Find This Guidelines in Developing Information Security Policy For Your Organization

In 1858, a telegram of 98 words from Queen Victoria to President James Buchanan of the United States opened a new era in global communication. The queen's message of congratulation took 16½ hours to transmit through the new transatlantic telegraph cable. The president then sent a reply of 143 words back to the queen. Normally, without the cable, a dispatch in one direction would have taken perhaps 12 days by the speediest combination of inland telegraph and fast steamer.

Today, the speed of your message from UK to US could be as fast as you click the "send" button if you send a message via E-mail. In business, the corporate and the organizations depend on the reliability of the system information.

Information is an asset which, like other important business assets, has value to the corporate and consequently needs to be suitably protected in reference to the management of the information security. Information security protects information from a wide range of threats in order to ensure business continuity and minimize business damage. Information security is achieved by implementing a suitable set of controls in the form of policies, procedures, organizational structures, systems and functions to ensure that the security objectives of the organization are met.

Information Security deals with a number of important concepts. Information security is concerned with ensuring the information security of all information and the systems, processes and procedures relating to the management and use of the information. Information may be in hard copy or soft copy stored on various types of information media such as diskettes, compact discs or computer networks.

1. Information has varying degrees of sensitivity and criticality. A great deal of information may need no, or only very low levels of security. However, other information may be commercially sensitive and will require higher levels of security. Information assets must be classified and managed according to their security requirements and to ensure that security controls are commensurate with the security risks.

2. There is increasing dependence on information systems and on the exchange of information between Business Units and with business partners. This brings with it increasing exposure to security threats.

Information security should be applied to all corporate operations. Business Units are responsible for ensuring that their information assets are appropriately protected. All users have responsibility for the information security they utilize, and management must ensure that information security controls are properly implemented. Information security does not ensure security. However, the information security does provide a framework and reference point for management to implement appropriate information security controls, and is a means of raising awareness of users’ responsibilities relating to information security.

The potential consequences of an Information Security breach can:

1. Loss of life and injury

2. Loss of shareholder confidence

3. Interruption of business processes

4. Financial loss

5. Loss of client confidence

6. Criminal charges

7. Brand and reputation damage

8. Litigation

General statement of information security policy

Information and its supporting processes, systems, and networks should be available to employees (and authorized third parties) to enable them to optimize their performance. Information must be subject to an appropriate level of control to protect it from loss, unauthorized manipulation or disclosure.

Objectives of information security standard policy:

1. Availability: To ensure that authorized users have access to information and its supporting processes, systems and networks when required.

2. Integrity: To safeguard the accuracy and completeness of information and associated processing methods.

3. Confidentiality: To ensure that information is accessible to only those authorized to have access.

Purpose of information security policy

Information security olicy provides a framework for management to implement and maintain a level of information security that is commensurate with information security risks. Its purpose is to ensure that:

1. Trust between Business Units and trading partners with whom share public and private networks are maintained.

2. Information is secure and is protected in a manner that is commensurate with its level of sensitivity and security risk.

3. Regulatory obligations are complied with, for example privacy legislation.

The following areas are those that need security guideline in regards to information security standard:

1. Careless talk

Careless Talk means:

• Talking about business, the office, and people from work, etc where you can be overheard.

• Discussing business with people who are not authorized to know.

Careless talk also means providing sensitive information inadvertently to someone who wants it for a specific purpose such as breaking into the corporate premises or computer systems. This is called Social Engineering.

Before you talk to someone about your work and the corporate business you should ask yourself the following question:

Does this person have a defined ‘Need to Know’?

If they don’t have a Need to Know, then you should not talk to them about information they should not hear.

2. Email security guideline

Email is regarded as a critical component of the corporate communications system and is provided as a business tool. The security, confidentiality and integrity of Email cannot be guaranteed and certainly cannot be considered private. Due to this, you should act professionally and appropriately at all times.

If you need to send information that is sensitive or confidential and you cannot guarantee the email security, consider another method of sending this information, unless you have approved encryption.

3. Instant messaging guideline

Instant Messaging (IM) is a communication tool that provides for two-way communication in real-time. For the two-way communication to occur each person must use the same IM product such as ICQ, Yahoo Messenger or MSN Messenger (called Windows Messenger in Windows XP).

We cannot guarantee Instant Messaging security for the communications of the information, the security and integrity of information via Instant Messaging cannot be guaranteed, so do not discuss sensitive business or private and personal details using Instant Messaging.

4. Internet policy guideline

This access is a privilege and you are expected to act professionally and appropriately while using the Internet. What you do on the Internet can be monitored internally / externally and your actions can be traced back to the computer you are using.

Internet access is a business tool, so that’s why internet security policy should be developed as guidelines to support the business. Why?

• Information and activities can be monitored and manipulated.

• Security of transmissions is not guaranteed.

• Information can be easily and uncontrollably distributed.

• Files downloaded from the Internet may contain viruses and other malicious programs.

5. Laptop security guideline

Laptops are very valuable organizational assets because they contain many work files that are important to the corporate and may contain sensitive business information, which must be protected at all times.

6. Office security guideline

The corporate business premises and office areas have a variety of physical security controls in place, however staff should be vigilant at all times. The corporate business premises and office areas have a variety of physical security controls in place, however staff should be vigilant at all times. The security guidelines should be developed to manage the following.

• Strangers in the workplace

• Classified information / assets

• Clear desk

• Screen-saver or screen-lock

• Secure faxing

• Secure photocopying

• Virus scanning

7. Password security guideline

Your User ID, password and/or token provides you with access to information on the corporate computer systems, that only you should have access to, based on the Need to Know Principle. First guideline in password security is selecting a good password. A good password is something that cannot be easily guessed.

• A mixture of: upper and lower case letters; numbers; and symbols

• At least 8 characters

• Should not be written down at any time

• Should not be shared with anyone else.

Knowing common passwords that are easy to guess is a good thing in password security guidelines. An easy to guess password is a word that you have chosen that is related to something that is commonly known about you or could be easily ascertained.

8. Secure media handling

Why Should You Destroy Media Securely? Media contains your organization’s information. Unauthorized people should not have access to your organizations information at any time. When you throw something in the rubbish or waste paper bin you do not know where it can end up when it leaves your office.

9. Spam security

Most of you would receive physical junk mail (adverts, brochures etc) in your mailbox at home. Spam is the electronic equivalent; however there are some differences between the hardcopy version of junk mail and the email version.

It would be extremely rare for you to receive pornography and other offensive hardcopy advertisements at home unsolicited, however Spam received via email often contains this type of material or information. Therefore, an anti spam security policy regulation is needed within an organization.

10. Virus security

If you think you’re totally safe from virus infection because of the antivirus scanning programs installed on the corporate IT systems – think again. Hundreds or maybe thousands of new viruses and worms are introduced into the ‘wild’ every week.

Therefore you must regularly update the system at the earliest with the update patch and critical security patches. For your organization, the automatic patch update is very important to deploy such as WSUS (windows server update services) system.