Discuss the Development of Effective Security Policies of an Organization.
The development of effective security policies is very important to any organization. Different types of information are stored in different information systems, and their relevance and value depend on the security of that information. It is therefore important that organizations develop effective security policies intended to protect the information as well as the individuals interacting with it. An information technology security policy is, therefore, a well-written strategy that identifies the rules and procedures for accessing, protecting and maintaining an organization's network, information technology assets and resources (Siponen et al. 2014, p. 12). It is a company document that states the company's plans for protecting its physical assets as well as its information technology assets. This report seeks to help us understand security policies and their purpose, as well as the methodologies and processes an organization uses in developing the policy guideline. Special focus is laid on the acceptable use policy, chosen as our case security policy.
Many corporate organizations, businesses and educational institutions have embraced the adoption and use of security policies to govern access to and usage of certain information. The development of the Acceptable Use Policy has helped many organizations stipulate the constraints and user practices that users must agree to before being granted access to a corporate network or the internet (Herath et al. 2014, p. 67). In information technology, a security policy in most cases establishes what must be done by a user, the administrator of a website, or the owner or creator of the website or internet service to protect information stored in their computer database (Safa et al. 2016, p. 45). Security policies are continuously upgraded or updated due to changes in employee or technology requirements. They are designed to ensure that information on an organization's, business's or institution's website is confidential, valuable and available in time of need, without any compromise or modification that distorts the information.
For an information system to be termed secure, it must meet the objectives of confidentiality, integrity and availability, which are the characteristic elements of a secure system. Security policies therefore ensure that confidentiality is achieved by allowing access to information only to authorized persons, or by ensuring that valuable information is kept only in the hands of the intended persons (D'Arcy et al. 2014, p. 23). The integrity objective requires that the system maintain the value and the state of the information by protecting it from modification, while the availability objective requires that the information and the security controls always be available when they are needed.
The Acceptable Use Policy is therefore a security policy used in many educational facilities and in most corporate and business facilities, which require that employees and students sign an acceptable or legal use policy before being granted a network ID. Similarly, an Acceptable Use Policy is normally presented to the user when he signs up with an Internet Service Provider (ISP). The policy provides certain guidelines which the user must agree to, and in most cases guides or restricts the user from using the service in violation of any law or in an attempt to break the security of any computer network (Sommestad et al. 2014). It also regulates or restricts the posting of commercial messages to unauthorized groups as well as attempts to send junk email or spam to anyone. The security policy is therefore used to establish what must be done by corporate businesses and educational institutions about the information stored on their computers and business websites. The policy is also used to protect individuals working with or having access to the information, since anyone who makes decisions or takes action in a situation where the information is at risk is equally at risk (Peltier, 2016). The security policy therefore allows people to take necessary actions without fear of reprisal, and it also compels the safeguarding of information by eliminating or reducing personal liability for employees or users of the information. Regardless of whether organizations, institutions or businesses use a Local Area Network (LAN) or a Wide Area Network (WAN), it is important that they develop effective security policies. The Acceptable Use Policy (AUP) therefore forms an integral part of the framework of security policies.
To develop an effective security policy, in this case an acceptable use policy, certain guidelines and steps are to be followed by the organization, company, business or educational institution. Such procedures include risk assessment, password policy guidelines, the organizational and administrative response, user responsibilities, e-mail guidelines and policies, internet guidelines, disaster recovery and intrusion detection policies.
Therefore, the first step in developing an acceptable use policy is to conduct a risk assessment within the organization, company, business or educational institution that faces information risk and is in need of security policies. Risk assessment is usually an ongoing process of discovering potential security risks, correcting them and preventing future problems (Neisse et al. 2014, p. 123). It is also an essential part of sound security practice and forms an important part of compliance with security standards. Risk assessment helps the organization or business determine the acceptable level of risk as well as the resulting security requirements for each identified risk, and it involves system risk documentation, determination and safeguarding.
The second guideline in the development of the acceptable use policy is designing the organizational password policy. Passwords are a very important aspect of computer information security, and a poorly chosen password may result in unauthorized access to or exploitation of company resources (Neisse et al. 2014). Organizations need to develop an effective password policy to govern the authorization of access to company or organizational information. Such a policy regulates the sharing of passwords: for information technology security, passwords should not be shared, should always be treated as sensitive and confidential, and therefore should not be sent through websites or any link that may pose a risk to the information or data of the company or organization.
The administrative response is also very important in developing an effective security policy. It is therefore important for the information technology experts involved in designing and developing the security policies to inform the administrative personnel of the organization. The administrators then help in providing measures and developing the actions to be taken against users who go against or are caught violating the security policies. Their response ensures that the policy is agreed upon by the management and administrative departments of the organization. From their experience, they also give further recommendations on what should be done to enhance data or information security within the organization.
