Management Information Security

Abhignya92

An information security policy is very important for any organization. Every organization faces risks that may lead to data loss or unauthorized access to the company's data, causing problems. An effective security policy involves prevention, detection, and response in case a security breach occurs. The main aim of a security policy is not to eliminate all threats but to deal with the known threats and to minimize the losses that would result in case of an intrusion.

Sources of resources for the information security policy

The resources for building an information security policy are people, finances, and information resources, which can be sourced internally and externally. Information resources will be provided by the organization; they include computers and storage devices. People include the information security manager, who is to oversee the implementation of the policy (Karyda, Kiountouzis & Kokolakis, 2005). This will be me, and we can probably get another person for assistance. Thirdly, there is the internet service provider, who will be sourced from outside. This provider will not be part of the organization; he/she will remain a third party. The organization will also provide the financial resources needed for the policy.

Important items in the information security policy

The most important items that I would include in the new policy are the classification of data and the authority and access control policy.

Classification of data

Data in any organization have different values. For this reason, there may be a need for separation, and each kind may require special handling. I would therefore include an information classification system to help in data protection, which is very important. Protecting all the data, including insensitive data, may overburden the organization's resources. There is therefore a need to classify data into high-risk, confidential and public classes (Wood & Lineman, 2009). High-risk data is data that is protected by law, including personnel, financial and payroll data. Confidential data is data that is not covered by the law, but which data owners find necessary to protect against unauthorized access. Finally, public data is data that can be distributed and accessed freely. Classifying data in this way is necessary to avoid overburdening the resources while at the same time maintaining data confidentiality and integrity.

Authority and Access control policy

It is very important to define who should access what data and who should not. The information security policy should specify this clearly. The management should be able to access all the data, but the middle- and low-level staff should be bound not to access some data or share it. The senior-level managers should be given the role of granting other staff permission to access and share any information (Sandhu & Samarati, 1994). The information security policy should address every position in the organization and its level of authority.
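The two items above, the three data classes and the rule that only senior managers may grant staff access to non-public data, can be expressed as a small enforcement check. The following is an added illustration, not part of the original essay or of any cited work; the class names, the category-to-class mapping in `classify`, and the `read`/`share` actions are assumptions chosen to match the text.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """The three classes described in the essay, ordered by sensitivity."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    HIGH_RISK = 2


class Role(IntEnum):
    STAFF = 0            # middle- and low-level staff
    SENIOR_MANAGER = 1   # management: full access, may grant permissions


ACTIONS = ("read", "share")

# Assumed mapping of record categories to classes. Personnel, financial and
# payroll data are protected by law and therefore high risk (per the essay);
# owner-flagged categories are confidential; everything else is public.
_LEGALLY_PROTECTED = {"personnel", "financial", "payroll"}
_OWNER_PROTECTED = {"contracts", "product-roadmap"}


def classify(category: str) -> Classification:
    """Assign a classification to a record based on its category label."""
    category = category.lower()
    if category in _LEGALLY_PROTECTED:
        return Classification.HIGH_RISK
    if category in _OWNER_PROTECTED:
        return Classification.CONFIDENTIAL
    return Classification.PUBLIC


@dataclass(frozen=True)
class Record:
    name: str
    classification: Classification


@dataclass(frozen=True)
class User:
    name: str
    role: Role


@dataclass
class AccessPolicy:
    # Explicit (user, record, action) permissions granted by a senior manager.
    grants: set = field(default_factory=set)
    # Every decision is recorded so that denied attempts can be reviewed.
    audit_log: list = field(default_factory=list)

    def grant(self, grantor: User, grantee: User, record: Record, action: str) -> None:
        """Only senior managers may give staff permission to read or share."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if grantor.role != Role.SENIOR_MANAGER:
            raise PermissionError(f"{grantor.name} is not allowed to grant access")
        self.grants.add((grantee.name, record.name, action))

    def is_allowed(self, user: User, record: Record, action: str) -> bool:
        """Decide whether `user` may perform `action` on `record`."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if record.classification == Classification.PUBLIC:
            decision = True                      # public data is free to use
        elif user.role == Role.SENIOR_MANAGER:
            decision = True                      # management sees everything
        else:
            # Staff need an explicit grant for each non-public record/action.
            decision = (user.name, record.name, action) in self.grants
        self.audit_log.append((user.name, record.name, action, decision))
        return decision

    def denied_attempts(self) -> list:
        """Return the audit entries where access was refused."""
        return [entry for entry in self.audit_log if not entry[3]]


if __name__ == "__main__":
    # Constructed sample users and records for demonstration.
    policy = AccessPolicy()
    alice = User("alice", Role.SENIOR_MANAGER)
    bob = User("bob", Role.STAFF)
    payroll = Record("payroll-2024", classify("payroll"))
    print(policy.is_allowed(bob, payroll, "read"))     # False: no grant yet
    policy.grant(alice, bob, payroll, "read")
    print(policy.is_allowed(bob, payroll, "read"))     # True
    print(policy.is_allowed(bob, payroll, "share"))    # False: read grant only
    print(policy.denied_attempts())
```

The design keeps the decision in one function so that the policy text ("management accesses all data; staff need a senior manager's permission") maps directly onto the branches, and the audit log covers the detection part of the policy: denied attempts are kept for review rather than silently dropped.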

References

Karyda, M., Kiountouzis, E., & Kokolakis, S. (2005). Information systems security policies: a contextual perspective. Computers & Security, 24(3), 246-260.

Sandhu, R. S., & Samarati, P. (1994). Access control: principle and practice. IEEE Communications Magazine, 32(9), 40-48.

Wood, C. C., & Lineman, D. (2009). Information Security Policies Made Easy Version 11. Information Shield, Inc.