Implementation of Security Policies in an Organization
As technology changes, organizations face a growing range of threats to their information systems. Most information is stored on computing devices, so attackers target those devices to obtain what they want. For that reason organizations need security policies that govern how they protect their data, information and communication resources. A security policy defines the structure by which an organization's computing systems, resources and environment are protected against threats, whether deliberate or accidental, internal or external. A security policy is never finished: it is updated continuously as technology and personnel change. A policy may include an acceptable use policy, the company's plan for training personnel to protect company assets, guidelines for the security measures to be carried out and enforced, and a method for assessing the effectiveness of the policy so that changes can be made. Common types of security policy include antivirus, backup, campus security, acceptable use, disaster recovery and electronic communication policies. All of them exist to safeguard the company's information technology resources from threats and vulnerabilities that could disrupt normal business. A security policy is not written only for the current state of the organization; it is meant to serve for years ahead, so its benefits often exceed what the organization expects. This document outlines the major strategies that apply both to the IT department and to the company as a whole, and the benefits associated with them.
Computing Security Policies and Strategies
Policies have two key features. First, they require a high degree of compliance and usually carry consequences when they are not followed. Second, they define the desired results, derived from the company's standards and guidelines, and how those results will be achieved. When creating a security policy, the questions I propose asking are: what kinds of data may a user handle? How well is data protected while in transit over a network, possibly the internet? And what structures must be put in place to protect data, weighed against its importance and the cost of protection? The following are some of the policies and measures that serve as defensive and recovery procedures against security incidents. The strategies are expressed as policies and guidelines, which fall into two categories: user policies and Information Technology (IT) policies (Zaitseva, 2014).
The most important policy is the user policy, which defines user privileges and responsibilities for the organization's network and computing devices. It sets limits on users so that the network stays secure: for example, whether users may install software on their workstations, which software they may use, and how they may access data. Strategies used in user policies include password policies, rules for system use, VPN and remote access rules, and acceptable use of devices such as modems. Password policies exist to strengthen user accounts. They define when users must change passwords, the required character mix (such as a combination of upper-case letters, lower-case letters, digits and special characters) and the minimum length. A practical caveat: composition rules alone do not stop predictable choices such as a dictionary word with a digit and a symbol appended, so a password policy should also reject passwords found in known breach lists and passwords that contain the user name. VPN and remote access connections should be monitored for viruses, backdoors and Trojan horses using firewalls and antivirus software (Sinjilawi, AL-Nabhan & Abu-Shanab, 2014). The policy should also prohibit the use of modems on hosts that do not have a personal firewall installed.
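As an added example (not from the original essay), the password rules above expressed as a policy-as-code check in Python. The length thresholds, the breached-password denylist, the user-name rule and the function names are assumptions chosen for illustration; a real deployment would load a full breach corpus and tune the numbers to its own policy.

```python
import re

# Constructed denylist standing in for a public breach corpus such as the
# Have I Been Pwned list; a real deployment loads millions of entries.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12     # assumed policy minimum
MAX_LENGTH = 128    # assumed upper bound; stops pathological multi-kilobyte inputs

# Character classes of which the policy requires at least one (assumed, per the essay).
REQUIRED_CLASSES = {
    "upper-case letter": re.compile(r"[A-Z]"),
    "lower-case letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def normalize_for_denylist(candidate: str) -> str:
    """Strip trailing digits/symbols and lower-case, so that 'Password123!'
    is compared against 'password', the form it takes in breach lists."""
    return re.sub(r"[^A-Za-z]+$", "", candidate).lower()


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: list[str] = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Composition rules from the essay: one character from each class.
    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(candidate):
            problems.append(f"missing {name}")

    # A password that embeds the account name is trivially guessable.
    if username and username.lower() in candidate.lower():
        problems.append("contains the user name")

    # Denylist check on both the raw value and its normalized form.
    lowered = candidate.lower()
    if lowered in BREACHED_PASSWORDS or normalize_for_denylist(candidate) in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")

    return problems


if __name__ == "__main__":
    for user, pw in [("alice", "Password123!"), ("bob", "xK9#mQ2$vL7pR!")]:
        print(f"{user}: {check_password(pw, user) or 'accepted'}")
```

Running it shows why the denylist matters: "Password123!" satisfies every composition rule and is rejected only because the normalized form is on the breach list, while a long all-lower-case passphrase fails the composition rules even though it is far harder to guess. Which checks an organization enforces is exactly the policy decision the essay leaves to it.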
The second category is the Information Technology policies, which are the general IT policies intended to keep the network stable and secure.
These include the backup policy, which defines what is backed up, by whom, where, for how long, how backups are tested and which software is used. The IT policies also specify how long clients may run a given program version and when genuine patches must be installed. Updates are crucial, and the organization should track vendor advisories and apply released patches promptly (Unsworth, 2009). Patches obtained online must be confirmed to come from the genuine vendor and not from an attacker: this means downloading from the vendor's official channel and checking the vendor's digital signature or published checksum on the file, since a firewall or antivirus scan can detect known malware but cannot establish who produced a file. Proper procedures should also be set up for virus and other security incidents. For a virus intrusion the steps are detect, contain and remove: create guidelines for identifying an intrusion, restrain the virus from damaging the system, eradicate it by repairing the damage and improving defenses, and finally monitor the systems to make sure the virus does not return (Sarrab et al., 2015). The policy should also define which types of websites are permitted, which ports are accepted and which encryption algorithms are used, so that users do not send sensitive data over the internet in a form that could land with the wrong people.
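As an added example (not from the original essay), here is a small Python check of the kind the patch policy above calls for: a downloaded patch is accepted only if every file matches the SHA-256 digest the vendor publishes, and any extra, missing or altered file is reported. The sha256sum-style manifest format, the file names, the sample bytes and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import re

# One sha256sum-style manifest line: 64 hex digits, two spaces, file name.
MANIFEST_LINE = re.compile(r"^([0-9a-f]{64})  (\S+)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse the vendor's manifest into {file name: expected digest}.
    Malformed or duplicate lines are rejected rather than skipped."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = MANIFEST_LINE.match(line)
        if match is None:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = match.groups()
        if name in entries:
            raise ValueError(f"duplicate manifest entry for {name!r}")
        entries[name] = digest
    return entries


def verify_files(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, str]:
    """Compare every downloaded file against the manifest.
    Returns {name: 'ok' | 'mismatch' | 'not in manifest' | 'missing'}."""
    status: dict[str, str] = {}
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None:
            status[name] = "not in manifest"       # extra file: never install it
        elif hmac.compare_digest(sha256_hex(data), expected):
            status[name] = "ok"
        else:
            status[name] = "mismatch"              # tampered or corrupted
    for name in manifest:
        if name not in files:
            status[name] = "missing"               # incomplete download
    return status


def check_download(downloaded: dict[str, bytes], manifest_text: str) -> bool:
    """True only when the manifest is non-empty and every entry is present and matches."""
    status = verify_files(downloaded, parse_manifest(manifest_text))
    return bool(status) and all(result == "ok" for result in status.values())


# Constructed sample release (not a real vendor's files). The digests are
# computed here only to build the sample manifest; in practice the manifest
# arrives through a separate, authenticated channel from the patch itself.
VENDOR_FILES = {
    "hotfix-1.2.3.bin": b"\x7fELF constructed hotfix payload\n",
    "README.txt": b"Hotfix 1.2.3: fixes session handling.\n",
}
VENDOR_MANIFEST = "# sha256 manifest for hotfix 1.2.3\n" + "\n".join(
    f"{sha256_hex(data)}  {name}" for name, data in VENDOR_FILES.items()
)


if __name__ == "__main__":
    tampered = dict(VENDOR_FILES)
    tampered["hotfix-1.2.3.bin"] += b"\x90"   # a single appended byte
    print("clean download:", check_download(VENDOR_FILES, VENDOR_MANIFEST))
    print("tampered download:", verify_files(tampered, parse_manifest(VENDOR_MANIFEST)))
```

The digest list must reach the verifier by a path independent of the download itself (the vendor's signed release notes, or a signature checked against the vendor's public key); otherwise an attacker who replaces the patch on a mirror simply replaces the manifest too. The example models that independence by keeping the manifest separate from the files and leaves signature verification to the vendor's own tooling.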
Other general policies include the high-level policy (which names the owner of the other policies and states their scope, purpose and any exceptions) and the business continuity plan. The continuity plan covers crisis management methods and disaster recovery, consisting of server, data, end-user, communication system and workplace recovery plans. Disasters may arise from events such as a fire that destroys the entire building, or criminals breaking in and stealing the storage disks and backup devices (Thompson, 2004). The best defence is to replicate data to several servers in separate locations so that the data remains accessible when such a crisis occurs. Replication alone is not a substitute for backups, however: a deletion, corruption or ransomware encryption is replicated just as faithfully as good data, so the plan should also keep offline or otherwise isolated backup copies.
The organization should decide how to categorize security policies by department, group or the enterprise as a whole, because the effectiveness of a policy varies greatly with where it is implemented. Security measures that work at a local level may not work at the enterprise level. A larger network carries far more data movement and communication than a single small site, which exposes it to more threats and vulnerabilities, so stricter measures should be imposed on such an infrastructure (Aurigemma, 2013). Strategies such as high-quality routing devices, antivirus software, data replication and authorization mechanisms greatly improve the security of large enterprises. Small networks carry less activity, so simpler strategies such as strong encryption and regular backups are appropriate.
Putting security measures in place gives the company several advantages, which can be grouped by their impact on infrastructure and on data. Infrastructure security ensures that company assets are not damaged, destroyed or stolen. For data security, the Confidentiality, Integrity and Availability (CIA) triad applies: private information stays private and is not accessible to unintended parties, data is not altered by unauthorized persons, and data is available whenever it is needed (Desai et al., 2012).
Policies ensure that every area of security is checked. Data is very important to an organization. Sensitive data may include an employee's bank details or personal information such as family background, which should not be disclosed to everyone. When such data is protected, employees and users can work without fear of compromise. Measures that ensure data integrity also protect the company from unauthorized alteration of data, which could otherwise lead to conflicts and errors in its systems (Johnston et al., 2013).
Safety measures also ensure that the business and its employees are not crippled when a disaster occurs. For example, a company that replicates its data to several server locations is in a better position, since it does not suffer when one of its servers fails or its system goes down, as users can switch to the alternative (Knapp et al., 2014). Organizations that do not replicate data are exposed to the aftermath of a disaster, and some of their customers may leave.
The company's infrastructure is in the company's own hands, and it should be safeguarded. A secure working environment lets users concentrate on the activities that produce better results (Wang & Li, 2004). It is also easier to detect and eliminate security violations in a well-controlled environment, so I strongly recommend that organizations establish policies to govern their security.
Developing security policies is a broad undertaking, not an afternoon's task. It requires the active involvement of all parties in the organization so that they gain a broad understanding of the company and of the sources of threats and vulnerabilities. A security policy may take years, even the lifetime of the organization, to complete, because with the rapid pace of technology everything associated with it changes every day.
Aurigemma, S. (2013). A Composite Framework for Behavioral Compliance with Information Security Policies. Journal of Organizational & End User Computing, 25(3), 32-51. doi:10.4018/joeuc.2013070103
Desai, M. S., Desai, K. J., & Phelps, L. D. (2012). E-commerce policies and customer privacy: a longitudinal study (2000-2010). Information Management & Computer Security, 20(3), 222-244. doi:10.1108/09685221211247325
Johnston, A. C., Wech, B., & Jack, E. (2013). Engaging Remote Employees: The Moderating Role of "Remote" Status in Determining Employee Information Security Policy Awareness. Journal of Organizational & End User Computing, 25(1), 1-23. doi:10.4018/joeuc.2013010101
Knapp, K. J., & Ferrante, C. J. (2014). Information Security Program Effectiveness in Organizations: The Moderating Role of Task Interdependence. Journal of Organizational & End User Computing, 26(1), 27-46. doi:10.4018/joeuc.2014010102
Sarrab, M., & Bourdoucen, H. (2015). Mobile Cloud Computing: Security Issues and Considerations. Journal of Advances in Information Technology, 6(4), 248-251. doi:10.12720/jait.6.4.248-251
Sinjilawi, Y. K., AL-Nabhan, M. Q., & Abu-Shanab, E. A. (2014). Addressing Security and Privacy Issues in Cloud Computing. Journal of Emerging Technologies in Web Intelligence, 6(2), 192-199. doi:10.4304/jetwi.6.2.192-199
Thompson, S. C. (2004). Policies to Protect Information Systems: Building Barriers to Intrusion from Social Engineering Attacks. Library & Archival Security, 19(1), 3-14. doi:10.1300/JI14v19n0102
Unsworth, K. (2009). Ethical Concerns of Information Policy and Organization in National Security. Cataloging & Classification Quarterly, 47(7), 642-656. doi:10.1080/01639370903118663
Wang, X., & Li, Y. (2004). Formal definition and implementation of business-oriented SoD access control policy. Information Management & Computer Security, 12(5), 379-388. doi:10.1108/09685220410563351
Zaitseva, M. (2014). Information and security components of the Russian foreign policy. Informacijos Mokslai / Information Sciences, 70, 58-68.