Information Security Policy
A good information security policy sets clear, defined boundaries for how users may use company technology. It also serves as a contingency plan, spelling out how the company will handle the situation if or when things go wrong.
The resources to build an effective information security policy can be found in many publications and articles on the web. An excellent source that I found to be informative and helpful is the InfoSec Institute's article (Key Elements of, 2018), which outlines the key sections of an information security policy and includes some helpful examples of policy rules. Another great source that I found is the research papers of the SANS Institute, a terrific source for security research, training, and information. The whitepaper from that source (Liddiard, 2002), although old, outlines how to design, create, and implement an information security policy; the author shares his experience and lists clear steps to follow.
The first and most important item that I would include is the Data Breach Response Policy, also known as an incident response plan. The purpose of this policy is to establish the goals and vision for how the organization will respond to a data breach. This plan helps to mitigate the risks of a cyber-attack because it details how the organization plans to protect data assets throughout the incident response process. The policy should define who it applies to and when it comes into effect, including the definition of a breach, staff roles and responsibilities, standards and metrics, reporting, remediation, and feedback mechanisms (RSI Security, 2019).
Another important (but often overlooked) item that I would include in an information security policy is regular audits of IT assets and their security. The audits should review the security practices and policies of the central IT systems as well as the end-user departments and every corner of the enterprise, such as automated machines and IoT devices that might be deployed at remote manufacturing plants. The audit should look not only at the software and hardware controls in place to protect security but also at the habits of remote-site personnel and their compliance with security policies. This helps to find and fix the gaps that people often assume do not exist.
References
Key Elements of an Information Security Policy. (2018). InfoSec Institute. Retrieved from https://resources.infosecinstitute.com/key-elements-information-security-policy/
Liddiard, M. (2002). Building and Implementing an Information Security Policy. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/policyissues/building-implementing-information-security-policy-509
RSI Security. (2019). How To Build An Information Security Plan For Your Small Business. Retrieved from https://blog.rsisecurity.com/how-to-build-an-information-security-plan-for-your-small-business/