Serious new organizational security concerns have come with the widespread adoption of e-business. From the beginning the Internet has exhibited many vulnerabilities in its protocols, host systems, network administration and in its underlying communications nodes and network. These ever-changing vulnerabilities have been continuously exploited by disgruntled employees, competitors, hackers and others, leading to loss of privacy and security, loss of customers, financial damage, uncertainty and disruption, and corporate embarrassment. In addition, many of the employees granted Internet access for valid business purposes have been reported to have abused or misused it, whether from lack of awareness of valid, value-adding business uses of the Internet, lack of understanding of its insecurities, or from malicious intent. This makes the Internet both a risky and a profitable tool, one that needs protection in order to be effective for the organization.
A security policy can be described as a strategy for how a company implements information security technologies and principles. A security policy differs from security procedures and processes in that it includes both specific and high-level guidelines on how the company’s data should be protected, but it does not provide specific guidance on implementation or on how those guidelines are to be accomplished. This leaves room for choosing which methods and security devices are efficient for the budget and the company. A security policy is vendor and technology independent; its main aim is to establish the policies that, if implemented, will help attain the recommended goal. All of the company’s data and electronic systems are covered by the security policy. As a general rule a security policy would not cover the company’s hard-copy data, but some overlap is inevitable, since at some point the present soft copies were initially hard copies. Three main objectives must be covered within a security policy: it must provide protection for the integrity of the company’s information, it must allow for the privacy and confidentiality of the company, and it has to provide for the availability of the company’s information (Dojkovski, Lichtenstein, & Warren, 2012).
Three security policies recommended for an organization
A password policy is a security policy that would be efficient for any organization, mainly because it is designed as a set of rules that help enhance the security of a computer system. It encourages users to create and properly use strong passwords in the systems. In most organizations the password policy is part of the official regulations and as such is often taught as part of security awareness training. Its main advantage for a company is that it is designed to protect the organization’s network resources effectively by requiring strong, secure passwords. It mitigates password capture by requiring secure transmission of passwords; it mitigates cracking and guessing through a limit on the frequency of entries and through the construction of strong passwords; it prevents re-use through password expiration and the avoidance of recently used passwords; and it reduces the user load through local password management and single sign-on, which enable stronger policies.
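The mechanisms the paragraph lists (strong-password construction, a limit on entry frequency, expiration, and no re-use of recent passwords) can be expressed as enforceable checks. The following is an added illustration written for this page, not code from the cited authors; the numeric limits, rule names and the `Account` class are hypothetical and would be set by the organization’s own policy.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field

# Hypothetical policy values, constructed for this example.
MIN_LENGTH, HISTORY_DEPTH = 12, 5           # construction rule; recent passwords barred from reuse
MAX_AGE_SECONDS = 90 * 24 * 3600            # password expiration
MAX_ATTEMPTS, LOCKOUT_SECONDS = 5, 15 * 60  # limit on entry frequency
RULES = {"no uppercase": r"[A-Z]", "no lowercase": r"[a-z]",
         "no digit": r"[0-9]", "no symbol": r"[^A-Za-z0-9]"}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # slow salted hash

def check_strength(password: str) -> list[str]:
    """Return the construction rules the candidate violates (empty list = acceptable)."""
    problems = ["too short"] if len(password) < MIN_LENGTH else []
    return problems + [name for name, pat in RULES.items() if not re.search(pat, password)]

@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    set_at: float = 0.0
    history: list[bytes] = field(default_factory=list)  # hashes of recent passwords
    failures: int = 0
    locked_until: float = 0.0

    def set_password(self, new: str, now: float) -> list[str]:
        """Apply construction and reuse rules; return violations, or [] on success."""
        problems, digest = check_strength(new), _hash(new, self.salt)
        if any(hmac.compare_digest(digest, old) for old in [self.current] + self.history):
            problems.append("reused recent password")
        if problems:
            return problems
        if self.current:
            self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current, self.set_at, self.failures = digest, now, 0
        return []

    def login(self, attempt: str, now: float) -> str:
        """Return 'locked', 'denied', 'expired' or 'ok'."""
        if now < self.locked_until:
            return "locked"
        if not hmac.compare_digest(_hash(attempt, self.salt), self.current):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
            return "denied"
        self.failures = 0
        return "expired" if now - self.set_at > MAX_AGE_SECONDS else "ok"
```

An "expired" result should force a password change on the next step; the lockout timer rather than a permanent lock keeps a forgotten password from becoming a denial of service against the user.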
A network security policy (NSP) is also a recommendable security policy for any organization. It can be described as a generic document that outlines the rules for computer network access and lays out some of the basic architecture of the company’s network security and company security. The document, written by a committee, is usually several pages long. As a security policy it is beneficial because it not only helps keep out unauthorized entries but also governs email attachments, web browsing habits, the use of encryption and passwords, and data access. It specifies these rules for individuals or groups throughout the different levels of the company. As an organizational security policy an NSP would exert control over potentially risky users and keep malicious users out of the organization, making it a good choice as a security policy. It will moreover make it easier to securely access personal files from any location (Gaskin, 1998).
Among the many security mechanisms available for storing personal and confidential information, data encryption is the most efficient and widespread, in that regardless of the storage method, hardware or software, it remains easy, reliable and fast. It is considered a powerful tool since it guarantees mitigation of possible corruption without flaws, mainly because it relies on global standards for data encryption. It will also ensure that a company is compliant with its security policies as part of its wider solutions, and its solutions are efficient and cost effective for any organization. If data encryption is implemented correctly it will enable critical data to be stored securely in the background while normal business continues uninterrupted. In an organization it will help protect and preserve any important information, whether on a desktop or laptop, an email server, removable storage media, the corporate network or a PDA file.
How to implement security policies
When preparing to implement a security policy, it must first be backed by the company’s topmost management team. If they do not support the implementation it will lack departmental cooperation and will more likely fail; therefore all heads of departments must be involved, and the legal services and human resources departments in particular must play a major role in the implementation.
Next comes the review of all the available security policies and an understanding of how they are important or how they can fit the organization. Ensure that before the policy is enacted the relevant tools that align with it are in place. Then differentiate between procedures, policies and processes. Here there is a need for careful consideration of the procedures and processes that will be required once the policy is done. Certain procedures must also be created or added to support the new policy, for example on how to notify users who are non-responsive, or on how users should respond if they suspect an incident covered by the security policies.
Next there should be an emphasis on user education, and to that end a training session on the policy should be held regularly to provide the basic information and training on security awareness and policy implementation. Users must acknowledge and accept the user-level policy in writing, stating that they have read the policies and agree with them. This should be coordinated and handled by the human resources department, where the user signs the policy together with other HR documents that require the user’s signature.
Lastly, it is important to note that no policy will ever be 100% applicable in all scenarios, no matter how well it is implemented. In such cases exceptions can only be granted if they are well documented and written down. It is important to establish from the start that an exception to the policy can only be reviewed if the reasons benefit the business; otherwise it cannot be granted, since the policy is regarded as the company’s official standard (Lichtenstein & Swatman, 2001).
Efficient security policies share two characteristics: they provide attainable and realistic security goals, and they accurately reflect the organization’s strategy for security. Recognize that a security policy should not be shelved after being created, but rather consulted actively throughout the organization. By incorporating a custom security policy into the company’s management process, it is possible to enjoy risk reduction for years to come or to meet applicable regulations, depending on how it is implemented.
Dojkovski, S., Lichtenstein, S., & Warren, M. (2012). Challenges in fostering an information security culture in Australian small and medium sized enterprises. In ECIW2006: Proceedings of the 5th European Conference on Information Warfare and Security (pp. 31-40). Academic Conferences Limited.
Gaskin, J. E. (1998). Internet acceptable usage policies. Information Systems Management, 15(2).
Lichtenstein, S., & Swatman, P. M. (2001). Effective management and policy in e-business security. In Proceedings of the Fourteenth International Bled Electronic Commerce Conference.