Wednesday, February 2, 2011

Information Security Awareness Training - Information Security Policy


What is information security policy?

An information security policy is a set of suggestions (laws) that a company needs to observe to keep its information systems safe and immune against malicious attacks!

Usually this kind of policy is written for employees at different levels, but the common element in all these policies is the target!

A policy can be a combined set of rules covering all topics related to information security and computer usage, or separate rules for individual topics, for example e-mail, network or physical security.

Why does a company need an information security policy?

Many information systems have not been designed to be secure, but business life is hard to imagine without them. Increasingly, companies and their information systems and networks face security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated.

Modern technologies and software alone are not enough to make a company's information system safe; everyone in the company also needs to be part of the security system.

The security policy modelling process points to the system's weakest areas and gives advice on how to prevent them.

How is a policy created?

There are different ways to create a security policy, but the main idea is the same. The company's employees answer a set of questions, and then a specialist information security awareness company processes these answers and writes your own (company) information security policy.

The other way to create a policy is to use special software that automatically processes the answers, evaluates the risks and produces the policy. This way is easier and also takes less time, but the result is usually of lower quality.

The policy needs to be written in a form that is relevant, accessible and understandable to the intended readers!

The company gets the policy. What next?!

Now the company's manager needs to nominate one person who will be responsible for seeing that the policy's written rules are observed. This person needs to introduce all employees to these rules and also publish the policy and make it available.

Next, this person needs to check and control how these rules are implemented in practice. This person needs to be very close to the manager and regularly inform the manager if there are any problems.

Problems!

Usually problems start when the policy's rules need to be implemented in practice. People need to change their daily work habits and try to work in line with these rules. It's always hard, but there are many ways to stimulate or even press them to do this. The process is made easier by special e-learning courses provided by information security awareness companies, for example Infosecuritylab. Managers can also develop some kind of bonus system for employees who observe these rules, or warnings for those who ignore them!








Infosecuritylab - http://www.infosecuritylab.com

