The Role of Information Security Policy
The failure of organizations to implement a comprehensive and robust information security program can mean the untimely demise for some and costly setbacks for others. At the heart of information security is security policy. Without security policy there can be no security program. Without people, security policies would not exist. They would not be written, implemented, and enforced. Security policies and the adoption of standards provide many benefits as shall be discussed in this paper. Further is discussed how information in systems often falls under different classifications to reflect a degree of sensitivity and how this relates to an organization’s security policy. 1.0 Security Policy and Standards
1.1 Defining Information Security Policy
Conklin et al (2012, “Information Security Policy”) states, “policy is the essential foundation of an effective security program,” and “the centrality of information security policies to virtually everything that happens in the information security field is increasingly evident.” Webopedia.com defines security policy as “a document that outlines the rules, laws, and practices for computer network access” (2013, “Security Policy”). The document regulates how an organization will manage, protect, and distribute its sensitive information. Information security policy addresses many issues such as the following: disclosure, integrity, and availability concerns; who may access what information in what manner; maximized sharing versus least privilege; separation of duties; and who controls and who owns the information. 1.2 Defining Information Security Standards
Standards are recommended or imposed practices that should or must be followed. The businessdictionary.com website (2013, “Standards”) defines standards as “written definition, limit, or rule, approved and monitored for compliance by an authoritative agency or...