Security Policies: Importance, Development, Comparison, and Implementation
Heather Ebhardt
INF 325: Telecommunications & Networking Concepts
Instructor: Dr. Arman Kanooni
Security Policies: Importance, Development, Comparison, and Implementation
Internet and network security are a primary concern for many businesses. In today's world, the number of hacks and leaks of data is continuing to rise, which is what makes security the primary concern. What may or may not be apparent is that many breaches of data tend to be caused by internal users' errors that may not even have been meant to be malicious. Liaskos and Sandy quote a study by Roman which revealed "...about 50 per cent of company management were concerned about the issue of unacceptable Internet use. The consequences that may arise from unacceptable use include loss of productivity (‘cyberloafing’), increased service costs, increased risks of litigation and damage or loss of data" (Liaskos & Sandy, 2004, p. 90). Whenever a new network is being considered or implemented, security should be the primary concern, with the pros and cons of each type of system being weighed. After the network has been decided on and implemented, a risk assessment or analysis should be conducted that details how the network is used, what the risks are, where data could be lost or is most sensitive, and any other possible security concern, which in turn creates a security plan. It is because of the risk of these internal errors that a strong security policy should be in place for all end users. Scott explains: “Information security policies provide vital support to security professionals as they strive to reduce the risk profile of a business and fend off both internal and external threats” (Scott, 2013, para. 1).
In addition to weighing the pros and cons of implementing a new network structure and determining the risks of each, in order to protect the sensitive data of the company one must understand the difference between a security policy and a security plan and how each is used, develop a security policy that covers all the needs of the business, compare and understand the differences between different users, and ensure that the policy will be implemented successfully.
A security plan and a security policy work hand in hand in order to create computer security. Stallings and Case quote the definition of computer security from the NIST Computer Security Handbook, which reads: "The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)" (Stallings & Case, 2012, p. 512). The purpose of both the security plan and the security policy is to make sure that the requirements for computer security are being met. Security plans are usually developed after the initial risk assessment is completed. They involve knowing what the threats to a network are and defining what is needed to counteract any problems, and can include risk mitigation execution strategies or the implementation of security products. Business Research Guide explains that there are two types of security measures that should be planned for, proactive and reactive: "Pro-active security involves controlling account access to sensitive data on a need to know basis, proper encryption of stored data, strong policies controlling employee use of e-mail and the internet, the proper delegation of responsibilities among technical staff, hardened password policies and the education of employees to aid them in understanding the security system and the necessity of all policies. Reactive security on the other hand involves backing up sensitive data in a safe and secure fashion that is readily accessible in case of emergency" (Business Research Guide, N.D., para. 3). Security...
References
Albright, J. G. (2002). Basics of an IT security policy. Informally published manuscript, SANS Institute. Available from Global Information Assurance Certification. Retrieved from http://www.giac.org/paper/gsec/1863/basics-security-policy/103278
Business Research Guide. (N.D.). IT security plan. Retrieved from http://www.business
Cisco Systems. (2008). Data leakage worldwide: Common risks and mistakes employees make. Retrieved from http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-499060.pdf
Liaskos, J., & Sandy, G. A. (2004). An evaluation of Internet use policies of Victorian local government. Australian Journal Of Public Administration, 63(4), 90-100. doi:10.1111/j.1467-8500.2004.00405.x. Retrieved from EBSCOhost.
Olzak, T. & Bunter, B. (2010, May 07). Security basics - components of security policies. Bright Hub, Retrieved from http://www.brighthub.com/computing/smb-security/articles
Scott, A. (2013, April). How to create a good information security policy. Computer Weekly. Retrieved from http://www.computerweekly.com/feature/How-to-create-a-good-information-security-policy
Stallings, W., & Case, T. (2012). Business Data Communications: Infrastructure, Networking, and Security, VitalSource for Ashford University. [VitalSource Bookshelf version]. Retrieved from http://online.vitalsource.com/books/9781269749831/outline/