed in the handling of business information. Contractual agreements on the handling of data fall within this component of the COBIT framework. Lastly, reliability of data is addressed in the COBIT framework. This is concerned with the provision of the right information for management decisions (IT Governance Institute, 2006).
ABC’s IT Security Policy
Policy Title: Information Technology Security Policy
Responsible Office: Information Technology, Information Security Office
Endorsed by: Information Security Policy Committee
I. Policy Statement
ABC Company possesses sensitive, valuable, and confidential information, some of which is protected by contractual agreement against unauthorized disclosure. Moreover, the information is critical to core business processes and unavailability or loss of integrity could harm the business. ABC Company, therefore, requires all staff to make deliberate efforts in protecting information according to its security level.
II. Summary of Responsibilities
All staff and contractors
- You are required to understand the sensitivity level of company information;
- You are only allowed to access information that directly pertains to your line of work;
- You must uphold the confidentiality, availability, and integrity of company information;
- You must not copy, alter, or delete information unless under the direction of the data custodian;
- You must read and acknowledge terms and conditions pertaining to information products; and
- Applicable laws must be adhered to regarding the handling of company information.
Supervisors and Managers
In addition to the above responsibilities, all managers and supervisors must ensure that:
- Departmental standards, processes, and procedures enhance the confidentiality, integrity, and availability of company information; and
- Each staff member under them fully understands the sensitivity of information and their role in the overall policy.
Information Custodians
In addition to the above responsibilities, all information custodians must ensure that:
- Information held by the company complies with state laws and contractual agreements;
- Information sensitivity levels are defined and communicated through departmental heads; and
- Information classification and nomenclature are well documented.
III. Information Sensitivity Levels
All employees should rely on this scale to identify and determine the confidentiality level of company information.
- Public information can be shared inside and outside the company without any sort of authorization.
- Internal information can be shared freely within the company, but requires authorization by the information guardian before it can be shared externally.
- Departmental information can only be shared within a department without authorization.
- Confidential information can only be shared if directly related to the job description.
- Highly confidential information can only be shared with individuals identified by the information custodians.
IV. Computer and Infrastructure Security
- All computers must have password-protected user accounts;
- All computers must be configured according to the IT standards, policies, and procedures;
- User accounts must be assigned rights and privileges according to job description;
- All computers must have an idle timeout and be protected by a sustainable UPS;
- Users are expected to log off from their computers during breaks and turn them off at close of business;
- All business applications must be configured for automatic updates and patching;
- All business computers must have an effective anti-virus installed that updates in real time;
- All company computers must be connected to a centralized audit system; and
- Services running on company computers must be limited to only those required.
V. Network Security
- All data from networked devices must be encrypted before transit on private and public networks;
- The company network infrastructure must be protected using a firewall that filters out undesired traffic;
- All infrastructure must be protected by a UPS;
- All network devices must be configured with an audit trail and privilege-specific user accounts; and
- Internet access must be managed centrally and allocated depending on business-critical impact.
VI. Physical Security
- IT resources must be protected behind access-controlled rooms;
- The security office should monitor the safety of all physical premises; and
- Mission-critical facilities, such as the server room, should be monitored via real-time video surveillance links.
VII. Contractual and Legal Compliance
ABC Company commits to abide by legislation, rules, and regulations regarding confidentiality and privacy of information. These include:
- Federal and state laws, such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA);
- Intellectual property and end-user software licensing;
- Non-disclosure of confidential contractual issues; and
Data and information continue to grow exponentially in all aspects of business. This ubiquity has warranted the need for governance and control to ensure ethics, the rule of law, and privacy are observed. Non-compliance can lead to hefty fines or brand injury. ABC Company needs to analyze the laws applicable to its line of business and integrate compliance into the overall long-term strategy, which is cascaded into departmental policy documents such as the security policy. Managers must then interpret compliance standards, policies, and procedures and integrate them with tactical or operational objectives. In this way, compliance trickles down from strategy to operations and therefore enhances institutionalization (Smedinghoff, 2008).
Business Challenges and Implementation Issues
Challenges are bound to arise within the seven components of information security addressed by the policy. Effectiveness may be hampered by weak organizational structures that limit the exchange of data in business processes. Data handlers may also compromise the movement and transformation of data between processes, affecting the accuracy and relevance of data. A good policy will close these loopholes and facilitate data processing (Smedinghoff, 2008).
Efficiency of data processes may be affected by a lack of strong accountability policies, allowing mismanagement of data resources and infrastructure. Clarity of business information needs is also critical to keep resource utilization in check. Confidentiality and integrity will mostly be hampered by staff. Research indicates that the biggest risk in information security is internal stakeholders who collaborate for selfish gains at the expense of the company. Care must be taken to ensure staff are fully aware of information sensitivity levels and the associated repercussions.
Availability and reliability of business data, by contrast, will mostly be affected by infrastructure downtime. Each time a critical business application goes down, users are unable to fetch data and deliver on their mandate. The security policy will address this aspect. Compliance with existing legislation is a setback that arises when the legal framework of the business environment is not clearly understood. Due diligence must be taken by the leadership of ABC Company to audit business processes and strategy to ensure compliance right from the strategy level (Scovel, 2008).
Finally, implementation challenges will arise regarding this policy. Resistance to change is real; aggressive awareness campaigns must be put in place to bring all stakeholders on board and promote adoption. Goodwill on the part of management will be of prime importance in entrenching institutionalization of the policy. Training sessions are important to ensure staff appreciate the ideals of information security, as well as to clarify queries. A strong organizational structure is also a critical implementation parameter. It supports accountability, clarifies responsibility, and acts as a medium through which management objectives trickle down to actual implementers. A security policy is a living document that needs regular review, with input from all stakeholders, in light of emerging threats, business needs, and the changing business environment (Fulford & Doherty, 2003).
British Standards Institution. (2001). Information technology: Code of practice for information security management. London: Author.
Fulford, H., & Doherty, N. F. (2003). The application of information security policies in large UK-based organizations: An exploratory investigation. Information Management & Computer Security, 11 (3), 106-114. doi: 10.1108/09685220310480381.
IT Governance Institute. (2006). COBIT mapping of ISO/IEC 17799: 2005 with COBIT 4.0. Rolling Meadows, IL: Author.
Scovel, C. L. (2008). Audit of information security program: Department of Transportation. Washington, D.C.: U.S. Dept. of Transportation, Office of the Secretary of Transportation, Office of Inspector General.
Smedinghoff, T. J. (2008). Information security law: The emerging standard for corporate compliance. Ely: IT Governance Pub.