Chapter 4
Developing a Corporate Information Security Policy:
Every organization embarking on Information Security must have an Information Security policy. Since policies define the security principles, rules and standards to which everyone must conform, the policy document must be given the respect it deserves, and every member of staff must have a copy.
The Information Security Policy is intended to help users and providers of Information Technology services understand what they need to know and do to keep the company's systems secure.
The objectives of the policy document are as follows:
- To provide management direction and support for Information Security in all business units and related branches of the organization.
- To achieve common objectives and a common direction for Information Security management throughout the organization.
- Lastly, to demonstrate management support and commitment for Information Security.
This important security document, which must be published and promoted so that it is well-known and respected in the organization, must cover the following:
- Legal and contractual compliance.
- Security education, awareness and training.
- Virus protection, prevention and detection.
- Business Continuity Planning.
The policy document must define specific management roles and responsibilities, including a reference to an appointed Information Security Manager who reports to the Chief Executive Officer of the organization. This senior manager holds overall responsibility for Information Security in the organization.
The policy document must define the responsibilities and accountability of all personnel. It should refer to the potential sanctions under employment contracts or prevailing computer misuse legislation where appropriate.
The policy owner, who is normally the appointed Information Security Manager, must ensure that an annual review process is defined for the security policy. The review confirms the fitness-for-purpose and continued relevance of the local Information Security policy, and its outcome must be formally recorded.
The local security policy must be supported by lower-level standards and procedures. This set of security standards forms the basis of the detailed documentation.
The security policy must contain the processes for reporting security incidents in your organization. The Local Information Security Manager must send a security report to the Chief Executive Officer on a weekly basis. Where the organization has an Information Security Officer senior to the Local Information Security Manager, say a Regional Information Manager, arrangements must be made for a monthly report to be sent to that person as well.
The local policy must define:
- The overall objectives and scope of Information Security for that particular organization.
- The benefits to be gained from being able to share information with other branches of the organization and with external agencies, including customers, suppliers, business partners and authorities.
The endorsement of the policy statement by the senior management of the organization must be explicit in the policy document. The policy document should be signed by the Chief Executive Officer of the organization.
The Role of the Information Asset Security (IAS) Policy:
The following questions should be answered to ensure that local instructions and practices are aligned with business needs and remain relevant:
- Have we identified the issues relating to Information Security instructions in our business?
- Will these security instructions meet our business needs, now and in the future?
- How will those instructions be maintained and kept current?
- Are these instructions adequately defined so that they are understood by our customers and service providers?
- Can those instructions be translated into specific and measurable service requirements?
Principles of Information Security:
Principles of Information Security are general statements about how your organization's information is to be protected.
The following points have been identified as Principles of Information Security:
- a) Procedures must be laid down, implemented and maintained to protect the confidentiality, integrity and availability of your organization's information.
- b) It must be clearly understood in the organization that Information Security is not a one-man show: everyone in the organization must be involved in deploying it.
- c) Access to the organization's information must be controlled on the basis of the minimum exposure needed to perform business functions, while retaining sufficient open communication for effective business performance.
- d) Your organization's processes and systems for the management of Information Security must be as unobtrusive as possible and must not interfere unnecessarily with the conduct of the business.
- e) It is every manager's responsibility to ensure that staff and contractors of your organization know what is expected of them and that they act in a secure way to protect the company's information base.
- f) A copy of your organization's policy statement must be made available to all employees and contractors. Copies should be provided on demand for consultation. New employee induction programmes should introduce and explain the policy document and the related standards, procedures and instructions. Instruction guides and rules should be provided for your employees and contractors.
1) A Sample of an Information Security Policy of ABC & Co. Ltd.
Relevant Pages:
The cover page of the policy document should carry an image depicting information, together with the organization's logo.
The first page of the security policy could carry a photograph of the Chief Executive Officer, signifying that the organization's management gives its full support to Information Security.
Introduction: This Information Security policy, which complies with the ABC & Co. Ltd. Security Policy, is intended to help users and providers of Information Technology services understand what they need to know and do to keep ABC & Co. Ltd. systems secure.
Information Security:
Information Security is not only about the security of computers and the information held in them; it also extends to the documents used in our offices. ABC & Co. Ltd. relies fully on its computer and other records, which are vital to the continuation of our business. We must ensure we are protected against:
THEFT of computer equipment, and of computer-held and documented information that could be useful to our competitors.
DAMAGE to our computer equipment, whether accidental or intentional.
DISRUPTION to computer services, as this causes temporary loss of access to the information we need to run the business.
LOSS of the documented information that we need. Documents that you cannot readily locate are as good as lost.