Policy Framework
Management of Information Security
• At board level, responsibility for Information Security shall reside with the Head of ICT.
• The managers shall be responsible for enforcing, implementing, monitoring, documenting and communicating security policy requirements for the company.
• All staff, permanent or temporary, and third-party contractors must be aware of the information security procedures and comply with them.
Information Security Training
• Information security training shall be included in the staff induction process.
• An ongoing awareness program shall be established and maintained in this company to ensure that staff awareness is refreshed and updated as necessary.
Contracts of Employment
• Staff security requirements shall be addressed at the recruitment phase and all contracts of employment shall contain a clause for confidentiality.
• The job description of all staff shall clearly state the company’s expectations as they relate to information security.
Acceptable conduct
• Emails shall not contain offensive or abusive messages, indecent images, or materials that harass others.
• Internet access must be used strictly for official purposes. Indecent and offensive websites, personal downloads and unofficial discussion sessions will not be acceptable.
• Mobile devices and tablet PCs must not be used for unapproved business purposes.
Employee Termination
• Employee credentials shall be deactivated immediately upon termination of the employee’s contract.
policies and procedures. Staff to have the relevant training to be able to fill their role
This chapter began by explaining what security management is. It defined it as the core component that forms the foundation of a corporation’s security program. Risk management, security organizations, security education, information classification, information security policies, standards, procedures, baselines and guidelines are the elements of this core component. The chapter further explained that security management exists to protect company assets. These assets can be identified through risk analysis, which exposes the threats that can put them at risk. The risk analysis, according to this chapter, also facilitates identification of the budgets, so that the company knows how much funding is needed to protect the
Regardless of the organization’s size, there should be a comprehensive security plan in place. This ensures that personnel will understand regulations and follow protocols. Be sure to require that all employees successfully complete an annual security refresher course, such as a webinar or online training module. A plan will also help management respond to and resolve IT emergencies. Security plans should be customized to fit the needs of each organization. There are many security plan ideas and templates available online.
Give the support and appropriate training opportunities to enable staff to carry out their responsibilities
The seventh rule is to "help keep flame wars under control" (Shea). "Flaming" is what people do when they express a strongly held opinion without holding back an emotion (Shea). The eighth rule of Netiquette is to "respect other people's privacy" (Shea). The ninth rule is "to not abuse your power" (Shea). Knowing more than others, or having more power than they do, does not give you the right to take advantage of them. The last rule of Netiquette is to "be forgiving of other people's mistakes" (Shea). Internet etiquette is necessary when going online. The rules are simple and easy to abide by. Guidelines for using the web help to minimize possible mistakes.
that the right source be notified to ensure that the issue is addressed quickly. Successful enforcement of all instruction is intended to produce the information security needed to produce a healthy infrastructure.
A good policy should be concerned with providing data confidentiality, integrity, availability and resource protection, and it should be audited periodically. An example of a policy is that critical data sent over the Internet must be encrypted. The second part is procedures, which detail the steps and documentation that explain how a particular function or job should be done; for instance, detailed instructions on how a particular program should be installed. The last part is awareness and training, which is critical to take into consideration. All employees should be made aware of general security by providing them with security training whenever it is necessary and educating them about cyber security.
The Information Security team commits to the confidentiality, integrity, and availability of assets. Furthermore, security policies clarify how the company intends to protect company assets against similar breaches in the future. For example, the Monitoring and Logging Policy defines the following procedures to review:
The annexed appendix will further elaborate on the job requirements. This appendix will additionally serve as a cross-reference for the staff being employed. Employed staff will be able to work towards what the company and management are looking for in them in terms of their commitment, assigned obligations and knowledge.
We need an IT Security and Compliance policy to provide information security procedures and guidelines within our company to safeguard our proprietary information and the personal data of our employees and customers. Information security is the study and practice of protecting information. The main goal of information security is to protect its confidentiality, integrity, and availability. This encompasses both outside attackers and insider threats that may affect one or more elements of the CIA triad.
In this paper, Berber et al. discuss ways of formalizing information security requirements. They noted that risk analysis and the concentration on threats, vulnerabilities and assets are the most effective means of protecting all IT resources.
Even respected information security techniques involving compliance and audit may fail to address real contemporary information risk. “Traditional approaches to information security, such as publishing a thick manual of policies and standards, no longer work. They might be fine for enabling you, and your management, to tick your compliance boxes, to demonstrate that you’re
Security is paramount for any organization. Managers need to ensure employees do not break the rules, and managers should be in tune with the standards set forth concerning both security and safety. Macpherson and Burkle discuss the principle of Organizational Security, and they state, “It establishes the corporate standard for staff safety and security requirements and commitment based on the precepts of ‘Duty of Care.’ It is a signal to all stakeholders, staff, trustees, management, partners and donors that the organization takes the safety and security of its staff and the integrity of its programs seriously” (2013). Although managers do not write the rules governing most procedures, they are encouraged to enforce the standards of an organization to ensure there is no misconception of what policy states and how policy is applied. Supervisors should know whom to contact if a question arises concerning any policy for which the answer is unknown. The security policies for an organization can cover numerous areas, but most organizations attempt to simplify these areas into three main branches that filter down to the multiple areas of concern. These main themes are information security, personnel security, and physical security.
Security Training for Employees: Provide security training to employees and make them understand that they should never reveal private customer information by email or in chats, as neither of these channels is secure.