Another important step in the development of an effective security policy is helping users understand their responsibilities when using the information system. This is important because most networks today face the conflicting goals of availability, security and scalability (Webb et al. 2014, p. 90). Most users are concerned only with the availability of the information they need; their concern is to use the tools to undertake certain tasks. In most cases, users tend to defeat information security procedures or guidelines when they perceive them as an interference or obstacle to their workflow (Ulusoy et al. 2015, p. 453). It is therefore important for organizations and businesses to build user awareness programs on issues relating to information security by clearly defining their security objectives to the users, identifying user groups for effective security control, and presenting their security policies to the users.
Since most organizations use email for most of their communication, it is also important to develop email and internet policies governing it. This is because information may be sent as spam or may be modified to distort the intended message. Such policies govern the domains of company emails and can even specify the size or content of a message. They ensure that business email is not used for personal purposes but is limited and restricted to official office use only. In such a case, if anyone is caught defeating the policies, appropriate administrative measures can be adopted (Arpaci et al. 2015). Internet policies relating to the computing facilities should also be developed to control information risk, whether in general network security, network security or server security.
Lastly, there is the development of disaster or data recovery systems, including file backup and system restore, as well as security mechanisms for intrusion detection. Backup and restore networks are very important to the continuity of a business, and therefore their environments must be secured. As much as backing up data is necessary, it is not sufficient as long as the backup environment is not secured (Ahmad et al. 2014). Organizations and businesses must therefore ensure that their computing facilities are equipped with backup and restore networks that are secured by implementing appropriate technologies in the backup storage devices, and by implementing an appliance that can encrypt data at some point in the storage network. Such steps and guidelines will lead to the development of an effective acceptable use security policy that can be helpful to many organizations, businesses and educational institutions.
From the findings above on the development of an acceptable use security policy for organizations, businesses or educational facilities, it is recommended that the organization should first create user awareness through education on the importance of information security. This provides users with knowledge, as some users of such information do not know the importance of the security measures imposed, or whether there are any legal actions if anyone is found violating them or experiences a risk related to certain information. Since most employees in business access the internet and business websites to perform their given tasks, organizations should try to change the attitude of users towards realizing their role in company security (DeHaan et al. 2015). It is equally important that employees understand that the business needs them as much as they need it, and therefore security should be a collective initiative of both parties.
Risk to information has also been encountered due to a lack of effective monitoring and evaluation. It is therefore recommended that website operators and managers should always ask users for feedback about their experience when using certain websites or internet sources, and monitor their progress as they continue to use them. Some users end up performing tasks that are irrelevant or that cannot be supported by certain systems, which may lead to a crackdown or loss of important data. Where companies have sensitive information which cannot be relayed to the public, organizations are recommended to develop different websites for different users to limit access to sensitive data (Muthalagu 2016). It is also recommended that companies develop an information security website where users can start familiarizing themselves with internet security issues; it should be clear to understand as well as easy for users to browse and navigate.
In conclusion, security policies are important for any organization dealing with internet resources and assets. The security of internet information is the responsibility of the administrators, owners or creators of websites, as well as the users of internet resources. For systems to be secured, the most important policy to adopt is the acceptable use security policy, as it guides and regulates initial access to the internet. Its effective development and implementation will play a very important role in the overall security against other internet-related risks.
List of References
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.
Arpaci, I., Kilicer, K. and Bardakci, S., 2015. Effects of security and privacy concerns on educational use of cloud services. Computers in Human Behavior, 45, pp.93-98.
D'Arcy, J., Herath, T. and Shoss, M.K., 2014. Understanding employee responses to stressful information security requirements: a coping perspective. Journal of Management Information Systems, 31(2), pp.285-318.
DeHaan, M.P., Likins, A.K. and Vidal, S.K., Red Hat, Inc., 2015. Discovery of network software relationships. U.S. Patent 8,990,368.
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J. and Rao, H.R., 2014. Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service. Information Systems Journal, 24(1), pp.61-84.
Hsu, J.S.C., Shih, S.P., Hung, Y.W. and Lowry, P.B., 2015. The role of extra-role behaviors and social controls in information security policy effectiveness. Information Systems Research, 26(2), pp.282-300.
Muthalagu, I., 2016. PLM (Product Lifecycle Management) System Administrator Process for Document Management System (DMS) in Energy Devices Domain.
Neisse, R., Steri, G. and Baldini, G., 2014, October. Enforcement of security policy rules for the internet of things. In Wireless and Mobile Computing, Networking and Communications (WiMob), 2014 IEEE 10th International Conference on (pp. 165-172). IEEE.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), pp.217-224.
Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing information security policy compliance: a systematic review of quantitative studies. Information Management & Computer Security, 22(1), pp.42-75.
Ulusoy, H., Colombo, P., Ferrari, E., Kantarcioglu, M. and Pattuk, E., 2015, April. GuardMR: fine-grained security policy enforcement for MapReduce systems. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (pp. 285-296). ACM.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & Security, 44, pp.1-15.