Sample Information Security Policy

Only available on StudyMode
Published: August 23, 2010

Preamble
DooDads4Sale.com acknowledges an obligation to ensure appropriate security for all Information Technology data, equipment, and processes in its domain of ownership and control. This obligation is shared, to varying degrees, by every member of the company. This document will:

1. Enumerate the elements that constitute IT security.
2. Explain the need for IT security.
3. Specify the various categories of IT data, equipment, and processes subject to this policy.
4. Indicate, in broad terms, the IT security responsibilities of the various roles in which each member of the university may function.
5. Indicate appropriate levels of security through standards and guidelines.

Scope of IT Security
1. Definition of Security.
Security can be defined as "the state of being free from unacceptable risk". The risk concerns the following categories of losses:
• Confidentiality of Information.
• Integrity of data.
• Assets.
• Efficient and Appropriate Use.
• System Availability.
Confidentiality refers to the privacy of personal or corporate information. This includes issues of copyright.

Integrity refers to the accuracy of data. Loss of data integrity may be gross and evident, as when a computer disc fails, or subtle, as when a character in a file is altered.

The assets that must be protected include:
• Computer and Peripheral Equipment.
• Communications Equipment.
• Computing and Communications Premises.
• Power, Water, Environmental Control, and Communications utilities.
• Supplies and Data Storage Media.
• System Computer Programs and Documentation.
• Application Computer Programs and Documentation.
• Information.

Efficient and Appropriate Use ensures that the company’s IT resources are used for the purposes for which they were intended, in a manner that does not interfere with the rights of others.

Availability is concerned with the full functionality of a system (e.g. finance or payroll) and its components.

The potential causes of these losses are termed "threats". These threats may be human or non-human, natural, accidental, or deliberate.

2. Domains of Security.
This policy will deal with the following domains of security:
• Computer system security: CPU, Peripherals, OS. This includes data security.
• Physical security: The premises occupied by the IT personnel and equipment.
• Operational security: Environment control, power equipment, operation activities.
• Procedural security by IT, vendor, management personnel, as well as ordinary users.
• Communications security: Communications equipment, personnel, transmission paths, and adjacent areas.

Reasons for IT Security
Confidentiality of information is mandated by common law, formal statute, explicit agreement, or convention. Different classes of information warrant different degrees of confidentiality. The hardware and software components that constitute the company's IT assets represent a sizable monetary investment that must be protected. The same is true for the information stored in its IT systems, some of which may have taken huge resources to generate, and some of which can never be reproduced. The use of company IT assets other than in the manner and for the purpose for which they were intended represents a misallocation of valuable company resources, and possibly a danger to its reputation or a violation of the law. Finally, proper functionality of IT systems is required for the efficient operation of the company. Some systems, such as the web administration, database administration, order processing, and accounting systems, are of paramount importance to the mission of the company. Other systems (e.g. somebody's PC) are of less...