[ security policies and procedures ]

Information security policies and procedures are among the most fundamental components of any security program. They strengthen the security and well-being of an organisation's data by providing the gateway to compliance, and they are the bottom line of information security adherence.

An information security policy can be loosely described as a written set of rules and standards, agreed upon at the highest levels of an organisation, as a means of enforcing information security in a predefined and organised manner.

Information security policies should always have management support, as they underpin the security and well-being of the organisation's information resources.

A well-written security policy builds a foundation for a comprehensive and effective security program by giving authority to security activities, identifying the organisation's goals and objectives, and defining the assets and principles the organisation considers valuable.

Policies help to define the organisation's response to laws and regulations, minimise risk, improve personal responsibility and accountability, ensure the organisation complies with relevant legislation, serve as a basis for interpreting or resolving conflicts, and provide a written standard for incident response and enforcement.

Senior management should approve security policy and procedure definitions within an organisation, ensuring they do not conflict with, and are not detrimental to, the organisation's core business activities and the legal, statutory or regulatory laws within that industry.

Once the security policies have been approved and signed off, their existence and importance must be made known to members of staff so that they are aware of their responsibilities towards the organisation, fellow members of staff, clients and third-party organisations when they use systems.

Implementation of, and adherence to, security policies is best achieved with the aid of security awareness programs. Each program should be tailored to its particular audience and periodically reviewed for its effectiveness in disseminating information to the organisation.

Security policies are all the more important where legislative enactments have made it mandatory for financial and health organisations to have information security policies, rendering non-compliance illegal and punishable with stiff penalties.

Our strategy is to define security policies only after conducting a sound analysis of your business from a technological, physical and business point of view to ensure your policies are practical and enforceable.

Our consultants have multi-industry experience in defining information security policies tailored specifically towards your organisation's information security requirements.

This we achieve by performing the following:

  • Analysing current security policies and procedures
  • Identifying any gaps
  • Making recommendations
  • Writing policies
 


Copyright by Zylt Consulting | Designed by bluechilli