Thursday, 26 April 2012

Security Policy

A security policy is defined as a set of living documents that allow an organization and its management team to draw up clear and understandable objectives, rules, formal procedures and goals that support the overall security posture and architecture. Its main purpose is to explain what is deemed allowable and what is not, and to engage the organization in securing the company's critical systems. Policy practices are also derived with regard to integrity, confidentiality and availability.
Confidentiality means ensuring that only authorized people can access information. It prevents information from being exploited and keeps valuable information only in the hands of those who are allowed to view it. Integrity is about maintaining the state or value of information: the information is protected from unauthorized modification, which ensures that it is genuine and cannot be modified or destroyed. Availability means ensuring that every information system is available whenever it is needed, in order to support critical business processing.

Therefore, with a good security policy in place, the company can react to or recover from situations in minimal time, in areas such as risk assessment, disaster, administrative responsibility, password policy, user responsibilities, e-mail policy, internet policy and intrusion detection.

1 comment:

  1. Through Christopher's blog post regarding 'Security Policy', I further understand the importance of the policy being the 'spine' of the company's information security through the objectives, rules and procedures that have been made clear. I also learned that the policies are related to CIA. True with that, the value and state of information is maintained to only authorized people. However, having a good security policy needs more than that, namely a few other functions that need to be considered.

    Firstly, the policy has to be understandable and realistic. Secondly, as you have mentioned, it has to be consistent, but also it has to be regularly reviewed to cope with the changes in the company and industry. Finally, and most importantly, the policy has to be enforceable. Punishment has to be carried out on those that do not abide by it. Only then will you have a good security policy that will keep the company or organization safe and protected.
