The Role of Information Security Policy

The Role of Information Security Policy

Information Security Policy is a very important part of organizations’ security protection. Organizations need their employees to build a secure working environment against all kinds of security threats. Information Security Policy is a good tool to show employees how to do it.

Policies are statements of objectives and direction that guide implementations. (McBee, 2007) Policy guides employees and others working for the organization how to deal with something important, in this case, data. For example, an organization may have a policy for all the important internal using data: all these data should be encrypted. This policy guides employees to install a program that automatically encrypts all the internal data. This policy can show employees how to protect the organization and build a secure working environment. Information Security Policy basically includes:

 Privilege standards. It includes what level of employees can access what kind of data. What kind of privilege they can have. Under what kind of condition they can access the data.

 Authentication standards. It is about the authentication of the system. Such as how can user login to the system; how the authentication works; how the users be assign to different level; and how the system change privileges to users.

 Firewall practices. It includes how to use the firewall or anti-virus program; how frequently to run a full scan, how often should the software be upgraded, and how to response if any attack is detected.

 Email and instant message use. It includes what kind of use is allowed with emails and instant messages; how to scan incoming and outgoing emails and instant messages; how to deal with emails that has potentially malicious codes.

 Client device security. It includes what kind of firewall or anti-virus software should be installed in client devices; what kind of restrictions to laptops, smart phones, tablets, and other mobile devices. What kind privilege can users have from using their mobile devices; and whether copy data to mobile devices is allowed.

 Server security. How to protect servers, how to maintain servers; how to deal with the attacks to servers; and what kind of access is allowed to the servers.

 Wireless security. How to use wireless access points; how to figure which wireless access points are safe; and how to protect wireless access points from security threats.

 Information privacy. It includes how to define